Data Protection Network | GDPR | Advice & Resources

Data Subject Access Requests – what are people entitled to? I’m often asked what’s in scope when responding the Right of Access – aka Data Subject Access Requests (DSAR/SAR). What are organisations obliged to provide, and what can they legitimately exclude? I’ve taken a look at some questions which routinely come up. But first a quick summary of what the law says… The Right of Access is a fundamental right under data protection legislation in the UK and EU. There are similar rights in other jurisdictions, but I’m focusing here on the right under UK GDPR and the Data Protection Act (DPA 2018). The law gives people the right to receive and copy of their personal data, and other supplementary information from any organisation acting as a controller. Controller or processor – what are we? Personal data is any information which could directly or indirectly identify the requestee. To give some examples, this could include images, voice and video recordings, demographic information, profiles, order history, marketing preferences, HR records, performance reviews, opinions expressed about the requestee, other personal identifiers … and the list goes on. Now, on to the FAQs… Q: Do we need to provide information the requestee already has, or is obvious to them? The short answer is, yes. Based on UK case law, organisations can’t refuse to disclose information on the grounds personal data is already known to the individual. (Case: Lttihadieh v 5-11 Cheyne Gardens, 2017). However, it wouldn’t need to be included if the person has made it clear they don’t want this information. You can always ask them. Q: Are they entitled to full documents? It isn’t a right to documentation. Just because someone’s name appears in a report, spreadsheet, meeting notes or any other document doesn’t mean they’re entitled to the whole document, if the rest doesn’t relate to them. It may prove easier and relevant to provide full documents, but you would be justified in not doing so. You can extract the necessary information, or redact the irrelevant information. But remember what you provide must be meaningful and have context. Q: Are they entitled to the full content of email correspondence? Linked to the question above, people are only entitled to a copy of their personal data. So just because their email address or email signature appears in an email (or email chain) doesn’t make this their personal data. For example, routine business as usual emails, where the content is solely about business related matters will not be the individual’s personal data. It can be really helpful to explain this from the start. Q: Are handwritten notes in scope? Personal data which is not part (or intended to be part) of a structured filing system is not in scope. For example handwritten notes in a personal notepad where there’s no intention to formally file these notes would not need to be included. However, if for example, employees write notes in ‘day books’ which are intended to be kept as a record of conversations, these would be in scope. Q: How much effort is required? Organisations are expected to make all reasonable efforts to search, identify and retrieve all the personal data being requested. The ICO would expect systems to be well-designed and maintained so information can be efficiently located (including carrying out searches) and extracted. The right of access is not new. It was around long before GDPR came into force in 2018, so organisations would be expected to be well prepared to handle requests. Q: Can we refuse to comply with a request? Sometimes it may seem obvious the requestee has an ulterior motive for submitting a DSAR. In general, an individual’s motives shouldn’t affect their right to obtain a copy of their personal data, or the organisation’s duty to respond. Organisations can however refuse to comply with a request, either partially or fully, where they judge it to be manifestly unfounded or manifestly excessive. A request might be considered manifestly unfounded if, for example, the individual… ■ has no real intention of exercising their right ■ offers to withdraw their request in return for some kind of benefit ■ explicitly states they want to cause disruption ■ makes unsubstantiated accusations or allegations ■ is targeting a specific employee due to a grudge ■ sends regular and targeted requests as part of a concerted campaign A request might be considered manifestly excessive if it’s clearly or obviously unreasonable or would involve disproportionate effort. In assessing whether it would involve disproportionate effort, you should consider the following factors: ■ the nature of the requested information; ■ the context of the request, and the relationship between you and the individual; ■ whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual; ■ your available resources; ■ whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or ■ whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive). If you rely on either of these grounds, be sure to document your decision, the rationale behind it and explain this to the individual. To give an example, quite a few years ago I worked on a request from a disgruntled former employee where, among everything else, they asked for all CCTV footage of them. The business operated CCTV which captured employees as they entered and exited the main office. We asked the individual if there were specific dates and times they were interested in. They responding just reiterating the request for all CCTV footage. I think understandably we judged this to be an manifestly excessive request, requiring disproportionate effort and that it would not cause any damage to the individual not to receive this. Q: What can be excluded or redacted? Once all the information relating to the individual has been retrieved, the data collated often includes information which doesn’t need to be disclosed. There may be justifiable grounds for excluding information or redacting documents, emails, video recordings and so on. Information relating to others: the person making the request has a right to receive a copy of their personal data, they’re not entitled to personal data about other people. The DPA 2018 confirms you do not need to include certain information if it means disclosing information which identifies someone else, unless the other person has given their consent or it’s reasonable to disclose without the other person’s consent. Confidential information: A duty of confidence may arise when another individual has genuinely shared ‘confidential’ information with the expectation it remains confidential. Confidentiality cannot be automatically assumed and needs to be assessed on a case-by-case basis. Other information which may also be considered confidential includes, but is not limited to; trade secrets, information made confidential under another law, internal costs or commercial rates, intellectual property and information covered as part of a non-disclosure agreement Other exemptions: The DPA 2018 provides a number of further exemptions which may apply depending on the nature of your business and the context of the specific request. These don’t always apply in the same way. Sometimes you might be obliged to rely on an exemption (i.e. it would break another law), other times it will be a choice. Commonly used exemptions include; legal professional privilege, crime and taxation, management information, research and statistics, confidential references and journalism. The ICO says exemptions should not be routinely relied upon or applied in a blanket fashion. And remember, you may be required to demonstrate how an exemption applies and your rationale for relying on it. The ICO has published guidance on exemptions and how they apply. These are just some questions I get asked and I’m afraid to say there are plenty more. Responding to DSARs can be very time-consuming, with nuanced considerations and can feel a minefield if you don’t receive many requests or out of the blue receive your first one. Our DSAR Guide provides more information about how to prepare and fulfil requests. Also see the ICO’s detailed Right of Access Guidance.

Why record keeping is the cornerstone of data protection Records of Processing Activities No one ever wrote a thriller about record keeping. Denzel, Keanu, Keira and Brad are not required on set. But here’s why we should give it due attention. Put simply, without adequate records it’s difficult to demonstrate compliance with data protection legislation (GDPR and UK GDPR). Records are core to meeting the accountability principle, i.e. being ready and able to demonstrate evidence of compliance. Let’s step back for a moment. Each organisation needs to know what personal data they hold, where it’s located and what purposes it’s being used for. Only then can you be sure what you’re using it for is fair and lawful, and gain confidence you’re meeting other GDPR obligations. To put it another way, how confident is your organisation in answering the following questions? Do we know what personal data we hold, it’s sensitivity and all the systems it’s sitting on – including data shared with third parties? Do we know all purposes for processing? Have we determined an appropriate lawful basis for each purpose? And are we meeting the specific requirements for that basis? When handling special category data, have we also identified a special category condition? Have we confirmed how long we need to keep the data for each purpose? All of the above feed into transparency requirements, and what we tell people in our privacy notices. In my opinion, you can’t answer these questions with confidence unless you map your organisation’s use of personal data and maintain a central record. This may be in the form of a Records of Processing Activity (RoPA). Okay, so the absence