The Isle of Man Data Protection Authority (DPA) has been investigating a healthcare board for violations of the GDPR. The Board had already received an enforcement notice following complaints about non-compliance with the GDPR, and was told it needed to provide an action plan, with quarterly updates, describing how it processes personal data.
Following the most recent investigation, the Board was found to have infringed:
- The principle of integrity and confidentiality
- Responsibility of the controller
- Security of processing
Despite the previous warning from the DPA, the Board continues to put patients' personal data and special category data at risk. In particular, it continues to send health data via insecure methods, both internally and externally. The methods used are so poor that the Board is aware of several data breaches in the past six months. Most seriously, in one case the unencrypted medical records of a patient were incorrectly sent to around 2200 people.
The DPA has ordered the Board to take the following actions within the next four months:
- Implement appropriate measures to prevent further data breaches
- Bring its processing activities into compliance
- Implement appropriate technical and organisational measures
- Communicate completion of these actions to the Commissioner
Within six weeks, the Board must communicate to the Commissioner details of the actions it is taking or intends to take.
Find out more about how Value Privacy can help your organization manage data.