While data encryption software is often recommended to enhance the security of sensitive data, there are those instances when it cannot fulfill its potential. Therefore, policies are often created prohibiting its dissemination–and when such policies go national, they’re called laws. Often times, those are ignored as well. Or, there may be a loophole.
London Clinic In Harley Street Suffers Patient Data Breach
The Daily Mail has an article of how more than 100 UK patient records were obtained by ITV investigators (an investigation that was aired on TV a couple of nights ago). Posing as a marketing executive, the ITV presenter was able to get in touch with an Indian duo who supplied 116 patient records as proof of their illicit prowess: supplying patient information illegally.
This duo claimed to have “freelancers” working for them at outsourcing companies, and that they could provide any kind information. Most of the records had treatment at the London Clinic as a common factor.
Under the UK’s Data Protection Act, it is illegal to export private, sensitive information outside of the European Union unless there’s safety measures in place, such as the use of encryption when transferring files.
The funny thing is that, it doesn’t appear that anything was exported outside the UK.
How The Data Go Transferred
It’s a long chain, but the gist comes down to this: The London Clinic had some consultants working for them. The consultants contracted DGL Information Technologies UK to digitize paper records, who in turn had an agreement with Scanning And Data Solutions, also based in the UK.
While the last company did scan the files, the job of actually putting such information into usable format (by entering it into a database) was done by people in India.
But, here’s the twist: it’s never revealed where the servers with the scanned information happens to be.
Is This A Loophole?
I’m not a lawyer, and I’ve only read summaries of the UK Data Protection Act, but from what I’ve read, the law makes it illegal to export data outside the EU without safeguards. But, is there anything regarding the access of information by foreigners on home soil?
This distinction is not trivial, since the internet allows one to connect to any computer in the world.
In my knowledge, in most cases any documents would have been sent to an outsourcing company in India, digitized and protected. The guys in India do their job, and the digitized goods are sent back (transferred, FTP’ed, whatever).
Another way to do the job, however, is to have the people in India log into my servers at home. Question is, have I just exported sensitive data out to India? Is accessing considered a transfer of data?
According to the ICO, the answer is probably “yes” in the above case:
In the case of Bodil Lindqvist v Kammaraklagaren (2003) (Case C-101/01), the European Court of Justice held that there was no transfer of personal data to a third country where an individual loaded personal data onto an internet page in a Member State using a internet hosting provider in that Member State, even though the page was accessible via the internet by people based in a third country. Instead, a transfer was only deemed to have taken place where the internet page was actually accessed by a person located in a third country.[my emphasis]
There you have it. No loopholes.
You know what this means. The ICO is going to be fining someone–they cannot not do that, especially with an entire country having seen the show.
On the other hand, you’ve got to admit that any companies outsourcing such jobs overseas have their work cut out for them. I mean, even if a company goes through all the right procedures–uses file encryption like AlertBoot on their data transfers and whatnot, for example–they really can’t control what happens at the other end.
Related Articles and Sites: