Cyber security incidents, and ransomware attacks in particular, are becoming more common for public authorities. The recent ransomware attack on the NHS deployed malicious software that encrypted data and locked users out of affected systems; a ransom was then demanded to restore access. It demonstrates that public sector organisations are prime targets for such attacks.
Local authorities in particular hold significant volumes of personal data, including sensitive personal data, which makes them attractive targets. Recent responses to freedom of information requests made by The Times suggest that 115 of the 430 local authorities in the UK have been hit by ransomware-type attacks in the past 12 months alone.
When it applies from 25 May 2018, the General Data Protection Regulation will up the ante considerably in relation to the security of personal data. It will make it mandatory for local authorities to notify the ICO of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The time limit for notification is tight: 72 hours from becoming aware of the breach, where feasible. A failure to notify exposes local authorities to the vastly increased fines under the GDPR. It attracts the lower tier of fine, but when you consider that the lower tier runs to €10m (approximately £9m), this should be enough of a deterrent.
When it comes to data security, local authorities will need to ensure that they have appropriate technical and organisational measures in place to maintain the security of personal data, including encryption, pseudonymisation and properly configured firewalls. In addition, local authorities will need to carefully consider the engagement of processors such as IT contractors to whom they might outsource the provision of IT systems or services.
Such an arrangement between the authority and the IT contractor is likely to result in a controller-processor relationship under the GDPR. Whilst it is already the case under the Data Protection Act 1998 that controllers must have a written contract with their processors, under the GDPR the list of provisions that must be included in that contract is greatly increased. In addition, the GDPR requires controllers to use only processors that provide sufficient guarantees, which means carrying out due diligence on them. This will include ensuring they are satisfied that their processors have themselves implemented appropriate measures to meet the requirements of the GDPR, particularly in relation to the security of any personal data.
Whilst currently it may be the case that many data breaches are going undetected by controllers because IT contractors are not informing them of such breaches, this should change under the GDPR. This is because under the GDPR, processors will have their own obligations in relation to data protection compliance. One of those obligations is to notify the controller, without undue delay, after becoming aware of a personal data breach. Whilst this obligation is imposed on the processor by the terms of the GDPR itself, it would be advisable for controllers, when they review or enter into contracts with their processors, not only to include the mandatory list of provisions required by the GDPR but also to reinforce the obligation to report a breach to the controller in the body of the contract, ideally with a specific reporting deadline (for example, within 24 hours of discovery) so that the controller retains enough of its own 72 hours to act.
That should deal with the issue of the controller being unaware that breaches have occurred. The next issue, and arguably the more important one for local authorities, is whether, upon being told of a data breach by a processor, the local authority can comply with the 72-hour notification timeframe. That clock starts when the authority itself becomes aware of the breach, which will normally be when the processor informs it. Within this short timeframe, the authority will need to take steps to contain the breach, mitigate its effects where possible and prepare a notification report. Where the full facts are not yet known, the GDPR allows the information to be provided in phases, but the initial notification must still be made within the 72 hours, and every breach must be documented internally whether or not it is notified to the ICO.
It will be imperative, therefore, that local authorities have a breach response procedure that guides them through the process so that they can deal with the matter as efficiently and effectively as possible.
Lowri Phillips is partner at Geldards