Personal Data: Guard it with your life or suffer the consequences...


A Brief Data Protection Update:

With technological advancements and the increasing use of social network sites, mobile phone apps and online shopping and banking (among other things) more personal data is being processed and shared now than ever before. The European Union and the UK Information Commissioner's Office (the ICO) are therefore sharpening their focus on protecting personal data.

The European Union

As you are no doubt aware, the EU plans to make certain changes to European data protection law by way of an EU Regulation which is currently in draft form. The intention is to make the data protection framework across Europe significantly more coherent and consistent. The draft Regulation aims to give individuals more rights and control over their own personal data, as well as ensuring that businesses comply. If the Regulation passes into law, it will apply directly in all Member States, without the need for national implementing legislation, two years after adoption (currently estimated to be 2016).

Some of the main changes which will impact businesses are:

The level of fines may increase to €100 million or 5% of the business's turnover. This was initially proposed to be €1 million or 2% of turnover. However, the European Parliament's Civil Liberties Committee (LIBE) has just voted that the fine level should be significantly increased.
There will be greater regulation of data processors as well as data controllers.
At the moment only serious breaches need to be notified. The proposed Regulation sets no threshold for reporting data protection breaches.
If you employ more than 250 people, are a public body, or your business involves operations which require regular and systematic monitoring of data subjects, then appointing a Data Protection Officer will be mandatory.
Individuals may have a 'right to be forgotten', which means they can request that their information is deleted. There are limits to this; for example, a credit rating cannot be deleted.

There is some controversy around some of the proposed changes, due to concerns about how they will be implemented in practice. However, the one thing that is certain is that there will be fairly substantial and wide reaching changes.

The UK Information Commissioner's Office

The ICO was given powers in April 2010 to impose fines of up to £500,000 for serious data breaches and it has not been shy about using them in recent months. A recent example of this was in August this year, when a monetary penalty notice was imposed on Aberdeen City Council. Inadequate homeworking arrangements led to 39 pages of personal data being uploaded to the internet by a Council employee. The Council was fined £100,000.

In July, NHS Surrey was fined a hefty £200,000 after sensitive personal data belonging to thousands of patients was discovered on hard drives sold on an online auction site. These two fines are good examples of situations that could have easily been avoided if the respective organisations had appropriate policies, procedures and training in place.

This year, however, saw the first time that a fine issued by the ICO has been overturned. A fine of £250,000 issued by the ICO against Scottish Borders Council was overturned by the UK Information Rights Tribunal. Files containing personal information about former employees had been disposed of in a recycling bank in a supermarket car park and were found by a member of the public. To impose a fine, the ICO must prove, among other things, that the breach was likely to cause substantial damage or substantial distress.

The UK Information Rights Tribunal held that the ICO had not met this test. Its reasoning was that Scottish Borders Council had used a trusted data processor for many years, and that the discovery of the files by a journalist or someone untrustworthy (someone who could cause substantial damage or distress) was too unlikely to satisfy the test. In making this judgment the Tribunal has set the bar higher for the ICO, and this could result in more appeals against ICO fines.

Custodial Sentences Discussion Re-Opened

Finally, plans for a public consultation on whether custodial sentences should be introduced for the Data Protection Act 1998 (the DPA) Section 55 offence of unlawfully obtaining or disclosing personal data have been re-ignited. A proposal to introduce two-year prison sentences was raised in 2006, but no action was taken. The topic has returned to the forefront of the agenda as a result of the Parliamentary Home Affairs Committee's investigation into the unlawful activity of private investigators, who are subject to the DPA because of the nature of the information they collect when investigating individuals.

The Criminal Justice and Immigration Act 2008 already enables the Government to make an Order introducing custodial sentences for breaches of Section 55 of the DPA without further primary legislation, so jail terms are a very real possibility in the not too distant future.

In short, when it comes to data protection, data thieves and slapdash organisations need to watch out – the landscape is changing. All others, watch this space…