In our increasingly busy digital lives, it is all too easy to hit send without checking whether ‘autofill’ has picked the correct recipient, or without moving the email addresses to the BCC field. Most of the time these errors have only a minor impact on individuals, but not always – the Ministry of Defence (MOD) sent an email that copied in 250 Afghan individuals rather than blind-copying them.
This, of course, could have disastrous repercussions for the individuals involved, because some of those emails contained profile pictures and other personal information; such a disclosure (or loss of privacy) amounts to a breach of the UK GDPR. It could have been avoided with a little more care. For instance, steps such as turning off the autofill function and setting a delivery delay on your email allow you to stop an email before it is distributed.
What should your business do if it experiences a data breach like this?
The first task is to investigate the data breach: establish what data has been leaked and understand how it happened. This may require interviewing members of staff to assist with the investigation and carrying out audit checks on your data processing systems and controls. On conclusion of the investigation, if you decide to make any changes at this point, careful notes must be taken explaining why you have made them, so that there is no suggestion that you covered up any evidence of a data breach.
There is a possibility that your company could receive a claim for a breach of GDPR, either from an individual or from a group of individuals. There are, however, a number of defences and exemptions that your company could rely on against such a claim – take some expert advice before moving ahead.
What are the defences and exemptions?
The Data Protection Act 2018 provides a number of exemptions from liability in health and social care, academia, journalism, national security or defence when a data breach occurs, if the data controller or processor can prove they were not in any way responsible for the event giving rise to the damage. This places the burden on you to demonstrate that your company has complied with the requirements of the UK GDPR and the data protection principles. You will need to show evidence of this through appropriate audit trails and training records.
Extent of exposure
There is a further risk that you could be held responsible, or vicariously liable, for an act by your employees. The question is whether the employee was acting in the course of their employment when the data breach occurred. This depends on the motives of the individual concerned, if they are identified.
In a case last year (Various Claimants v WM Morrison Supermarket) the individual who worked at Morrison’s in their payroll department was sending information to an audit company, but also uploaded all of the Morrison’s employees’ personal details to an online sharing portal.
The individual was found to be acting in the course of their employment, and so the High Court and the Court of Appeal held Morrison’s liable for the damage caused to its employees. However, the Supreme Court disagreed. It transpired that this individual had a grudge against Morrison’s and decided to take matters into their own hands. The Supreme Court decided that the act of uploading the data to the online portal was outside the course of their employment and held that Morrison’s was not liable.
What do we need to learn about data security?
There are a few points that could help you build a defence against a claim for a breach of GDPR:
- Train staff
- Use delivery delay on email
- If sending sensitive data, encrypt/password protect it; so, if it does reach the wrong person, they can’t access it
- If you have any doubt about whether you can share email addresses with other recipients, always use the BCC field
- Make sure you regularly conduct audits of your data processes
- Any changes that need to be made should be documented by taking careful notes and explaining why you have implemented these changes.
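The BCC point above is one that can be enforced by a control rather than left to memory. The following Python script is an added example, not code from the article or from any of the organisations it mentions: it acts as a pre-send guard that parses a draft message, counts the external addresses that every recipient would be able to see in To/Cc, and blocks the draft when that count exceeds a threshold, offering a rewritten draft with those addresses moved to Bcc. The internal domain, the threshold and the sample draft are constructed values chosen for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed values for the example (not from the article):
# drafts showing more than this many distinct external addresses in
# To/Cc are treated as a bulk mailing that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5
INTERNAL_DOMAIN = "example.org"  # constructed: addresses here are colleagues

# Constructed sample draft: six external people and one colleague, all visible.
SAMPLE_DRAFT = """\
From: casework@example.org
To: a.one@mail.test, b.two@mail.test
Cc: c.three@mail.test, d.four@mail.test, e.five@mail.test, f.six@mail.test, colleague@example.org
Subject: Update on your application

Please find the latest information attached.
"""


def visible_recipients(raw_message):
    """Return the distinct addresses that every recipient could see (To + Cc)."""
    msg = message_from_string(raw_message, policy=policy.default)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def external_addresses(addresses):
    """Keep only addresses outside the organisation's own domain."""
    return [a for a in addresses if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_draft(raw_message, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Pre-send guard: block a draft whose visible external recipient list
    looks like a bulk mailing. Returns a verdict the sending client can act on."""
    ext = external_addresses(visible_recipients(raw_message))
    blocked = len(ext) > max_visible
    return {
        "visible_external": len(ext),
        "blocked": blocked,
        "reason": (f"{len(ext)} external addresses are visible in To/Cc; "
                   "move them to Bcc" if blocked else None),
    }


def rewrite_to_bcc(raw_message):
    """Corrected draft: every To/Cc address moved to Bcc, sender placed in To
    so that the message still has a visible recipient."""
    msg = message_from_string(raw_message, policy=policy.default)
    recipients = visible_recipients(raw_message)
    sender = str(msg["From"])
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


if __name__ == "__main__":
    verdict = check_draft(SAMPLE_DRAFT)
    print(verdict)
    if verdict["blocked"]:
        print(rewrite_to_bcc(SAMPLE_DRAFT))
```

In a real deployment this logic would sit in a mail-client add-in or an outbound mail gateway rule, which is the same place a delivery delay is configured; the threshold should be low enough that a handful of genuine group emails are not disrupted but a list of several hundred recipients never leaves the organisation with the addresses exposed.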