Protecting confidential information
Published 25 March 2024

The shock news that the Princess of Wales has undergone treatment for cancer has dominated headlines worldwide, and it came after reports that three clinic workers were being investigated for trying to access her medical records.
Kate Middleton shared the news in a video message following growing speculation about her health after she underwent major abdominal surgery in January [1] (cited 25.3.24).
In the footage Kate explained how she wanted to keep the diagnosis secret while she took time to ‘explain everything’ to her three children and to assure them that she is going to be OK.
The unexpected announcement came shortly after reports emerged that workers at a prestigious private hospital in London were under investigation for trying to access Kate’s private medical records.
The Princess of Wales is believed to have been told about the potential data breach.
The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, is reported to have said: ‘We can confirm that we have received a breach report and are assessing the information provided’ [2] (cited 25.3.24).
For all employers in the digital age, the protection of the private and confidential information they hold and store is of paramount importance.
Whether it is sensitive patient information, classified client or customer data or top-secret trade information, there are rigorous standards every employer must meet to safeguard it.
Doing so should extend beyond ensuring that cybersecurity measures are in place to keep the information safe.
It also requires a thorough understanding of the law and of company policies, and for employees to know what is expected of them.
What constitutes confidential information is established through case law. The three-part test for confidentiality includes the following criteria:
- Quality of confidence: the information must have the necessary quality of confidence, meaning it must be objectively confidential and not just treated or labelled as confidential by the holder.
- Obligation of confidence: the information must be imparted in circumstances that impose an obligation of confidence on the recipient. This could be through a contractual agreement, such as a non-disclosure agreement, or be inherent in the nature of the relationship or the circumstances of the disclosure.
- Unauthorised use: there must be an unauthorised use of the information that causes detriment to the person who communicated it. The information must be used in a manner that was not authorised by the person who provided it.
Laws requiring employers to protect confidential information have been in place since the introduction of the Data Protection Act 1998.
However, in recent months there have been examples of employees accessing and sharing private and confidential information held by their employer, and having to face the consequences of their unlawful actions.
In February it was reported that an ex-police officer, who admitted taking sensitive material he was prohibited from accessing and then sharing it without consent, is facing criminal sentencing for misconduct carried out while working for Essex Police [3] (cited 25.3.24).
It is reported that the exact nature of the offending has not been revealed, but the offence of misconduct in a public office relates to an investigation into the sharing of images and material of a sensitive nature without a policing purpose for doing so.
In January, a Gatwick Airport border officer working on the anti-smuggling team was given a suspended jail sentence after sharing sensitive documents with criminals [4] (cited 25.3.24).
The National Crime Agency found instances in which the officer sent images of sensitive documents, containing details of criminal records and of individuals held in custody after being arrested for drug smuggling, to prisoners who were in possession of illegally held mobile phones. On another occasion she shared details of a police investigation she was assisting with.
Here we take a look at the law surrounding the protection of confidential information, detail some of the responsibilities of both employers and employees, and focus on best practice for employers in addressing attempted breaches and actual breaches.
Legal requirements
The Data Protection Act 1998 was replaced by the Data Protection Act 2018, which incorporates the EU General Data Protection Regulation (GDPR) standards.
The GDPR came into effect in May 2018, and despite Brexit, the UK has retained the regulations in domestic law as the UK GDPR [5] (cited 25.3.24).
These laws direct that all personal data be handled lawfully, fairly and transparently. The legislation provides stronger legal protection for more sensitive information.
This means employers are required to ensure appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
Compliance with the data protection principles is essential for all organisations handling personal data.
Employers can face significant penalties for breaching GDPR regulations. The ICO has the authority to issue fines of up to £17.5 million or 4 per cent of an organisation’s global turnover, whichever is higher.
In 2019, the ICO announced its intention to issue a £183.39 million fine to British Airways for a GDPR breach. The fine was eventually reduced to £20 million in light of the COVID-19 pandemic and its effect on the airline industry [6] (cited 25.3.24).
The penalty was imposed after it was discovered that the British Airways website had diverted user traffic to a website controlled by the attackers, which resulted in the theft of personal data belonging to more than 400,000 customers.
Employers may also be subject to legal action from individuals whose personal data has been compromised as a result of a GDPR breach.
Employer responsibility
An employer must protect any confidential information it collects and stores.
The requirement to do so involves ensuring robust security measures are put in place, such as encryption, access controls, and regular data backups, to prevent unauthorised access or disclosure.
Additionally, an employer must develop clear policies and procedures plainly detailing how confidential information should be handled, including guidelines for storage, sharing, and disposal.
Employees play a fundamental role in the protection of confidential data. Employers should ensure staff are fully trained on the importance of confidentiality and the risks associated with mishandling sensitive information.
Training sessions will typically cover areas such as data protection laws, recognising phishing attempts and how to securely store physical documents.
Despite the best efforts of any business, a data breach can still occur. To manage such an occurrence, employers must also have incident response procedures in place to deal effectively with any incident, e.g. carrying out a thorough investigation, notifying affected parties and liaising with the ICO as required.
Employee responsibility
Employees play an essential role in protecting private and sensitive information. Individuals can be prosecuted for a data breach.
All staff must adhere to any policies and procedures that an employer has in place. This will generally include being cautious when handling sensitive data, ensuring the information is not shared with anyone not authorised to view it and following secure practices for storing and communicating information.
Employees also have to be alert for signs of potential security threats, such as phishing emails or suspicious activity on company systems, and report any concerns without delay.
Additionally, employees must undergo regular training to stay informed and up to date about best practices for data security and confidentiality.
Handling a breach
For a detailed guide, employers should refer to the ICO’s official documentation on personal data breaches and breach response and monitoring [7] (cited 25.3.24).
Some of the key steps in that guidance for handling attempted data breaches and actual breaches include:
- Recognise a data breach: train staff to identify security incidents and data breaches.
- Response plan: have a plan in place for addressing breaches, including a dedicated person or team responsible for managing them.
- Risk assessment: assess the likely risk to individuals as a result of a breach.
- Notification: if the breach is likely to result in a high risk to individuals’ rights and freedoms, inform those individuals without undue delay. Notify the ICO within 72 hours of becoming aware of the breach, where feasible.
- Documentation: keep a record of any personal data breaches, regardless of whether you are required to notify the ICO.
It is also advisable for employers to seek expert legal advice to deal with any incidents.