Category Archives: Privacy

Privacy, the common law and Scotland

In a recent opinion from Lord Bannatyne (B C and Others v Chief Constable Police Service of Scotland and others [2019] CSOH 48), sitting in the Outer House of the Court of Session, we have the first express statement that there is a right of privacy at common law in Scotland. Traditionally in Scotland, privacy law has been dealt with through the European Convention on Human Rights, the Human Rights Act and data protection law.

This case involved a number of police officers who are facing disciplinary proceedings by the Police Service of Scotland for alleged misconduct which is founded upon a number of messages sent via WhatsApp. The messages came into the possession of the professional standards department having been discovered on the phone of an officer who was being investigated in connection with alleged sexual offences.

The messages in question were characterised by Senior Counsel for the Police Service of Scotland in her written submissions as being “on any view, blatantly sexist and degrading, racist, anti-semitic, homophobic, mocking of disability” and included “a flagrant disregard for police procedures by posting crime scene photos of current investigations.” [para 166] Lord Bannatyne believed that it was “a characterisation which a reasonable person having regard to the content of the messages would be entitled to reach. I conclude that the content of the messages can be regarded as potentially informing the issue of breach of Standards in circumstances calling into question the impartial discharge of the petitioners’ duties.” [para 166]

In terms of the common law right to privacy, the starting point for Lord Bannatyne was the relationship between the Human Rights Act 1998 and the Common Law. He quoted Lord Reid, with approval, in R (Osborn) v The Parole Board at paragraph 57 of that judgment. From that passage Lord Bannatyne concluded that if the right to privacy exists at common law, Article 8 of the convention does not supersede it. Lord Bannatyne noted that the European jurisprudence could be used to help inform and develop a common law right to privacy.

He then went on to ask whether there was a justification for a right to privacy in the common law. He cited, with approval, the words of Lord Nicholls at paragraph 12 of the judgment in Campbell v MGN Ltd. Lord Bannatyne thought that the right to privacy could “be described as a core value and one which is inherent in a democratic and civilised state.” [para 106]. He continued:

“[it] seems to flow from the centrality of the role of privacy in a democratic society and particularly in a society where electronic storage of information and electronic means of intrusion into the private lives of a citizen by government, private organisations and individuals are growing exponentially the common law should recognise the right to privacy.” [para 107]

Lord Bannatyne considered that the English authority on the point was of assistance. In England and Wales the common law on privacy has been developed in the context of the development of the law on breach of confidence. Scotland also has a concept of breach of confidence, which is a well understood remedy and it has been explicitly accepted previously that the law in Scotland in respect of breach of confidence is the same as the law in respect of breach of confidence in England and Wales (see, for example, Lord Advocate v Scotsman Publications).

At paragraph 116 of his opinion, Lord Bannatyne observed “that given privacy is a fundamental right I think it highly likely that it exists in the common law of Scotland.” He also noted that it was “inherently unlikely” that Scottish and English law in relation to this fundamental matter are entirely different.

Finally, he considered the existing case law in Scotland (to the extent that there is any) tended to support the view that such a right exists in the law of Scotland. He also found it “noteworthy” that none of the cases to which he was referred expressly or implicitly stated that there was no common law right to privacy in Scotland.

Lord Bannatyne went on to consider that the Petitioners could have “no reasonable expectation of privacy” flowing “from the attributes which arise as a result of their position as constables.” [para 166] It is not the case that police officers, as a result of their position, have no right to privacy at all, but, rather, that this right is limited. Lord Bannatyne opines that the limitation can be defined in the following way: “f their behaviour in private can be said to be potentially in breach of the Standards in such a way as to raise doubts regarding the impartial performance of their duties then they have no reasonable expectation of privacy.” [para 168] A police officer, because of the attributes of a person holding the office of constable, is in a different position to an ordinary member of the public. [para 168]

The remaining issues that had to be dealt with by Lord Bannatyne were dealt with in, comparably, fairly short compass. Lord Bannatyne held that “there is a clear and accessible basis for the disclosure [by the police, as a public authority, to the professional standards branch of Police Scotland] in the circumstances of this case.” [para 192] He also held that the disclosure decision was not an arbitrary one. [para 192]

