Monthly Archives: December 2017

Data Protection/Privacy Enforcement: November 2017

A bit later than normal, it is time for our monthly review of the enforcement action taken by the Information Commissioner in respect of Privacy and Data Protection matters during the month of November 2017.  This follows on from our reviews covering September 2017 and October 2017.

Key Points

  • Ensure that when you are collecting personal data that you are clear and open about what it will be used for.  If it is to be supplied to third parties for direct marketing purposes state as accurately as possible who those third parties are –  stating that it will be shared with “carefully selected partners” is not going to be sufficient.
  • When undertaking direct marketing by electronic means, such as by E-mail or text message, ensure that you have in place the necessary consent (and remember the definition of consent in the Data Protection Directive) of the recipient before sending your marketing messages.
  • Once again, if you have access to personal data as part of your employment, ensure that you only access it where there is a legitimate business need for you to do so.  Do not send personal data to your own personal E-mail address without first explaining to your employer why you need to do it and getting their consent to do so.

Enforcement action published by the ICO in November 2017

Verso Group (UK) Limited

Verso Group (UK) Limited was served with a Monetary Penalty Notice [pdf] in the amount of £80,000.  Verso had been supplying personal data to third parties to enable those third parties to conduct direct marketing campaigns; the Commissioner considered that Verso had breached the First Data Protection Principle in doing so.  This was because the Commissioner did not consider that the terms and conditions and privacy policies of Verso and those other companies from which it obtained personal data were clear enough to make the processing by Verso fair and lawful.

Hamilton Digital Solutions Limited

Hamilton Digital Solutions Limited were served with an Enforcement Notice [pdf] and a Monetary Penalty Notice [pdf] in the amount of £45,000 after the company were responsible for the sending of in excess of 150,000 text messages for the purposes of direct marketing in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Prosecutions

There were a number of successful prosecutions reported by the ICO during the month of November 2017:

Prosecution 1 –
A former employee of a community-based counselling charity was prosecuted by the ICO at Preston Crown Court and pleaded guilty to three charges under Section 55 of the Data Protection Act 1998.  The Defendant had sent a number of E-mails to his personal E-mail address which contained sensitive personal data of clients, without his employer’s consent.  He was given a 2-year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.

Prosecution 2 –
An employee of Dudley Group NHS Trust pleaded guilty to two offences under Section 55 of the Data Protection Act 1998:  one of unlawfully obtaining personal data and one of unlawfully disclosing personal data.  The Defendant had accessed the medical records of a neighbour and former friend and had also disclosed information about a baby.  She was fined a total of £250 (£125 for each offence) and was ordered to pay prosecution costs amounting to £500 and a victim surcharge of £30.

Prosecution 3 –
A former nursing auxiliary at the Royal Gwent Hospital in Newport was fined £232 for offences under Section 55 of the Data Protection Act 1998.  She was also ordered to pay prosecution costs of £150 and a victim surcharge of £30.  The Defendant had unlawfully accessed the records of a patient who was also her neighbour.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Registered Social Landlords and FOI

Yesterday, the Scottish Government began a consultation on legislation to formally designate Registered Social Landlords (RSLs) as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”).  The draft Order being consulted on proposes a commencement date of 1st April 2019.

This is not an unexpected development in the field of information law.  In December 2016 the Scottish Government consulted on the principle of designating RSLs as public authorities for the purposes of FOISA.  It has been widely anticipated that RSLs would be designated as public authorities for the purposes of FOISA.

A designation as a public authority for the purposes of FOISA will have ramifications for RSLs beyond the obvious need to comply with FOISA and being under the regulatory oversight of the Scottish Information Commissioner.  It will also have implications for RSLs in respect of how they implement the General Data Protection Regulation (“GDPR”), which becomes applicable from 25th May 2018.

There are a number of aspects of the GDPR which are directed towards public bodies.  The Data Protection Bill currently before the UK Parliament defines what a public body is for the purposes of the GDPR.  Clause 6 of the Bill provides that a body which is designated as a Scottish public authority for the purposes of the FOISA is a public body.  This will mean that RSLs will have to appoint a Data Protection Officer; even although many of them would not have had to before this decision was taken by the Scottish Government.

It also has implications for the grounds upon which they can legitimately process personal data.  Processing of personal data for the purpose of pursuing a legitimate interest of the controller is permissible under the GDPR.  However, the GDPR goes on to provide that public bodies cannot rely upon legitimate interest as a ground of processing in performance of their tasks.  Therefore, any RSL that has been preparing for the GDPR on the basis that they will be able to process personal data on the legitimate interests ground will have to re-evaluate its processing of personal data ahead of its designation as a public authority for the purposes of FOISA.

