The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.
Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.
The data breach reported by Watford Community Housing (“WCH”) last month provides a timely reminder of what can go wrong, compounding the difficulties already faced by an organisation as it needs to expend further time and resources in taking the necessary steps to deal with the breach, in addition to facing exposure to potential enforcement action under data protection laws.
On Monday 23 March 2020, WCH sent an email to its tenants, providing advice on how tenants could communicate with, and receive information from WCH during the Coronavirus pandemic. Unfortunately, this email inadvertently attached a spreadsheet containing the personal data of approximately 3,500 WCH residents. The spreadsheet included some personal data that is categorised as ‘special category’ data and is subject to additional protections due to its sensitivity, under data protection laws. More specifically, the spreadsheet included tenants’ names, addresses, dates of birth, religious beliefs, sexual orientation, ethnic origin and disability status. This information was reportedly collected by WCH with tenants’ consent to enable them to tailor their services and comply with regulatory duties relating to their tenants. The spreadsheet did not contain financial information.
Key regulatory provisions
Under Article 33 of the GDPR, unless the personal data breach is “unlikely to result in a risk to the rights and freedoms” of the affected data subjects, the controller must notify the breach to the supervisory authority (in the UK, this is the ICO). This notification must be without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Furthermore, if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, then under Article 34 GDPR, the controller must also communicate the personal data breach to affected data subjects without undue delay.
In assessing their notification obligations (in particular when assessing risk and deciding how to maintain accountability and record keeping), controllers should refer to the Article 29 Data Protection Working Party ‘Guidelines on Personal data breach notification under Regulation 2016/679’.
How did WCH respond?
In a statement on its website, WCH explained the measures it was taking to address the incident. These included sending a follow-up email to all affected tenants the same evening, apologising for the incident and asking them to promptly delete the email containing the erroneous attachment; reporting the breach to the ICO and its industry regulator; and carrying out an internal investigation, including a full review of its processes, to guard against this happening again. WCH has also set up a free helpline for those affected and free identity and credit monitoring services. It is reportedly taking a variety of steps to assess the potential impact on those affected by the breach, including identifying safeguarding concerns and contacting relevant tenants to offer additional support, guidance and reassurance.
Lessons to learn
Appropriate procedures must be in place to ensure that communications sent out to large numbers of recipients are carefully checked so that personal data relating to other recipients is not inadvertently disclosed. This includes, where appropriate, taking measures to ensure that the email addresses of the other recipients are not exposed in the ‘To’ line of the email (i.e. by blind copying recipients on mass mailings), and checking both the content of the communication itself and any attachments. Organisations should remind employees working from home of the need to comply with their data protection and data security policies at all times, highlighting key measures, as described in our recent blog.
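As an added illustration of the pre-send check described above (example code, not part of the original post or of any WCH process), the function below inspects an outgoing message and flags recipients left visible in ‘To’/‘Cc’ on a mass mailing, any spreadsheet-style attachment on such a mailing, and, for CSV attachments, column headings that suggest special category data. The threshold, suffix list and heading list are assumptions; the sample message is constructed for the demonstration.

```python
from email.message import EmailMessage
import csv
import io

MASS_MAIL_THRESHOLD = 20   # assumed: above this many recipients, treat as a mass mailing
DATA_FILE_SUFFIXES = (".csv", ".xls", ".xlsx")   # assumed list of spreadsheet-style files
SENSITIVE_HEADERS = {"date of birth", "religion", "sexual orientation",
                     "ethnic origin", "disability"}   # assumed special-category headings


def _addresses(msg, header):
    # A header may appear more than once and each may hold a comma-separated list
    return [a.strip() for h in msg.get_all(header, []) for a in h.split(",") if a.strip()]


def check_outgoing(msg: EmailMessage) -> list:
    """Return human-readable findings; an empty list means the message may be sent."""
    findings = []
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    total = len(visible) + len(_addresses(msg, "Bcc"))
    if len(visible) > MASS_MAIL_THRESHOLD:
        findings.append(f"{len(visible)} recipients visible in To/Cc; use Bcc for mass mailings")
    if total > MASS_MAIL_THRESHOLD:
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if not name.endswith(DATA_FILE_SUFFIXES):
                continue
            findings.append(f"data file '{name}' attached to a mass mailing; hold for second-person review")
            if part.get_content_type() == "text/csv":
                # Only the heading row is inspected; the row values themselves are not logged
                header_row = next(csv.reader(io.StringIO(part.get_content())), [])
                hits = sorted(h.strip().lower() for h in header_row
                              if h.strip().lower() in SENSITIVE_HEADERS)
                if hits:
                    findings.append(f"'{name}' has special-category columns: {', '.join(hits)}")
    return findings


def build_sample() -> EmailMessage:
    """Constructed message resembling the incident: 25 visible recipients plus a tenant spreadsheet."""
    msg = EmailMessage()
    msg["From"] = "comms@example.org"
    msg["To"] = ", ".join(f"tenant{i}@example.net" for i in range(25))
    msg["Subject"] = "How to contact us during the pandemic"
    msg.set_content("Please use our online portal while our offices are closed.")
    msg.add_attachment("Name,Address,Date of birth,Religion\nA. Tenant,1 High St,1970-01-01,None\n",
                       subtype="csv", filename="tenants.csv")
    return msg


if __name__ == "__main__":
    for finding in check_outgoing(build_sample()):
        print("FLAG:", finding)
```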