of data protection records might only come to light if your organisation is subject to regulatory scrutiny. But not putting this cornerstone in place could result in gaps and risks being overlooked – which could potentially materialise into a serious infringement. In my view, a RoPA is a sensible and valuable asset for most organisations. I fully appreciate creating and maintaining a RoPA can feel like a Herculean task, especially if resources are overstretched. That’s why we often recommend taking a proportionate and achievable approach, focussing on special category data use and higher risk activities first. Then build on this foundation when you can. RoPA requirements under GDPR & UK GDPR The requirements apply to both controllers and processors and include keeping records covering: the categories of personal data held the purposes of processing any data sharing details of transfers to third countries, including a record of the transfer mechanism safeguards in place; retention periods the technical and organisational measures used to protect the data and more… Do you employ less than 250 people? If so, record keeping requirements may be less stringent. But you’ll still be required to maintain a RoPA if: your processing of personal data is not occasional your processing is likely to result in risk to the rights and freedoms of individuals you process special category data (e.g. health data, ethnicity, trade union membership, biometrics and more) you process personal data relating to criminal convictions and offences. You can read more about the requirements in ICO records of processing guidance. Benefits of Record Keeping (RoPA) Here are just some of the benefits you can get from your RoPA. 1. Understanding the breadth and sensitivity of your data processing. 2. Visibility of where data protection risks lie. This will help establish priorities and focus efforts to tackle key risks. 3. Confidence your activities are lawful and meet specific regulatory requirements. 4. Tackle over retention of data – it’s a common challenge. By establishing your purposes for processing personal data, you can determine how long you need to keep that data. Then you can take practical steps to delete any data you no longer need. 5. Transparency – An up-to-date RoPA feeds into your privacy notice, making sure the information you provide accurately reflects what you are really doing. 6. Data breaches – Your RoPA should be the ‘go to’ place if you suffer a data breach. It can help you to quickly identify what personal data may have been exposed and how sensitive the data is, which processors might be involved and so on. Helping you to make a rapid risk assessment (within 72 hours) and helping you make positive decisions to mitigate risks to protect individuals. 7. Supply chain – Keeping a record of your suppliers (‘processors’) is a key aspect of supplier management along with due diligence, contractual requirements and international data transfers. 8. Privacy rights – If you receive a Data Subject Access Request, your records can help to locate and access the specific data required to fulfil the request. If you receive an erasure request, you can quickly check your lawful basis for processing and see if the right applies, and efficiently locate what systems the data needs to be deleted from. Tips to get started Here are a few very quick tips on how to commence a RoPA project or breathe new life into an outdated spreadsheet you last looked at in 2018! Who? No DPO or data protection team can create and maintain these records their own – they need support from others. Enlist the support of your Senior Leadership Team, as you’ll need them to back you and drive this forward. Confirm who is or should be is accountable for business activities which use personal data within all your key business functions – the data owners. For example, Human Resources (employment & recruitment activities), Sales & Marketing (customer/client activities), Procurement (suppliers), Finance, and so on. Data owners are usually best placed to tell you what data they hold and what it’s currently used for, so get them onside. What? Make sure you’re capturing all the right information. The detail of what needs to be recorded is slightly different if you act as a controller or processor (or indeed both). If you need to check take look at the ICO guidance on documentation. When? There’s always some new system, new activity and/or change of supplier, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need carry out a Data Protection Impact Assessment or Legitimate Interests Assessment. Good stakeholder relations can really help with this. In conclusion, record keeping might not win many Oscars, but it really is the cornerstone of data protection compliance. Adequate records, even if not massively detailed, can be really beneficial in so many ways, not just if the ICO (or another Data Protection Authority) comes calling.

