Learning points for GPs from the 2016 report from the Office of the Data Protection Commissioner?

10 July 2017

Q. Any learning points for GPs from the 2016 report from the Office of the Data Protection Commissioner?

The Annual Report of the Office of the Data Protection Commissioner always makes interesting reading. It is available from Data Protection.

Case study 16 discusses a primary school that suffered a data breach when it was hit by a ransomware attack. The subsequent investigation by the Office of the Data Protection Commissioner (ODPC) revealed multiple deficiencies:

The school took steps to mitigate the risks identified by implementing staff training, ensuring contracts were in place with ICT suppliers, ensuring they have appropriate data security and data backup, and ensuring the appropriate organisational measures are in place.

The benchmark for all data controllers will be raised when the EU General Data Protection Regulation (GDPR) comes into effect in May 2018. The ODPC has published a resource to assist data controllers to prepare for the regulations. This is available at GP and You.