British Airways hack prompts sector guidance for protecting sensitive social care data


A law firm has delivered guidance on what care providers can do to ensure the personal data they hold is protected.

The guidance, written by Anthony Collins Solicitors, comes on the back of the announcement that the Information Commissioner’s Office (ICO) intends to fine British Airways (BA) more than £183 million following a hack last year that compromised the personal data of 500,000 of BA’s customers.

In the briefing, the law firm considers the ICO’s reasons and explains what providers can do to ensure that sensitive personal information such as safeguarding reports, bank details, HR records and care files are protected.


Anthony Collins suggests that providers implement simple steps, such as having a lockable cabinet and a cybersecurity policy, and updating systems and apps regularly.

The firm also advises providers to introduce encryption and stronger protection for all laptops and USB devices used for sending and storing sensitive personal information.

It says providers should not leave confidential paperwork or machines carrying sensitive information unattended or out in the open, and should pay careful attention to conducting due diligence into the privacy practices of potential merger or acquisition targets.

Providers shouldn’t keep personal data for any longer than necessary, the firm says, adding that providers should ensure that any third parties with whom they share information are not just data compliant, but compliant with any relevant information.

Care providers should also put breach-management protocols in place to ensure that breaches are discovered, reported and dealt with promptly; train their staff regularly; and audit their facilities every six months to a year to ensure uniformity of best practice.

Finally, the law firm urges care providers not to panic.

“Remember that when issuing a penalty, the ICO will consider a host of factors, including the number of individuals affected, the nature of the personal data and the gravity and duration of the failure to protect,” said data protection solicitor Eeshma Qazi.

“The real threat is not an ICO fine or even court action by aggrieved data subjects, but reputational damage that comes from public enforcement and the loss of user trust that inevitably follows.”

Digital Social Care, a partnership between members of the Care Provider Alliance, Skills for Care and NHS Digital, has launched a new website providing advice and support to the adult social care sector on technology and data protection.

Tags: British Airways, data protection, Information Commissioner's Office

Author: Sarah Clarke
