The British Pregnancy Advisory Service has just received a Civil Monetary Penalty of £200,000 for breaching the seventh principle of the Data Protection Act. A hacker, intent on vandalising the BPAS website, discovered a vulnerability in its coding. The details of thousands of women who had requested a call back about BPAS’ various abortion and contraception services were stored on the site, and the hacker was able to steal them.
The hacker, James Jeffery, threatened to reveal the names of the individuals, and has subsequently been convicted for offences under the Computer Misuse Act. There is no question that Jeffery’s threats to invade the privacy of innocent women were disgraceful, and he has rightly been punished. BPAS has announced that it intends to challenge the ICO’s CMP, and I don’t argue with that. The Information Commissioner’s recent interview with the Independent suggests that he doesn’t properly understand how his powers work, and the loss of the Scottish Borders CMP appeal (a CMP I don’t believe should ever have been issued) suggests he is not alone. The ICO’s use of its CMP powers is disproportionately focused on security and the public sector. The absence of an enforcement strategy for inaccuracy, which can be at least as harmful as poor security, is a disgrace.
However, whatever you think of the narrow issues of the size and nature of the BPAS CMP, the organisation’s approach to the case is a matter of real concern. I’ve written in the past about the annoying habit of data controllers to claim, in the face of some obvious and avoidable cock-up, that they take data protection very seriously when all of the evidence suggests that they don’t. Inevitably, BPAS joined in: “bpas takes any data breach immensely seriously and we were appalled that any information we hold had been compromised“.
Jeffery’s criminal actions are not a shield for BPAS’ failings. I agree with the ICO’s characterisation of them as ‘unforgivable‘. As the ICO CMP notice explains – and BPAS does not dispute – BPAS did not even know that a copy of all requests for a callback was retained on their website, making a series of assumptions about the way their website worked without actually finding out. In retaining callback requests for many years, BPAS breached the fifth data protection principle by keeping information for longer than they needed it. By storing sensitive (in the dictionary sense of the word) personal data insecurely, they breached the seventh principle, which requires organisations to take appropriate technical steps to prevent both ‘unauthorised’ and ‘unlawful’ processing. This means that data controllers have to try to prevent criminal breaches as well as accidents and cock-ups – the greater the risk of a criminal attack, the stronger the security needs to be.
Every organisation is potentially at risk from a hacker and so needs basic steps. BPAS routinely handle medical information, and describe themselves as the UK’s leading abortion provider. The likelihood of BPAS being hacked is much greater than it would be for other organisations, and the consequences for their clients of data being hacked are more damaging. What security is ‘appropriate’ for BPAS is much greater than the norm, and yet their approach had all the competence and planning of a parish council. They deserve to be criticised and perhaps punished, as they have betrayed the trust of every woman who has contacted them. Whatever your view of abortion rights, women should be able to contact an abortion provider in complete confidence. For several years, BPAS has failed to deliver on this. Jeffery was only able to access the data because BPAS left it there.
In the light of this, BPAS’ public approach to the CMP causes me great concern. Most of the statement on their website is about Jeffery’s actions, trying to create the impression that the fault is largely with him. A quote from the Chief Executive, Ann Furedi, makes this explicit. She says: “bpas was a victim of a serious crime by someone opposed to what we do“. BPAS is not the victim here; the victims of Jeffery’s actions were the people who contacted the organisation. BPAS is at pains to play down the significance of the information that was stolen: “These were not personal medical records of women who had undergone treatment at bpas and such records were never at risk“. Given that the BPAS website makes it clear that their main activity is abortion, were the records to be revealed (something made possible because of BPAS’ poor security), they would have been data about women who were likely to be seeking an abortion. No amount of sophistry can reduce the sensitivity of this information. As the ICO points out: “Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker“. It isn’t good enough for BPAS to claim that the risk to these women was entirely down to Jeffery; they put their clients in this position, especially given that hacking and criminal attack is regrettably but obviously part of the landscape in which they work. A statement made in 2012 at the time of the incident was even worse, as it claimed “the confidentiality of women receiving treatment was never in danger“, neglecting to say that the confidentiality of many women who contacted them possibly seeking treatment was unprotected.
Behind the scenes, BPAS may well be putting their house in order diligently and enthusiastically. Their public statements paint the organisation as a victim, but they are also guilty of significant failings and it may be that they realise that and simply don’t want to admit it publicly. It doesn’t give me confidence that they’re going to improve security and a more transparent admission of what went wrong would be better. The worst thing about their attempt to manage the bad news and spin their way out of the headlines however, has nothing to do with security or their position or the ICO fine. In none of the BPAS’ public statements, or the interviews I have heard Furedi give is there an apology to the women. They see the ICO’s actions as “appalling” and are horrified by what has happened to them, but for the women, there isn’t even regret.
Everyone thinks Data Protection is about computers and policies and dry, tedious sections of the law. It’s not. Data Protection is about people. It is about protecting their data, communicating with them, and it’s about the actions of people who handle data. It’s a uniquely human topic. The important issue here is not BPAS’ reputation. It is the protection of the identities of the people who BPAS exist to serve. BPAS let them down and should apologise to them now.