Liability for patient data breach in the Healthcare sector
In this article, Paul Hardman considers liability for a patient data breach in the Healthcare sector.
Contract, tort and data protection legislation
A data breach gives rise to legal repercussions in three ways: breach of contract, tort (that is to say a breach of a duty of care) and liability under data protection legislation, principally the General Data Protection Regulation 2016/679 (GDPR). Different considerations apply to each. This article is mainly concerned with contractual breach and how that can be addressed in the contract terms. You will find further information on GDPR breach in the article GDPR – understanding personal data in the healthcare sector by my colleague, Stanley Lees.
What is a patient data breach?
Many businesses will have a data protection officer or manager responsible for data security and will recognise a data breach when they see it. However, it is worth remembering that under GDPR a personal data breach occurs whenever any personal data is lost, destroyed, corrupted or disclosed but also if someone accesses data or passes it on without authorisation and even in circumstances where data is made temporarily unavailable. A ‘personal data breach’ is defined in the GDPR as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
Cause and responsibility
Legal liability follows culpability, and establishing culpability in turn requires two things to be established: the cause of the breach and the party responsible for ensuring that the breach did not happen.
Data breaches happen in as many ways as can be imagined. Recently, classified Ministry of Defence documents were found at a bus stop in Kent, and British Airways settled a legal claim by about 420,000 people affected by a data breach which resulted from a cyberattack. But they can also easily occur through simple daily tasks, such as sending a message which includes someone else’s personal details to the wrong email address. They can be caused by someone outside an organisation, such as a hacker, for whom neither party to the contract has direct responsibility; by someone inside an organisation, including directors, staff, consultants, self-employed contractors and agents; or by someone to whom responsibility for data processing has been outsourced.
Key contract terms
Contract terms will hopefully provide guidance as to legal liability in the situation you are faced with. Key points to look out for in contracts between organisations buying in IT solutions (‘customers’) and software service and programme providers (‘software providers’) are:
- Liability for employees and agents: businesses are generally liable for the wrongs of their employees under the principles of vicarious liability and also for the wrongs of their agents. The contract will reinforce these general principles in express terms by stating that each party is responsible for acts and omissions of their employees and agents.
- Liability for sub-contractors: typically, contracts will not allow sub-contracting or outsourcing and if that is the case, permission to use sub-contractors or third-party outsourcers will have to be negotiated. The terms of that permission will require that the party is responsible for acts and omissions of their sub-contractors or third-party outsourcers. Care should be taken with the terms of sub-contracting or outsourcing for instance to include an indemnity from the sub-contractor or third-party outsourcer in favour of the contracting/outsourcing party.
- Compliance with data protection laws: a key principle will be to establish which of the parties to the contract is the ‘data controller’ and which the ‘data processor’, or whether the parties are joint controllers. The data controller will be responsible for ensuring that data subject consent to ‘processing’ has been given (and that such consent is adequate). Other clauses will follow the requirements of the GDPR and will depend on what data is being processed, where the processing takes place and whether ‘sub-processors’ are going to be used. The controller is responsible for reporting breaches to the Information Commissioner’s Office (the ICO); the data processor is responsible for reporting breaches to the data controller. These obligations will be reinforced by the contract, which will require each party to comply with the data protection laws such that a breach of those laws will also be a breach of contract.
- Confidentiality: the database of users including personal details such as email contact addresses will be part of the body of confidential information of the customer and the customer will therefore hold the software provider liable for any data breach which amounts to an unauthorised or unpermitted disclosure. If the software provider is considering using sub-contractors or outsourcing it will need to make sure that disclosure is permitted for that purpose.
A software programme provider will expect its customer to take responsibility for use of the programme, and that includes liability for personal data entered by the customer or its authorised users. In the contract this is dealt with as an indemnity for use by the customer, but a blanket indemnity fails to recognise that the fault for a data breach may lie with the software programme provider, for instance in the architecture of the programme. In these circumstances the liability of the customer should be restricted to ‘improper use’ of the programme. Improper use is a wide term that will need discussion but could, for instance, include:
- any improper use, misuse or unauthorised alteration of the programme by the customer;
- any use of the programme by the customer in a manner inconsistent with the then-current user and contract documentation, including failure to follow user instructions;
- the use by the customer of any hardware or software not provided or approved by the software provider for use by the customer in connection with the programme; or
- the use of a non-current version or release of the programme.
Limitation of liabilities
The contract will limit the liability of the software provider, taking a layered approach. The first layer will be to strip out all statutory liabilities that can legally be removed; the second will remove various items of indirect or consequential loss; and whatever is left will then be limited to an agreed amount, for instance linked to the insurance cover or set by a formula such as a multiple of the fees payable under the contract. This will cover claims between the parties, typically by the customer against the software provider, both for breach of contract and in tort, but it will not absolve the parties of any liability that may arise to third parties such as end users, nor of fines that may be imposed by the ICO.
The limitation of liability provisions will give the software provider assurance that in most instances any claim by the customer will not be fatal to its business.
The customer may also want the benefit of liability limitations and may suggest that a mirror version of the software provider’s provisions would be appropriate. This should be resisted at least to the extent that it would limit the liability of the customer to pay for the services.
Both parties should take careful note of any assurances that are given in the form of ‘indemnities’ as claims under indemnities tend not to be limited. The indemnities will typically include claims relating to use of personal data and ownership of intellectual property in the software programme.
The software provider should make sure that it has adequate insurance to cover any claim that may arise, in an amount that is appropriate to the contract. Cyber liability insurance will cover data protection claims, unintentional breach of the GDPR and computer viruses. In addition, if the software provider is supplying advisory services it will need professional indemnity insurance as well as public and employer’s liability cover.
The GDPR has made it a necessity for parties to go into negotiations prepared and aware of the consequences of data breaches, in particular the ability to recover damages from the wrongful party, compensation from the tortfeasor and claims against insurers. Limiting financial liability must be weighed against the consequences of breach, the party best placed to assume the onus of responsibility and, of course, the resources and negotiating positions of the parties: it is not an area that can be ignored until an issue arises. Equally, it is not possible simply to pass liability to the other party under the contract in all circumstances: a balanced approach based on the terms of the GDPR must be taken.
Specialist legal advice for the healthcare sector
If you would like further guidance in relation to patient data in the healthcare sector, our team of specialist legal advisors can help. Please get in touch by calling 0117 906 9400 or email firstname.lastname@example.org