Tag Archives: Data Protection

Scottish Government’s Programme for Government: the information law perspective

Yesterday, the Scottish Government launched its Programme for Government [pdf] (the Scottish Government’s equivalent to the Queen’s Speech) for the coming Parliamentary year. There are three proposed Bills, which the Scottish Government plans to introduce in the coming year, that have a data protection and privacy angle to them. Those bills are: the Biometric Data Bill, the Disclosure Bill and the Census (Amendment) Bill.

Biometric Data Bill
This Bill will be designed to take forward the recommendations of the Independent Advisory Group on the use of Biometric Data which was chaired by John Scott QC. The Programme for Government document says of the Bill that it:

will enhance oversight of biometric data and  techniques used for the purposes of justice and community safety. It will include provision for the creation of a statutory code of practice covering the acquisition, use, retention and disposal of data including fingerprints, DNA and facial images. We will ensure an appropriately distinct and proportionate approach to capturing biometric data for children aged between 12 and 17.

Disclosure Bill
The Disclosure Bill will relate to the disclosure of criminal history data under the Disclosure Scotland schemes. The Bill will aim to “simplify the system and strike the right balance between strengthened safeguarding and helping people with convictions to get back into work.”

Census (Amendment) Bill
The Census (Amendment) Bill will be designed to bring changes which will permit the National Records of Scotland to ask questions on sexual orientation and transgender status beginning in the 2021 census. The questions will be voluntary.

There is no much in the way of detail in the full programme for government document, but it seems fairly clear that these three Bills will crossover into the world of data protection and privacy. Once the Bill’s are published we may have a better idea as to the nature of the data protection and privacy aspects to them.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law.

Privacy and Data Protection: director disqualified

In September 2017 the Information Commissioner served a Monetary Penalty Notice on Easyleads Limited in the amount of £260,000 [pdf]; the company was also served with an Enforcement Notice by the Commissioner requiring the company to comply with the terms of the Privacy and Electronic Communications (EC Directive) Regulations 2003 [pdf]. It has since transpired that the company never paid the monetary penalty notice and the Information Commissioner petitioned the court to have the company wound-up. It is not unheard of for monetary penalty notices served by the Commissioner to go unpaid; however, where they do it is often because the company goes into liquidation. A copy of the order winding the company up following the petition by the Information Commissioner [pdf] can be found on the Companies House website.

What is interesting about this case though is an announcement by the Insolvency Service that the Secretary of State had accepted a disqualification undertaking from Shaun Harkin, the director of Easyleads Limited. The effect of the undertaking is to ban Mr. Harkin from “directly or indirectly becoming involved, without the permission of the court, in the promotion, formation or management of a company for six years”.

The announcement from the insolvency Service explains that the reason Mr Harkin is now banned from being a director of a company for 6 years is because he failed to ensure that the company complied with its statutory obligations, specifically that he failed to ensure that the company complied with the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 around undertaking direct marketing by telephone.

This is an important announcement from the Insolvency Service; it demonstrates that the effects of failing to comply with data protection and privacy law can be wide-ranging. There is the potential for directors running companies which fail to comply with data protection and privacy law facing being banned from being involved in the formation or management of companies for a not insignificant period of time. It remains to be seen whether this sort of action becomes much more frequent and it is not something that is directly in the control of the Information Commissioner herself, but if the Insolvency Service is starting to take seriously breaches of data protection and privacy law by companies and looking to disqualify directors (where it can within the parameters of the law) then this is clearly something that those involved in the formation and management of limited companies ought to bear in mind when considering data protection and privacy compliance.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.