Monthly Archives: October 2018

Data Protection and Privacy Enforcement: September 2018

October is nearly over and I am only now getting round to looking at the Information Commissioner’s data protection and privacy enforcement from September. As with most months, many of the key points drawn from September’s enforcement action will be familiar to regular reads of this feature. However, they are evidently worth repeating.

Key Points

  • Once again, it is clear that organisations engaged in direct marketing where they have obtained contact details from third parties are not carrying out sufficient due diligence checks on the data that is received by them. It is not going to be enough to simply rely upon an assurance from the supplier that all the contact details comply with the law; the recipient organisation needs to check this for themselves. Often the agreement that is obtained from the ultimate intended recipient of the marketing communications is not specific enough to enable the intended marketing to be undertaken lawfully. For example, these agreements often simply refer to “carefully selected partners” (or words of similar effect) – this is not specific enough and should not be relied upon.
  • The right of subject access is a fundamental right afforded to data subjects and data controllers should therefore ensure that they have in place sufficient processes to ensure that they can comply with subject access requests within the required time (one month under the GDPR). Data controller should also ensure that they have in place adequate resources (including resilience) to meet the tight deadlines.
  • It is important that organisations have in place processes to stop bulk extraction of personal data (where bulk extraction would not be legitimately required) or to ensure that unauthorised bulk extraction is either not able to take place or be spotted quickly when it has taken place. It is important that systems which contain personal data are monitored to identify unusual or suspicious activity.

Data Protection and Privacy Enforcement from September 2018

Everything DM Limited
Everything DM Limited was served with an Enforcement Notice [pdf] together with a monetary penalty in the amount of £60,000 [pdf]. The Commissioner found that Everything DM Limited had been responsible for the sending of 1.42 million E-mails without having in place appropriate consent, contrary to the requirements of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The commissioner’s investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the requirements of PECR.

London Borough of Lewisham
The Information Commissioner’s Office issued an Enforcement Notice to the London Borough of Lewisham council in respect of its outstanding subject access requests [pdf]. As at 29 March 2018, the council had a backlog of 113 unanswered subject access requests; including one request that was made to the council as far back as 2013. The Council had in place a recovery plan to eliminate the backlog by 31 July 2018, but it failed to meet that deadline. The notice records that there were still 19 requests that pre-dated the 25th May 2018. The Commissioner’s office considered that the Council had breached principles 6 and 7 and that the breach was one that was likely to cause distress to data subjects. The Council was required by the Notice to comply with the subject access requests by 15 October 2018.

Equifax Limited
Equifax Limited, a credit reference agency, was served with a monetary penalty in the sum of £500,000 after the Commissioner found that Equifax Limited had breached 5 of the 8 data protection principles in the Data Protection act 1998 [pdf].

Bupa Insurance Services Limited
Bupa Insurance Services Limited was served with a monetary penalty notice in the sum of £175,000 after it was discovered that personal data of Bupa Global’s customers was being offered for sale on the “dark web” [pdf]. The matter was investigated and it was discovered that a member of Bupa’s Partnership advisory Team had made unauthorised use of personal data accessed from a system they had access to. The Commissioner considered that Bupa failed to have in placed adequate technical organisational measures as required by the seventh data protection principle. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data; nor did Bupa routinely monitor the activity log of the relevant system.

Prosecutions
A former nurse at Southport and Ormskirk Hospital NHS Trust was prosecuted by the Information Commissioner’s Office after she unlawfully accessed patient’s records. The nurse accessed patients’ medical records outside of her role; in particular she inappropriately accessed the records of 5 patients, 17 times. The nurse admitted offences under section 55 of the Data Protection Act 1998 and was fined £400. She was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £40.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants’ argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought and injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fair much better in the Court of Appeal than it did in the High Court.

This point which troubled Mr Justice Langatsff in the High Court the most features in ground of appeal three and that is this: the motivation of Mr. Skelton was to cause harm to Morrisons; by finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. None of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employees settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive us, by causing harm to a third party, top cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ senior counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s Nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76] In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance. [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor, has there been any authority considering relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Scottish Information Commissioner’s 2017/18 Annual Report

Friday 28 September 2018 was International right to Know Day, a day designed to highlight the public’s right to know and to campaign for FOI laws. Scotland has had Freedom of Information laws in place since January 2005 and a similar statutory regime entered into force on the same date for information held by UK public bodies. The Scottish Information Commissioner used International right to Know Day to launch his office’s annual report [pdf].

