
Q2 2023/24 (July to September 2023)

1. Bolstering online security and keeping systems safe is a must 

In recent years, cyber attacks have been one of the most common incidents affecting organisations, and many of the cyber incidents we see come from phishing. That’s what led to the reprimands issued to law firm Swinburne Snowball and Jackson (SSJ) and Gloucester City Council.

In January 2021, threat actors compromised an SSJ employee email account via a spear phishing attack and interfered with payments to beneficiaries of a probate matter, resulting in fraudulent payments. 

Our investigation found that SSJ did not have a suitable contract in place with its IT provider that defined the security requirements needed or the level of security required, and it did not have multifactor authentication in place for the affected email account.

In the case of Gloucester City Council, a December 2021 ransomware attack, delivered via a phishing email received from a legitimate third-party address, resulted in personal information being extracted and encrypted.

Our investigation found that the Council failed to prevent log tampering and did not have a centralised logging system or a security information and event management (SIEM) system in place. That meant the Council could not effectively monitor and respond to security incidents, detect suspicious activities, or identify potential threats. We also found that the Council did not recover access to personal information in a timely manner and was unable to determine whether specific groups of people were at risk as a result of the incident.

To avoid similar incidents, organisations should: 

  • Ensure all relevant staff receive training in identifying phishing attacks, in which attackers attempt to trick people into clicking a malicious link that downloads malware or into revealing their username and password. Organisations should consider tailoring the measures in the NCSC Phishing Attack guidance to their own organisation. 
  • Implement two-factor or multifactor authentication wherever it is possible to do so – to take the most common example, a password plus a one-time token generator. This is even more important for organisations that handle sensitive personal information. Read our Passwords in online services guidance.
  • Determine and communicate security requirements to a supplier and formalise responsibilities within a contract. As part of this, establish how to seek assurances a supplier has implemented appropriate levels of security. The NCSC supply chain security guidance provides practical examples of how to manage security within a supply chain. 
  • Make sure that access to personal information is restored in the event of any incidents, such as by establishing an appropriate backup process. Such recovery measures should be reviewed regularly to ensure they’re appropriate in large incidents that pose a risk to people through confidentiality, availability or integrity issues. 

For more advice, visit our security guidance for organisations. 

2. Use alternatives to BCC when sending emails containing sensitive personal information 

Failure to use blind carbon copy (BCC) correctly in emails is one of the top data breaches reported to us every year. These breaches can cause real harm, especially where sensitive personal information is involved.

In July 2023, we reprimanded the Patient and Client Council (PCC) and the Executive Office for disclosing people’s information by using inappropriate group email options.

The PCC sent an email to 15 people across Northern Ireland, each of whom had lived experience of gender dysphoria, using the carbon copy (CC) option. Although the body of the email did not contain personal information, the people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email. This could have been information the recipients would not wish to be shared with people unknown to them.

The Executive Office’s Interim Advocate’s Office, established following the report of the Historical Institutional Abuse (HIA) Inquiry, sent an e-newsletter to 251 subscribers using the ‘to’ field. Although only email addresses were disclosed, it can be inferred that the people included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging, with the HIA Inquiry compensation scheme.

To avoid similar incidents, organisations should:

  1. Consider using other secure means to send communications that involve large amounts of data or sensitive information. This could include using bulk email services, mail merge, or secure data transfer services, so information is not shared with people by mistake. 
  2. Consider having appropriate policies in place and training for staff in relation to email communications. 
  3. For non-sensitive communications, organisations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organisations.
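Both reprimands above came from putting a whole group in a visible recipient field. As an added example, not code from the ICO or from either office named here, the following builds one message per recipient (the mail-merge approach in point 1) and includes a check that refuses a message flagged as sensitive if more than one address is visible in To or Cc. The addresses, sender and subject are constructed for the illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed addresses standing in for a group whose membership is itself sensitive.
RECIPIENTS = ["a.person@example.org", "b.person@example.org", "c.person@example.org"]
SENDER = "support-team@example.org"


def visible_recipients(msg: EmailMessage) -> list:
    """Addresses every recipient will be able to see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg: EmailMessage, sensitive: bool) -> bool:
    """A sensitive message may expose at most one address to its reader."""
    return not sensitive or len(visible_recipients(msg)) <= 1


def build_group_message(sender: str, recipients: list, subject: str, body: str,
                        field: str = "Cc") -> EmailMessage:
    """The pattern behind the incidents: the whole list in one visible field."""
    msg = EmailMessage()
    msg["From"] = sender
    if field == "Cc":
        msg["To"] = sender          # sender in To, everyone else copied in
        msg["Cc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender: str, recipients: list, subject: str, body: str,
                              sensitive: bool = True) -> list:
    """One message per recipient, so no recipient learns who else received it."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        if not safe_to_send(msg, sensitive):
            raise ValueError(f"message to {addr} would expose other recipients")
        messages.append(msg)
    return messages


if __name__ == "__main__":
    group = build_group_message(SENDER, RECIPIENTS, "Newsletter", "Hello")
    print("group message safe:", safe_to_send(group, sensitive=True))
    for m in build_individual_messages(SENDER, RECIPIENTS, "Newsletter", "Hello"):
        print("individual message safe:", safe_to_send(m, sensitive=True), m["To"])
```

`safe_to_send` is the check to place in whatever sends on the organisation's behalf: it passes every per-recipient message and rejects both the Cc variant and the all-in-To variant of the group message. Bcc is deliberately not consulted, since a mail transfer agent strips that header before delivery, so nothing in Bcc is visible to recipients.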

For further advice on email best practices, view our full email and security guidance.

3. Consider the risks relating to personal information when using messaging apps for business purposes

While it’s not unlawful for organisations to use private messaging apps to conduct official business, they must have clear policies and processes in place so people’s information is handled appropriately and securely.

We reprimanded NHS Lanarkshire after 26 employees used WhatsApp to share patients’ personal information over the course of two years, including names, phone numbers and addresses. Images, videos and screenshots, which included clinical information, were also shared. A non-staff member was also added to the WhatsApp group in error, resulting in the inappropriate disclosure of personal information to an unauthorised person.

Our investigation found that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. For example, there was no assessment of the potential risks relating to sharing patient data in this way.

To avoid similar incidents, organisations should: 

  • Take a data protection by design and default approach before deploying new apps. That includes considering the risks relating to personal information and the requirement to assess and mitigate these risks in any approval process. 
  • Review all organisational policies and procedures relevant to new apps and amend where appropriate. 
  • Ensure explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed.

You can read all reprimands issued from January 2023 to date on our Enforcement webpage.

Q1 2023/24 (April to June 2023)

As we look back at the reprimands issued in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

1. Avoid inappropriate disclosure of personal information by having policies in place and training your staff

We reprimanded five organisations for disclosing people’s information inappropriately in the past three months: Achieving for Children, University Hospitals Dorset NHS Foundation Trust, Ministry of Justice, Parkside Community Primary School, and Thames Valley Police.

Whether not redacting a document properly or not disposing of it correctly, or displaying personal information on an electronic screen by mistake, what we found was that most organisations did not have appropriate processes and policies in place or adequate staff training. To avoid similar incidents, organisations should:

2. Respond to information access requests on time

We reprimanded Plymouth City Council and Norfolk County Council for failing to respond to Subject Access Requests (SARs) within the statutory timeframe.

People have the right to ask organisations for a copy of their personal information. This includes where they got their information from, what they’re using it for and who they are sharing it with.

Organisations must respond to a SAR within one month of receipt of the request. However, this could be extended by up to two months if the SAR is complex.

Read our guidance on SARs so you are prepared and take a proactive approach on dealing with requests.

3. Implement a data protection by design and default approach

Sussex Police and Surrey Police were reprimanded for rolling out an app that recorded phone conversations and unlawfully captured personal information. This case holds lessons for any organisation planning to introduce an app, product or service that uses personal information, including:

  • Development and deployment of any new apps should take a data protection by design and default approach from the very start.
  • You should consider the method and means of data processing, with action taken to ensure processing is compliant with data protection law prior to the app being deployed.
  • Data protection guidance should be issued to staff in respect of the use of any apps, with staff required to confirm that issued guidance has been read and understood.

As with any enforcement action, we expect organisations to improve their practices as set out in the reprimands we issue. We follow up to understand the changes organisations have made based on our recommendations. Other organisations can learn from these reprimands, so people’s information is handled appropriately.