Monthly Archives: November 2017

Data Protection/Privacy Enforcement: October 2017

Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.

Key Points

  • When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
  • When buying-in lists of contact details for the purpose of direct marketing, you are responsible for ensuring that there is valid consent in place, so carry out your own due diligence.
  • You are responsible for the direct marketing calls made by your agent, as you are the instigator of the calls.
  • If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.

Enforcement Action published by ICO in October 2017

Xerpla Limited

Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail.  The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.

Vanquis Bank Limited

Vanquis Bank Limited were served with a Monetary Penalty Notice [pdf] in the amount of £75,00 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.

The Lead Experts Limited

The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.

Prosecutions

A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998.  The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.  The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress.  The provisions in Section 13 have not been used as often as they might otherwise have; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test.  No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.”  The burden of proof falls on the controller or processor, and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors.  In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage, the data subject could elect to sue any one of them (or indeed, all of them).  Where the data subject elects to sue just one controller/processor who is responsible, that controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered.  Quite what “full and effective compensation” means is something that will be worked out as the courts grapple with the new provisions.  There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high.  For example, Sheriff Ross awarded each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7.  That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998).  In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privative jurisdiction of the Sheriff Court.  However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible that Article 82 claims will end up in the Court of Session, as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim, or if you would like advice and assistance with any other Information Law matter, we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

FOISA Vexatious decision notice appealed to Court of Session

Section 14 in both the Freedom of Information Act 2000 (“FOIA”) and the Freedom of Information (Scotland) Act 2002 (“FOISA”) enables an authority not to comply with a request for information that is vexatious.  What is meant by vexatious in Section 14 of FOIA has been the subject of litigation all the way to the Court of Appeal and the leading authority is Dransfield and another v The Information Commissioner and others [2015] EWCA Civ 454; [2015] 1 WLR 5316.  However, there has not yet been any litigation in Scotland on the meaning of vexatious within Section 14 of FOISA; the Scottish Information Commissioner’s guidance [pdf] on the subject appears to draw heavily on the Dransfield decision.

Those who make a point of reading the Scottish Information Commissioner’s regular round-ups of decisions will note that the most recent one informs us of an appeal to the Court of Session against a decision of the Scottish Information Commissioner which upheld the authority’s use of Section 14.  If the appeal proceeds, it will be the first time that the Scottish courts will have considered Section 14 of FOISA.

It will be interesting to see whether the Court of Session adopts the Dransfield position, or whether it takes a different approach to vexatious requests in Scotland.  If the Court of Session does publish an Opinion, we will of course cover it on this blog.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

More is less and less is more

On 30th October 2017 the First-Tier Tribunal (Information Rights) promulgated its decision in McGoldrick v The Information Commissioner; the Tribunal’s decision made two points which are worth considering.  The request for information in question was made to HM Treasury concerning the Mersey Tunnels; the full terms of the request for information are set out in the Tribunal’s decision.

The first point relates to the use of section 12 of the Freedom of Information Act 2000 where some of the information that may fall within the scope of the request is likely to be environmental information; and the second is on the duty of a public authority to provide advice and assistance.

On the first issue, the Tribunal (at paragraph 12) states that it

“agrees with the Information Commissioner that the appellant’s request could cover both non-environment and environmental information, for the purposes of regulation 2(1)(c) but that it would defeat the purpose behind section 12 and regulation 12(4)(d) if a public authority were obliged to collate the requested information in order to ascertain what information fell under either FOIA or the EIR. We agree, therefore, that HM Treasury was correct to consider the request under section 12, even though it might include some environmental information.”

The Tribunal considers that it is appropriate for an authority to not separately identify environmental information and deal with that under the Environmental Information Regulations 2004 where there is a substantial volume of information which covers both environmental and non-environmental information.  It seems that the Tribunal is of the view that there is no need to issue a refusal notice citing Regulation 12(4)(b) [the Tribunal refers to Regulation 12(4)(d), but this seems as though it may be a typographical error] where a request is going to exceed the appropriate limit and it is likely that there is going to be environmental information within the ambit of the request.

On the second issue, the Tribunal decided that, on the facts of the present case, HM Treasury did not comply with its obligation to provide adequate advice and assistance and overturned the Commissioner’s decision that it had.  In this case, HM Treasury told the requester that he might like to consider refining his request by reducing the amount of information requested.  The Commissioner considered that such a suggestion was sufficient in order to discharge the authority’s duty to provide advice and assistance.

At paragraph 18 of the Tribunal’s decision it stated:

“Given the widespread nature of computer-driven searches for information in connection with FOIA requests, it is, we consider, reasonable to expect large, sophisticated organisations, such as HM Treasury, to point out to requesters how the most thorough search is likely to exceed the relevant financial limit under the Regulations made by reference to section 12, and to suggest a reformulation of the request in terms specific to computerised searches. Accordingly, if HM Treasury had asked the appellant to reformulate his request by reference to emails and documents containing both the terms “Mersey tunnel” and “toll”, the appellant may well have reformulated his request.”

The Tribunal appears to be suggesting that a large public authority may have to go a bit further than a smaller authority in order to discharge its duty to provide advice and assistance.  It appears that, in certain cases, it may be necessary for a public authority not only to suggest that a requester reformulate their request but to go further and actually suggest ways in which it could be reformulated, especially when computer-driven searches for information are involved.

This certainly does fit with the way in which the legislation has been drafted; Section 12(1) of the Freedom of Information Act 2000 does include “so far as it would be reasonable to expect the authority to do so” within its terms.  So, where an authority is issuing a refusal notice under Section 12 of the Freedom of Information Act 2000, authorities, especially larger ones, ought to consider whether they are capable of suggesting how a request could be refined, not just that the requester may wish to consider refining it.

Alistair Sloan
