data protection update
November & December 2013
Our update contains essential reading for the holiday period.
Key points to note are:
The first decision of the Upper Tribunal on the ICO's monetary penalty powers – upholding a penalty imposed for a security breach.
A penalty of £175,000 has been imposed on a payday loan company sending thousands of spam texts
Data reform proposals are delayed by concerns over the "One-stop shop" mechanism.
The Advocate General considering the legality of the EU Data Retention Directive has issued his Opinion – considering the Directive to be illegal.
Best wishes to our readers for restful holidays and a very happy 2014.
Information Commissioner’s Office (ICO)
23 October 2013
ICO signs Memorandum of Understanding ("MoU") with the Surveillance Camera Commissioner
The ICO has entered into an MoU with the Surveillance Camera Commissioner in order to establish a working relationship between the two Commissioners in the performance of their respective functions under the Data Protection Act 1998, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Protection of Freedoms Act 2012. The MoU identifies a number of areas where the Commissioners may cooperate, including:
Membership of the Surveillance Camera Commissioner's Advisory Group;
The production of information for the public and specific interest groups;
The creation of links between the Commissioners' websites;
Organisation of conferences or seminars;
Sharing areas of specialist knowledge; and
Liaison with other Commissioners responsible for the oversight of surveillance.
As the MoU is a statement of intent, it does not give rise to any legally binding obligations on the part of either Commissioner.
A copy of the MoU can be found here.
Central London Community Healthcare NHS Trust v Information Commissioner  UKUT 0551
21 November 2013
Upper Tribunal issues judgment on appeal against ICO monetary penalty notice
This is the first decision by the Upper Tribunal relating to a monetary penalty notice (“MPN”), issued by the Commissioner under section 55A Data Protection Act 1998 (“DPA”).
The Trust had repeatedly faxed sensitive medical details of patients to a member of the public by mistake, believing that it was faxing them to a hospice. The Trust had “self-reported” its own contravention to the Commissioner, who had issued an MPN of £90,000.
The Trust appealed against the MPN, first to the First-Tier Tribunal, which rejected the appeal, and then to the Upper Tribunal. The grounds of appeal were:
the Commissioner failed to recognise he had a discretion as to whether to issue a MPN, and failed to consider how this should be exercised;
the Tribunal should have concluded that the Commissioner was barred from serving an MPN, because the Trust had self-reported its breach;
the Commissioner had acted unlawfully in offering the Trust a discount of £18,000 for early payment of the MPN, but refusing to allow the Trust to benefit from the discount if it decided to appeal; and
the quantum of the award was unsustainably high.
The Upper Tribunal rejected all four grounds of appeal, on the basis that:
The fact that a public authority has self-reported a breach does not prevent the Commissioner from issuing an MPN. If that were to be the case, a data controller responsible for a deliberate and very serious breach of the DPA could avoid an MPN simply by self-reporting;
The Commissioner has discretion whether to issue an MPN where the statutory conditions for its issue are met, as well as discretion as to the amount. On appeal, the First-Tier Tribunal must conduct a full merits review of the Commissioner’s exercise of his discretion, and had done so;
It was permissible for the Commissioner to operate a scheme which gave a discount for early payment if, and only if, the public authority did not appeal. There was a strong public policy argument justifying such a scheme – the early payment and early resolution of the issue. The proper analogy was with discount schemes operated for fixed penalty notices, e.g. for minor motoring contraventions;
The Upper Tribunal did in principle have the power to increase a penalty under section 55A DPA, although that issue did not arise on the facts of this case.
The decision is significant in outlining the process and justifications behind the MPN and appeals process.
The case can be found here.
01 November – 19 December 2013:
Enforcement activity for this period includes a prosecution for unlawful access to medical records by a surgery manager and a prosecution for 'blagging' by private investigators; a monetary penalty for nuisance texts; and three undertakings, including an undertaking to comply with the Privacy and Electronic Communications Regulations and undertakings for incidents relating to the dissemination of sensitive data to wrong recipients and to an intranet site.
Please see the attached Enforcement Table for more details of the undertakings.
EU Data Protection Reform
06 December 2013
"One-stop shop" disagreement likely to set back data protection reform package
The Justice and Home Affairs Committee of the Council of Ministers met on 6th December 2013. The "one stop shop" was a key topic for discussion.
The Council of Ministers had earlier indicated provisional agreement for the one stop shop principle. However, this position was set aside following advice from the Legal Service of the Council that the current model would create "a complicated system for data subjects […] that would be incompatible with the right to an effective remedy."
Further technical work on the one-stop shop is to be undertaken. This may involve:
· limiting the exclusive jurisdiction of the lead authority;
· enhancing the 'proximity' between individuals and the decision-making supervisory authority by involving the local supervisory authorities in the process; and
· conferring more powers on the European Data Protection Board.
The frustration of Commission Vice President, Viviane Reding, is apparent: "We are effectively reopening questions which had been agreed in October […] The One-Stop-Shop would become an empty shell. […] I cannot support this. I have often called on the Council to move forward on this file quickly. But not at any cost. I want a meaningful reform, and this has to include a meaningful One-Stop-Shop."
Vice-President Reding's comments, in relation to the data protection reforms can be found here and here.
Article 29 Working Party
04 December 2013
A29 WP calls for swift adoption of the data reform package
Following the vote of the LIBE Committee on the General Data Protection Regulation and the Directive for the law enforcement sector on 21 October 2013, the Working Party adopted an opinion calling for a swift adoption of the package.
The Working Party noted that the reforms will help rebuild citizens' trust in governments and the digital economy as a whole, which has been negatively impacted by recent revelations of national security surveillance programmes.
The Working Party urges all parties involved to intensify their efforts to ensure that an agreement on a final text is reached before the end of the term of the current EU legislature.
Please find the full article here.
03 December 2013
Work programme for 2014
The A29WP has published its Work Programme for 2014. Sub-groups will focus on:
The Future of Privacy – especially preparation for the role of the European Data Protection Board in the draft Regulation
Technology – the Internet of Things, wearable technology, cloud computing and device fingerprinting
International transfers – assessing the impact of the draft Regulation and making recommendations following on from the evaluation report on Safe Harbor
Borders, travel and law enforcement – will review the proposal for a new Police and Justice Directive and will continue to review the impact of the NSA leaks
E-government – will review the use of apps and e-signatures in government
EDPS (European Data Protection Supervisor)
15 November 2013
EDPS comments on the European Commission's proposals on harmonising electronic communications
The EDPS notes that the proposals may be a positive step for the Digital Society, but will unduly limit internet freedom and the principle of 'net neutrality'.
The proposal promotes traffic management measures which allow the monitoring of users’ internet communications, including emails sent or received, websites visited and files downloaded in order to filter, slow down or restrict access to illegal services or content. The EDPS has commented that, to re-build consumer confidence in the electronic communications market, users need to be certain that their rights to privacy, confidentiality of their communications and protection of their personal information are respected.
The EDPS proposes that:
The Commission outlines more precise reasons justifying traffic management measures.
Users are alerted to any interference with their rights, allowing them to switch to those providers that apply less privacy-invasive traffic management techniques in their services.
There should be a greater role for national data protection authorities in the supervision of traffic management measures by providers.
The EDPS article can be found here.
Digital Rights Ireland Ltd v The Minister for Communications, Marine and Natural Resources, The Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and The Attorney General
Request for a preliminary ruling from the High Court of Ireland
Kärntner Landesregierung, Michael Seitlinger and Christof Tschohl
12 December 2013
Advocate General's Opinion: EU Data Retention Directive invalid
The Data Retention Directive requires European telecommunications providers to store details of prescribed electronic communications for between six and twenty-four months.
The Directive was challenged in proceedings in Ireland and Austria which were referred to the CJEU.
The Opinion states that the Directive "is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directive contains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use." The Directive requires Member States to set out rules for access to retained data in national law; according to the Advocate General, the key parameters for access should have been set out in the Directive itself.
The case can be found here.
27 November 2013
European Commission publishes views on EU-US data flows
The Commission has stopped short of suggesting revocation of the adequacy decision for Safe Harbor and does not want to make data protection standards part of the on-going trade negotiations.
However, the Commission calls for action in six areas:
swift adoption of the EU's data protection reform;
making Safe Harbor safer – the EC makes 13 recommendations to improve Safe Harbor;
strengthening data protection safeguards in the law enforcement area – in particular by giving EU citizens who are not resident in the USA access to judicial redress;
using the existing Mutual Legal Assistance and sectoral agreements to obtain data e.g. using the Terrorist Financing Tracking Programme;
addressing European concerns in the on-going US reform process; and
promoting privacy standards internationally.
The European Commission FAQs can be found here.
Enforcement Table
Type of action (enforcement notice, undertaking, monetary penalty, or prosecution?) and summary of steps required (in addition to the usual steps*)
01 November 2013
Mansfield District Council
Follow-up review of Undertaking originally signed on 17 January 2013.
The ICO conducted a follow-up review of Mansfield District Council's (MDC) actions following its undertaking of 17 January 2013. The ICO concluded that MDC had taken appropriate steps and put plans in place to address the requirements of the undertaking and mitigate the risk highlighted.
No further action by MDC required.
01 November 2013
Health and Care Professions Council
Follow-up review of Undertaking originally signed in July 2013.
The ICO conducted a review of the Health and Care Professions Council (the "Council") in relation to the undertaking it signed in July 2013. The ICO found that the Council has taken, or is taking, appropriate steps to address the requirements of the undertaking.
No further action by the Council required.
20 November 2013
ICU Investigations Limited
Prosecution under s.55 DPA.
The men behind private investigation company "ICU Investigations Ltd" were found guilty of conspiring to unlawfully obtain or access personal data, a criminal offence under section 55 of the Data Protection Act 1998.
ICU Investigations Ltd worked on behalf of clients such as Allianz Insurance PLC, Brighton & Hove Council and Leeds Building Society to trace individuals, primarily for the purpose of debt recovery. The court found that the company had tricked organisations such as utilities companies and TV Licensing into revealing personal data. The ICO investigation found approximately 2,000 separate offences between 2009 and 2010.
Five employees had previously pleaded guilty to the charges and the company was also found guilty as a separate defendant. The ICO found no evidence of criminality by any of ICU Investigations Ltd's clients, who were found to be unaware of the fact that the data had been obtained by illegal means.
A sentencing hearing has been listed for 24 January 2014.
21 November 2013
Great Ormond Street Hospital for Children NHS Foundation Trust
The ICO was informed of four separate incidents over 18 months where letters containing sensitive medical information were sent to the wrong addresses.
In the majority of the cases, the letters had been sent by temporary members of staff, who were exempt from data protection training.
Furthermore, it was found that failure to attend data protection training was not followed up in any way.
The ICO has used this case to highlight the importance of organisations providing adequate data protection training to temporary and agency workers in roles which involve the day-to-day handling of personal data.
Great Ormond Street Hospital for Children NHS Foundation Trust to ensure that:
temporary or bank staff are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data;
such training is fully monitored, and attendance is enforced where necessary;
sufficient processes are put in place to ensure medical records and referral letters are sent to the correct address, and that practical guidance on these processes is communicated to all staff; and
they implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
22 November 2013
Foyle Women's Aid
Follow-up review of Undertaking originally signed in August 2013.
The ICO conducted a review of the actions taken by Foyle Women's Aid in relation to the undertaking it signed in August 2013. The ICO found that Foyle Women's Aid is taking appropriate steps to address the requirements of the undertaking.
Further steps required:
Data Protection training should be completed by the end of November 2013 as planned.
Encryption software should be installed on all laptops, iPads and any other mobile devices used by staff.
Procedural guidance should be introduced for staff to follow in relation to the secure use of mobile devices, as planned.
The access restriction software training which is currently scheduled for 2014 should be completed by all relevant staff prior to its implementation.
The contract with the external shredding company should contain appropriate security clauses and checks on the company’s security procedures should be conducted annually.
22 November 2013
Better Together
Ahead of next year's Scottish Referendum vote, campaign group "Better Together" sent 300,000 messages to individuals in Scotland urging them to complete a survey confirming how they intended to vote.
The messages were sent out by a third party marketing company during March and April 2013. On both occasions, the campaign group failed to check whether the recipients had provided their consent to be contacted, believing that the consent had been obtained by another company working on their behalf.
Better Together agreed to sign an undertaking to comply with the Privacy and Electronic Communications Regulations.
The ICO, which received 61 complaints following Better Together's actions, used this case to remind Scottish referendum campaign groups that they must comply with electronic marketing rules ahead of next year's vote.
Better Together must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent.
26 November 2013
Royal Borough of Windsor and Maidenhead
A report containing the details of 257 individual employees was published on a general section of the data controller's intranet, as opposed to a restricted section as intended.
Although no sensitive personal data was included, and the data could only be accessed by the data controller's employees through the intranet, it was found that there were no mandatory data protection training requirements for staff handling data. Furthermore, the ICO found that the data controller's policies and procedures on the handling of personal data were incomplete.
Royal Borough of Windsor and Maidenhead to ensure that:
they will review and revise policies and procedures for the handling and use of personal data, especially in the area of information security, and bring these into operation by no later than 31 December 2013;
all staff shall be made aware of the policies and procedures by no later than 31 December 2013;
from 31 December 2013, all staff whose roles involve access to personal data shall be trained in data protection and the data controller's policies and procedures on commencing their employment. All existing staff whose roles involve access to personal data shall receive such training no later than 31 December 2013. Such training shall be refreshed and updated regularly thereafter for all relevant staff, at intervals not exceeding two years;
compliance with policies on data protection and training requirements shall be appropriately and regularly monitored and enforced; and
they implement such other security measures as they deem appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
03 December 2013
GP Surgery Manager
During a review of the surgery manager's attendance file, it was discovered that he had accessed patients' records on 2023 occasions between August 2009 and October 2010. As the former surgery manager, Mr Tennison was only required to access the records on three occasions under the remit of his role, and having received adequate data protection training, was well aware of his unlawful behaviour.
£996 fine and order to pay a £99 victim surcharge and £250 prosecution costs.
16 December 2013
First Financial (UK) Limited
First Financial offers payday loans. The ICO received complaints from over 4,000 people about texts sent without consent during two months in 2013. First Financial sent the texts using unregistered SIM cards to try to avoid detection.
The monetary penalty notice emphasises the disturbing impact of the texts viz. they were often sent in the early hours; some were on numbers only used for contact with elderly relatives; roaming charges were incurred etc.
The ICO relied on a Direct Marketing Association article to suggest that only 3% of people receiving spam texts would complain. The likely actual number of texts sent, therefore, would be much higher than this.
The notice concluded that this was a serious and deliberate breach of the Privacy & Electronic Communications Regulations of a kind likely to cause substantial distress. Readers may remember that both the company and its sole director were prosecuted, in October, for failure to notify the company's data processing activities to the Information Commissioner.
Monetary penalty of £175,000
This briefing gives general information only as at the date of first publication and is not intended to give a comprehensive analysis. It should not be used as a substitute for legal or other professional advice, which should be obtained in specific circumstances.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number 0C340318 and is regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP.
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses and has offices in the locations listed on our web site: twobirds.com.
A list of members of Bird & Bird LLP, and of any non-members who are designated as partners and of their respective professional qualifications, is open to inspection at the above address.