Controller or processor? What are we? The importance of establishing if an organisation is acting as a processor or controller On paper the definitions of controller and processor under GDPR (& UK GDPR) may seem straight-forward, but deciding whether you’re acting as a controller, joint-controller or processor can sometimes be a contentious area. Many a debate has been had between DPOs and lawyers when trying to classify the relationship between different parties. It’s not unusual for it to be automatically assumed all suppliers providing a service are acting as processors, but this isn’t always the case. Sometimes joint controllership, or separate distinct controllers, is more appropriate. Or perhaps a company is simply providing a service, and is not processing the client’s personal data (other than minimal contact details for a couple of employees). It’s worth noting service providers (aka suppliers or vendors) will often act as both, acting as controller and processor for different processing tasks. For example, most will be a controller for at least their own employee records, and often for their own marketing activities too. What GDPR says about controllers and processors The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. How to decide if we’re a controller or processor There are some questions you can ask to help reach a conclusion: ■ Do we decide how and what personal data is collected? ■ Are we responsible for deciding the purposes for which the personal data is used? ■ Do we use personal data received from a client/partner for our own business purposes? ■ Do we decide the lawful basis for the processing tasks we are carrying out? ■ Are we responsible for making sure people are informed about the processing? (Is it our privacy notice people should see?) If you’re answering ‘yes’, to some or all of these questions, it’s highly likely you’re a controller. The ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”. A processor only processes a controllers’ personal data on their behalf and crucially doesn’t use this data for its own business purposes. While a processor may make its own day-to-day operational decisions, it should only process the data in line with the controller’s instructions, unless required to do otherwise by law. Sometimes overlooked is the fact even if a handful of employees of a service provider only have access to a controller’s personal data it still means the service provider is ‘processing’ the data, and will be a processor. Why it’s important to confirm your status Controllers have a higher level of accountability. They are obliged to comply with all data protection principles, such as ensuring the lawfulness of processing, being transparent (e.g. privacy notices), fulfilling privacy rights requests and so on. Processors do have a number of direct obligations, such as being required to implement appropriate technical and organisation measures to protect personal data. A processor is also responsible for ensuring the compliance of any sub-processors it may use to fulfil their services to a controller. In fact processors are liable for the sub-processors. The ICO issued a £3m fine to a software company in March 2025 for failing to implement sufficient measures, which you can read about here. Data processing agreements There’s a requirement to have an appropriate agreement in place between a controller and a processor. Article 28 of EU / UK GDPR sets out specific requirements for what must be included in the contractual terms. Such terms are often covered in a Data Processing Agreement/Addendum, but sometimes will be covered in a specific section on data protection within the main contract. (If there’s no DPA, no addendum and no section on data protection that’s a massive red flag!) Often overlooked is the need to have clear documented instructions from the controller. It can be helpful to have these as an annex to the main contract (or master services agreement), so they can be updated if the processing changes. We’ve written more about the detail of what needs to be covered in contractual terms here. Another area which can get forgotten is sub-processors and international data transfers. There are times where you’re looking to engage the services of a household name, a well-known and widely used processor. This sometimes leads to limited or no flexibility to negotiate contractual terms. In such cases, it pays to check the terms and, if necessary, take a risk-based view on whether you wish to proceed or not. Before even looking at the terms, due diligence on prospective processors is a ‘must do’ for controllers, while taking an approach proportionate to the level of risk the outsourced processing poses. And for their part processors need to be prepared to prove their data protection and information security credentials.

Court of Appeal rejects appeal against ICO fine The very first fine the ICO issued under the GDPR was back in 2019. It was to pharmacy, for storing unlocked boxes containing sensitive medical information in the yard behind its offices. More than five years later, the fine has yet to be paid. The initial penalty notice was for £275,000 against Doorstep Dispensaree, a pharmacy in Edgware, North London. The company appealed, arguing the ICO’s actions were disproportionate and failed to take into consideration the firm’s financial hardship. It also argued less personal information was affected than originally thought. 67,000 documents were involved, rather than the 500,000 the original enforcement notice cited. Furthermore, the pharmacy claimed their backyard storage area was largely secure from public access. The fine was subsequently reduced to £92,000. As an aside, I’d suggest this is still a huge number of records stored in unlocked boxes. The data concerned involved customer’s names, addresses, dates of birth, NHS numbers, medical information and prescriptions. This wasn’t the end of it. Doorstep Dispensaree raised a subsequent appeal, arguing the judge in the previous appeal failed to recognise the burden of proof lay with the ICO, and that undue weight had been given to the ICO’s reasons for opposing and setting a penalty. In a decision welcomed by the ICO, the Court of Appeal has now dismissed this appeal. It ruled the burden of proof should lie with the appellant, Doorstep Dispensaree, and subsequent tribunals and appeals aren’t required to ignore original monetary penalty notices when making decisions. Responding to the news, Information Commissioner John Edwards said, “I welcome the Court of Appeal’s judgment in this case as it provides clarity for future appeals. We defended our position robustly and are pleased that the court has agreed with our findings.” The ICO has been much criticised for its lack of enforcement action under GDPR. It’s issued multiple fines under the Privacy and Electronic Communications Regulations (PECR), but fewer under GPDR (now UK GDPR). This may be due to the fact violating the PECR rules can be more clearcut. While much of the criticism may be fair, I believe this case demonstrates the legal hurdles the Regulator can face when taking enforcement action. However, the more cases we get, the more case law we’ll have for UK GDPR.

