Isle of Man: Information Commissioner issues enforcement notice on Manx Care Ltd for insufficient security measures

On 25 February 2022, the Information Commissioner published its decision in Case No. 2022/01, issued the same day, in which it imposed an enforcement notice on Manx Care Limited for violations of Articles 5(1)(f), 24(1), and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following indications of non-compliance in the company's quarterly report.

Background to the notice

In particular, the Information Commissioner outlined that, in March 2021, Manx Care assumed liability and responsibility for the actions and quarterly updates required under Enforcement Notice No. EN2020/0001, previously issued to the Department of Health and Social Care. Further, the Information Commissioner clarified that Manx Care's quarterly report of February 2022 indicated little substantive progress against that notice's requirement to adopt appropriate technical and organisational measures to ensure an adequate level of security.

Findings of the Information Commissioner

Notably, the Information Commissioner stated that Manx Care was aware of its failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, especially concerning special category data, namely health data sent in email communications and attachments. Subsequently, the Information Commissioner noted that such failure resulted in several personal data breaches in the past six months, including a case where the unencrypted medical records of patients were emailed to 2,200 email recipients.

Outcomes

In conclusion, the Information Commissioner was satisfied that Manx Care, as the data controller, violated its responsibilities to uphold the principles of integrity and confidentiality when processing personal data, and especially the security of such processing, thus violating Articles 5(1)(f), 24(1), and 32 of the GDPR. As a result, the Information Commissioner imposed corrective measures, among other things, to bring the processing activities into compliance with the GDPR, to implement appropriate technical and organisational measures to prevent further personal data breaches, and to communicate the completion of the measures within four months.

You can read the press release here and the enforcement notice here.