Lord Bannatyne also held the interference was necessary, in accordance with Article 8(2) of the Convention. He did not agree that all of the matters listed in Article 8(2) were engaged, but did hold that ‘public safety’ and ‘the prevention and detection of crime’ were engaged. [para 198] In terms of the balancing exercise to be carried out, Lord Bannatyne considered that the balance was“heavily weighted on the side of disclosure” and he was “unable to identify a less intrusive measure which could have been used without unacceptably comprising the objectives [he had] identified.” [para 201]

Finally, in respect of interdict, Lord Bannatyne held that even if he had been with the Petitioners he would nevertheless have held that the Petitioners were not entitled to the interdict which they sought. [para 202]

This is an important case as it is the first time that a Scottish court has expressly declared that there is a common law right to privacy in Scotland. That, however, has to be tempered with the fact that it is a decision of the Outer House and therefore only of persuasive authority in the Court of Session and lower courts. A different Lord Ordinary (or a Sheriff) may ultimately reach a different conclusion (although, I think that unlikely). Although, the Petitioners were right on this point, they ultimately lost the case and the petition was refused. Therefore there may well be a reclaiming motion (appeal) to the Inner House and this point may well be considered and decided upon by the Inner House. This would give us binding authority which all the lower courts in Scotland would be required to follow stating that there is a common law right to privacy in Scotland.

The decision will certainly add an additional tool to the armory of individuals who are concerned about their privacy and breaches thereof; it will also be another angle which those advising on issues of privacy will have to consider. We may begin to see more cases proceed on the basis of a breach of the common law right to privacy as opposed to cases proceeding on breaches of convention rights and data protection law.

Alistair Sloan

If you would like advice in connection with any privacy matter, or any other information law matter; contact our team on 0141 229 0880 or by E-mail. You can also follow our dedicated Information law twitter account.

Privacy v Freedom of Expression in the Court of Appeal

Last year, Mr Justice Arnold gave judgment in the interesting case of Ali & Aslam v Channel 5 Broadcasting. This case concerned the fly-on-the wall programme broadcast on Channel 5 called “Can’t Pay? We’ll take it away”; which follows the work of High Court Enforcement Officers as they enforce court orders relating to debt and housing matters. Mr Justice Arnold found Channel 5 to be liable to the Claimants in the sum of £10,000 each; holding that the Claimant’s rights to privacy outweighed the rights of Channel 5 in respect of freedom of expression and the public interest.

Both parties appealed to the England and Wales Court of Appeal; Channel 5 on the issue of liability and the Claimants on the grounds that the damages awarded were insufficient. In a judgment given on 16th April 2019, the Court of Appeal (Irwin LJ, Newey LJ and Baker LJ) refused both appeals.

The Court of Appeal addressed the issue of liability first, before dealing with the appeal on quantum (the amount of damages awarded). The issue for the Court of Appeal was whether Arnold J had gone beyond what was justified in balancing the Claimants’ rights to privacy against Channel 5’s rights to freedom of expression; and as a consequence had made an error of law. The Court of Appeal held that Arnold J had taken “too narrow a view of what was in the public interest, effectively confining it to the High Court Process.” [74] The Court considered that Arnold J was wrong to conclude “that the publication of each specific piece of information in respect of which the Claimants had a legitimate expectation of privacy had to be justified as a matter of general public interest.” [74]

An interference with privacy which cannot be justified (logically or rationally) by reference to the public interest served by publication cannot be rendered lawful by editorial discretion. However, where there is a rational view by which publication can be justified in the public interest the courts should be slow to interfere, giving full weight to editorial discretion and knowledge.

Despite having some reservations about the treatment of the public interest issues in the judgment from Arnold J (in particular, the narrow approach taken to the public interests issues which arose), the Court refused the cross-appeal by Channel 5. The court had three principal reasons for doing so, set out in paragraphs 92-94 of its judgment. Those can be summarised as follows:

  1. Arnold J was clearly well aware of the relevant legal principles set out in the applicable case law.
  2. The Court of Appeal was satisfied that Arnold J was fully aware of the range of public interest issues raised in the programme; and
  3. The Court of Appeal was satisfied that while another judge might have reasonably found against the Claimants, it was not unreasonable for Arnold J to have found in their favour.

