Health and Social Care has breached data protection rules again, after sending an email containing someone’s personal medical information to another person.
The Office of the Data Protection Authority confirmed last week that the HSC Committee has been reprimanded as a result, and told to ensure all of its employees are aware of “how and when to use technical security measures”.
Those measures must include training employees, and implementing clear policies, guidance and protocols to prevent data breaches such as this from happening.

The ODPA said the personal data was sent to the wrong person via email despite HSC “using a system that provided additional control over sent e-mails”.
After the email had been sent, HSC failed to revoke the incorrect recipient’s access to it because staff didn’t know how to. Instead, HSC asked the incorrect recipient of the email to delete the message without opening it.
While assurances were given that this would happen, the ODPA found that the incorrect recipient had accessed the email and shared its contents.
It was also revealed that HSC hadn’t alerted the ODPA to this data breach, believing the threshold for notifying the authority hadn’t been reached.
But because the email contained medical information, which is defined as “special category data” and is supposed to be treated with a higher level of security, HSC should by law have notified the ODPA of the breach.

The Office of the Data Protection Authority confirmed that it imposed a reprimand against HSC for the above breaches of the Data Protection Law, last week.
The Committee for Health and Social Care was reprimanded because it has ultimate responsibility for all health and social care matters in Guernsey.
This is believed to be the fourth time the Committee has been reprimanded by the ODPA since data protection laws were introduced in May 2018.