Meeting prospective clients’ due diligence demands Proving your data protection and information security credentials Many businesses provide a service to other businesses, and once the pitch is done and you’re getting closer to signing that vital and lucrative contract, there can be a hurdle to overcome. Namely, meeting the client’s due diligence and supplier set up requirements. For bigger well-known service providers this can be a breeze, but often small-to-medium sized organisations can find themselves grappling to prove their credentials. Requests can sometimes feel exasperatingly detailed, irrelevant or over-zealous. Once you’ve got through the questions about sustainability, environmental impact, modern slavery, diversity, equality and inclusion, there will often be the need to answer questions about your approach to data protection and information security. This will almost certainly be the case where your company’s services involve handling your prospective client’s personal data on their behalf. To use data protection terminology, if the client is the ‘controller’ and your organisation will act as their ‘processor’. It’s important this relationship is clear, as there are specific contractual requirements for controllers-to-processors relationships under EU/UK GDPRs. Both parties need to meet their obligations. Are we a controller or processor? So how can you get ahead of the game and be well-prepared? I’ve put together some key questions you may need to cover off. Some of these points will need to be included in any Controller-Processor Data Processing Agreement. 1. Do you have a Data Protection Officer? Not all businesses need to appoint a DPO (despite most questionnaires expecting you to). If you don’t have a DPO, you may need to explain who in the organisation is responsible for data protection, and may need to be ready to justify why you don’t need a DPO. DPO Myth Buster 2. Do you have a dedicated Information Security team? As well as being able to provide details of where responsibility for information security rests within your organisation, you’re also likely to be required to provide details of the security measures and controls you have in place to protect client data. This could for example be restricted access controls, use of encryption or pseudonymisation, back-ups, and so on. You may be asked if you have any form of security certification or accreditation. Note: For contractual terms, such as a Data Processing Agreement/Addendum it’s likely you’ll need to include a summary of your security measures. 3. What data protection related policies do you have? The most common requirement is being able to demonstrate you have a Data Protection Policy. Namely an internal policy which sets out data protection requirements, and your expectations and standards for your staff. A client could ask to see a copy of this. They might also ask if you have more detailed policies or procedures covering specific areas such as a data retention, individual privacy rights and so on. 4. Where will your processing of client personal data take place? Many clients will be looking to understand if an international data transfer (what’s known as a restricted transfer) will be taking place. Whether this is happening will be dependent on your client’s location and your own location – including the locations of any servers you’ll process client data on. The client may want to confirm there are necessary ‘safeguards’ in place for any restricted transfers, to ensure such transfers meet legal requirements. Examples of these include an adequacy decision, Standard Contractual Clauses (with the UK Addendum if relevant) or a UK International Data Transfer Agreement. They may also ask you about Transfer Impact Assessments. International Data Transfers Guide 5. Do you sub-contract services to third-parties? You need to be prepared to share details of any third-party companies you use to provide your services which involve the handling, including access to, your client’s personal data. These are often referred to as ‘sub processors’. They’re also likely to ask you to confirm in which country these sub-processors are based (i.e. the geographical location where the ‘processing’ takes place). Note: International data transfers and working with sub-processors are key elements of the GDPR mandated contractual terms between a controller and processor. 6. What procedures do you have in place for handling a personal data breach? You may be asked if you’ve suffered a data breach in recent years, and to provide details of your procedures for handling a data breach. We’d recommend all businesses have a data breach plan/procedure/playbook. If you’re acting as a processor for your client, you’ll need to inform them ‘without undue delay’ (often within 24 or 48 hours of becoming aware of the breach). Plus be ready to provide them with all relevant information about the incident rapidly, so they can assess their own data risks and report it to the relevant Data Protection Authority (such as the Information Commissioner’s Office) if appropriate. 