Tag Archives: Information Commissioner

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that, when you are collecting personal data, you are clear and open about what it will be used for. If it is to be supplied to third parties for direct marketing purposes, state as accurately as possible who those third parties are; stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company was found to be responsible for sending in excess of 150,000 text messages for the purposes of direct marketing, in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998. The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employer’s consent. He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty to two offences under Section 55 of the Data Protection Act 1998: one of unlawfully obtaining personal data and one of unlawfully disclosing personal data. The defendant had accessed the medical records of a neighbour and former friend and had also disclosed information about a baby. She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998. She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30. The Defendant had unlawfully accessed the records of a patient who was also her neighbour.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: October 2017

Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.

Key Points

  • When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
  • When buying in lists of contact details for the purpose of direct marketing, you are responsible for ensuring that there is valid consent in place, so carry out your own due diligence.
  • You are responsible for the direct marketing calls made by your agent, as you are the instigator of the calls.
  • If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.

Enforcement Action published by ICO in October 2017

Xerpla Limited

Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail.  The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.

Vanquis Bank Limited

Vanquis Bank Limited were served with a Monetary Penalty Notice [pdf] in the amount of £75,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.

The Lead Experts Limited

The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.

Prosecutions

A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998.  The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.  The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.

Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress. The provisions in Section 13 have not been used as often as they might otherwise have been; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test. No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.” The burden of proof falls on the controller or processor, and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors. In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage, the data subject could elect to sue any one of them (or indeed, all of them). Where the data subject elects to sue just one controller/processor who is responsible, that controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered. Quite what “full and effective compensation” means is something that will be worked out as the courts grapple with the new provisions. There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high. For example, Sheriff Ross awarded each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7. That case concerned the use of CCTV at private dwellings, and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998). In practice it is likely that the vast majority of claims will be heard in the Sheriff Court, given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privative jurisdiction of the Sheriff Court. However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible that Article 82 claims will end up in the Court of Session, as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim; or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

More is less and less is more

On 30th October 2017 the First-Tier Tribunal (Information Rights) promulgated its decision in McGoldrick v The Information Commissioner; the Tribunal’s decision made two points which are worth considering. The request for information in question was made to HM Treasury concerning the Mersey Tunnels; the full terms of the request for information are set out in the Tribunal’s decision.

The first point relates to the use of section 12 of the Freedom of Information Act 2000 where some of the information that may fall within the scope of the request is likely to be environmental information; and the second is on the duty of a public authority to provide advice and assistance.

On the first issue, the Tribunal (at paragraph 12) states that it

“agrees with the Information Commissioner that the appellant’s request could cover both non-environment and environmental information, for the purposes of regulation 2(1)(c) but that it would defeat the purpose behind section 12 and regulation 12(4)(d) if a public authority were obliged to collate the requested information in order to ascertain what information fell under either FOIA or the EIR. We agree, therefore, that HM Treasury was correct to consider the request under section 12, even though it might include some environmental information.”

The Tribunal considers that it is appropriate for an authority not to separately identify environmental information and deal with that under the Environmental Information Regulations 2004 where there is a substantial volume of information which covers both environmental and non-environmental information. It seems that the Tribunal is of the view that there is no need to issue a refusal notice citing Regulation 12(4)(b) [the Tribunal refers to Regulation 12(4)(d), but this appears to be a typographical error] where a request is going to exceed the appropriate limit and it is likely that there is going to be environmental information within the ambit of the request.

On the second issue, the Tribunal decided that, on the facts of the present case, HM Treasury did not comply with its obligation to provide adequate advice and assistance, and overturned the Commissioner’s decision that it had. In this case, HM Treasury told the requester that he might like to consider refining his request by reducing the amount of information requested. The Commissioner considered that such a suggestion was sufficient to discharge the authority’s duty to provide advice and assistance.

At paragraph 18 of the Tribunal’s decision it stated:

“Given the widespread nature of computer-driven searches for information in connection with FOIA requests, it is, we consider, reasonable to expect large, sophisticated organisations, such as HM Treasury, to point out to requesters how the most thorough search is likely to exceed the relevant financial limit under the Regulations made by reference to section 12, and to suggest a reformulation of the request in terms specific to computerised searches. Accordingly, if HM Treasury had asked the appellant to reformulate his request by reference to emails and documents containing both the terms “Mersey tunnel” and “toll”, the appellant may well have reformulated his request.”

The Tribunal appears to be suggesting that a large public authority may have to go a bit further than a smaller authority in order to discharge its duty to provide advice and assistance. It appears that, in certain cases, it may be necessary for a public authority not only to suggest that a requester reformulate their request but to go further and actually suggest ways in which it could be reformulated, especially when computer-driven searches for information are involved.

This certainly does fit with the way in which the legislation has been drafted; Section 12(1) of the Freedom of Information Act 2000 does include “so far as it would be reasonable to expect the authority to do so” within its terms. So, when issuing a refusal notice under Section 12 of the Freedom of Information Act 2000, authorities, especially larger ones, ought to consider whether they are capable of suggesting how a request could be refined, not just that the requester may wish to consider refining it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners. If you would like to discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123. Alternatively, you can send him an E-mail.

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the Telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data. The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employer’s consent. He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.

Subject Access Requests under the GDPR

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”). This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller whether or not the controller is processing their personal data and to obtain copies of that data which is being processed by the data controller. Under the DPA, data controllers have 40 calendar days in which to respond to a subject access request and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means there is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to have in place a right of subject access. The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month.  There have been some changes to that right which are designed to make it much more effective for data subjects.  This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30. Where the data controller has “reasonable doubts as to the identity of an individual making” a subject access request, then they may request the provision of additional information to enable the controller to confirm the identity. Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to be calculated until the day on which that information is provided to the data controller. It should be noted, though, that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free).  For subsequent copies, what will be considered a “reasonable fee” remains to be seen.  The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees.  There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data Controllers have sometimes interpreted the right of subject access under Section 7 of the DPA as only providing a right to receive copies of the personal data processed, but that is not the case, and nor is it the case under the GDPR. Data Controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access.  These are set out in Clause 43(4) of the Data Protection Bill and are:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security; and
  • to protect national security.

However, where a data controller has restricted the data subject’s right to subject access, the data controller is required to provide certain information to the data subject in writing and without undue delay. That information is:

  • that the rights of the data subject have been restricted;
  • the reasons for the restriction;
  • the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;
  • the data subject’s right to make a complaint to the Information Commissioner; and
  • the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.”  This may mean that Subject Access Requests may be rejected where they are submitted for other reasons.  Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018.  This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

Alistair Sloan

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Data Protection Officers under the GDPR

Many data controllers already have people within their organisation who are referred to as “Data Protection Officers”.  Currently, people with the job title of “Data Protection Officer” can be senior members of staff, or (more often) quite junior members of staff, and their job roles can vary quite considerably from organisation to organisation.  Under the current data protection framework within the UK there is no formal concept of a Data Protection Officer, but that will all change in May 2018 when the General Data Protection Regulation becomes applicable.

The Data Protection Officer

The Data Protection Officer, or DPO, is a specific concept within the GDPR.  All public bodies will be required to appoint a DPO (with one exception, on which see further on) as will many private sector organisations.  The DPO is a key person within the new data protection framework and organisations should avoid giving people who are not a DPO within the context of the GDPR job titles which could be misleading.

The DPO should operate at a senior level and be able to feed into the highest level of the organisation.  The DPO should be a person with expert knowledge of data protection law and practices and should assist the controller or processor to monitor internal compliance with the GDPR.  The DPO can be a full-time or part-time member of staff, but can also be provided by a third party in terms of a service contract.

Where a DPO has been appointed, the data controller is required to publish the name and contact details for their DPO.

When does a Data Protection Officer require to be appointed?

All public authorities, regardless of size, (and with the exception of courts acting in their judicial capacity) will be required to appoint a DPO under the GDPR.  The GDPR does not define what is meant by “public authority or body” and this will largely be left up to national laws to determine.  It would be fair to say that in the UK any organisation that is deemed to be a public authority for the purposes of the Freedom of Information Act 2000 or a Scottish public authority for the purposes of the Freedom of Information (Scotland) Act 2002 will be considered as a public authority or body.

It is also probable that private companies who carry out functions of a public administrative nature will also be considered as a public authority or body and so the definition of public authority for the purposes of the Environmental Information Regulations 2004 and the Environmental Information (Scotland) Regulations 2004 should also be considered.

