Appropriate Organisational Steps?

A recent (24/11/2021) decision of the Upper Tribunal Administrative Appeals Chamber contained a concession from the Information Commissioner which may seem surprising, at least out of context. At paragraph #126 it is reported that “The Commissioner had sought and received confirmation from LBH that its email network was sufficiently secure to send unencrypted information. The Commissioner confirmed to [the appellant] her view that there was no obligation on an organisation to encrypt emails and that there was no evidence to suggest that LBH’s email network was not secure.”

The context was a complaint that the ICO had failed to deal with a complaint by the appellant. The gist of the complaint was that a council (LBH), in responding to her request, had sent the appellant highly sensitive personal files by ordinary email. The material was not encrypted or password protected, and LBH had not (although it could have) used its encrypted mail service. This was a service available to council officers which would in effect have uploaded the data to a secure site and allowed the appellant to retrieve it from there. That method would have meant the material was encrypted at every stage of the journey.

There does not appear to be any suggestion of a personal data breach. The appellant was entitled to receive the information from the council and did so. The email was apparently sent to the correct intended address, and it was accepted that there was no evidence it had been intercepted, compromised or seen by any unauthorised party.

However, contrast the submission made by the ICO with the guidance on its own website:

Article 32 provides further considerations for the security of your processing. This includes specifying encryption as an example of an appropriate technical measure, depending on the risks involved and the specific circumstances of your processing...

Encrypting personal data whilst it is being transferred provides effective protection against interception by a third party. You should use encrypted communications channels when transmitting any personal data over an untrusted network.

LBH’s email network may well have been secure. It is part of the .gov secure email domain. That is not the same as saying that the transfer was fully secure. If such transfers were fully secure there would be no need for the council even to provide a secure, encrypted email facility, or to have policies that staff should (but did not in this case) use it for sensitive material, or, for example, encrypt and password protect the files.

The risk of not doing so is not simply malicious interception (which, unless you are a celebrity or politician, is unlikely to be targeted at you), but the far more common risk of misdirection. Any DPO will tell you that one of the more common data breaches is the misdirected email, whether due to a typo, selecting a similar recipient name, careless use of autocomplete or some other human factor. Used properly, encryption and systems such as the one the council provided and advocated undoubtedly substantially mitigate (but do not eliminate) the risks from such errors: a file that lands in the wrong inbox is of little use to its recipient if it cannot be opened without a password sent separately, or without being granted access to the secure site.
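As an added illustration (not part of the original post, and not code from the council or the ICO), here is the kind of pre-send check that turns the policy just described into something the mail system can enforce. It assumes a small list of verified correspondent domains (the constructed `KNOWN_DOMAINS`), a two-level sensitivity label on the draft ("routine" or "sensitive"), and two sending channels, ordinary SMTP ("plain") and the secure upload-and-link service ("secure_share"); all of these names are assumptions for the example. It flags likely misdirection (an unknown domain one or two typos away from a known one) and blocks sensitive material from leaving by plain email unless every attachment is itself encrypted.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample directory: the organisation's own domain and a verified
# partner. A real deployment would load this from the address book or the
# secure-email directory rather than hard-coding it.
KNOWN_DOMAINS = {"council.example.gov.uk", "partner-trust.example.nhs.uk"}


@dataclass
class Attachment:
    name: str
    encrypted: bool  # True if the file itself is encrypted / password protected


@dataclass
class Draft:
    recipients: List[str]
    attachments: List[Attachment]
    sensitivity: str  # assumed labels: "routine" or "sensitive"
    channel: str      # assumed channels: "plain" (SMTP) or "secure_share" (upload + link)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between an unknown and a known
    domain is the signature of a typo or a lookalike address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_draft(draft: Draft, known=KNOWN_DOMAINS, max_dist: int = 2) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'block' findings stop the send."""
    findings: List[Tuple[str, str]] = []

    # 1. Misdirection: an unknown domain that is a near miss for a known one
    #    is almost always a typo or a mis-selected autocomplete entry.
    for addr in draft.recipients:
        dom = domain_of(addr)
        if dom in known:
            continue
        near = [k for k in known if edit_distance(dom, k) <= max_dist]
        if near:
            findings.append(("block", f"{addr}: domain looks like {near[0]} (possible typo)"))
        elif draft.sensitivity == "sensitive":
            findings.append(("warn", f"{addr}: external recipient for sensitive data"))

    # 2. Channel: sensitive material leaves only via the secure share service
    #    or as individually encrypted files. If it is misdirected anyway, the
    #    wrong recipient still cannot read it.
    if draft.sensitivity == "sensitive" and draft.channel != "secure_share":
        plain = [a.name for a in draft.attachments if not a.encrypted]
        if plain:
            findings.append(("block", "unencrypted sensitive attachments over plain email: " + ", ".join(plain)))
        elif not draft.attachments:
            findings.append(("block", "sensitive content in message body over plain email"))

    return findings


def may_send(draft: Draft) -> bool:
    return not any(sev == "block" for sev, _ in check_draft(draft))


if __name__ == "__main__":
    # Constructed draft mirroring the situation in the post: sensitive files,
    # correct but external recipient, sent by ordinary email.
    draft = Draft(recipients=["applicant@mail.example.com"],
                  attachments=[Attachment("personal_files.pdf", encrypted=False)],
                  sensitivity="sensitive", channel="plain")
    for severity, message in check_draft(draft):
        print(f"[{severity}] {message}")
    print("send allowed:", may_send(draft))
```

The point of the second rule is that it makes the secure route the default rather than an option the sender may forget; the first rule catches the more common failure even for routine mail. Neither eliminates misdirection to a plausible but wrong address at a known domain, which is why the text says such controls mitigate rather than remove the risk.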

It is hard therefore to disagree with the appellant’s assertions that, since simple additional measures were available to the council, they should have been used. What is not so clear is whether the failure to use them was human error (whether deliberate or careless) or whether the council policy simply left it open to use or not use. There is also no information as to whether the sender was aware of any policy requirements via training or otherwise.

Was there accordingly a breach of the Art 32 requirement here? Being charitable I will assume the council policy did say that the available secure email / encryption should be used for this type of communication, and that the sender had appropriate IG training and awareness. In other words that this was ‘human error’. On that basis it may well be that there was no breach of Art 32. The controller has done all that is reasonably required. The argument is that there is no logical or lawful reason to sanction a controller in such a case.

That is however not the reason put forward by the ICO. In my view there is an obligation on an organisation to encrypt emails containing sensitive data where the facility exists and can be applied, unless there is a good reason not to. The website guidance should be preferred. The Tribunal decision does not need to be regarded as setting any standards on this issue as it was in fact wholly decided on different procedural grounds.

Of course, if the email had been misdirected / intercepted leading to a personal data breach we would be in a whole new ball game. There still may be no breach of Art 32, but there are clear breaches of principle 1 (unfair and unlawful processing including breach of confidentiality) and principle 6 as the data have no longer been processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing. Human error does not protect the controller here as they are responsible for the actions of the employee.

Note: Although I appear to accept that in the decided case there was no breach of Art 32, consideration of the breach scenario does suggest that even in the decided case there was a breach of principle 6. The data was not in fact processed in a manner which ensured security. On balance my view is that there was a breach of Art 5(1)(f) but not Art 32 at the point when the send button was clicked. That would not have availed the appellant procedurally.

Nevertheless, the ICO handling of the complaint (paras 35-39) seems sloppy, and a more reasoned and robust approach should have prevented any need for the appellant to pursue the matter. The suggestion at para 36 that “the Commissioner could only investigate if there were evidence that a third party had actually accessed the information” is nonsense. Any breach of the UK GDPR is within the scope of the s165 DPA complaints procedure; it is not limited to personal data breaches. The ICO could have quickly disposed of this informally by suggesting LBH should remind staff to follow existing procedures, while declining to take any specific regulatory action.
