“Appalling”

The British Pregnancy Advisory Service has just received a Civil Monetary Penalty of £200,000 for breaching the seventh principle of the Data Protection Act. A hacker, intent on vandalising the BPAS website, discovered a vulnerability in its coding. The details of thousands of women who had requested a call back about BPAS’ various abortion and contraception services were stored on the site, and the hacker was able to steal them.

The hacker, James Jeffery, threatened to reveal the names of the individuals, and has subsequently been convicted for offences under the Computer Misuse Act. There is no question that Jeffery’s threats to invade the privacy of innocent women were disgraceful, and he has rightly been punished. BPAS has announced that it intends to challenge the ICO’s CMP, and I don’t argue with that. The Information Commissioner’s recent interview with the Independent suggests that he doesn’t properly understand how his powers work, and the loss of the Scottish Borders CMP appeal (a CMP I don’t believe should ever have been issued) suggests he is not alone. The ICO’s use of its CMP powers is disproportionately focused on security and the public sector. The absence of an enforcement strategy for inaccuracy, which can be at least as harmful as poor security, is a disgrace.

However, whatever you think of the narrow issues of the size and nature of the BPAS CMP, the organisation’s approach to the case is a matter of real concern. I’ve written in the past about the annoying habit of data controllers to claim, in the face of some obvious and avoidable cock-up, that they take data protection very seriously when all of the evidence suggests that they don’t. Inevitably, BPAS joined in: “bpas takes any data breach immensely seriously and we were appalled that any information we hold had been compromised”.

Jeffery’s criminal actions are not a shield for BPAS’ failings. I agree with the ICO’s characterisation of them as ‘unforgivable’. As the ICO CMP notice explains – and BPAS does not dispute – BPAS did not even know that a copy of all requests for a callback was retained on their website, making a series of assumptions about the way their website worked without actually finding out. In retaining callback requests for many years, BPAS breached the fifth data protection principle by keeping information for longer than they needed it. By storing sensitive (in the dictionary sense of the word) personal data insecurely, they breached the seventh principle, which requires organisations to take appropriate technical steps to prevent both ‘unauthorised’ and ‘unlawful’ processing. This means that data controllers have to try to prevent criminal breaches as well as accidents and cock-ups – the greater the risk of a criminal attack, the stronger the security needs to be.

Every organisation is potentially at risk from a hacker and so needs to take basic steps. BPAS routinely handle medical information, and describe themselves as the UK’s leading abortion provider. The likelihood of BPAS being hacked is much greater than it would be for other organisations, and the consequences for their clients of data being hacked are more damaging. What security is ‘appropriate’ for BPAS is much greater than the norm, and yet their approach had all the competence and planning of a parish council. They deserve to be criticised and perhaps punished, as they have betrayed the trust of every woman who has contacted them. Whatever your view of abortion rights, women should be able to contact an abortion provider in complete confidence. For several years, BPAS has failed to deliver on this. Jeffery was only able to access the data because BPAS left it there.

In the light of this, BPAS’ public approach to the CMP causes me great concern. Most of the statement on their website is about Jeffery’s actions, trying to create the impression that the fault is largely with him. A quote from the Chief Executive, Ann Furedi, makes this explicit. She says: “bpas was a victim of a serious crime by someone opposed to what we do”. BPAS is not the victim here; the victims of Jeffery’s actions were the people who contacted the organisation. BPAS is at pains to play down the significance of the information that was stolen: “These were not personal medical records of women who had undergone treatment at bpas and such records were never at risk”. Given that the BPAS website makes it clear that their main activity is abortion, were the records to be revealed (something made possible because of BPAS’ poor security), they would have been data about women who were likely to be seeking an abortion. No amount of sophistry can reduce the sensitivity of this information. As the ICO points out: “Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker”. It isn’t good enough for BPAS to claim that the risk to these women was entirely down to Jeffery; they put their clients in this position, especially given that hacking and criminal attack is regrettably but obviously part of the landscape in which they work. A statement made in 2012 at the time of the incident was even worse, as it claimed “the confidentiality of women receiving treatment was never in danger”, neglecting to say that the confidentiality of many women who contacted them possibly seeking treatment was unprotected.

