A serious question in respect of the most recent issues within Ireland’s CervicalCheck screening service is whether the “IT problems” at Quest Diagnostics, and their consequences for some 800 women, amounted to a personal data breach under Regulation (EU) 2016/679 (otherwise known as the GDPR). It is serious because, if it was a personal data breach, then the HSE were obliged to consider notifying both the Data Protection Commission (DPC) and the women affected. If so, notification to the DPC should have taken place within 72 hours of the HSE becoming aware of the breach, whilst the women should have had to be informed “without undue delay”.
Was this a personal data breach?
The circumstances of the problem are not entirely clear, but the HSE’s official statement said:
“… Quest Diagnostics’ laboratories based at Chantilly in Virginia, USA, have delayed issuing cervical screening results to some women and their GPs, due to IT problems in how result letters were electronically triggered.”
On the face of it, that does not sound like a personal data breach. However, the Article 29 Data Protection Working Party in their 2017 “Guidelines on Personal data breach notification under Regulation 2016/679” are quite clear that:
“…an incident resulting in personal data [in this case patient HPV test results] being made unavailable for a period of time is a security breach. If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify.”
Most interestingly, the specific example of this given in the guidelines is this:
“In the context of a hospital, if critical medical data about patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms”.
I am not clear on what the IT problems were, or indeed exactly what was the cause of the delay in issuing results, but at the very least there is a clear indication that the issue impacted personal data, and the result was a considerable delay. Based on the personal data breach notification guidelines, these problems may well have amounted to a personal data breach.
Should there have been a notification?
One huge criticism of this delay is not just the delay itself, but the fact that it was not communicated until questions from an RTÉ journalist (prompted by concerns raised by one of the women affected) brought the issue into the public spotlight.
However, if this was a personal data breach, the notification requirements compelled notification within very short periods of time.
Notifying the Data Protection Commission
A notification is always required. The exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. In this case, I really can’t square this breach as “unlikely” to result in some risk to the rights and freedoms of the 800 women concerned. If I am right, then there should have been a notification to the Data Protection Commissioner within 72 hours after the HSE having become aware of the breach. I’m not aware of any such notification having been made.
Communicating a personal data breach to the data subjects
If the data breach is likely to result in a high risk to the rights and freedoms of the data subjects, then the breach has to be communicated without “undue delay”. That communication has to include substantive information about what has gone wrong, the consequences, and what is being done to address the breach.
The guidelines are once again helpful, and they make it clear that:
“this risk exists when the breach may lead to physical…damage for the individuals whose data have been breached.”
With some help from the framework adopted by ENISA (the European Network and Information Security Agency), I completed a risk assessment to determine whether this was a breach that required communication. My conclusion was that it was, particularly bearing in mind the potential for physical harm or psychological distress to those who were awaiting the results. However, risk assessments are never consistent in their outcomes, so alternative views might prevail, especially where they are endowed with a greater knowledge of the facts. Nevertheless, intuitively this is something that should have been raised very quickly and communicated.
Consequences for the HSE
From a data protection perspective, the sanctions available to the Data Protection Commissioner are more limited than if the HSE was a private body – the Data Protection Act limits administrative fines to €1m for public bodies, and in any event the fine goes straight back to the Department of Finance.
Of more relevance is the right of data subjects to bring a data protection action, against the HSE in this case, where they consider their rights have been infringed as a result of the processing of their personal data in a manner that fails to comply with data protection laws. What this may mean is that where data subjects have suffered material or non-material harm as a result of the breach, then they may have an opportunity to claim compensation through the Circuit or High Court.
So what?
The main point of this article is to raise awareness that data protection laws, like the GDPR, have far wider application and consequence than may first appear. In this case there was arguably a legal, and not just a moral, obligation on the HSE to have done more to inform affected women of the problems with the issue of their results far sooner than they did. This point is missing from the commentary I have seen, and one wonders whether the HSE have also reflected on the data protection implications of this problem.