HSC took 52 days to notify data officers of a high-risk personal data breach it had become aware of involving three individuals, breaching the legal notification period by over a month.
The States department took even longer to notify two of the data subjects, only notifying them 62 days after becoming aware of the leak, which happened in December 2023.
The data contained details of substance misuse, and HSC identified the risk to the individuals’ significant interests as being high.
Health had argued that some elements of the breach were in dispute and that it was carrying out internal investigations into the matter, which resulted in delay, but the regulator said the length of the delay was unjustifiable.
“HSC explained that it had needed to take steps to verify the accuracy of contact details it held for two of these individuals, prior to sending written notification. While this was a reasonable step to take, HSC failed to do this in a timely manner,” the Office of the Data Protection Authority said in a public statement.
“The requirement to notify individuals where a personal data breach is deemed likely to result in a high risk to significant interests allows individuals to understand what has happened to their personal data and to take any precaution that they consider necessary to protect their interests.
“The failure to notify individuals as soon as practicable meant that there was a protracted period where these individuals were unable to take any steps to protect their significant interests.”
The ODPA has issued a formal reprimand to HSC. This is the fifth time a public statement has been made about a States health breach, and the first time for this service area.