As already noted, the requirement to appoint a DPO is not simply confined to public authorities; private sector organisations will also be required to appoint a DPO if they meet certain criteria.  Private sector organisations (whether they are a data controller or a data processor – references to data controller in this blog post should be taken to include data processors) will need to appoint a DPO where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.

Finally, any data controller whose core activities consist of processing, on a large scale (which is yet to be properly defined), special categories of data or personal data relating to criminal convictions and offences will also be required to appoint a DPO. Special categories of personal data broadly correspond with what the Data Protection Act 1998 describes as “sensitive personal data”, which includes personal data such as race, religion, political beliefs, health data etc.

What this means is that there is likely to be a requirement on a large number of private sector organisations to appoint a DPO.

The tasks of the Data Protection Officer

The GDPR sets out various tasks that Data Protection Officers will be required to carry out; these are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the GDPR;
  • to monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to co-operate with the Information Commissioner as the supervisory authority;
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Data Protection Officers must be able to carry out their functions independently and must also be given sufficient resources to enable them to fulfil their obligations (for larger organisations, this may include, for example, having staff to assist them).  The requirement for them to conduct their responsibilities independently means that they should not be subject to direction on the performance of their responsibilities by anyone in the organisation and should not be treated unfairly for discharging their duties (e.g. they shouldn’t be side-lined or dismissed if they give an opinion that isn’t appreciated).

There is no obligation within the GDPR for an organisation to do what their DPO advises them to do; however, the accountability principle in the GDPR will mean that the ICO will likely want an explanation as to why an organisation has gone against the advice of their DPO if that is what they decide to do.

It is for each data controller and processor to decide whether or not they require to appoint a DPO; however, the accountability principle of the GDPR will mean that organisations who have decided they do not require a DPO should be able to demonstrate how and why they came to that decision. Organisations that are not required to appoint a DPO under the GDPR can still appoint one if they wish, but persons who are “electively” appointed as a DPO will be viewed in exactly the same way as those whose appointment is mandatory.

Core Activities

What constitutes an organisation’s core activities is not specifically defined within the GDPR.  However, Recital 97 of the GDPR states that, in the private sector, the core activities of a controller relate to its “primary activities and do not relate to the processing of personal data as ancillary activities”.  The Recital is not part of the law, but is a tool which assists with the interpretation of the law.  Organisations will need to be clear as to what their “primary activities” are in order to be able to work out whether processing personal data is one of their “core activities”.

The Article 29 Working Party, in its Guidelines on Data Protection Officers, expresses it in the following way:

“‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.

On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

Large Scale Processing

As noted above, the GDPR does not define what is meant by large scale processing activities.  In its Guidelines on Data Protection Officers, the Article 29 Working Party has suggested four factors which should be taken into consideration when deciding whether processing is taking place on a large scale.  Those factors are:

  1. the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity.

As the phrase remains undefined within the GDPR it is a matter that will require a level of judicial interpretation.  No doubt the domestic courts will be asked to grapple with the concept of large-scale processing at some point, as will the Court of Justice of the European Union (although what impact a decision of that court will have in the UK, given Brexit, remains to be seen).

Penalties

A failure to appoint a DPO where one is required is a matter which can attract an administrative fine; in this case the maximum is €10m or 2% of global turnover (whichever is greater).  I have covered administrative fines in more detail in another blog post.  Articles 38 and 39 of the GDPR, which relate to the position of the DPO and their tasks, are also subject to the administrative fine provisions; again with the maximum being €10m or 2% of global turnover (whichever is greater).

Alistair Sloan

If you would like advice on Data Protection Officers under the GDPR, or on any other matter relating to data protection/privacy or Freedom of Information, then you can contact Alistair Sloan on 0345 450 0123, by completing the contact form on this blog, or you can send him an E-mail directly.

Administrative Fines and the GDPR

Since 2010 the Information Commissioner has had the power to impose a Monetary Penalty Notice in respect of certain breaches of the Data Protection Act 1998 (“the DPA”), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  In 2015 I undertook a Master of Laws degree and my dissertation looked at how the Commissioner had used the power to serve these penalties, but only in relation to breaches of the DPA.  What became clear from my research was that the Commissioner tended to focus on breaches of the seventh data protection principle (which relates to having in place sufficient technical and organisational measures).  However, the Commissioner’s enforcement team have been even more active in issuing monetary penalties for breaches of PECR.  You can see examples of the types of DPA and PECR breaches that can result in the Commissioner serving a Monetary Penalty Notice in my blog post on Data Protection/Privacy Enforcement from August 2017.

