Probably the most high profile piece of enforcement action taken by the Information Commissioner’s Office in March was its application for, and execution of, a warrant to enter and inspect the offices occupied by Cambridge Analytica as part of the Commissioner’s wider investigation into the use of personal data in politics. It would seem that data protection warrants get more people excited about data protection than would ordinarily be the case. The Cambridge Analytica warrant was not the only warrant that the Commissioner obtained and executed in March; the Commissioner’s website also published details of a warrant that it executed in Clydebank (Glasgow). This warrant was directed towards alleged breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 which deal with, insofar as this blog is concerned with, the rules concerning direct marketing to individuals by electronic means.
Key Points
- Care needs to be taken when looking at sharing personal data on a controller-to-controller basis with other companies, including separate companies within the same group of companies. Data controllers need to ensure that they identify what their lawful basis for processing is, provide adequate fair processing information to data subjects in relation to such sharing of personal data and ensure that any changes to their policy in respect of data-sharing do not result in that sharing being for a purpose that is incompatible with those stated at the time of collection.
- If you, as an individual (whether or not you are yourself a data controller), unlawfully disclose personal data to third parties then you could be liable for prosecution.
Enforcement Action published by the ICO during March 2018
WhatsApp Inc.
An undertaking was given by WhatsApp Inc. In it, WhatsApp undertook not to do a number of things; including not transferring personal data concerning users within the EU to another Facebook-controlled company on a controller-to-controller basis until the General Data Protection Regulation becomes applicable on 25th May 2018. The undertaking was given after WhatsApp introduced new terms and conditions and a new privacy policy which affected how it processed personal data held by it; in particular, how it would now share personal data with other Facebook-controlled companies.
Prosecutions
A former housing worker was convicted at St. Albans Crown Court after he shared a confidential report identifying a potential vulnerable victim. The defendant was convicted of three charges of unlawfully obtaining disclosing personal data contrary to section 55 of the Data Protection Act 1998. He was fined £200 for each charge and was ordered to pay £3,500 in costs.
Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880. You can also contact him by E-mail. You can also follow our dedicated Twitter account covering all Information Law matters: @UKInfoLaw