ICO issues £25,000 fine for sensitive data breach

On 8 July the Information Commissioner’s Office (ICO) fined a transgender charity £25,000 after emails containing personal data — including special category data — were made publicly available. Given the increasing need to collect special category data, this decision has helpful takeaways for the production industry.

POP's guide to becoming a casting agent

What happened?

In 2016 the charity’s CEO created an internal email group for trustees. The CEO failed to apply the appropriate security settings to the group, which resulted in more than 700 pages of confidential emails being viewable online for nearly three years.

These publicly searchable emails included the personal data (eg, names, email addresses and job titles) of 550 people, as well as special category data concerning 15 people.

What is special category data?

The UK GDPR defines special category data’ as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

The sensitive nature of this data means that a breach may cause significant damage or distress to the data subjects, which will likely be taken into account in any ICO penalty decision.

What does this mean for production companies?

The collection of special category data is now common in the production industry. Diversity requirements for funding and awards — as well as a push for a more inclusive industry — mean that production companies are collecting special category data concerning disability, gender identification, race, religion, ethnicity and sexual orientation, among other things. Further, health-related data collected to prove compliance with COVID-19 requirements is special category data. This includes vaccination status data, the collection of which may become more common as lockdown restrictions ease.

As data controllers, production companies must implement appropriate technical or organisational processes to ensure that personal data across their shows is processed securely. In this case, the ICO found that the charity should have restricted access to the internal email group and considered an extra layer of protection, such as pseudonymising or encrypting personal data.

The ICO also found that the charity was negligent in its approach to data protection as it didn’t update its data protection policies when the GDPR took effect or introduce safeguards to protect the sensitive data that it held. This shows the importance of having robust compliance processes in place.

As well as robust processes, organisational oversight is key. The charity hadn’t used the email group in question since 2017, but the emails stayed online until 2019. Ensuring that all of your data from all of your past and future productions is GDPR compliant can give you peace of mind even after a production has wrapped.

This latest fine follows news that British Airways has settled a class action with thousands of customers following its 2018 data breach. While the amount of the settlement remains unknown, it may encourage other victims of data breaches to pursue class actions to obtain compensation for damages.

To find out more about how POP’s tech can help you to keep your data secure, get in touch at hello@wegotpop.com.

Want to hear from us via our newsletter?

Sign up here