The GDPR also includes provisions for financial penalties, which it terms “administrative fines”, for certain breaches of the Regulation.  For some breaches the maximum penalty is €10m or 2% of global turnover (whichever is the greater); while for others the maximum penalty is €20m or 4% of global turnover (whichever is the greater).  These penalties are far greater than the maximum penalty currently available to the Commissioner, which is fixed at £500,000.  Of course, while the maximum penalties prescribed in the GDPR are in Euros, the UK does not use the Euro as its currency.  The recent Statement of Intent [pdf] from the UK Government (published in August 2017) suggests that the equivalent will be £17m where the GDPR sets a maximum of €20m.  The Government is expected to publish a Data Protection Bill later this month; once it does, we may become more enlightened about how the UK Government intends to convert the maximum penalties from Euros to Pounds Sterling.

Over the last year or so, there have been numerous articles published which focus on the high level of the administrative fines which will be available to the Commissioner.  At this stage it is far too early to tell exactly how the Commissioner will make use of her greatly extended powers; however, looking at how the current powers have been used may well cast some light on the future.  It is fairly unlikely that the ICO will radically change how it has been enforcing data protection law when the GDPR becomes effective (at least not immediately).  Indeed, the Commissioner herself has published a post on the ICO’s blog seeking to squash the idea that her office will be rushing to issue crippling financial penalties to errant data controllers.

The consistency mechanism within the GDPR, read with Recital 150, may be used to ensure that there is a consistent approach taken across Member States in the application of administrative fines.  This may well mean that, over time, a more consistent approach to financial penalties develops across supervisory authorities.  What impact this will have in the UK remains to be seen, given that developing a consistent approach, if indeed that is what happens, will take time; the UK is on course to leave the European Union a little under 12 months after the GDPR becomes applicable.

As I noted above, insofar as the DPA is concerned, much of the Commissioner’s use of monetary penalties has been in relation to breaches of the seventh data protection principle.  Where monetary penalties have been issued, common features have been a failure to have in place adequate policies and procedures; a failure to ensure the staff have been adequately trained in the organisation’s policies and procedures; and a failure to have in place adequate security (especially encryption).

The seventh data protection principle has survived, and is now to be found in Article 5(1)(f) of the GDPR.  Article 5(1)(f) reads: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.  In GDPR language it is the ‘integrity and confidentiality’ principle; a failure to comply with this basic principle of processing is one of the breaches that can result in a maximum administrative fine of €20m or 4% of global turnover (whichever is the greater).

Given that the Commissioner (and her predecessor) has historically taken action for breaches of the seventh data protection principle (including, but not limited to, the imposition of financial penalties), a reasonable assumption to make is that she will enforce against breaches of the integrity and confidentiality principle.  Therefore, if an organisation is found to have breached the integrity and confidentiality principle, and one of the common contributory factors mentioned above is present, it should consider that an administrative fine is a real possibility (but not necessarily an inevitability).

What is impossible to tell at the moment is the level of the administrative fines that the ICO will issue; although it is unlikely that there will be a tectonic shift in the size of penalties issued by the Commissioner.  The ICO has traditionally taken into account the organisation’s financial resources when fixing the financial penalty and it is likely that this will continue; indeed, Recital 150 of the GDPR states that the supervisory authority should take into account the “economic situation of the person in considering the appropriate amount of the fine.”  However, the GDPR does require the ICO to ensure that the imposition of administrative fines in respect of infringements of the Regulation shall, in each individual case, be effective, proportionate and dissuasive.

Recital 148 of the GDPR does state that “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.”  The Recital continues by stating that:

“due regard should be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.”

There will therefore need to be a balancing exercise undertaken by the ICO to find the right level of fine in each case (in the same way as is done today).

There may be some small increase in the level of penalties being issued by the ICO from May 2018, but it is unlikely that we will begin to see financial penalties much larger than those that we are seeing today (not immediately anyway).  The Article 29 Working Party and the ICO will no doubt issue guidance on administrative fines in due course and once we see that guidance we might have a better idea as to how the administrative fines will operate in practice.

Alistair Sloan

If you have a data protection/privacy matter which you would like to discuss, then you can contact Alistair Sloan on 0345 450 0123; or you can complete the contact form on this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in place to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [pdf] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to protect against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had allowed unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan