A “mistake” resulted in the “leak” of 780 e-mail addresses of patients who attended an HIV clinic in London.
From the BBC News website.
A London sexual health centre mistakenly leaked the details of nearly 800 patients who have attended HIV clinics, bosses have admitted.
The 56 Dean Street clinic in Soho sent out the names and email addresses of 780 people when a newsletter was issued to clinic patients.
Patients were supposed to be blind-copied into the email but instead details were sent as a group email.
The clinic blamed the breach on “human error”.
Listening to the story on the radio, it struck me that there were some key messages about training, about understanding a changing and complex digital landscape, and about digital capability within organisations.
There are some key digital capability lessons that come out of this incident. Why was “simple” e-mail used to send out a newsletter when there was a risk of leaking sensitive data? A mailing-list or newsletter service addresses each recipient individually, so there is no Bcc field to get wrong.
Had the staff member received training in:
- Data literacy, the principles of data protection;
- e-Mail usage: not just how to use e-mail, but also the correct procedures and processes for different kinds of e-mail.
From a policy and procedural perspective, was a risk assessment undertaken, and were there formal checking processes for the use of sensitive personal data?
Was the team aware of the range of tools and services that could be used to send out a newsletter? How would they be made aware? Who was responsible for this within the clinic?
Whilst the leak was human error, it could have been mitigated or avoided with a better understanding of the issues involved and of the digital tools used, and available, for sending out newsletters.
The Information Commissioner’s Office (ICO) has been informed and will be making enquiries. Fines for breaches of the Data Protection Act 1998 can reach £500,000.
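The Bcc mistake described above is one a mail client will happily let you make. As an added example (not code from the article or the clinic), the Python below builds a bulk mailing with the recipients in Bcc, shows the mistaken form with everyone in To, and runs a pre-send check that refuses any message whose visible headers would disclose other recipients. The sender address, the sample recipients and the rule that a bulk mailing may show no address other than the sender’s are constructed assumptions.

```python
"""Added example (not code from the article or the clinic): build a bulk
mailing so that recipient addresses travel in Bcc only, and run a pre-send
check that refuses any message whose visible headers would disclose other
recipients. The sender address, sample recipients and the rule that a bulk
mailing may show no external address are constructed assumptions."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@clinic.example"   # constructed sample sender
# Constructed sample recipients (the real incident involved 780 addresses).
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_bulk_message(sender, recipients, subject, body):
    """Correct form: sender in To (so the header is not empty), recipients in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_group_message(sender, recipients, subject, body):
    """The mistake in the incident: every recipient listed in the visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def as_delivered(msg):
    """The copy each recipient receives. smtplib.send_message() deletes Bcc and
    Resent-Bcc from a copy before handing it to the server; mirror that here."""
    delivered = copy.copy(msg)
    del delivered["Bcc"]
    del delivered["Resent-Bcc"]
    return delivered


def envelope_recipients(msg):
    """Addresses the mail server is asked to deliver to: To + Cc + Bcc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr for _, addr in getaddresses(fields) if addr})


def disclosed_recipients(msg):
    """Addresses every recipient can read in the delivered headers (To + Cc)."""
    delivered = as_delivered(msg)
    fields = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    return sorted({addr for _, addr in getaddresses(fields) if addr})


def safe_to_send(msg):
    """Pre-send guard for bulk mail: no address other than the sender's own may
    appear in the headers all recipients will see. Returns (ok, exposed)."""
    sender = str(msg["From"])
    exposed = [a for a in disclosed_recipients(msg) if a != sender]
    return len(exposed) == 0, exposed


if __name__ == "__main__":
    good = build_bulk_message(SENDER, RECIPIENTS, "Clinic newsletter", "Hello")
    bad = build_group_message(SENDER, RECIPIENTS, "Clinic newsletter", "Hello")
    print("bulk (Bcc) message safe to send:", safe_to_send(good))
    print("group (To) message safe to send:", safe_to_send(bad))
```

The check is deliberately about what recipients will see, not about what the server is asked to deliver: the two messages have the same envelope, and only the headers differ. A guard of this kind belongs in whatever tool staff actually use to send bulk mail, since a policy that relies on remembering which address field to use is exactly what failed here.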
So could this happen in education?
Well, yes. Sadly it happens all the time, perhaps not with the same level of harm and distress as the breach at the NHS clinic, but universities and colleges do leak personal information and breach the principles of the Data Protection Act.
The ICO publishes regular reports on the action it takes against organisations that breach the Data Protection Act.
One university recently had to sign an undertaking to ensure that no future breaches of the data protection principles would take place, after an incident in which the personal data of a group of students, held in a spreadsheet, was sent out.
…a spreadsheet containing personal data, including exam results, of 1831 students and applicants was sent in error to 22 students. The spreadsheet was being used to assign coursework titles and associated instructions for a module, however the relevant information was not extracted from the spreadsheet and it was sent out in its original form.
Staff work on spreadsheets containing personal data all the time. Unless there are processes and checks in place, and an understanding of the issues relating to the use of personal information (data literacy), there is a risk of leaks of personal data.
The spreadsheet had been worked on by and transferred between several employees of the data controller prior to being sent out in error. No formal checking process was in place and it was not recognised that irrelevant personal data was contained on the spreadsheet being sent out.
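The ICO’s wording, “the relevant information was not extracted from the spreadsheet”, points at a checking step that can be made mechanical. As an added example (not from the ICO notice or the university), the Python below projects a working spreadsheet onto the columns the stated purpose needs and reports any remaining column whose header or values look like personal data. The sample sheet, the choice of purpose columns and the keyword list are constructed assumptions; the heuristic supports a human check rather than replacing one.

```python
"""Added example (not from the ICO notice or the university): a formal
checking step for a spreadsheet about to leave the organisation. It projects
the sheet onto the columns the stated purpose needs and reports any remaining
column whose header or values look like personal data. The sample sheet,
the purpose columns and the keyword list are constructed assumptions; the
heuristic supports a human check, it does not replace one."""
import csv
import io
import re

# Constructed sample: a working sheet that mixes coursework allocation (the
# purpose of the mailing) with identifying details and exam results.
SHEET = """\
student_id,name,email,exam_result,coursework_title,instructions
s1001,Alice Example,alice@example.org,72,Threat modelling,Submit by week 9
s1002,Bob Example,bob@example.net,58,Secure coding,Submit by week 9
s1003,Carol Example,carol@example.com,91,Incident response,Submit by week 10
"""
# Assumed: only these columns are needed to tell students their coursework.
PURPOSE_COLUMNS = ["student_id", "coursework_title", "instructions"]
SENSITIVE_HEADER_WORDS = ("name", "email", "result", "mark", "grade", "dob", "address")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def load_rows(text):
    """Parse CSV text into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def minimise(rows, keep):
    """Data minimisation: keep only the purpose columns, in the given order."""
    if rows:
        missing = [c for c in keep if c not in rows[0]]
        if missing:
            raise ValueError(f"purpose columns not in sheet: {missing}")
    return [{c: row[c] for c in keep} for row in rows]


def suspicious_columns(rows):
    """Map column -> reasons for columns that look like personal data."""
    flagged = {}
    for col in (rows[0] if rows else {}):
        reasons = []
        if any(word in col.lower() for word in SENSITIVE_HEADER_WORDS):
            reasons.append("header")
        if any(EMAIL_RE.match(row[col] or "") for row in rows):
            reasons.append("email-like values")
        if reasons:
            flagged[col] = reasons
    return flagged


def check_before_sending(rows, keep):
    """Return (ok, findings, export). ok is True only when the minimised export
    has no flagged column; findings says what would still be disclosed."""
    export = minimise(rows, keep)
    findings = suspicious_columns(export)
    return not findings, findings, export


def to_csv(rows):
    """Serialise the export back to CSV text for attachment or upload."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = load_rows(SHEET)
    print("original sheet flags:", suspicious_columns(rows))
    ok, findings, export = check_before_sending(rows, PURPOSE_COLUMNS)
    print("minimised export ok:", ok, findings)
    print(to_csv(export))
```

Run against the full working sheet, the check flags the name, e-mail and exam result columns and refuses; run against the minimised export it passes. The export is a fresh file, which matters for the point made later about document history: stripping columns from the shared original leaves the earlier versions in place.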
One of the key mechanisms to avoid these kinds of problems is providing training and support. The university in this case did provide training in this area, but it was not effective in stopping the leak; part of the reason was the low uptake of the training.
Data protection training was available on demand but only 461 of approximately 6000 staff (7.7%) had taken this during the year prior to the incident.
Though we don’t know why the majority of staff had not taken the training, from my own experience and based on the research in the project there are some key reasons why staff do not take up the training on offer.
- Staff feel they don’t have the time for the training; in reality this is not a time issue but one of priorities.
- Staff assume they know this stuff: they perceive they are already capable in this area and don’t need further training or updating, or they think it is not relevant to their role.
- Managers assume their staff know how to use digital tools and services, not just mechanically but with full awareness of the social and legal facets of their use. Ask people if they can use e-mail and the majority will say yes.
- Training is often seen as a one-time thing that then lasts forever, which assumes that technology doesn’t change. You may know not to e-mail spreadsheets of personal data around, but with cloud services such as Office365 and Google Apps, sharing spreadsheets (and other documents) is now just one click away. Because these services often keep a document’s version history (a feature), merely deleting personal data from the current version before sharing may not be sufficient: the deleted data can remain visible in earlier versions to the people the document is shared with. Regular updating is important as the technological landscape changes.
What lessons can we learn?
- The importance of understanding the digital literacy (in this case data literacy) and skills (capabilities) of your staff.
- The value of processes and procedures that can be easily followed when handling digital data.
- Digital capability is more than just understanding the mechanistic use of digital tools and services; there are wider social, ethical and legal implications of using them.
- The value of effective training, support and updating.
- The importance of understanding the digital landscape when choosing tools for activities (especially those activities involving sensitive information).
The leak of personal data from the NHS clinic is an awful incident, and will be distressing for those patients whose details were shared. Data literacy and effective use of e-mail (ICT proficiency) are just two aspects of digital capability that, in these two incidents, were assumed to be in place and understood by the staff involved; sadly they weren’t.