Tag Archives: Personal Data

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way.  The case concerns three members of a family TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLU is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also jointed by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application fro asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidently published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain the private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented is obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegations levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002; in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on behalf of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having in put into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind.  The applicant blind requirement is often largely over-stated.  There are clearly situations where the applicant’s identity will be relevant; for example is it a request for that person’s own personal data or is it a vexatious/repeated request or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010?  If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair and E-mail.

The Tension Continues: GDPR, FOI and EIRs

An exemption that is frequently deployed by Scottish public authorities is the exemption in section 38 of Freedom of Information (Scotland) Act 2002 (along with its corresponding exception in the Environmental Information (Scotland) Regulations 2004, regulation 11) which relates to personal data; both the personal data of the requester themselves as well as the personal data of third parties.  Data protection law is changing later this month and as a consequence section 38 (as well as Regulation 11 of the Environmental Information Regulations) will also see some amendment.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”).  The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018.  There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between to the Commons and the Lords during which time it could be further amended.  However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved.  Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The Office of the Scottish Information Commissioner has published, in draft form, updated guidance on the application of section 38 to take account of the GDPR and the expected amendments to the relevant parts of FOISA and the Scottish EIRs. As it is still in draft form, anybody relying upon it (requester or public authority) should continue to monitor it to ensure that it has not been updated.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant.  However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground.  One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11.  These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under the FOISA or the Scottish EIRS.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime.  Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests.  It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all.  The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children.  In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now.  Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law.  Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information.  Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11.  In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Alistair Sloan

If you require any assistance with any Freedom of Information or Data Protection/Privacy law matter you can contact Alistair Sloan on 0141 229 0880 or by E-mail.  We also have a twitter account dedicated to information law matters from across the UK.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.

Data Protection and Privacy Enforcement: February 2018

February is a short month, and did not see the same level of publicity by the Information Commissioner’s Office in respect of enforcement action taken to enforce privacy and data protection laws as was seen in January.

Key points 

  • Failing to comply with an Enforcement Notice is a criminal offence (see section 47 of the Data Protection Act 1998); there is a right of appeal to the First-Tier Tribunal (Information Rights) against the terms of an Enforcement Notice and so if you do not agree with the terms of the notice you should seek legal advice about the possibility of making such an appeal.
  • Employees should be careful what they do with personal data; in most cases the enforcement liability will lie with the employer (although, your employer might take disciplinary action against you for failing to comply with company policies and procedures).  However, there are circumstances when employees can be held personally, and indeed criminally, liable for breaches of the Data Protection act 1998.
  • The right of subject access is a fundamental right of data subjects and data controllers must ensure that they comply with their obligations in respect of a subject access request made by a data subject.  The right of subject access remains a key feature of the new European data protection framework and the GDPR strengthens the right of subject access for data subjects.

Enforcement action published by the ICO during February 2018

Pennine Care NHS Foundation Trust
The ICO has conducted a follow-up assessment [pdf] with Pennine Care NHS Foundation Trust finding that the Trust had complied with the terms of the undertaking which it had previously given [pdf] following a consensual audit [pdf] by the Commissioner’s staff.

Gain Credit LLC
Gain Credit LLC was served with an Enforcement Notice [pdf] by the Information Commissioner for failing to comply with a subject access request made to it.  This came to light after the data subject in question made a request to the Information Commissioner that she carry out an assessment pursuant to section 42 of the Data Protection Act 1998 into whether it was likely or unlikely that the processing by Gain Credit LLC was in accordance with the provisions of the Act.

Direct Choice Home Improvements Limited
In March 2016 Direct Choice Home Improvements Limited was served with a Monetary Penalty Notice in the amount of £50,000 [pdf] and also an Enforcement Notice [pdf] for breaching Regulation 21 of the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR).  The company continued to breach Regulation 21 of PECR and the Commissioner prosecuted it for breaching the Enforcement Notice.  The company was not represented at Swansea Magistrates’ Court and was convicted in absence.  The company was fined £400 as well as being ordered to pay £364.08 in prosecution costs and a victim surcharge of £40. (Don’t forget that PECR remains part of the privacy and data protection law landscape when the GDPR becomes applicable in May.)

Other Prosecutions
A former employee of Nationwide Accident Repair Services Limited was prosecuted by the Information Commissioner for unlawfully obtaining personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had sold the personal data of his employers’ customers to a third party who then made use of the personal data to contact some of those customers concerning their accident.  The defendant was convicted and fined £500 as well as being ordered to pay costs of £364 and a victim surcharge of £50.  An offence of unlawfully disclosing personal data was admitted to and taken into consideration by the Court.

A former local authority education worker was prosecuted after she unlawfully disclosed personal data contrary to section 55 of the Data Protection Act 1998.  The defendant had taken a screenshot of a council spreadsheet which concerned the eligibility of named children to free school meals and then sent it onto an estranged parent of one of the children.  She pled guilty to three offences and was fined £850 by Westminster Magistrates’ Court as well as being ordered to pay £713 in costs.

Alistair Sloan

If you require advice or assistance in respect of a data protection or privacy law matter, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123, or send him and E-mail.

Data Protection/Privacy Enforcement: January 2018

It has been a busy start to the year for the Information Commissioner’s Office (ICO).  The start of 2018 also saw the highest ever sentences imposed on those in breach of Data Protection and Privacy laws in the United Kingdom.  It is time to have a closer look at the Data Protection and Privacy Enforcement action published by the ICO during January 2018 as part of our regular monthly review.  You can read our review of the privacy and data protection enfrocement from December 2017 here.

Key Points

  • If you have access to personal data as part of your employment, ensure that you only access it where there is a genuine professional need for you to do so; even if the reason you are looking for information could be considered harmless.
  • As far as the Information Commissioner is concerned, ‘ignorance is not bliss’; Data Controllers must have adequate and up to date procedures, technology and policies in place to ensure that they are not in breach of any data protection laws or regulations.
  • Organisations can’t generally send advertising or marketing emails unless the recipient has informed the sender that they consent to such emails being sent by, or at the instigation of, that sender.  Any consent must be freely given, explicit and informed but also involve a positive indication signifying the individual’s agreement. In order for consent to be informed by an individual, the individual must know exactly what it is they are consenting to (for more information see Alistair Sloan’s blog post PECR:  The forgotten relative).
  • Failure to notify the Information Commissioner of any personal data breach in accordance with the Notification Regulations will not be tolerated.  If it has come to your attention that there has been a breach, you must come clean and put your hands up. A much wider requirement to notify the ICO of personal data breaches becomes applicable with the GDPR later this year, for more on that see our blog post on Personal Data Breaches under the GDPR.
  • It goes without saying, meticulous attention to detail must be taken when you are sending any correspondence containing personal data, you must ensure that it is sent to the correct person.

Enforcement action published by the ICO in January 2018

The Carphone Warehouse Ltd
The Carphone Warehouse Ltd was served with a Monetary Penalty Notice in the sum of £400,000 after serious failures and inadequate software placed customer and employee data at risk.

Newday Limited
Newday Ltd were served a Monetary Penalty Notice in the sum of £230,000 after approximately 48,096,988 emails were sent to individuals who had not consented to receive marketing, contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The Commissioner decided that the consent relied on by Newday Limited was not sufficiently informed and therefore it did not amount to valid consent.

TFLI Ltd
TFLI Ltd received a Monetary Penalty Notice of £80,000.  This penalty was also in relation to contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  TFLI Limited sent approximately 1,218,436 unsolicited marketing texts promoting a loan website.

Barrington Claims Ltd
Barrington Claims Ltd were issued a Monetary Penalty Notice in the sum £250,000 after they failed to ensure automated marketing calls were made only to individuals who had consented to receive them. The Commissioner decided to issue a Monetary Penalty under section 55A of the Data Protection Act 1998, in relation to contravention of regulations 19 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  The company were unable to provide evidence that it had the consent of individuals to whom it had instigated the calls.

