Tag Archives: Information Law

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: December 2017

Our monthly look at the enforcement action taking by the Information Commissioner in respect of Privacy and Data Protection matters continues with a review of the enforcement action published by the ICO in December 2017.  You can view last month’s review of the November 2017 enforcement action here.  December 2017 was not an overly busy month for the ICO; they published just one Enforcement Notice.

Key Points

  • Ensure that you have in place adequate procedures to ensure that you handle Subject Access requests within the time allowed by the law.

Enforcement Action

Secretary of State for Justice
The Secretary of State for Justice was served with an Enforcement Notice [pdf] requiring him to deal with his department’s backlog of delayed Subject Access Requests.  As at 10 November 2017 the Ministry of Justice had 793 Subject Access Requests which were over 40 days old; some of this backlog was made up of Subject Access Requests made in 2014.  This was a reduction from the 919 requests more than 40 days old as at 28 July 2017 (which included requests going back to 2012).  The Data Protection Act 1998 requires that Subject Access Requests be responded to within 40 calendar days (this will be reduced to 30 calendar days under the GDPR – you can find out more about this change, and others to the right of subject access requests, in my blog post on Subject Access Requests under the GDPR).

Alistair Sloan

If you require advice or assistance with Subject Access Requests, or any other Information Law matter then contact Alistair Sloan on 0345 450 0123 or send him and E-mail

GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent; then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan and E-mail.

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employers’ consent.  He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The defendant had accessed the medical records of a neighbour and former friend medical records and also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data.  The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employers’ consent.  He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Subject Access Requests under the GDPR

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”).  This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller whether or not the controller is processing their personal data and to obtain copies of that data which is being processed by the data controller.  Under the DPA, data controllers have 40 calendar days in which to respond to a subject access requests and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means there is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to have in place a right of subject access. The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month.  There have been some changes to that right which are designed to make it much more effective for data subjects.  This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30.  Where the data controller has “reasonable doubts as to the identity of an individual making” as subject access request, then they may request the provision of additional information to enable the controller to confirm the identity.  Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to be calculated until the day on which that information is provided to the data contoller.  It should be noted though that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free).  For subsequent copies, what will be considered a “reasonable fee” remains to be seen.  The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees.  There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data Controllers have sometimes interpreted the right of subject access under Section 7 of DPA as only providing a right to receive copies of the personal data processed, but that is not the case; and it continues to be the case under the GDPR.  Data Controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access.  These are set out in Clause 43(4) of the Data Protection Bill and are:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security;
  • to protect national security

However, where a data controller has restricted the data subject’s right to subject access, the data contoller is required to provide certain information to the data subject in writing and without undue delay.  That information is:

  • that the rights of the data subject have been restricted;
  • the reasons for the restriction;
  • the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;
  • the data subject’s right to make a complaint to the Information commissioner; and
  • the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.”  This may mean that Subject Access Requests may be rejected where they are submitted for other reasons.  Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018.  This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

Alistair Sloan

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan

Welcome to the Information Law Blog by Inksters Solicitors

Welcome to the Information Law Blog from Inksters Solicitors.  On this blog we will be covering the latest issues in the areas of Data Protection/Privacy and also Freedom of Information.  Most of the contributions to this blog will be by Alistair Sloan, although there may be contributions from other members of the Inksters team from time to time.

Alistair is one our solicitors based in our Glasgow HQ; he offers legal services throughout Scotland in the field of information law, among others.   Alistair regulalry travels around Scotland and in particular visits our Caithness base in Wick on a frequent basis.  Alistair has been involved in the fields of freedom of information and data protection for a number of years, including prior to qualifying as a solicitor, and has built up a knowledge base on both areas throughout that time.  While studying for his Master of Laws degree, he researched the Information Commissioner’s use of Monetary Penalty Notices for breaches of the Data Protection Act 1998.

The area of information law is constantly developing.  The biggest change on the horizon is the General Data Protection Regulation, which will be applicable in the UK (and across the rest of the European Union) from 25 May 2018.  This new Regulation from the European Union represents the single biggest change to the laws relating to data protection and privacy in the UK in more than 20 years.

Much of the field of Information law is governed by EU law in one way or another, whether it be data protection or access to environmental information held by public authorities; therefore, the hot political subject of Brexit will feature heavily in the information law field over the coming years.

We’re not new to the world of information law; in 2016 our Sylvia MacLennan acted for the successful Petitioner in WF v Scottish Ministers.  This case challenged the position in Scotland where an accused person could seek access to the medical records of a complainer in a criminal case, but that the complainer was said not to have any standing to make representations directly to the court (including through their own solicitor) on the question of whether their medical records should be disclosed to the accused.  It also challenged the lack of availability of legal aid in Scotland to complainers concerning such issues.

We hope that this blog will become a useful resource for individuals to find out about the latest developments in the field of information law.  To keep up to date with this blog and what we are doing you can follow Alistair on twitter here; we also have a dedicated information law twitter account, which you can follow as well.

If you want to discuss an information law matter with Alistair you contact him on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.