Turning to the appeal on damages, the first ground of appeal advanced essentially amounted to one that the level of damages awarded to each Claimant did not reflect the scale and nature of the publication. The second ground is that the judge was wrong to take into account the publication of the postings by the Ahmeds when setting the awards of damages for the publications by the Defendant. The third ground is that the judge wrongly failed to take into account the impact of the programme on the Claimants’ children.

All three grounds of appeal in respect of quantum were refused by the Court of Appeal. In respect of ground 2, the Court of Appeal noted that “[i]t must be obvious that the distress attributable to the programme was reduced because a number of people within the Claimants’ community or network were already aware of the broad events from the postings”. In respect of ground 3, the Court of Appeal considered that Arnold J had taken into account t he potential impact on the Claimants’ children.

On ground 1, the Court of Appeal distinguished against damages awarded in the case of phone hacking and the present case. They did so on the basis that in t he hacking cases those responsible for the hacking knew full well what they were doing was illegal; however, in the present case Channel 5 had taken steps to ensure that they remained within the law; including obtaining expert legal opinion. Furthermore, in the circumstances it was appropriate for Mr Justice Arnold to make an award of damages in the round.

There is some helpful guidance from the Court of Appeal on the issue of quantum in respect of breaches of privacy in the media sphere. In assessing quantum it is possible to look at issues in the round and reach a global figure of damages, rather than awarding damages identifiable to each issue. Furthermore, damages for cases of this kind cannot be calculated mathematically. Finally, an appellate court should not seek to interfere with an assessment as to quantum unless the damages awarded are so high or so low as to be perverse.

Alistair Sloan

If you would like advice or assistance in connection with a privacy issue, or any other information law matter; contact Alistair Sloan on 0141 229 0880. You can also send him an E-mail.

Privacy v Freedom of Expression: ‘Can’t Pay? We’ll take it away’

Yesterday an interesting privacy judgment was handed down in the English High Court by Mr Justice Arnold.  The Claimants, Shakir Ali and Shahinda Aslam, brought proceedings against Channel 5 Broadcast Limited (“Channel 5”) for breaching their privacy in using footage of their eviction in the defendants’ television programme, ‘Can’t Pay?  We’ll take it away’.

‘Can’t Pay?  We’ll take it away’ is an observational documentary series broadcast by Channel 5 which follows the work of High Court Enforcement Agents.  The programme often features the evictions of tenants from residential premises by High Court Enforcement Agents and these agents pursuing debtors for the recovery of monies owed to their clients.  At Paragraph 58 of his judgment, Mr Justice Arnold states that the production company “wanted to show how the process which courts provided for the enforcement of debts and the reclaiming of property from debtors and tenants actually operated within ordinary peoples’ lives. He particularly wanted to show how landlords and creditors could expedite enforcement by moving the process from the County Court to the High Court, and the effect of this.”

The Claimants argued that they had a reasonable expectation of privacy and that this had been breached.  Meanwhile, the Defendants argued that the Claimants did not have a reasonable expectation of privacy.  Alternatively Channel 5 argued that if the Claimants did have a reasonable expectation of privacy, that was defeated by the Defendants’ rights to freedom of expression when the two were balanced against one another.  Channel 5 was responsible for selecting which enforcement actions that were filmed for the programme would actually appear in the television series.

On the day of the eviction, the Claimants were visited by two High Court Enforcement Agents; one of whom was in training and the other, Mr Paul Bohill, had more than 30 years’ experience as a High Court Enforcement Agent.  Only the first claimant was in the property when the Agents, together with a television film crew, arrived at the property to effect the eviction.  Certain information was supposed to be provided to those being filmed but the evidence proved that Mr Bohill actively prevented that information being given to the Claimants, even when the first claimant enquired about why it was being filmed.  Mr Justice Arnold covers the events of the eviction of the claimants, in detail, in paragraphs 70 – 115 of his judgment.

