Welcome to our quarterly Data and Privacy eBulletin in which we reflect on some of the key developments since May 2017.
Publication of the Data Protection Bill – GDPR and Brexit provisions
On 14 September 2017, the UK Data Protection Bill (the DPB) was published, intending to bring about a UK implementation of the GDPR. Our initial thoughts on the DPB are available here.
Brexit paper on data protection – the Government’s proposal for ‘adequacy plus’
The UK Government has published its ‘Brexit paper’ in relation to data protection and has proposed a kind of ‘adequacy plus’ for the UK when it leaves the EU. One of our partners, Jo Sanders, provides her views on the paper here.
Publication of guidelines on personal data breach notifications
The Article 29 Working Party has adopted guidelines on personal data breach notifications under the GDPR. For the first time for many member states, including the UK, the GDPR will introduce a mandatory obligation for all companies to report data breaches to the Information Commissioner’s Office unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The GDPR also creates the requirement, in certain cases, to report the breach to the affected individuals.
European Commission’s (EC) position paper on use of data and protection of information obtained or processed before Brexit
In brief, the position paper sets out the conditions for keeping and continuing to use data that is collected prior to withdrawal of the UK from the EU. It states that, to the extent that this personal data is covered by EU law, the EU laws that are in place at the time of withdrawal will continue to apply to this data, which will include data subjects’ rights and transfers to countries outside the EEA. Practically speaking, depending on how the Data Protection Bill and other Brexit legislation are finalised, businesses may have to deal with personal data under two sets of laws post-Brexit. The full position paper is available here.
Class action for data breach begins
The data breach lawsuit taken by former workers at Morrisons supermarkets began in the High Court. This is thought to be the first class action taken for a data breach in the UK.
The action has been brought by 5,500 current and former employees whose payroll details, including bank account details and salary, were released onto the internet by a disgruntled employee (he is currently serving an eight-year prison sentence for his role in the breach). The workers have taken the case against Morrisons for failing to prevent the data breach by adequately securing their personal data, leaving the employees open to identity theft and possible financial loss.
Monitoring employees in the workplace
The Article 29 Working Party (A29WP) has adopted an opinion on data processing at work in light of technological developments which have enabled more intrusive and pervasive ways of monitoring employees in, and outside of, the workplace.
The opinion reiterates previous guidance that employers must always have a legal ground (for example, a legitimate interest or legal obligation) for processing employees’ personal data. In particular, employers should ensure that the processing of employee data is necessary, fair, proportionate and transparent, and that a legal ground applies.
The opinion also provides some health warnings for employers who are using, or are considering using, technology to monitor their workforce and, in particular, gives guidance on monitoring social media profiles, using all-inclusive monitoring solutions, and the use of video monitoring and analytics.
Employers should ensure that their employees are aware of when and how their data is being processed and policies should be updated to take account of any new technologies being implemented. The opinion is a reminder for employers that the fact that an employee is using devices or technology owned by the employer does not negate their rights to private life under Article 8 of the European Convention.
In further developments in this area, the Grand Chamber of the European Court of Human Rights in Barbulescu v Romania held that the decision of a private company to monitor an employee’s electronic communications and access their contents interfered with his Article 8 right to privacy.
You can read more about this decision here.
Enforcement action: keeping your web-based platforms secure
Three separate monetary penalties imposed by the ICO are a timely reminder that adequate access restrictions need to be put in place in order to keep personal data stored on web-based platforms secure.
TalkTalk was fined £100,000 following the ICO’s finding that the company’s portal could be used by service providers engaged by TalkTalk to access, search and export personal data of TalkTalk customers for which there was no commercial need. Employees at one third-party service provider, which was engaged to resolve high-level complaints and network connectivity problems, unlawfully accessed the details of 21,000 customers. There were no restrictions in place to limit access to only those accounts which were having connectivity problems.
Islington council was fined £70,000 after it emerged that members of the public could access the personal data of individuals who had lodged parking ticket appeals by manipulating the URL of the council’s website.
Nottinghamshire county council was also fined £70,000 following the discovery that the council’s home care allocation system could be accessed via an internet search engine and personal details of individuals using the home care services could be obtained.
LAD Media v Information Commissioner: first-tier tribunal reduces ICO monetary penalty
LAD Media appealed against the ICO’s decision to impose a monetary penalty of £50,000 for sending 393,872 direct marketing text messages without the necessary consent of the recipients.
The first-tier tribunal (information rights) upheld the decision, agreeing with the ICO that LAD Media did not have the necessary consents and had seriously contravened the Privacy and Electronic Communications Regulations 2003.
However, the tribunal determined that the fine imposed by the ICO was too high and reduced it to £20,000. In deciding to reduce the fine, the tribunal took into account the size of the company, the fact that it was the company’s first direct marketing campaign and that profits generated through the campaign were minimal.
The tribunal noted that, although there is no binding guidance to assist with determining monetary penalties, the following factors should be taken into account:
- The circumstances of the contravention.
- The seriousness of that contravention, as assessed by the harm, either caused or likely to be caused, as a result; whether the contravention was deliberate or negligent; and the culpability of the person or organisation concerned, including an assessment of any steps taken to avoid the contravention.
- Whether the recipient of the fine is an individual or an organisation, including its size and sector.
- The financial circumstances of the recipient of the fine, including the impact of any monetary penalty.
- Any steps taken to avoid further contravention(s).
- Any redress offered to those affected.
Companies can use customers’ personal data to defend their reputation
A new ruling from the ICO – on a headline story involving Jeremy Corbyn – has indicated that it is legitimate for a company to publish a customer’s personal data to combat negative publicity which has been generated by that same individual.
The dispute, which hit headlines last year, involved Jeremy Corbyn claiming no seats were available on a ‘ram-packed’ train.
However, the train company released CCTV footage and a photograph, which revealed the contrary.
In this case, it was held to be lawful to publish the material relating to Mr Corbyn, which amounts to his personal data, where it corrected a misleading account he had given that had potentially caused damage to the business’s reputation.
This is a situation often faced by retailers and others, where a complainant has made exaggerated or misleading claims which result in adverse publicity. There has been a fear that it is not possible to counter those false claims because of the need to disclose some of the complainant’s personal data, but this decision confirms that it is acceptable to do so provided that it is done responsibly.
However, care must be taken not to disclose the personal data of any other person. This might be especially difficult where personal data is mixed and relates to several customers, or as in the case of Mr Corbyn, it involved footage and a photograph of numerous people. If that is the case, the personal data of those third parties should be concealed.
We will be attending the IAPP Congress in Brussels on 8-9 November. If you will be attending and would like to use the occasion to meet, please contact Jo Sanders.
Are you ready for the GDPR?
There is still time to prepare for the General Data Protection Regulation coming into force on 25 May 2018. If you require assistance please contact one of our data protection experts listed on the right.
In early 2018, we will be running training sessions for Data Protection Officers on their GDPR obligations. Please contact us for further information.