So today we have the news that a top plastic surgery outfit has been breached by hackers. Included in the haul: before and after pictures of celebrities’ improved nether regions. Never thought I’d be able to include labiaplasty as a keyword in this blog. Hard to think of anything more intrusive by way of data breach, though.
Well, so what, another day, another breach. You might expect a medical practice with pictures of patients’ anatomies to be a really hard target, but hell – at least the hackers won’t be able to circulate the pics on Twitter any more. So that’s alright, then.
The ICO is – rightly – already involved (and, from their tone, grumpy), but from next May it’ll all be much more exciting. You knew this bit was coming, didn’t you? Yes, it’s another GDPR blog.
[TL;DR – take extra care if you have medical, ethnic, sexual, political or biometric data on your systems. Make sure your consents or justifications are solid, your hosting is secure, your data is encrypted and your users’ privileges limited]
Here’s the key text:
9. Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes [member state can restrict further]
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law [member state law applies too]
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest [member state legal restrictions];
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services [member state law applies or medical professional]
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices [member state legal restrictions]
Those are my highlights, and my redactions for “ease” of reading.
Obviously LBPS had the consent of the data subjects, and a 9.1(h) exception for provision of medical care. Apparently labiaplasty can be an occupational requirement for some professional pornstars, horse-riders and cyclists; presumably the equivalent justification for operations on the male anatomy is mostly vanity.
Whether it had explicit consent, or any other justification, to retain those images (and whatever other data was taken) is a more interesting question – effective retention policies, and their conjoined twin of effective data destruction procedures, are an absolutely critical element of effective GDPR compliance.
Much more importantly, were LBPS really in compliance with their duties under articles 24, 25 and 32, especially for special categories of data? I won’t list them all out in full, but the key bits are:
24. Responsibility of the controller
the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
25. Data protection by design and by default
the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
32. Security of processing
1. […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
So, after 930-odd words (most of them not mine) – what does this mean for you?
If you have Article 9 data – like ethnicity, religious affiliation or sexual orientation – which you might be collecting for an Article 9.1(b) reason like Equality Act compliance as an employer, or as part of an anti-bullying strategy, or to help with your diversity policy, and you don’t secure it properly, and it breaches, your world will fall in.
If LBPS are found not to have taken sufficient care over their cyber security, even though GDPR and therefore Article 32 is not yet in force, I predict that the ICO will be very very unhappy.
Next year, for this kind of breach, that means €20m of very very unhappy.