Category Archives: Data Protection

True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Visions Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breach the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicate consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicate consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with a MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because they did not adhere to individual’s reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkin’s post on their blog here). If you can’t be bothered reading to the end; the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum of the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the former and present tense; sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notice issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas, she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The commissioner’s drafting of information notices gets a pass, but could be better.
  3. The commissioner doesn’t need to utilise less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Privacy Enforcement: November 2018

0The year is progressing quickly and we’re now onto looking at November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party the obligation rests with you to ensure that you have lawful authority to make (or instruct others on you behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioners of their processing of personal data; however, they are still required to make payment to the Commissioner of a fee. Those who either (a) don’t know they are due to pay  a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner [pdf] requiring the MPS to take a number of specified steps; including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidences of crime in London arising from gangs. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 [pdf] and also served it with an Enforcement Notice [pdf] after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solaretech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 [pdf] and an enforcement notice [pdf]. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously came to the attention of the Commissioner’s office in 2014 and had bene provided with advice from her office as well as subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17 Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has bene the subject of many recent legal battles in the Employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack. [pdf] The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98) – in respect of breaches that occurred prior to the 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (”DPA18).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the recipient has not objected, for the time being, to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing; it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists as screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile brining appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice  in the sum of £150,000 [pdf] after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially comply with the Commissioner’s investigation as the penalty notice states that the Commissioner had to serve an Information Notice on OAUK and it only made contact with the Commissioner’s office when they were threated with prosecution for failure to comply with an Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 [pdf] after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which had been found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in places to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 [pdf] after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather it is a notice of variation of the first ever enforcement notice served under the DPA18 [pdf]. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying it that either the OIPC no longer requires it for an investigation, or that the OIPC informs AIQ that it is happy for AIQ to comply with the notice (whichever occurs the soonest).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles [pdf]. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 [pdf] after she found that ACT had instigated in excess of £490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the commissioner during her investigation, which contained a script which directed those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Directors’ personal liability: Privacy and Electronic Communications (EC Directive) Regulations 2003

One of the most frequent areas where the Information Commissioner undertakes enforcement action is in relation to breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). PECR, among other things, governs direct marketing which takes place by way of telephone, SMS and E-mail (but not post). Under the current regime, the Commissioner is able to issue Monetary Penalty Notices (up to a maximum of £500,000) to data controllers who fail to comply with the requirements of PECR; however, the Commissioner has for sometime wanted greater powers. In particular, the Commissioner has been seeking the power to issue monetary penalties to directors of those companies.

When a company is served with a monetary penalty notice for breaching PECR, it is not uncommon for the company to close and for a new company to be created in its place with the same people at its helm, undertaking the same activities. The new company is often referred to as a phoenix company. This often means that (a) the penalty goes unpaid; and (b) the same individuals are continuing with their unlawful activity under a separate and distinct entity which is free from the debts and burdens of the old company.

On Thursday 15th November 2018, the Government made The Privacy and Electronic Communications (Amendment) Regulations 2018; which are due to enter into force as from Monday 17th December 2018. These Regulations amend PECR to allow the Commissioner to also serve a monetary penalty notice on “officer of the body” in certain circumstances. An officer of the body is defined as, in relation to a body corporate, “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or where the affairs of the body are managed by its members, a member”; and in relation to a Scottish partnership, “a partner or any person purporting to act as a partner.”

This opens up a wide variety of persons who serve in companies and partnerships to the possibility of being personally served with a monetary penalty notice as well as the company. However, the Regulations do not allow the Commissioner to serve a monetary penalty notice only on the officer; it is a pre-requisite of the amended regulations that the Commissioner must have served a monetary penalty notice on the controller.

Furthermore, the Commissioner can’t just automatically serve a monetary penalty notice on the officer(s) of the body on each occasion that she serves a monetary penalty notice on the body. The power only applies where the contravention of PECR “took place with the consent or connivance of the officer” or where the contravention is “attributable to any neglect on the part of the officer.”

In short, if a body ceases to exist after being served with a monetary penalty for contraventions of PECR; the commissioner could start coming after the officers personally where they consented, or connived, to contravene PECR or where simply negligent in respect of any contravention. It will be interesting to see just how the Commissioner goes about using this power (the possibility of a personal financial penalty of up to £500,000 will be significant for the vast majority of officers). It is more than probable that the Commissioner will utilise this new power where she can as it is one that her office has been seeking for some time.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

 

Data Protection and Privacy Enforcement: September 2018

October is nearly over and I am only now getting round to looking at the Information Commissioner’s data protection and privacy enforcement from September. As with most months, many of the key points drawn from September’s enforcement action will be familiar to regular reads of this feature. However, they are evidently worth repeating.

Key Points

  • Once again, it is clear that organisations engaged in direct marketing where they have obtained contact details from third parties are not carrying out sufficient due diligence checks on the data that is received by them. It is not going to be enough to simply rely upon an assurance from the supplier that all the contact details comply with the law; the recipient organisation needs to check this for themselves. Often the agreement that is obtained from the ultimate intended recipient of the marketing communications is not specific enough to enable the intended marketing to be undertaken lawfully. For example, these agreements often simply refer to “carefully selected partners” (or words of similar effect) – this is not specific enough and should not be relied upon.
  • The right of subject access is a fundamental right afforded to data subjects and data controllers should therefore ensure that they have in place sufficient processes to ensure that they can comply with subject access requests within the required time (one month under the GDPR). Data controller should also ensure that they have in place adequate resources (including resilience) to meet the tight deadlines.
  • It is important that organisations have in place processes to stop bulk extraction of personal data (where bulk extraction would not be legitimately required) or to ensure that unauthorised bulk extraction is either not able to take place or be spotted quickly when it has taken place. It is important that systems which contain personal data are monitored to identify unusual or suspicious activity.