7. Do you have a disaster recovery plan and backups? The GDPR doesn’t detail specific requirements around resilience and disaster recovery – this will depend on the nature and sensitivity of the processing. But if you suffer a data breach (particularly a ransomware attack) you’ll want to make your systems have integrity and are fully operational again very quickly after the event. Your clients will expect this if their data could be affected, so expect to be asked tricky questions. 8. Do you have a Record of Processing Activities? You may be asked to confirm you have a Record of Processing Activities and might be asked more detailed questions about your record keeping. 9. Procedures for handling client individual privacy rights requests If you are a processor, handling personal data on behalf of your client, it won’t be your responsibility to respond to privacy rights requests (such as Data Subject Access Requests or erasure requests). However, you may need to assist your client in fulfilling requests relating to the client data you hold. And if you receive a request relating to client data, this must be swiftly sent on to the client. They may ask for evidence of a robust process for doing this. 10. Privacy information Don’t forget your Privacy Notice (aka Privacy Policy). Before a prospective client works with you, they may look at your website and take a peek at the privacy information you provide. If this is off the mark and fails to meet key legal requirements, it could be a warning sign for them that you don’t take your data protection obligations seriously. Privacy Notices Quick Guide The above is by no means an exhaustive list but should help you to be prepared for some of the key areas you may be questioned about. At DPN, we often suggest processors prepare a factsheet or FAQ in advance of receiving these due diligence questionnaires. This can really help put your business on the front foot and demonstrate to your clients you’re on the ball for both data protection and information security. Crucially it speeds up the decision-making and onboarding process, as by being well prepared you no longer have to scrabble around at the last minute. So you can start work for your new client more quickly.

DPN Legitimate Interests Guidance and LIA Template (v 3.0) Published in November 2024 this third version of our established Legitimate Interests Guidance aims to help organisations assess whether they can rely on legitimate interests for a range of processing activities. Routine or more complex activities, such as those involving the use of AI. First published in 2017, this updated version includes an improved LIA template (in Excel) to use when conducting your own Legitimate Interests Assessments. Many thanks to PrivacyX Consulting and Privacy Partnership Law for working with us on this latest version. We’d also like to thank the original Legitimate Interests Working Group of 2017/2018, comprising representatives from a wide range of companies and institutions, who collaborated to produce previous versions. Important UK update: The Data (Use and Access) Act 2025 introduces a new lawful basis for processing into the UK GDPR. This new lawful basis of ‘recognised legitimate interests‘ can be relied up by organisations for specific purposes without being required to conduct a balancing test (i.e. a Legitimate Interests Assessment).

Five top causes of data breaches And how to mitigate the risks Data breaches are like booby traps in movies; some are like the huge stone ball that chases Indiana Jones down a tunnel. Some are sneaky, like the poisoned darts Indie dodges (before he gets chased by a big stone ball!). Nonetheless, like booby traps in Hollywood movies, there are common themes when it comes to data breaches. None of them, to my knowledge, involve being chased by a giant stone ball. And, unlike Indiana Jones, you don’t have to rely on supernatural luck and a sympathetic screenwriter to prevent these breaches occurring. Back to the real world. While the threat of cyber-attacks continues to loom large, here’s an interesting fact; 75% of breaches reported to the Information Commissioner’s Office (ICO) are non-cyber related – caused by ‘human error’. Or, to put it another way, they’re often attributable to a lack of training and robust procedures to prevent someone making a mistake. We’ve delved into ICO reporting figures, and put together a top five of the most common causes of data breaches, together with some top tips on how to mitigate the risk of these occurring in your organisation. Our data breach countdown… Number 5: Ransomware Ransomware is a malicious software used by bad actors to encrypt an organisation’s system folders or files. Sometimes the data may be exfiltrated (exported) too. A ransom demand often follows, asking for payment. The attacker will say this can be paid in exchange for the decryption key and an assurance the data they claim to have will be deleted. In other words, it will not be published on the dark web or shared with others. But there are no guarantees even if you choose to pay the ransom. It’s worth noting the ICO and National Cyber Security Centre discourage paying ransoms. Ransomware attacks can cause a personal data breach, but this may be only one of a number of risks to the business, such as