Monthly Archives: June 2018

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way.  The case concerns three members of a family TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLU is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also jointed by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application fro asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidently published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain the private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented is obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Data Protection/Privacy Enforcement: May 2018

May saw the long awaited General Data Protection Regulation coming into force, but it will be a while yet before we begin to see regulatory enforcement action taken under the GDPR and the associated Data Protection Act 2018 being taken. In May there was, as is normal, a steady stream of enforcement action against data controllers published by the Information Commissioner’s Office. It is once again time to take our monthly look at what breaches the Commissioner has taken enforcement action in relation to and what data controllers and their staff can learn from it.

Key Points

  • This is a frequent message of these monthly reviews, but it is important to ensure that you screen telephone numbers you are intending to call as part of a marketing campaign against the list maintained by the Telephone Preference Service. If you have, and can demonstrate that you have, consent to do so; you can call a number that is listed with the Telephone Preference Service.
  • When undertaking direct marketing by telephone you must identify the caller; if you are making the call on behalf of a third party then you must also identify the third party. It is not permissible to hide, obscure or refuse to provide the identity of the caller or their principal.
  • If you are obtaining personal data from a third party organisation for the purposes of direct marketing, you should ensure that you conduct your own due diligence checks to ensure that the appropriate consents are in fact in place.
  • When drafting privacy notices, when setting out to who you will be passing personal data onto for the purposes of direct marketing you need to be fairly specific. It is not sufficient to simply put “selected partners” or phrases that are similarly generic.
  • When sending personal data or sensitive personal data, even to other sites within your own company, it is important to ensure that you have in place adequate technical and organisational measures. Encrypting CDs and memory sticks is easy and cheap to do and therefore should be done whenever sending personal data outside the organisation on such media.
  • You should ensure that when updating the security of your websites and servers that you look at all aspects of your website and severs, including microsites and sub-domains, to ensure that you are taking appropriate precautions to secure the websites and servers.
  • When storing personal data offsite you should ensure that you take steps to keep that personal data safe and secure; off-site storage may not be visited as regularly by staff as your on-site storage and so this should be taken into consideration. When vacating a premises it is important to ensure that you systematically check the premises to ensure that all personal data has been removed from the site – you should be able to evidence your plan and that it was followed.
  • If you’re processing personal data within the European Union which concerns a data subject resident oustide of the European Union then you may be required to comply with a subject access request received from teh data subject.

Enforcement action published in May 2018

IAG Nationwide Limited
IAG Nationwide Limited was served with both an Enforcement Notice [pdf] and a Monetary Penalty Notice in the amount of £100,000. [pdf] IAG Nationwide Limited is an advertising/marketing agency. IAG Nationwide Limited made telephone calls to numbers which were listed with the Telephone Preference Service (TPS) and continued to make such calls even after complaints had been raised with the TPS.  This was a contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). IAG Nationwide Limited also failed to properly identify itself to those who it called which was a contravention of Regulation 24 of PECR. Indeed, when the Commissioner’s staff contacted the company by telephone they refused to provide its address and only provided an E-mail address which was unregistered and available for sale.

Costelloe and Kelly Limited
Costelloe and Kelly Limited were served a Monetary Penalty Notice in the amount of £19,000 [pdf] after it undertook a direct marketing campaign by text message in a way that contravened Regulation 22 of PECR. The company instigated the transmission of approximately 283,500 test messages promoting products without having in place proper consent to do so. The company had relied upon a list supplied to it by a data provider which said that it had obtained consent for the purposes of direct marketing by text messages. Cotselloe and Kelly Limited conducted little or no due diligence itself to ensure appropriate consent. The consent obtained by its data provider was insufficient as it referred only to providing details to its “partners” and other generic descriptions when getting people to “opt-in”.

SCL Elections Limited
SCL Elections Limited was served with an Enforcement Notice requiring it to comply with a Subject Access Request made to it by a data subject [pdf]. SCL Elections Limited provided some information, for and on behalf of Cambridge Analytica. The data subject was not satisfied with the response and made a request for assessment to the Commissioner. In response, SCL Elections Limited asserted that the data subject had no right to make a subject access request nor a request for assessment to the commissioner as the data subject was a US rather than a UK citizen. The Commissioner disagreed and found that SCL Elections had not fully complied with its obligations.

Crown Prosecution Service
The Crown Prosecution Service (CPS) was served with its second Monetary Penalty Notice for a failure to comply with the seventh data protection principle [pdf]. In November 2016 the CPS received from Surrey Police 15 unencrypted DVDs from Surrey Police. The DCDs contained interviews with alleged victims of child sexual abuse. The DVDs received by the CPS were copies; the originals being maintained by Surrey Police. The DVDs were sent by tracked DX delivery to another CPS office to be examined by specialists and were noted to have been delivered before 7 in the morning. The DVDs were likely to have been left in a reception area where individuals not employed by the CPS could have had access to the package. The CPS could not locate the packages. They therefore did not have in place adequate technical and organisational measures.

The University of Greenwich
The University of Greenwich was served a monetary penalty notice in the amount of £120,000 [pdf] after a breach of security resulted in the personal data of approximately 19,500 individuals being extracted by an authorised attacker. The personal data included sensitive personal data in relation to 3,500 individuals. The attacker posted the personal data on a third party website. The commissioner found that the university had failed to have in place adequate technical and organisational measures to ensure that, so far as was possible, the security breach which occurred did not happen and thus contravened the seventh data protection principle.

Bayswater Medical Centre
Bayswater Medical Centre was served a monetary penalty notice in the amount of £35,000 [pdf] after it left sensitive personal data in an empty premises. The practice had operated from two sites, but merged down to one retaining the second as a storage facility. Another GP practice sought to take over the lease and the Bayswater Medical Centre provided the second GP practice with a set of keys. On numerous occasions the second practice notified Bayswater medical Centre of the presence of the medical centres patient records which were unsecured. Bayswater Medical Centre did nothing to rectify the situation, including failing to remove the records from the premises when the new practice requested them to uplift the records. The Commissioner found that the Medical Centre had failed to comply with the requirements of the seventh data protection principle.

A limited company and its director have been prosecuted by the Information Commissioner’s Office for failing to comply with an Information Notice. The Information notices were issued in October 2017 and both failed to respond to the notices. The company was fined £1,000 and ordered to pay a £100 victim surcharge while the director was fined £325 and ordered to pay a victim surcharge of £32. The director was also ordered to pay £364.08 in prosecution costs.

A former recruitment consultant was successfully prosecuted by the Information Commissioner’s Office after he illegally obtained personal data. The defendant set up his own recruitment consultancy and left his former employer’s employment. When he left the defendant took 272 CVs from his former employers’ database without consent. He admitted an offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998.  He was fined £355 and ordered to pay £35 victim surcharge and £700 prosecution costs by Exeter Magistrate’s Court.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.