Weekly podcast: NHS Digital, Typeform and ICO registration fine

This week, we discuss the unauthorised sharing of 150,000 patients’ confidential health data, the first ripples from the Typeform data breach, and a £4,500 fine for a company that didn’t register with the ICO.

Hello and welcome to the IT Governance podcast for Friday, 6 July. Here are this week’s stories.

NHS Digital has blamed a third-party coding error for a data breach in which the confidential health information of 150,000 patients was shared against their will.

Patients who registered what were known as type 2 opt-outs at GP surgeries that used TPP’s SystmOne software after 31 March 2015 nevertheless had their confidential health information shared by NHS Digital for use in clinical research because their objections to its being used for anything other than their own care were not passed on.

In a statement to parliament, the Parliamentary Under-Secretary of State for Health Jackie Doyle-Price MP said:

“TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients’ wishes on how their data is used are always respected and acted upon.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld.

“There is not, and has never been, any risk to patient care as a result of this error.”

The Information Commissioner’s Office and the National Data Guardian for Health and Care, Dame Fiona Caldicott, have been notified.

For more information about information security in the healthcare sector, please visit itgovernance.co.uk/healthcare.

The Barcelona-based web form and survey company Typeform has suffered a data breach, in which an unknown third party accessed a server and downloaded a backup containing client information from before 3 May. One client, Ocean Protocol, confirmed that the information was unencrypted.

Typeform identified the breach on 27 June and remedied its apparent cause half an hour later.

Numerous organisations have been affected, including the Tasmanian Electoral Commission in Australia, which warned voters who applied for express votes at recent elections that their “name, address, email and date of birth information” had been compromised; the online bank Monzo, about 20,000 of whose customers’ personal data was “likely to have been included in the breach”; the Piccadilly grocer Fortnum & Mason, 23,000 of whose customers’ personal data was compromised; and the frankly rather splendidly named Shavington-cum-Gresty Parish Council, which saw the information of 304 people who filled in its surveys affected.

Typeform has about 30,000 clients, so there are likely to be many, many more breach notifications to come. The number of those clients’ customers – that is, the number of individuals likely to be affected by the incident – is impossible to quantify at this stage, but is likely to be considerable.

Under the GDPR (General Data Protection Regulation), Typeform is a data processor and its clients – the companies on whose behalf it processes personal data – are data controllers. Data controllers must report security breaches to the ICO within 72 hours unless there is unlikely to be a risk to data subjects’ rights and freedoms. The Information Commissioner’s Office advises Typeform’s clients:

“If your organisation has been affected by the Typeform incident and you have enough information to establish that there may be a risk to your customers, you should report the breach to the ICO. If we need further information we will be in contact with you.

“You should consider how your customers may be affected by the breach. If you think there is a high risk to their rights and freedoms, you need to tell them about the breach without delay. You should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves.”

Talking of the GDPR and the Information Commissioner’s Office, as I’m prone to do, the ICO has fined a CCTV company – Noble Design and Build of Telford, Shropshire – £4,500 for failing to comply with an Information Notice and processing personal data without registering – a criminal offence under the old Data Protection Act. (It was prosecuted under the terms of the 1998 Act because of when the offence took place.)

Under the new Data Protection (Charges and Information) Regulations 2018, which came into force on 25 May this year (the same day as the GDPR), data controllers must still register with the ICO and pay a data protection fee each year, but it’s no longer a criminal offence not to.

However, the ICO does have the power to enforce the new regulations and serve monetary penalties of up to £4,350 on those that don’t pay their fees.

These fees range from £40 for micro organisations to £2,900 for large organisations. A public consultation on exemptions from paying charges is currently underway.

You can find more information about registering as a data controller on our blog.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.


  1. Chris Dockree 9th July 2018