On 23rd October, Derby News published an article which exposed the fact that Boots had chosen not to communicate with 47 of its customers over the loss of their sensitive and personal data. Yesterday, a more sanitised version appeared in the Derby Telegraph. Boots were so concerned by the Derby News article that they threatened legal action.
The Telegraph article includes many statements that don’t stand up to much examination:
- “Boots has confirmed that it was obliged to report the incident to the Information Commissioner’s Office (ICO)”
  - NOT TRUE – an organisation only needs to report a breach where, in its opinion, there is a likelihood of a risk to people’s rights and freedoms.
  - To quote the ICO website:
    - “What breaches do we need to notify the ICO about? When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.”
  - An option exists NOT to report if the risk is considered unlikely.
  - Boots reported it, therefore they must have considered it to be a sufficiently high risk.
  - This principle of reporting has been confirmed, in detail, directly with the ICO, by Derby News.
- Boots maintain that the documents were either “misfiled, or shredded… but we have no evidence to suggest that they ever left the premises”
  - There is no evidence to suggest that they remain on the premises… otherwise they wouldn’t be deemed lost.
  - If they were sure that they never left the premises (and the Chaddesden branch is small), then there would be no need to report it to the ICO. But they did!
  - In my conversations with Boots they confirmed that they did not know the whereabouts of the documents, and still don’t after 2 months. There is a likelihood that they left the premises.
- The Derby Telegraph state that “The ICO classified the situation as ‘low risk’”
  - NOT TRUE – it is the responsibility of the reporting organisation to assess the risk. By reporting it, Boots by definition classified it as not low risk.
  - The ICO has not responded to Boots. They are 3 months behind with their formal replies to reports. Boots stated in writing to Derby News:
    - “We confirm that we have received no formal response from the ICO following our report to date.”
  - Boots believe that a non-response means it is classified as low risk – this also is NOT TRUE (this has been confirmed directly with the ICO).
- A spokesman for the firm said “this did not affect customers or the way they received their medication”
  - TRUE – the prescription dispensing tokens can be printed off again, so the customer is none the wiser and will still get their medication. They can’t be used by anyone else.
  - NOT TRUE – an uncontrolled release of sensitive personal data is of importance to the customer, and the rules state that the customer should be told.
- Boots are “waiting for their (ICO) guidance on any next steps in the review process”
  - NOT TRUE – I have spoken with the Data Breaches team in the ICO and they confirm that, in such circumstances of a loss of sensitive data, action should be taken in line with their legal duty. The process does not state that the reporting organisation “waits to be told what to do”. When the ICO reviews the report, they may either confirm that the actions taken were acceptable or may advise additional tasks.
Why is this important?
There is a risk that it could affect customers.
The most recent data protection law, the General Data Protection Regulation (GDPR), which came into force in May 2018, exists to protect individuals – their rights and freedoms. A prescription token includes full details of:
- NHS number
- GP surgery
Healthcare data is deemed sensitive data by the GDPR and is subject to more stringent controls.
At a simple level:
- Boots lost customers’ sensitive data.
- They should have informed the customers – they didn’t. That was their choice. This is still subject to ICO scrutiny, and the ICO will decide if Boots have failed in their legal duty.
- It would seem that Boots is trying to “reverse engineer” a case that the breach was low risk and that no customer communication was necessary. This is borne out by the inconsistent and illogical arguments presented.
- Boots focus on the impact on the provision of medication, which is NOT the issue; the issue is lost sensitive data about individuals.
In a world where everyone is now particularly concerned about who holds what data about them, about the risk of identity fraud and about the scams that follow, it is right that individuals take control of their personal data. Where organisations hold personal data for legitimate reasons, they have a legal duty to protect it diligently. If they lose it, the individual should be told. Boots felt that this was not necessary!
Boots are clearly airbrushing the facts to make them sound more palatable, and they are playing on a general ignorance of the Data Protection regulations to imply that they are being controlled by the ICO and are waiting for its direction.
Within 24 hours of publishing my article they were threatening me with legal action, suggesting detailed edits to wording – much of it not a question of fact [Note: the only specific fact I altered was the number of prescriptions lost] but to make it sound more favourable to Boots. A day later they offered this version, which the Derby Telegraph published on page 21 with little evident fact checking.
Why did they not publish this “reassurance” at the end of August when the documents were lost?
What are Boots concerned about and what are they hiding?