Silent Witness is a BBC crime drama about a team of forensic pathology experts and their investigations into various crimes – it’s a bit like American hit shows Bones and Law & Order. In a recent episode, a cyber hacker steals the files of 30,000 patients from a hospital, and then extorts the hospital for payment. As medical secrets are leaked, several murders are tied to the data breach.
In addition to the criminal investigations, boardroom drama ensues when the hospital chief is questioned about the (apparently awful) cyber security firm he selected. It was at this point that I turned to my husband in disbelief and said, “where on Earth is the hospital’s data protection officer!?”
Of course, television dramas are entitled to their artistic licence. I’m not sure data protection officers make for enthralling plot devices, if I’m honest. But shows like this demonstrate just how mainstream data breaches, cyber security and the hacking of personal data have become. In fact, many non-lawyers are now familiar with at least some concept of data protection legislation.
With just four months to go until the new General Data Protection Regulation (“GDPR”) comes into effect and replaces the Data Protection Act 1998, here is a reminder as to when a private organisation is required by law to have a data protection officer (“DPO”).
Firstly, the GDPR applies to all organisations established within the European Union which collect, handle, process or store personal data (and, under Article 3, to organisations outside the EU which offer goods or services to, or monitor the behaviour of, people in the EU). Under Article 37, a DPO is mandatory for any public authority or body, and for private organisations – to include private hospitals and the Lyell Centre of forensic pathology on Silent Witness, presumably – whose core activities consist of either of the following on a large scale:
- regular and systematic monitoring of data subjects; or
- processing special categories of data, or data relating to criminal offences.
Unhelpfully, the GDPR provides little explanation as to what this actually means, and several of the terms used above are not defined by the law itself. It is important to remember that it’s not only businesses that are confused about compliance: uncertainty and ambiguity are key complaints from lawyers, too. The Article 29 Working Party (“WP29”), a European Union advisory body, does however provide guidance on the practical interpretation of these terms in its Guidelines on Data Protection Officers (WP 243):
- “Regular and systematic monitoring” covers all forms of tracking and profiling on the internet, including behavioural advertising and website cookies, but is not limited to the online environment: WP29 also gives credit scoring, location tracking by mobile apps, loyalty programmes and CCTV as examples. “Regular” is read as ongoing or recurring at particular intervals; “systematic” as occurring according to a pre-arranged, organised or methodical system.
- “Special categories of personal data” are listed in Article 9 and include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health (a hospital’s stock in trade), and data concerning a person’s sex life or sexual orientation. “Data relating to criminal offences” (Article 10) is rather self-explanatory. Due to the sensitivity of this information, the GDPR requires additional protections for processing such data.
- “Core activities” are the key operations necessary to achieve the organisation’s goals or primary objectives, usually within a commercial context. For example, processing data for payroll and employment purposes is considered “ancillary” activity, rather than a core activity. Conversely, a hospital needs to process patient health data to provide healthcare services safely and effectively. This is a key objective for the hospital, so processing should therefore be considered a core activity.
- “Large scale” processing operations are those which involve a considerable amount of personal data at regional, national or supranational level, or those which concern a large number of data subjects. Again, “large scale” is a term not defined by the GDPR, but WP29 recommends that an organisation consider the number of data subjects (as a specific number or as a proportion of the relevant population), the volume or range of data items, the duration or permanence of the processing, and its geographical extent.
From a practical perspective, failing to put data protection under proper care and supervision exposes an organisation to more than regulatory risk. Financial penalties are tiered: infringements of the DPO provisions (Articles 37 to 39) attract fines of up to €10 million or 2% of worldwide annual turnover, while the most serious infringements, such as breaches of the basic principles of processing or of data subjects’ rights, attract up to €20 million or 4% of worldwide annual turnover, whichever is higher. Beyond these sanctions, a company should consider the non-financial harm a data breach can cause: reputational damage, loss of customer goodwill, and the costs of litigation associated with a company’s failure to protect personal data.
To be fair, the Silent Witness episode in question aired only last week, well in advance of the GDPR implementation date of 25 May 2018. But after the Regulation comes into effect this spring, perhaps BBC scriptwriters will entertain the idea of writing the role of a DPO into some of their shows. Who knows – doing so might even inspire a young viewer to consider a career in data protection…