IBTS faces massive costs if personal data is leaked

PROFESSOR ROBERT CLARK

February 20 2008 04:48 AM

THE Irish Blood Transfusion Service (IBTS) seemed to be aware of its responsibilities when it comes to protecting the data of the thousands of selfless donors who give their time and blood to help save the lives of others.

It seems from their statement that they were aware that personal data transfers to countries outside the European Economic Area (EEA) must meet either contractual standards set by the European Commission or be exempt from pre-clearance rules.

A contract appears to have been agreed and the personal data was encrypted to a highish standard of security -- factors stressed in the IBTS statement.

However, one wonders why it was necessary to effectively upgrade the software by reference to so many files that were apparently 'live' files.

Indeed, the fact that the laptop was stolen from someone who was not a IBTS employee and was on their way home suggests that appropriate security steps may not have been in place.

They now have some questions to answer. Not just to blood donors but also to the Data Commissioner.

Why leave the data on the hard drive or leave the CD in the laptop as the case may be?

Was this employee following security rules set out either in the contract or his employment contract?

Although already serious, if the information is decrypted and leaked, the situation for the IBTS is much worse.

Should any loss be shown, these European Commission standard contracts allow data subjects -- the people whose data has been leaked -- to sue as they, as well as the IBTS, were parties to the contract.

This means that if the private health data is made publicly available -- for example, it could be posted on the internet -- those named could allege they have suffered a financial loss or a loss or reputation as a result of their health condition being made public. In such a case, a court could award damages.

The most important rule in data protection is probably the one that requires personal data to be kept secure.

The level of security needed depends in the main on the sensitivity of the data and the level of the threat, and the security measures in place may be physical (locks) or technological (firewalls, encryption).

The Data Protection Commissioner has consistently pressed for medical data to be rendered anonymous, where possible, as in this state medical records are not 'personal data' because no living individual can be identified from this data. This appears not to have been done and it might be pertinent to ask if the use of the medical records in their identity-sensitive format was essential for 'trialling' the new software application.

While the medical profession is given a degree of latitude when medical files are used for 'medical purposes' such as research, the testing of new software is clearly not one of them. So let us hope the encryption protecting the personal data is not broken as this might be expensive as well as embarrassing for IBTS.

Professor Robert Clark is a member of the Internet Advisory Board and is the author of 'Data Protection Law in Ireland'