It is worthy of note, simply for interest, that the Data Protection Bill proposes giving the Secretary of State the power to make regulations which state that a public body is not in fact a public body for the purposes of the GDPR.  However, there has been no indication that the Secretary of State intends to make use of this power or how the power is intended to be used; therefore, it is probably advisable not to work on the basis that RSLs will be declared not to be public bodies for the purposes of the GDPR.

Another possible implication for RSLs is in relation to the Environmental Information (Scotland) Regulations 2004 (“the EIRs”).  The Scottish Information Commissioner has previously decided that RSLs are public authorities for the purpose of these regulations, which govern access to environmental information.  The Housing (Amendment) (Scotland) Bill may have implications for the basis upon which the Commissioner concluded that RSLs were public authorities for the purposes of the EIRs.  If it does, there may be a gap during which RSLs are not public authorities for the purposes of the EIRs.  Once they become designated as public authorities for the purposes of FOISA, they will automatically become public authorities for the purposes of the EIRs as well.

Alistair Sloan

If you would like advice or assistance in respect of a freedom of information or data protection matter then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Nefarious Endeavours and Vicarious Liability for Data Breaches

Last week I highlighted the important decision handed down by Mr Justice Langstaff sitting in the English High Court in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB).  In that blog post I stated that the judgment was lengthy and would take some time to properly read and digest and that I would cover the judgment in much more detail in due course.  It has indeed taken some time to read and digest, but I am now in a position to bring readers a much more in-depth consideration of the judgment.

The facts sitting behind the Morrisons decision are stark.  An employee of the Defendants, Andrew Skelton, ran a business on the side.  His business was connected to the slimming industry and involved him sending a perfectly legal drug, which was in the form of a white powder.  On 20th May 2013, Mr Skelton left a pre-paid package with Morrisons’ mail room which contained this white powder.  While the package was being handled by staff in the mail room it burst open and some of the contents spilled out.  This triggered a process within Morrisons that could have resulted in the mail room being closed; however, that was not necessary.

Mr Skelton was eventually disciplined by Morrisons in connection with this incident.  He had committed no criminal offences in connection with the incident:  the drug was perfectly legal and he had paid for the postage himself.  However, Morrisons decided that his conduct was not in keeping with their values and issued him with a verbal warning.  Mr. Skelton disagreed with this sanction and utilised the company’s internal appeals process to appeal the disciplinary decision; that appeal was unsuccessful.  Mr Skelton took exception to the way in which he was treated and began to embark upon a criminal enterprise which was designed to damage the Defendants.

Mr Skelton was employed as an IT internal auditor within Morrisons.  This meant that he was highly literate in IT and also meant that he had access to personal data.  It is not necessary to go into the facts in much more detail.  Suffice it to say that in the course of his employment with Morrisons, Mr. Skelton lawfully processed personal data which had been extracted from the company’s payroll software.

As part of his nefarious endeavour, Mr. Skelton made a personal copy of the personal data and proceeded to post it onto the internet in January 2014.  By this time, Mr. Skelton had left Morrisons (having resigned).  By March 2014, the fact that vast quantities of personal data from Morrisons’ payroll software had been posted onto the internet had still not been discovered.  Mr. Skelton then, anonymously, sent a CD of the personal data to a number of local newspapers including a link to where the personal data had been posted.  One of the local newspapers alerted Morrisons to the publication of the personal data and Morrisons took steps to have it removed and to investigate matters.

Ultimately, Mr. Skelton was arrested and charged with various offences under both the Data Protection Act 1998 and the Fraud Act 2006.  He was later convicted and sentenced to a period of imprisonment.  With that context now set out, it is time to turn to the civil claim brought by over 5,000 of the affected data subjects against Morrisons.

The claimants effectively argued two primary positions:  (1) that Morrisons was directly liable for the breach arising out of its own acts and omissions; and (2) alternatively, that Morrisons was vicariously liable in respect of Mr. Skelton’s actions.

In advancing the case for primary liability, Counsel for the Claimants argued that Morrisons was at all material times the data controller of the payroll data which Mr. Skelton had misused for his criminal enterprise.  This argument was repelled by Langstaff J.  Mr Justice Langstaff concluded that by taking it upon himself to decide that he was going to copy the personal data and place it on the internet, Mr. Skelton had put himself into the position of deciding what personal data would be processed and the purposes for which it would be processed.  Mr. Skelton was therefore the data controller, not Morrisons.  It was therefore Mr. Skelton’s actions that were in breach of the Data Protection Principles rather than the actions of Morrisons.