Data Protection and Privacy Enforcement from September 2018

Everything DM Limited
Everything DM Limited was served with an Enforcement Notice [pdf] together with a monetary penalty in the amount of £60,000 [pdf]. The Commissioner found that Everything DM Limited had been responsible for the sending of 1.42 million E-mails without having in place appropriate consent, contrary to the requirements of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The commissioner’s investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the requirements of PECR.

London Borough of Lewisham
The Information Commissioner’s Office issued an Enforcement Notice to the London Borough of Lewisham council in respect of its outstanding subject access requests [pdf]. As at 29 March 2018, the council had a backlog of 113 unanswered subject access requests; including one request that was made to the council as far back as 2013. The Council had in place a recovery plan to eliminate the backlog by 31 July 2018, but it failed to meet that deadline. The notice records that there were still 19 requests that pre-dated the 25th May 2018. The Commissioner’s office considered that the Council had breached principles 6 and 7 and that the breach was one that was likely to cause distress to data subjects. The Council was required by the Notice to comply with the subject access requests by 15 October 2018.

Equifax Limited
Equifax Limited, a credit reference agency, was served with a monetary penalty in the sum of £500,000 after the Commissioner found that Equifax Limited had breached 5 of the 8 data protection principles in the Data Protection act 1998 [pdf].

Bupa Insurance Services Limited
Bupa Insurance Services Limited was served with a monetary penalty notice in the sum of £175,000 after it was discovered that personal data of Bupa Global’s customers was being offered for sale on the “dark web” [pdf]. The matter was investigated and it was discovered that a member of Bupa’s Partnership advisory Team had made unauthorised use of personal data accessed from a system they had access to. The Commissioner considered that Bupa failed to have in placed adequate technical organisational measures as required by the seventh data protection principle. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data; nor did Bupa routinely monitor the activity log of the relevant system.

Prosecutions
A former nurse at Southport and Ormskirk Hospital NHS Trust was prosecuted by the Information Commissioner’s Office after she unlawfully accessed patient’s records. The nurse accessed patients’ medical records outside of her role; in particular she inappropriately accessed the records of 5 patients, 17 times. The nurse admitted offences under section 55 of the Data Protection Act 1998 and was fined £400. She was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £40.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants’ argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought and injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fair much better in the Court of Appeal than it did in the High Court.

This point which troubled Mr Justice Langatsff in the High Court the most features in ground of appeal three and that is this: the motivation of Mr. Skelton was to cause harm to Morrisons; by finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. None of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employees settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive us, by causing harm to a third party, top cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ senior counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s Nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76] In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance. [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor, has there been any authority considering relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Non-payment of Data Protection Fees: The ICO announces first steps in enforcement

Under the Data Protection Act 1998 it was an offence to process personal data without notifying with the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.

The law was also changed so that non payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are current specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which provides for non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.

In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.

It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection act 2018 (which happened on 25 May 2018).

The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors and that there are others in the process of being about to be issued. They act as a final warning by the ICO they if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they were did not notify under the Data Protection Act 1998.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law

Data Protection/Privacy Enforcement: August 2018

August was another quiet month in terms of the data protection and privacy enforcement action published by the Information Commissioner’s Office. There were just two Monetary Penalty Notices published by the ICO last month. There are still a few key points to draw from last month’s published enforcement action – some of which are featured fairly regularly on these monthly blogposts, but are worthy of repitition.

Key Points

  • When carrying out direct marketing by telephone it is important that you check the intended list against the list held by the Telephone Preference Service before undertaking the campaign. If any number you intend on calling appears on that list you must satisfy yourself that you have sufficient evidence to support that you can still call that number, despite it being on the TPS.
  • If you’re getting your telephone lists from a third party then you must still do your own due diligence. Ensure that you have received sufficient evidence from the seller that the persons on the list have, in fact, indicated that they don’t mind being marketed to.
  • When drafting a privacy notice which sets out that you may share personal data with third parties it is important to be as accurate and precise as possible. It is not enough to include something along the lines of that you will share personal data with “carefully selected partners” and if you have a detailed list of organisations (or categories of organisations) that you may share personal data with, it is important that you do not share personal data with third parties who do not fall within that list.

Enforcement action published by the ICO in August 2018

AMS Marketing Limited
AMS Marketing Limited was served with a Monetary Penalty Notice in the amount of £100,000 [pdf] after if breached Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. AMS Marketing had made in excess of 75,000 calls to numbers which were listed with the Telephone Preference Service and were unable to demonstrate to the Commissioner that they had been notified by the subscriber that they did not object, for the time being, to receiving calls for the purpose of direct marketing.

Lifecycle Marketing (Mother and Baby) Ltd
Life Style Marketing (Mother and Baby) Ltd (also known as ‘Emma’s Diary’) was served with a Monetary Penalty Notice in the amount of £140,000 after it failed to comply with the first data protection principle in Schedule 1 to the Data Protection Act 1998 (“DPA1998”). The company sold the personal data of more than 1 million individuals to the Labour Party for use in its campaign during the General election that took place in 2017 without telling those individuals that this is something that it might do with their personal data. The company, the Commissioner found, had no lawful basis within Schedule 2 of the DPA1998 for processing the personal data of those individuals.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.