Behind the scenes, BPAS may well be putting their house in order diligently and enthusiastically. Their public statements paint the organisation as a victim, but they are also guilty of significant failings and it may be that they realise that and simply don’t want to admit it publicly. It doesn’t give me confidence that they’re going to improve security, and a more transparent admission of what went wrong would be better. The worst thing about their attempt to manage the bad news and spin their way out of the headlines, however, has nothing to do with security or their position or the ICO fine. In none of BPAS’ public statements, or the interviews I have heard Furedi give, is there an apology to the women. They see the ICO’s actions as “appalling” and are horrified by what has happened to them, but for the women, there isn’t even regret.

Everyone thinks Data Protection is about computers and policies and dry, tedious sections of the law. It’s not. Data Protection is about people. It is about protecting their data, communicating with them, and it’s about the actions of people who handle data. It’s a uniquely human topic. The important issue here is not BPAS’ reputation. It is the protection of the identities of the people who BPAS exist to serve. BPAS let them down and should apologise to them now.

KLF Revisited*

On June 1st 2012, the Chief Executive of Brighton and Sussex University Hospital Trust, Duncan Selbie, gave a statement about the threatened ICO Civil Monetary Penalty of £325,000 for a Data Protection breach involving the insecure disposal of hard drives by a subcontractor. In the statement, Mr Selbie said the following:

In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.

Despite these stirring words, the Trust paid up shortly afterwards. Unaware of another FOI request on WhatDoTheyKnow that had already revealed the crucial information, I made my own request to the Trust a few weeks ago about various aspects of the case, including whether they had paid for external advice. Several public bodies have told me that they were tempted to challenge their CMP, but the cost put them off. Given Brighton’s later statement that they were “not prepared to incur further costs”, I guessed that they must have been paying someone, and wondered how much they had paid out. Much of my request was refused, but one answer they did give me was that particular fact.

Brighton paid £168,259.59 in legal fees to Field Fisher Waterhouse up until the point that they paid the penalty, and £10,000 to a barrister. As well as the CMP itself, Brighton paid out an extra £180,000, with nothing to show for it. When the story was originally leaked to the local press in January, the CMP was supposedly £375,000, so the best that can be said is that they shaved off £40,000 (£50,000 minus the 20% discount they got from paying on time). The Interim Chief (who replaced Selbie) stated when the penalty was paid that “We have made repeated attempts over the past six months, most recently last week, to reach a settlement that recognised that errors were made but no harm arose, all of which have been rejected by the Information Commissioner’s Office”. If this was what FFW were being paid to handle, is it possible that £180,000 of public money was spent trying to spare the Trust’s blushes?

You will think me self-serving for saying so, but I think that any organisation that finds itself in this pickle could find better things to spend public money on. For starters, they would have saved a fortune by paying up and doing nothing else. However, I think I speak on behalf of all of my competitors when I say that if you want to spend money in response to a Data Protection incident, the only way training and consultancy will cost you £180,000 is if the training sessions are accompanied by the London Symphony Orchestra, the sandwiches are provided by Ferran Adria and the training rooms are decorated by Elton John’s florist.

Stewart Room is possibly the most high profile of FFW’s lawyers and in a recent blog on CMPs he claimed that they are “stupid” and an “inefficient waste of time and money”. I believe that Room’s take on CMPs is wrong, but in any case, it’s difficult to accept lectures about where public money ends up in a CMP case from someone whose firm trousered the thick end of two hundred grand of it. Given his concern about keeping public money “in the public body”, one can only assume Room refused to have anything to do with the Brighton case. Just to recap the details, Brighton had an out-of-date service level agreement with their contractor (para. 4 of the CMP notice). They let a man into a secure area of their building without – it appears – knowing he was an unpaid subcontractor (para. 5). From the notice, it’s not clear who they thought he was when they let him in, and they did not obtain proper evidence of destruction of the hard drives from him (para. 6). The individual managed to remove 200 hard drives containing information about people’s sexual health without Brighton knowing (para. 11). And of course, all of this mess happened because Brighton were operating a system where sensitive personal data of the most confidential kind was being stored on 1000s of hard drives, which may be a bigger breach than the one that alerted the Commissioner. If these are ‘appropriate technical and organisational measures’, I am a banana. Unlike so many CMPs, this was not human error underpinned by the absence of some policy or training; this looks like a complete system failure, for which the senior corporate level are responsible. A challenge to this CMP was unwinnable and should have been unthinkable.