Goody Market UK Ltd
Goody Market UK Ltd were issued a Monetary Penalty Notice in the sum of £40,000 after they failed to ensure that text messages containing marketing material were only sent to individuals who had consented to receive them.  They were also served an Enforcement Notice. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market UK Ltd by a data broker.  Goody Market UK Ltd were unable to provide the Commissioner with any evidence that the recipients consented to the marketing messages, having relied on verbal assurance from the data broker.  The Commissioner found that Goody Market UK Ltd had contravened Regulation 22 of PECR.

West Midlands Police
West Midlands Police have signed an Undertaking to comply with the Data Protection Act after the Information Commissioner was informed that a data breach had occurred in relation a Criminal Behaviour Order.  The order was imposed on two individuals, but in a leaflet distributed to publicise the order, the names of the witnesses were revealed.

Miss-sold Products UK Ltd
Miss-sold Products UK Ltd were served a Monetary Penalty Notice in the sum of £350,000 after they failed to ensure that marketing calls were only made to individuals who had consented to receive marketing. The penalty was in relation to contravention of Regulation 19 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

SSE Energy Supply Ltd
SSE Energy Supply Ltd was issued a Monetary Penalty Notice of £1,000 after they sent an email to an individual in error.   The penalty was issued because of contravention of Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003.  This Regulation requires that a provider of a public electronic communications service must notify the Information Commissioner of a personal data breach without undue delay.  SSE Energy Supply Ltd sent an email to the wrong email address, disclosing the name of a customer and their account number.  After they became aware of the breach, SSE Energy Supply Limited did not follow its policies and procedures that were in place and as a consequence there was a delay in reporting the personal data breach to the Information Commissioner.

Prosecutions
There were a number of successful prosecutions reported by the ICO during January 2018:

  1. An investigation by the ICO, which began in 2013, resulted in record fines for Woodgate and Clark Ltd, the company director and private investigators who were involved in the illegal trade of personal information.  A claim had been made on an insurance policy in relation to a fire at business premises which the claimant owned.  Private investigators unlawfully obtained confidential financial information and disclosed it to Woodgate and Clark Ltd, which then disclosed it to an insurer client.  The defendants were all prosecuted under s55 of the Data Protection Act 1998.  Woodgate and Clark Ltd were fined £50,000 in addition to being ordered to pay £20,000 in costs.  The company director was fined £75,000 and was ordered to pay £20,000 in costs; while both private investigators were fined £10,000 and ordered to pay £2,500 in costs.
  2. A director of an accident claims company invented a car crash so that he could trace and get in touch with the owner of a private number plate he wanted to buy.  He was prosecuted at Bristol Magistrates’ Court for a breach of S55 of the Data Protection Act 1998 for the offence of unlawfully obtaining personal data.  He was convicted and received a fine of £335.00.  The defendant was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £33.00.
  3. An individual was charged with two offences of unlawfully disclosing personal data.  The defendant had come into possession of a USB stick and published sensitive police information from it on Twitter.  He was sentenced to a 12 month conditional discharg,e in part because he had been placed on a stringent bail conditions including wearing an electronic tag before the hearing.  He had to pay £150 in cost and £15 victim charge.

Vicki Macleod Folan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

It’s just legitimite interests, isn’t it?

The General Data Protection Regulation (GDPR) becomes applicable in the United Kingdom on 25th May 2018.  Preparations are well underway in business, government and the regulator for the new privacy and data protection landscape.  People are trying to find their way through the GDPR and the Data Protection Bill to understand exactly what it is that they’re required to do in order to comply with the new framework, but there are a lot of misunderstandings about certain requirements of the GDPR.  I have already dealt with one of those, the issue as to whether or not consent is required under the GDPR on this blog.  Another area where there appears to a lot of misunderstanding is with the legitimate interests ground for processing, especially in the area of direct marketing.

Article 6(1)(f) of the GDPR provides that it is lawful to process the personal data of a data subject where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”  This is the legitimate interests ground for processing; but as can be seen from a proper reading of the condition, it is not the silver bullet condition that some people seem to think that it is.

There are essentially three elements to the condition:  (1) necessity; (2) legitimate interests of the controller or a third party; (3) the interests or fundamental rights of the data subject.  Therefore before being able to rely upon legitimate interests as the processing condition, it is essential that controllers go through a three stage process.  The first stage is to identify what the interests are.  In determining whether the interest identified by the data controller is a legitimate interest, it is necessary for them to consider whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for this purpose may take place.  If a data subject could not reasonably expect that the processing envisaged by the data controller may take place, at the time and in the context of collection of the personal data, it will not be a legitimate interest.

The second stage is to consider necessity; the processing must be necessary for the legitimate interest(s) being pursued.  If the processing is not necessary then a data controller cannot rely upon the ‘legitimate interests’ condition for processing the personal data in question.  The ICO currently puts it this way “[i]f you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.”  It is therefore essential to consider whether there are other ways to fulfil the legitimate interest(s) identified.  The test does not require it to be “strictly necessary” or “absolutely necessary”, but it is still a high test

The final element that needs to be considered before a decision to rely upon legitimate interests can be taken, is whether the legitimate interests are overridden by the fundamental rights and freedoms of the data subject.  This can be a very difficult assessment to make and can, on occasions, be on a knife-edge.  It is fundamentally about proportionality and in a lot of cases the data subject’s fundamental rights and freedoms will override the legitimate interests with the result that another condition needs to be found to enable processing take place.

At the very outset I did mention that there is a lot of misunderstanding about legitimate interests in the field of direct marketing.  It is true that the GDPR does state, in Recital 47, that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, but it’s not as simple as that.  Firstly it is important to note that the Recital states that it “may be” a legitimate interest; that is not the same thing as saying that it “will be” or “is” a legitimate interest.  It only opens the door to marketing being a legitimate interest; it does not remove the need to consider whether it is, in any given context, a legitimate interest.

Secondly, it is important not to consider the GDPR in isolation.  I have already written about the forgotten relative of the GDPR:  The Privacy and Electronic Communications (EC Directive) Regulations 2003.  These are extremely relevant when conducting direct marketing by electronic means (such a by telephone, E-mail or text message).  Processing personal data for the purposes of marketing might well be lawful because it can be shown that it is a legitimate interest for the controller or a third party, but how that marketing is then delivered must comply with the other relevant laws and codes which regulate marketing activity.

The legitimate interests condition is a flexible one, but data controllers should not assume that if no other condition applies, or is appropriate, that they can simply say “it’s legitimate interests” and be done with it.  Where a controller does rely upon legitimate interests, the accountability principle will kick in and the supervisory authority may well ask for it to be justified.  Therefore, where it is proposed to rely upon legitimate interests a record should be kept demonstrating how each of three elements to the legitimate interests condition is met.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

 

Data Protection/Privacy Enforcement: December 2017

Our monthly look at the enforcement action taking by the Information Commissioner in respect of Privacy and Data Protection matters continues with a review of the enforcement action published by the ICO in December 2017.  You can view last month’s review of the November 2017 enforcement action here.  December 2017 was not an overly busy month for the ICO; they published just one Enforcement Notice.

Key Points

  • Ensure that you have in place adequate procedures to ensure that you handle Subject Access requests within the time allowed by the law.

Enforcement Action

Secretary of State for Justice
The Secretary of State for Justice was served with an Enforcement Notice [pdf] requiring him to deal with his department’s backlog of delayed Subject Access Requests.  As at 10 November 2017 the Ministry of Justice had 793 Subject Access Requests which were over 40 days old; some of this backlog was made up of Subject Access Requests made in 2014.  This was a reduction from the 919 requests more than 40 days old as at 28 July 2017 (which included requests going back to 2012).  The Data Protection Act 1998 requires that Subject Access Requests be responded to within 40 calendar days (this will be reduced to 30 calendar days under the GDPR – you can find out more about this change, and others to the right of subject access requests, in my blog post on Subject Access Requests under the GDPR).

Alistair Sloan

If you require advice or assistance with Subject Access Requests, or any other Information Law matter then contact Alistair Sloan on 0345 450 0123 or send him and E-mail

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employers’ consent.  He was given a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The defendant had accessed the medical records of a neighbour and former friend medical records and also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.