The Data Protection Act (along with related regulations) governs how personal data is treated. Two recent cases have highlighted the importance of this issue.
Firstly, in September an HIV clinic which is part of the Chelsea and Westminster NHS Trust sent a group email to hundreds of patients, CC not BCC. As a result, it disclosed the personal data of each patient on the list to all the others. The fact that this included sensitive personal data in the form of actual or possible medical conditions made the breach all the more serious.
Misuse of personal data therefore gives rise to serious legal, ethical and commercial implications and any organisation getting it wrong and storing or transferring such data in breach of the rules can face severe financial penalties. In the UK, over the last year, the Information Commissioner's Office imposed fines of over £1 million and secured ten criminal convictions for unlawfully obtaining or disclosing personal data.
As this embarrassing episode illustrates, since most organisations hold personal data, whether it be on employees, patients, customers, suppliers or other personnel, they ignore this legislation at their peril.
The second development has not given rise to the same level of personal distress but has more far reaching ramifications. In October the European Court of Justice (ECJ) issued a landmark ruling. EU data protection laws (which the UK regime is based on) preclude EU citizens’ data from being exported to countries outside the EU without adequate levels of protection. Under the Safe Harbour agreement, US companies could circumvent this requirement, as long as they met key data protection criteria. However, the ECJ has now turned this principle on its head by ruling that, since data sent to the USA is potentially vulnerable to surveillance by the US intelligence community, the Safe Harbour regime may not offer an adequate level of protection. Numerous companies whose business model depended on the seamless transfer of personal data across the Atlantic now face a real problem.
In particular, while the USA and EU thrash out the terms of “Safe Harbour 2.0”, which may take some months, it looks unlikely that any sort of grace period will apply. Anyone transferring personal data to the US would therefore be well advised to ensure that an adequate level of protection is reflected in its procedures and contracts, so that, if necessary, it can demonstrate that it is complying with the spirit of the law, as it were, even if the law in question is in a state of limbo.