financial, legal, commercial and reputational. These attacks are becoming increasingly sophisticated. It’s now possible for a bad actor to buy an ‘off the shelf’ cyber-attack via the dark web, or tailor a package to suit their needs. How to mitigate ransomware risks Appropriate steps need to be taken to protect systems from these types of attacks. Often this will mean investing more time and money into security measures. Here are just some of the ways to try and prevent attacks: ✔ Implementing Multifactor Authentication (MFA) ✔ Installing antivirus software and firewalls ✔ Use of complex passwords ✔ Keeping all systems and software updated ✔ Running regular cyber security and penetration testing ✔ Monitoring logs to identify threats ✔ Cyber awareness training Also, crucially making sure you have up-to-date and separate backups is the most effective way of recovering quickly from a ransomware attack. Number 4: Postal errors This is a simple administrative error, which can have minor or significant consequences. An item containing personal data is posted to the wrong person. This could be an invoice sent to the incorrect person, exam results put in the wrong envelope or medical information sent to the wrong patient. Breaches of this nature can happen by: ► using incorrect addresses ► using old addresses ► mistakenly including more than 1 letter in the same envelope ► mistakenly attaching documents relating to another person to a letter How to mitigate post breach risks ✔ Robust training and regular reminders! ✔ Using a check list e.g. Step 1) Check the address is correct when drafting a letter. Step 2) Check again after printing. Step 3) Check again before it does in the envelope. Number 3: Unauthorised access As the name suggests this is someone gaining access to personal information they shouldn’t have access to. This can be an external or internal threat. To give some examples; ► Exploiting software vulnerabilities: Attackers can exploit software vulnerabilities to gain unauthorised access to applications, networks, and operating systems. ► Password guessing: Cybercriminals can use special software to automate the guessing process, targeting details such as usernames, passwords and PINs. ► Internal threats: Unauthorised access and use of personal data by employees or ex-employees. Here are some real-life cases: ● 2022 – a former staff advisor for an NHS Foundation was found guilty of accessing patient records without a valid reason. ● 2023 – a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family. ● 2024 – a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time. How to mitigate unauthorised access risks Here are just some of the ways of reducing your vulnerability to these types of breaches: ✔ Applying the ‘principle of least privilege’ – this sets a rule that employees should have only the minimum access rights needed to perform their roles. ✔ Strong password management e.g. make sure systems insist on complex passwords and prevent users sharing their access credentials. ✔ Monitoring user activity Number 2: Phishing attacks Phishing is when attackers send scam emails or text messages containing links to malicious website. Often they try to trick users into revealing sensitive information (such as login credentials) or transferring money. Any size of organisation is a potential target for phishing attacks. A mass campaign could indiscriminately target thousands of inboxes, an attack could specifically target your company or an individual employee. Attacks are becoming increasingly sophisticated, and scam messages are made to look very realistic. Sometimes they will know who you do business with, and change just one letter in an email address, so you think it’s from an organisation you know. Mitigating phishing attack risks Here are a few tips for some of the ways you can reduce the risk of falling victim to a phishing attack. ✔ Training and awareness to help employees identify spoof emails and texts ✔ Setting up DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent bad actors spoofing your website domain Also see NCSC phishing guidance Number One: Email Errors Yup, the top cause of data breaches is still email. Emails sent to the wrong recipient(s) or accidentally using CC for multiple recipients (thereby revealing their details to all recipients). A breach of this nature can be embarrassing, and/or can have serious consequences. To give an example: The Central YMCA sent emails to individuals participating in a programme for people living with HIV. The CC field was used by accident, thereby revealing the email addresses to all recipients. People on the list could be identified or potentially identified from their email addresses and it could be inferred they were likely to be living with HIV. Mitigating email breach risks Here are some of the ways you can try and prevent email errors occurring: ✔ Don’t broadcast to multiple people using BCC (it is too easy to make a mistake).Instead use alternative more secure bulk email solutions. ✔ Set rules to provide alerts to warn employees when they us the CC field. ✔ Turn off the auto-complete function to prevent the system suggesting recipients’ email addresses. ✔ Set