In 2017/2018 the Commissioner’s office received a total of 507 appeals, up from 425 in 2016/2017 (but not the highest number received in any one year). Of the appeals that were received the vast majority (75%) were classed by the commissioner’s office as coming directly from individuals with the media accounting for 11% and commercial/private enterprises accounting for 3%.

In terms of which public authorities have their responses appealed to the Commissioner; local authorities still make up the largest percentage (although there was a fairly significant decrease in the percentage share of appeals from the previous year). Local authorities are followed the Scottish Government and its agencies and the police.

30% of the appeals made to the Scottish Information Commissioner were deemed to be invalid appeals; that is to say they were appeals that the Commissioner’s office could not investigate. The annual report reveals that among the most common reasons why an appeal was not valid are that the applicant had not made a request for review to the Scottish public authority (an appeal can only be made to the Scottish Commissioner after the Scottish public authority has reviewed its initial decision or failed to carry out a review of its initial decision that has been requested) and that the timescales for making FOI appeals within the Act had not been met. Requesters should remember that they should make requests for review within 40 working days of the date that the authority issued its response or the date that it should have responded where no response has been received. Furthermore, it should be remembered that appeals to the Commissioner should normally be made within 6 months of the date on which the authority responded to the review request or, where no response has been recieved to a request for an internal review, within 6 months of the date that the authority should have responded to the internal review.

Failure to respond appeals, that is an appeal which concerns a failure by an authority to respond to a request and/or request for review, continue to be a problem. In 2017/18 19% of the appeals handled by the Commissioner concerned a failure to respond; this is down slightly from the 20% it was in 2016/17, but is up from the 16% figure in 2015/16. These are fairly clear-cut appeals as an authority has either responded within the statutory timeframe not and they should be appeals that authorities can avoid fairly easily. No authority can be perfect 100% of the time and there will be cases where the inflexibility of the 20 working-day rule, in particular cases where the public interest is finely balanced or where third party consultation is required, will mean that breaches will occur; however, staying in contact with the requester can help to avoid these appeals even where the authority is technically in breach of the law.

Of the decisions made by the Commissioner in response to appeals under section 47 of the Freedom of Information (Scotland) Act 2002, 65% resulted in a decision which was wholly or partially in favour of the requester.

Some interesting enforcement matters from within the report which are worthy of mention include:

  • Highland Council was issued with an Information Notice when it delayed in providing information to the Commissioner’s Office which was required in order to enable the Commissioner to investigate an appeal made to him by a requester.
  • The Commissioner also highlights that his office considered referring East Dunbartonshire Council to the Court of Session for failing to comply with one of his decisions (but in the end, it would appear that, such a step ultimately proved unnecessary).
  • The Commissioner refers to his high profile level 3 intervention in respect of the Scottish Government’s performance and culture in respect of FOI, which is still ongoing.
  • A less profile level 3 intervention by the Commissioner was the ongoing intervention in Police Scotland, which is now in the monitoring phase after an action plan was agreed between Police Scotland and the Commissioner. There were concerns about searching for and locating information to respond to information requests as well as concerns around record-keeping.
  • Two independent schools (which had become subject to FOI following the last extension of the Act by the Scottish Ministers) were subject to level 4 interventions where they had failed to adopt publication schemes as required by section 23 of the Freedom of Information (Scotland) Act 2002.

The Commissioner’s report makes reference to three Court of Session cases in respect of decisions that it had made, one of which Inksters were instructed in by one of the parties. The number of appeals against decisions of the Scottish Information Commissioner remain particularly low (both appeals taken by requesters and Scottish public authorities); whether this is because the Commissioner’s office is doing a good job in terms of interpreting the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, or whether it has more to do with the significant costs to be faced by requesters and Scottish Public Authorities who decide to take an appeal to Scotland’s highest civil court is a matter which is very much open for debate.

There is lots of other useful information with the Commissioner’s annual report, but at the risk of this blog post becoming too unwieldy I shall leave it there.

Alistair Sloan

Whether you are a requester or a public authority we can provide you with advice and assistance on Freedom of Information matters. Contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated twitter account on information law matters.