Isle of Man: Information Commissioner fines Manx Care £170,500 for failing to comply with enforcement decision

The Information Commissioner published, on 16 August 2022, its decision, as issued on 13 July 2022, in which it imposed a fine of £170,500 on Manx Care Limited for violations of Articles 5(1)(c), 5(1)(f), 5(2), 24, 25, 32, 34, and 58 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), for failing to comply with the enforcement decision issued on 25 February 2022.

Background to the notice

In particular, the Information Commissioner noted that in October 2021, Manx Care emailed an insecure attachment containing one patient's confidential health data to 1,870 different recipients. The Information Commissioner subsequently issued an enforcement notice to Manx Care, and found that Manx Care failed to comply with that enforcement notice, which led to the aforementioned penalty.

Findings of the Information Commissioner

Notably, the Information Commissioner stated that Manx Care had committed the following infringements:

  • the transmission of personal data and special category data to any party unconnected with the community care of the patient is not adequate, relevant, and limited to what is necessary in relation to the purposes for which they were processed and infringes Article 5(1)(c) of the GDPR;
  • Manx Care did not process the personal data and special category data of the patient in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures and infringed Article 5(1)(f) of the GDPR;
  • failure to be responsible for, or demonstrate compliance with the principles of data protection pursuant to Article 5(2) of the GDPR;
  • failure to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Annex to the Data Protection (Application of GDPR) Order 2018, including a lack of data protection policies and internal procedural guidance for staff, infringing Article 24 of the GDPR;
  • failure to implement appropriate technical and organisational measures, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of Article 25 of the GDPR;
  • failure to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed pursuant to Article 25(1) of the GDPR;
  • failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons caused by the transmission of personal data and special category data to any party unconnected with the treatment of the patient, infringing Article 32 of the GDPR;
  • Article 34(1) of the GDPR, by failing to communicate the personal data breach to the data subject 'without undue delay' and only after having been 'required' to do so by the Information Commissioner;
  • Article 34(2) of the GDPR, by failing to include all the requisite information in its communication to the data subject; and
  • failure to comply with the Enforcement Notice, infringing Article 58 of the GDPR.

In addition, in deciding the proposed fine, the Information Commissioner noted, among other things, the following aggravating factors:

  • the data disclosed related to health, which is special category data;
  • despite the Enforcement Notice issued in October 2020, including the requirement for Manx Care to implement such measures, Manx Care failed to do so and did not have appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • the lack of measures implemented; and
  • similar personal data breaches were reported to the Information Commissioner in January 2022.

Outcomes

In conclusion, the Information Commissioner decided, in this case, to stay payment of the penalty until 31 December 2022. Furthermore, the Information Commissioner highlighted that the stay is dependent on Manx Care demonstrating that it has implemented appropriate technical and organisational measures by 31 December 2022, and that failure to do so will mean that the penalty becomes payable.

You can read the press release here and the penalty notice here.

(UPDATE) 12 January 2023

Information Commissioner extends stay period for penalty due to progress

The Information Commissioner announced, on 11 January 2023, that it had decided, on 5 January 2023, to issue a penalty variation notice, regarding the aforementioned decision and fine imposed on Manx Care. In particular, the Information Commissioner explained that Manx Care had recently engaged constructively with the Information Commissioner and that the Information Commissioner is satisfied with the progress reported by Manx Care for the period between 27 November and 26 December 2022. Furthermore, the Information Commissioner noted that, although Manx Care has commenced the implementation of technical and organisational measures to ensure the security of patient data being distributed internally, there is still significant work to be completed.

However, given the progress that has been made, the Information Commissioner decided to extend the stay period for the penalty for a further three months from 31 December 2022 to 31 March 2023.

You can read the press release here and the variation notice here.