Home Knowledge ICO Sanctions Heralds Dawn of New Era for Data Breach Fines under GDPR

ICO Sanctions Heralds Dawn of New Era for Data Breach Fines under GDPR

July 18, 2017
Partner
David Cullen

 

The ICO has ruled that the Royal Free Hospital in London breached the UK Data Protection Act 1988 when it shared 1.6 million patient records with Alphabet’s DeepMind, a sister company of Google. The shared data was used to test a new app built on artificial intelligence called Streams. The healthcare app has been designed for the diagnosis and detection of acute kidney injury. However, the ICO ruled that the hospital failed to adequately inform patients that their data would be used as part of the test. 

The ICO found that sensitive personal data was used in a way “that data subjects would not reasonably expect or to which have not directly consented”.  A significant factor that affected the ICO decision was that the data transfer was so broad in scope. For instance, a patient who presented in the last five years at an accident or emergency department or radiology who had little or no prior engagement with the hospital could not reasonably expect their data would be transferred to a third party to help develop a new mobile application. Although there were a number of shortcomings overall, the decision turned on non-compliance with the following four key data protection principles:

  • That personal data must be shared fairly and lawfully.
  • That it should be adequate relevant and not excessive. 
  • That it must be processed in accordance with the rights of data subjects. 
  • And that it failed to demonstrate that the appropriate technical and organisational controls were taken.  

Notwithstanding the material nature of the breaches and the volume of sensitive personal data shared, the commissioner opted not to impose the maximum fine. Instead she decided to require the hospital to give undertakings around future performance. 

The ICO decision is significant as it is likely to be one of the last cases of this nature to involve sanctions solely for the data controller. When the General Data Protection Regulation (the “GDPR”) comes into effect in May 2018, processors will bear more compliance risk. The GDPR is based largely on principles of transparency and accountability and processors will likely have to engage in contracts by which they will assume significantly more obligations and risk. These obligations combined with the new general conditions for imposing administrative fines under the GDPR will expose processors (and controllers) to significant financial risk in cases like this. Certain breaches will attract a maximum fine of €20 million or 4% of global turnover. Given these new stricter obligations it is likely that post May 2018 a breach on a similar scale will result in both the controller and the processor being exposed to greater fines and sanctions.

For further information, visit William Fry’s dedicated website to the GDPR, PrivacySource, which includes in-depth analysis and practical tips on preparing for the GDPR.

Contributed by: Brian McElligott

 

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all