a delay, to allow time for errors to be corrected before the email is sent. ✔ Make sure staff are trained about security measures when sending bulk communications One of the biggest weapons in the data protection arsenal is training and awareness. We recently worked with a client who was using an excellent cyber-security training module, which staff had to complete not once, but twice a year. However, training on its own is unlikely to be enough. Regular reminders and updates are needed too. Near-misses and high-profile cases in the media can be used to get the message through. Here’s a real-life example of a genuine disaster, one I would definitely share. You can just imagine how this happened. The Police Service of Northern Ireland (PSNI) experienced a horrendous, life-changing data breach entirely of its own making. Hidden fields in a spreadsheet disclosed in a Freedom of Information Request revealed the personal details of their entire workforce, including their job description and places of work. It was assumed the list subsequently fell into the hands of paramilitary organisations, leading to an enormously disruptive and expensive personal security review. ICO PSNI fine The PSNI case also illustrates how some of the worst data protection hazards are those we set for ourselves. Not a big stone ball or poison darts. Simply a human error on a spreadsheet, an error adequate in-house procedures failed to prevent or identify. How many such hazards are spread across your organisation?

ICO fine for Police Service of Northern Ireland What went wrong and what can we learn from this data breach? You may recall the awful data breach last summer by the Police Service of Northern Ireland (PSNI). The personal details of its entire workforce (9,483 officers and staff) were accidentally exposed in response to a Freedom of Information request. The dreadful mistake left many fearing for their safety with an assumption the information shared got into the hands of dissident republicans. This was a simple mistake involving a spreadsheet, which ALL organisations should take heed of. The ICO has announced a £750,000 fine and says simple-to-implement procedures could have prevented this serious breach. If the ICO had not applied its discretionary approach for the public sector, the fine would otherwise have been £5.6 million. But in assessing the level of the fine, the current financial position of the PSNI and a desire not to divert public money from where it’s needed, were taken into account. A commercial organisation would have faced a much heftier financial penalty. What went wrong? The PSNI received two Freedom of Information requests in August 2023 from the same person. These came via WhatDoTheyKnow (WDTK); a platform which helps people submit requests and publishes responses. The requests were for information about the number of officers at each rank and number of staff at each grade, and some other details. This information was downloaded in the form of an Excel file from the PSNI’s HR system and included personal data relating to all employees. During the analysis, multiple other worksheets were created within the same file. Once completed all visible worksheets were deleted. But when the file was subsequently uploaded to the WDTK website, it emerged a hidden worksheet remained containing personal details. This had gone unnoticed, despite quality assurance. More detail is available in the ICO Penalty Notice. In this case the evidence of the distress and harm caused by this data breach was evident. The ICO has published some of the comments from police officers affected, including: “How has this impacted on me? I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok. I have spent over £1000 installing modern CCTV and lighting around my home, because of the exposure.” In announcing the penalty fine, John Edwards, UK Information Commissioner said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe… Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.” What lessons can we learn? While this is a particularly serious case, the ICO says mistakes when disclosing information via spreadsheets are nothing new. Public Authorities in particular are being urged to make sure robust measures are in place to make sure personal information is kept safe and the risk of human error is reduced. The regulator has published a useful checklist for any disclosures made using Excel: ✔ Delete hidden columns, rows and worksheets that are not pertinent to the request ✔ Remove any linked data from pivot tables, charts and formula which are not part of the request ✔ Remove all personal data and special category data which is not necessary to provide to fulfil the request ✔ Remove any meta data ✔ Make sure the file size is as you’d expect for the volume of data being disclosed ✔ Convert files to CSV More information is available in an ICO Advisory Note Crucially, organisations need to make sure all staff involved in the disclosure process have been given appropriate training. It’s too easy to point the finger at individuals for making mistakes, when it’s often a lack of robust procedures, training and final ‘pre-send’ checks which are ultimately to blame.