But even if Brighton’s case had not been open and shut, the apparent cost of challenging a decision has to become a matter of public concern. Central London Community Healthcare NHS Trust is appealing their CMP at the Information Tribunal in December. Their case appears to have some merit and it’s very different to Brighton’s. But their penalty was £90,000, and within the 35-day deadline, they would have paid the discounted rate of £72,000. This is now lost. If they are using a legal firm of similar stature and hourly rate to FFW, that £72,000 may have already been swallowed, and they have set themselves a high bar to clear. They have to win, get the penalty overturned, and get their costs awarded against the ICO. Anything less than that is indefensible, even if they’re right. Needless to say, the same chap who asked Brighton about their costs has now asked CLCH the same question.

To win at the Tribunal on a security case, there are only two options. The breach is not the incident, so the organisation needs to show it has put all the necessary technical and organisational measures in place, and checked that they are being followed. Relatively few organisations can achieve this; they escape CMPs only because they don’t have incidents or they don’t tell the ICO about them. The only alternative to appropriate compliance would be to find some procedural loophole or flaw in the ICO’s process – paragraph 3.1.3 of the minutes of the ICO’s July Information Rights Committee suggests this might be a possibility. FFW employ the former ICO Head of Enforcement as a consultant, but even if he has some cracking inside information about the ICO process, was it really worth £170,000 to find out what it is? Beating a CMP on a technicality will not change the fact that an organisation has breached the DPA, and the combined expertise of all those involved at FFW didn’t seem to help Brighton do anything but back down.

Organisations should be able to challenge the ICO. FOI has proved time and again that the ICO is not infallible and Tribunal intervention is sometimes necessary to protect the public interest in non-disclosure as well as disclosure. Friends tell me that the cost of an FOI challenge is relatively low, especially on a paper hearing, and can often be justified. Challenging a vexatious request can even save money in the long run, given the amount of staff time that can be squandered on a run of requests that a Tribunal success can put a stop to (fingers crossed, Devon). Even Michael Gove’s misbegotten run at the Tribunal over private emails only cost £13,000 – a waste of money, but a snip compared to £180,000. If a CMP recipient with a decent case can challenge the ICO without huge cost, I’ll root for them all the way. It would be good to see the ICO’s CMP approach tested and a bit of embarrassment for Wilmslow is rarely a bad thing. But no matter how aggrieved the organisation may feel, good governance must put a low ceiling on legal costs. The subtle subliminal message of this blog may be BUY TRAINING NOT LAWYERS, BUY TRAINING NOT LAWYERS, but it could equally be a case for more IT security staff or DP staff, better IT systems, or more curious auditors. Had Brighton paid some contract lawyers earlier on, I would not be writing this, and I doubt the bill would be anything like the current figure.

Mr Selbie is now Chief Executive of Public Health England, but he still needs to explain why his public statement about public money is so at odds with the internal decisions made on his watch. Brighton has a management board, auditors, and regulators, all of whom have questions to answer about this mess. I spend much of my time on this blog excoriating the ICO and I also complain about the raw deal that local public authorities get at their hands, especially under DP enforcement. But this one is different – the ICO got it right, and the shocking thing about Brighton’s handling of the case is that in receipt of the biggest penalty in DP history, they contrived to increase it by more than 50%. In a time of austerity, that’s a heavy price to pay.

http://www.youtube.com/watch?v=i6q4n5TQnpA