On 17th June 2015 the first claimant contacted the production company objecting to footage of his eviction being used in the television series.  He was told that they [the production company] needed to get their facts straight with regards to his benefits, but that his objections would be passed onto Channel 5 who made decisions about broadcast.

At paragraph 169 of his judgment, Mr Justice Arnold states that in his “judgment the principal factors relied upon by the Claimants do lead to the conclusion that they had a reasonable expectation of privacy in respect of the information in question. The Programme was largely filmed in their home; it showed them being evicted without prior warning; it showed them in a state of shock and distress; it showed them being taunted by Omar Ahmed; and it was foreseeable that the broadcasting of the Program me would have an adverse effect on their children. I do not accept that the open justice principle means that the Claimants’ Article 8 rights were not engaged. Open justice means that Channel 5 was entitled to report the facts that the courts had made the Order for Possession and issued the Writ of Possession and in consequence the Claimants had been lawfully evicted; but what happened in their home on 2 April 2015 was not part of the proceedings. Nor do I consider that the broadcasting of the information was an inevitable consequence of the Claimants’ failure to comply with the Order for Possession. Nor do I accept that Mr Ali’s Article 8 rights were  significantly weakened by his political activity.  Mrs Aslam had not engaged in political activity at all. I accept that the Claimants, and their children, had already suffered damage to their privacy as a result of the Ahmeds’ postings on social media, but I do not accept that this meant that the broadcasting of Programme either could not or did not inflict further damage given the substantial scale and duration of the broadcasting.”

In respect of the argument advanced on behalf of Channel 5, that Mr Ali had consented to being filmed, Mr Justice Arnold states that the consent was not “true consent”, was “an agreement to participate under protest” and “was not fully informed agreement given that he was not told anything about the programme that was being filmed or who would broadcast it or about the body cameras.” (paragraph 177).  In any event, Mr Justice Arnold held that “to the limited extent that he did give consent on 2 April 2015, he unequivocally withdrew that consent prior to the first broadcast of the Programme.” (paragraph 178).

Having found that the Claimants did have a reasonable expectation of privacy, it became necessary for the court to balance that against Channel 5’s rights to freedom of expression.  There was no dispute that there was a genuinely held belief by the production company and channel 5 that the programme was in the public interest; however, there was a dispute between the parties as to whether that was enough or whether it had to be assessed objectively.  Mr Justice Arnold concluded that it was clear that the court had to assess it objectively.

Channel 5 argued that “the programme addressed a number of matters of real public interest and concern: increasing levels of personal debt, and in particular rent arrears of tenants in privately-rented accommodation; the dependence of tenants on benefits, and in particular housing benefit; the effect of enforcement of writs of possession by HCEAs; and the consequences for both landlords and tenants. He further submitted that it was justified for Channel 5 to illustrate these matters by showing what happened to real people in real situations, because that was the best way to engage the public and stimulate debate.”

At paragraph 195, Mr Justice Arnold concludes that “the Programme did contribute to a debate of general interest, but…the inclusion of the Claimants’ private information in the Programme went beyond what was justified for that purpose…The focus of the Programme was not upon the matters of public interest, but upon the drama of the conflict between Omar Ahmed [the landlord] and the Claimants. Moreover, that conflict had been encouraged by Mr Bohill…”

Mr Justice Arnold ultimately concluded that when balancing the rights of the Claimants to a private and family life against Channel 5’s rights to freedom of expression, the balance came down in favour of the Claimants’ Article 8 rights.  Each claimant was ultimately awarded £10,000 in damages.

This case raises a number of questions about similar style programmes regularly broadcast on television in the United Kingdom.  It is possible that Channel 5 might face claims from others featured in ‘Can’t Pay?  We’ll take it away’ arising out of the publicity that this judgment has received.  Of course, Channel 5 might well decide to appeal the decision; however, in the meantime broadcasters who broadcast similar style programmes and the production companies who make them ought to reflect upon the decision in the meantime and take it into account when making decisions about programming content of that nature.  It is clear that individuals in these situations do have a reasonable expectation of privacy.  There will be circumstances where the broadcasters’ freedom of expression will defeat the privacy rights of the individuals; however, there will need to be a genuine attempt to cover matters of public interest.  If it is simply for the prupose of entertainment, then broadcasters could find themselves being sued for breach of privacy if they do not have informed consent from the individuals featured (or do not take steps to protect the identities of those featured).