The rejection of the primary liability argument then brought Mr Justice Langstaff onto the question of secondary liability.  Could Morrisons be held vicariously liable for the actions of Mr. Skelton, and if so, were they vicariously liable for the actions of Mr. Skelton?  Mr Justice Langstaff decided that Morrisons could be, and indeed were, vicariously liable for the actions of Mr. Skelton in publicly disclosing the Claimants’ personal data on the internet.  In reaching this conclusion, Mr Justice Langstaff has seemingly reached two contradictory conclusions:  that Mr. Skelton was acting independently of Morrisons (thus making him a data controller in his own right) while at the same time holding that Mr. Skelton was acting in the course of his employment (thus opening the door for vicarious liability to attach to Morrisons).  These are not necessarily easy to reconcile and as a consequence the matter may well end up in the Court of Appeal (or indeed, possibly even the Supreme Court) in due course.  Morrisons have, as I previously noted, been granted permission by Langstaff J to appeal the vicarious liability finding to the Court of Appeal.

The Defendants essentially attacked the vicarious liability position using a three pronged approach.  First, they argued, that the statutory scheme of the Data Protection Act 1998 excluded the possibility of there being vicarious liability at common law.  Their second prong was very much based upon the premise of their first:  they argued that if the statute impliedly excluded vicarious liability, it would not be constitutionally possible for the courts to impute such liability into the scheme.  The third prong of their attack was based on Mr. Skelton acting as his own independent data controller.  If he was so acting, the Defendants argued; then he could not also be acting in the course of his employment such as to make Morrisons vicariously liable for his actions.

Langstaff J, in holding that Morrisons were vicariously liable, looked closely at the timeline of events which had occurred.  Mr Justice Langstaff took the view that “what happened was a seamless and continuous sequence of events” [para 183].  The actions of Mr. Skelton as an independent data controller were sufficiently linked to his employment at Morrisons so as to have the result of Morrisons being vicariously liable for his actions as an independent data controller.

It is clear from paragraph 196 of the judgment that Langstaff J was troubled by the conclusions that he had reached.  One point was singled out for particular attention as the one which “most troubled” him; that was that by finding Morrisons vicariously liable he had in effect assisted Mr. Skelton in his criminal endeavours.  The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused to the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons.  Even if the payments to each data subject are low, if they end up having to be made to the approximately 100,000 employees who were affected the financial burden to Morrisons is not going to be insignificant.  That will represent a harm caused to Morrisons; perhaps harm that was not envisaged by Mr. Skelton when he started upon his nefarious activities; however, it is a harm that will be suffered by Morrisons arising.

It remains to be seen whether Morrisons will appeal the judgment; they already have permission to take the matter to the Court of Appeal.  Of course, the judgment of Langstaff J is not binding upon any court in Scotland; however, it will likely be considered as persuasive authority in both the Sheriff Court and the Court of Session.  Data Controllers in Scotland should pay as much attention to the case as those based in England and Wales.

Alistair Sloan

If you would like to discuss an issue related to data protection, or any other information law matter, then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Vicarious Liability in Data Protection Law

This morning Mr Justice Langstaff, sitting in the High Court of Justice, handed down a judgment in the case of Various Claimants –v- Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB).  In March 2014 the Defenders, Morrisons, revealed that its payroll data for the majority of its staff had been stolen.  The data which had been taken had been published online on a file sharing website earlier that year; it was discovered in March when copies of the data were sent anonymously to three newspapers together with a link to the online published version.  The investigation that followed resulted in Andrew Skelton, formerly a senior manager with the company, being convicted of fraud at Bradford Crown Court in 2015.  Mr Skelton was sentenced to eight years’ imprisonment.

In total around 100,000 of the Defenders’ 120,000 employees were affected by the actions of Mr Skelton.  Of those, 5,518 employees raised proceedings in the High Court claiming compensation for breach of a statutory duty (under the Data Protection Act 1998) and also at common law.  The Claimants’ primary position before the court was that the Defenders were directly liable.  However, they argued that, in the alternative, the Defenders were vicariously liable.

In a judgment which is 59 pages long and contains 198 paragraphs, Langstaff J dismissed the direct liability argument; however, he found that the Defenders were vicariously liable.  This is an important judgment in the field of privacy and data protection and it is one that employers should certainly be aware of.  The court has found a data controller liable to the claimants arising out of a criminal enterprise by one of their employees.  It is certainly worthy of much fuller analysis and I will provide such an analysis on this blog in due course; however, it is a lengthy judgment and it will take some time to properly read and digest.

It should be noted that this may not be the end of this litigation; Morrisons have been given permission by Langstaff J to appeal the finding on vicarious liability to the Court of Appeal if they so wish.  It remains to be seen whether Morrisons decide to appeal the decision.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.