
Bupa fined for systemic data protection failures

Published on 20 December 2018

What if an employee goes rogue with your personal data? Will you be able to show effective oversight measures including monitoring of employee access to databases?

The background

Between January and March 2017 an employee of Bupa’s Brighton office copied the personal information of 547,000 Bupa customers.  The stolen personal information included names, dates of birth, email addresses and nationalities.  The employee was able to access the personal information via Bupa’s customer relationship management system, from which he sent bulk data reports to his personal email account and subsequently uploaded the data to the dark web. 

Bupa was alerted to the breach by an external partner who spotted the data for sale; the employee was dismissed and a warrant for his arrest was issued.  Bupa and the ICO received 198 complaints about the data breach.

The decision

The ICO fined Bupa £175,000 for failing to have effective security measures to protect its customers’ information. 

After investigating the incident, the ICO discovered that Bupa did not routinely monitor the activity log of its customer relationship management system.  A defect in the system also meant that Bupa was unable to detect unusual activity taking place within the system, such as the bulk extractions of data carried out by the rogue employee.  The ICO’s investigation also discovered other systemic failures in Bupa’s technical and organisational measures which left 1.5m records at risk.  An ICO spokesman noted that Bupa provided ‘no satisfactory explanation’ for these systemic breaches. 

As the relevant data breaches occurred before the introduction of the GDPR, the ICO dealt with the incident under the provisions and penalties of the Data Protection Act 1998. 

Why is this important?

Whilst being determined under the provisions of the now-defunct Data Protection Act 1998, this decision highlights the ICO’s current proactivity in issuing fines for data breaches and suggests that the ICO will not hesitate to use its new, stronger powers under the GDPR and Data Protection Act 2018.

The fine also reinforces the need for companies to employ sufficient security measures and to strictly control, and monitor, access to any personal data they hold.  The ICO took particular issue with the fact that Bupa was unaware of the risk posed to its customers’ personal data, and that it offered no satisfactory explanation for the systemic inadequacies in its system.

Any practical tips?

Ensure that any system which holds, manages or processes personal information is regularly monitored and has mechanisms to detect any unusual activity concerning the data.  Restrict access to personal information to only those individuals who strictly need to process the data, and consider restricting the system’s ability to copy or extract any information.  This will help both to prevent future breaches and to demonstrate to the ICO that the company had effective security measures in place to protect personal information. It may well prevent a GDPR-level fine, and also lessen the (ever scarier) risk of a class action for distress caused by a data breach.
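As an added illustration of the monitoring these tips describe (example code, not material from Bupa, the ICO or this article): a small Python routine that reads a constructed CRM audit log and flags bulk exports, both a single oversized report and a user's rolling total over a week. The log format, field names and thresholds are assumptions chosen for the example.

```python
"""Flag bulk-export anomalies in a CRM audit log (added example).

The log format, user names, action names and thresholds below are
constructed for illustration and do not describe any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log lines: ISO timestamp, user, action, rows touched.
SAMPLE_LOG = """\
2017-01-09T09:12:03 j.smith view_record 1
2017-01-09T09:40:51 j.smith export_report 120
2017-01-10T08:05:17 a.jones export_report 95
2017-01-10T22:47:30 j.smith export_report 48000
2017-01-11T23:02:11 j.smith export_report 61000
2017-01-12T01:15:44 j.smith export_report 52000
"""


@dataclass
class Alert:
    user: str
    when: datetime
    rows: int
    reason: str


def parse_log(text):
    """Parse whitespace-separated log lines into (time, user, action, rows), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(rows)))
    events.sort(key=lambda e: e[0])
    return events


def detect_bulk_exports(events, per_export_limit=10_000,
                        window=timedelta(days=7), window_limit=100_000):
    """Raise an alert for any single export above per_export_limit, and for a
    user whose exports within the rolling window exceed window_limit in total."""
    alerts = []
    recent = defaultdict(list)  # user -> [(when, rows)] exports inside the window
    for when, user, action, rows in events:
        if action != "export_report":
            continue
        if rows > per_export_limit:
            alerts.append(Alert(user, when, rows, "single export exceeds limit"))
        recent[user] = [(t, r) for t, r in recent[user] if when - t <= window]
        recent[user].append((when, rows))
        total = sum(r for _, r in recent[user])
        if total > window_limit:
            alerts.append(Alert(user, when, total, "rolling export total exceeds limit"))
    return alerts
```

Running `detect_bulk_exports(parse_log(SAMPLE_LOG))` flags only j.smith: three oversized single exports, and the rolling total tripping on the second and third of them.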