Alistair Sloan

If you would like advice or assistance in respect of a privacy/data protection issue or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

Privacy and the Monitoring of Communications in the Employment Setting

On 5th September 2017 the Grand Chamber of the European Court of Human Rights issued its decision in the case of Bărbulescu v. Romania, which considers the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

The background to the case is that an employee was dismissed by his employer for making use of company equipment and services (internet connection and computer) for personal purposes during working hours; in particular, he had been sending personal messages (some of which were of an “intimate nature”) to his brother and fiancée.  The company’s internal policies prohibited this use and after following the disciplinary process required by Romanian domestic law, he was dismissed.  He brought a case in the domestic courts and was unsuccessful in all of those courts.  He then brought a case before the European Court of Human Rights which ultimately ended up with the Grand Chamber issuing its decision on 5th September 2017.  The procedural background to the case is more fully set out in the Court’s judgment.

The Court stated that the relationship between an employee and their employer “is contractual, with particular rights and obligations on either side, and is characterised by legal subordination.” (paragraph 117) The court went on to state, at paragraph 118, that “labour law leaves room for negotiation between the parties to the contract of employment.  Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations.”

In terms of the margin of appreciation afforded to States under the European Convention of Human Rights, the Court decided, at paragraph 119, that States “must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.”  However, the Court went on to state, in paragraph 120 of its judgment, that “the discretion enjoyed by States in this field cannot be unlimited.  The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse.”  These adequate and sufficient safeguards, the court stated at paragraph 121, “are essential.”

The Court sets out five factors which it considers domestic authorities should treat as being relevant:

  1. What notification has been given to the employee regarding the possibility that the employer might take measures to monitor their correspondence and other communications, and what notification the employee has been given regarding the implementation of these measures;
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy (a distinction should be drawn between simply monitoring the flow of communications and the monitoring of the content of the communications);
  3. The reasons the employer has provided to justify the monitoring of their communications and their actual content – greater justification will be required for monitoring the content as opposed to just the flow;
  4. Whether it would have been possible for the employer to have in place a monitoring system that was based on less intrusive methods and measures than simply directly accessing the content of the employee’s communications;
  5. The consequences of the monitoring for the employee subjected to it, and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure;
  6. Whether there were adequate safeguards in place; especially when the employer’s monitoring operations are of an intrusive nature.

This case makes it clear that it can be legitimate for an employer to monitor, not only the flow of private communications made by an employee on company systems, but also the actual content of the correspondence.  However, employers do not have an unlimited right.

Employers will have to think carefully about what aims they are trying to achieve by the monitoring of communications by employees on company systems and whether their proposed method of monitoring is proportionate with that aim.  Furthermore, employees should be given clear and fair notice of what monitoring is taking place and the purpose for the monitoring.

Employers will also need to give careful consideration to the safeguards that they need to have in place with regards to the monitoring procedures they have in place and ensure that what safeguards they do have in place are adequate.  With regards to safeguards, the court specifically stated that employers should not have access to the actual content of the correspondence concerned unless the employee has been notified in advance.

The court has also said that domestic authorities should ensure that any employee whose communications have been monitored has access to a remedy before a judicial body and that judicial body should have jurisdiction to determine, at least in substance, how the six criteria set out in its judgment have been observed and whether the impugned measures were in fact lawful.

This decision doesn’t really change the law as it already operated.  The decision does not prevent employers from undertaking the monitoring of communications by their employees on the employer’s systems.  However, the decision does act as a useful reminder that the ability to conduct such monitoring activities is not wholly unrestrained.  The decision, coupled with the forthcoming applicability of the General Data Protection Regulation, may well provide a good opportunity for employers to review their policies in this area to ensure that they are compliant with the law.

Alistair Sloan

If you would like advice on a matter concerning data protection or privacy, then you can contact our Alistair Sloan on 0345 450 0123 or by completing the contact page on this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan