Weekly Data Privacy Alert August 28, 2017
Changes to Rules on Whistleblowing in France
In June 2017, the CNIL published a revised norm for reporting systems (AU-004), which covers the general whistleblower protection and the internal reporting mechanism required for anti-corruption compliance programs (both of which were recently introduced into French law by the so-called “Sapin 2” law) and with which companies can self-certify compliance. Further information is available here.
ICO Fines Nottinghamshire County Council for Exposing Personal Information Online
On 31 August 2017, the Nottinghamshire County Council was fined £70,000 because it had left vulnerable people’s personal information exposed online for five years. An online directory, which had no access restrictions, included sensitive information such as the gender, addresses and care requirements of approximately 3,000 elderly and disabled people. The directory also revealed whether they had been or were still in hospital. The ICO found that this was a serious and prolonged breach of the Data Protection Act 1998, which requires organisations to take appropriate measures to keep personal data secure, especially when dealing with sensitive personal information.
NHS Staff Warned That Unlawfully Accessing Patient Records Is an Offence
A former healthcare assistant who pleaded to offences of unlawfully obtaining and disclosing personal data was ordered to pay a total of £1,715 in fines and costs by the ICO. Following a complaint by a patient, an investigation was opened and revealed that the healthcare assistant had accessed the records of 29 people and that some information had been subsequently shared with others. The ICO stated that this was a breach of patient confidentiality and a breach of the Data Protection Act 1998. The ICO has, therefore, warned NHS staff about the potentially serious consequences of prying into patients’ medical records without authorisation or a valid reason.