Sometimes, the biggest privacy and security weaknesses are human. Nowhere was that more obvious than this week, when the ICO fined a TV production company £120,000 for infringing on patient privacy at a hospital.
London-based True Visions Productions (TVP) set up CCTV-style cameras and microphones at Addenbrooke’s Hospital in Cambridge while filming a documentary about stillbirths, according to the Information Commissioner’s Office.
The company asked the hospital trust for permission to be on site, but the ICO ruled that it didn’t do a good job of telling the most important people of all: the patients. The walk-in clinic it was filming in is for patients who have concerns about their pregnancies, making them a highly sensitive and vulnerable group.
There were “limited notices” posted around the room, but they didn’t properly explain the situation to patients, and one letter left on a table for patients incorrectly said that mothers and visitors would not be filmed without permission, the ICO said.
ICO director of investigations Steve Eckersley came down hard on the company.
“Patients would not have expected to have been filmed in this situation, and many will have been very distressed when they learned such a private and potentially traumatic moment had been recorded,” he said. “The recorded footage would have included the sensitive personal data of patients who could already be suffering anxiety and stress.”
TVP is reportedly unhappy with the decision and considering an appeal, but the case is a good example of how proper training in good privacy practices and clear communication can avoid problems that snowball later.
These are human issues, not technical ones. Human factors like these will be a focal point at the Infosecurity Europe 2019 conference. Talks will cover topics including engaging employees to drive secure behaviour by building a brand around infosecurity, and applying behavioural science to security awareness. Attendees will also get to hear about how they can enforce cybersecurity awareness across people with different personality traits to ensure that everyone follows the rules.
The TVP fine isn’t the only case in which questions over filming permissions have led to heavy penalties. In the US, September 2018 saw the Department of Health and Human Services Office for Civil Rights settle with three hospitals for compromising patient privacy. They invited film crews on premises to film for a documentary series without getting patient consent. Payouts totalled $999,000.
The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Governance, Risk and Compliance here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.