Conclusion of Investigation in relation to the theft of Irish Blood Transfusion Service personal data on a laptop in New York
The Office of the Data Protection Commissioner has now completed its investigation in relation to the circumstances surrounding the theft of a laptop in New York from an employee of the New York Blood Center Inc (NYBC) which contained personal data in the control of the Irish Blood Transfusion Service.
The following conclusions have been reached:
- The NYBC was selected following a public tender process to provide a data extraction tool required by the IBTS for their electronic records system, Progesa. The NYBC have proven experience in developing an appropriate query tool for the system. It is this tool that NYBC agreed to adapt for the IBTS systems and, subsequently, to maintain (thus creating an on-going relationship).
- The personal data provided in CD form to the NYBC was contained in transaction log files from usage of the Progesa electronic records system from 2nd July to 11th October 2007. The relevant data contains donor / patient names, addresses, email addresses and/or mobile phone numbers where such were provided. The log files also contain numeric codes for other kinds of information such as that relating to attendance at the IBTS or blood test results performed by the IBTS either for its own purposes or on behalf of certain health institutions. Importantly, the key for these codes was not on the stolen laptop or on the disks given to the NYBC for the performance of its functions.
- An appropriate contract utilising the EU model contract clauses is in place providing for the transfer of the personal data in question to the NYBC in the US. This contract specifically envisages access to the personal data in question taking place on a laptop with appropriate encryption in place. Accordingly, the actual arrangements for the transfer of the personal data to the US do not give rise to any data protection concerns.
- It is not possible to isolate individual fields in the log files, so it would have been difficult if not impossible to have anonymised the files prior to their supply to the NYBC. Accordingly, the amount of personal data supplied to the NYBC for the performance of the contract entered into is not considered excessive in the circumstances.
- The security protocols used to protect the data when loaded onto the laptop were appropriate to the potential harm that might result from inappropriate access to the personal data in question. We are satisfied, based on the information provided, that the key to the encryption software used on the laptop was not stored anywhere on the laptop or elsewhere.
On the above basis, the conclusion reached is that the transfer of the personal data in question to the NYBC in the US did not constitute a breach of the Data Protection Acts. Furthermore, this Office is satisfied that all appropriate procedures to ensure compliance with the requirements of the Data Protection Acts were put in place by the IBTS for the processing of the personal data in question by the NYBC.
Finally, it is the conclusion of this Office that the encryption in place on the laptop was sufficient to ensure that there is only the remotest of possibilities of access taking place to the personal data in question. Even in such an eventuality the personal data in question does not contain any sensitive information in relation to any of the identifiable persons.
27th February, 2008.