News

Since June 2007, we have published news in our regular email service. Click to be added to the list: PDP News

Below is a selection of the stories that appeared in greater detail in Privacy & Data Protection Journal.
21st June 2007

Orange and Littlewoods in data breaches

Orange Personal Communications Services Ltd and Littlewoods Home Shopping have been found to be in breach of the Data Protection Act by the UK data protection regulator.

A complaint regarding the way in which new members of Orange staff were allowed to share user names and passwords when accessing the company IT system led to an investigation. The Information Commissioner's Office (ICO) found that Orange was not keeping its customers' personal information secure, in breach of Article 17 of the Data Protection Directive (the 7th Data Protection Principle under UK law).

Littlewoods had failed to respect an individual's wish to stop the company using her personal data for direct marketing purposes. Despite her requests, Littlewoods continued to send her marketing materials.

Both organisations have signed a formal undertaking with the ICO. Orange has promised that the sharing of user names and passwords by Customer Service Representatives, to access computer systems, will not be allowed under any circumstances. Littlewoods' undertaking obliges the company to respect opt-outs from receiving marketing materials.

Mick Gorrill, Head of Regulatory Action at the ICO, said: "Organisations that process individuals' personal information must do so in compliance with the Data Protection Act. If they do not, they not only risk further action from the Information Commissioner but also risk losing the trust of their customers. Individuals must feel confident that organisations are safeguarding their personal information."

Copies of the signed undertakings are available at: www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

Details of the training session: Direct Marketing – how to overcome the legal risks

The 6th Annual Data Protection Compliance Conference will feature a special 'data breach' panel, with experts from Deloitte, Accenture and other organisations.
15th June 2007

Big Brother fine confirmed

Spain's Supreme Court has confirmed the highest ever fine imposed by the country's Data Protection Agency.

The 1,081,822 Euro fine was imposed against Zeppelin Television S.A., the producers of Spain's Big Brother television programme, for failing to protect the personal data of people applying to take part in the programme. The fine was originally imposed by the Spanish regulator in 2001.

The breaches of the DPA were that the company (i) did not comply with the information rights of the participants in the programme; (ii) did not obtain their express consent for the processing of sensitive data; (iii) did not fulfil the requirements for data processing by third parties; and (iv) did not comply with regulations on security measures.

The facts that led to the investigation were that Zeppelin's security system was breached and the data of the participants in the programme were made available over the internet.
12th June 2007

CCTV surveillance is now at extreme proportions

The UK and Irish data protection regulators have delivered warnings as fears grow over the explosion in technology used to monitor individuals.

People are now monitored in the street as well as in the workplace. A recent report by Camerawatch indicates that up to 90% of CCTV cameras in operation in the UK breach data protection law.

UK Information Commissioner, Richard Thomas, said, "There are dangers to our privacy, our autonomy, the more the information is converged together". Stressing that the threat comes from government as well as private companies, he added, "we have got to make sure there is full accountability and that people don't go too far and really undermine our fundamental rights and our integrity as individuals.

"People now understand that data protection is an essential barrier to excessive surveillance... The risks that arise from excessive surveillance affect both individuals and society as a whole... too much surveillance creates a climate of fear and suspicion".

The introduction of privacy impact assessments prior to the installation of CCTV systems will, according to the regulators, ensure organisations set out how they will minimise the threat to privacy and address all the risks of new surveillance arrangements prior to their implementation. These assessments, which are already commonly used in other countries, such as Australia and the USA, will ensure that ways of working do not lead to unacceptable intrusion into private lives.

Mr Thomas said, "Two years ago I warned about the dangers of waking up to a surveillance society... it is important that there is a vigorous debate around the issue of surveillance - about where lines should be drawn and the restrictions and safeguards which are needed... Many information gathering activities are essential and beneficial to modern life. But balance is needed and there must be limits... Positive action is required to ensure the potential risks do not manifest themselves. Otherwise the trust and confidence which individuals must have in all organisations that hold information about them will be placed in jeopardy".

Jonathan Bamford, Director of Data Protection Development at the Information Commissioner's Office, told Privacy & Data Protection, "All organisations that use CCTV systems to capture images of identifiable individuals need to comply with the Data Protection Act. We issued a CCTV Code of Practice to help organisations better understand their responsibilities and the measures they should take. It is important that CCTV operators have signs indicating the use of CCTV that alert the public to who is undertaking the surveillance. It is also important that they ensure that the images are of good enough quality for their purposes and restrict disclosure of these beyond use for detecting a crime. The monitoring of employees must be properly justified and our Employment Practices Code of Practice gives specific guidance on the safeguards that need to be in place".

The Commissioner's Office is working on a revision to the existing CCTV Code of Practice, which should be available from July.

The Irish Data Protection Commissioner has stated that CCTV usage is high on his agenda for enforcement in the coming year. In his latest Annual Report he states that, "we will be looking at whether CCTV systems used in commercial settings and in public spaces comply with data protection guidelines".

The CCTV Code of Practice is available at www.dpdocuments.com

PDP Training Courses:

CCTV in the Workplace - this half-day training session looks at everything an organisation needs to know to install and use CCTV systems in compliance with the law. Further information is available on the Training pages.

Surveillance: CCTV and employee monitoring - this Workshop, part of the two-day Annual Data Protection Conference, considers CCTV in the context of employee monitoring. For further details, see the Conference pages.
25th April 2007

Emails – right to privacy at work

The European Court of Human Rights has ruled that a UK employer was wrong in law in monitoring the private email, phone and Internet use of one of its employees.

The case, Copland v United Kingdom, which was originally brought against the UK government in 1999, concerned monitoring carried out by a public body (an educational institution) in breach of Article 8 of the European Convention on Human Rights.

The Court had previously (in Halford v United Kingdom) concluded that telephone calls from a public employer's premises are covered by the notions of 'private life' and 'correspondence' in Article 8. In Copland, the Court extended this right to the sending of personal emails from work. The applicant, Lynette Copland, had been given no warning that her calls would be liable to monitoring. Therefore, said the court, she had a reasonable expectation as to the privacy of calls made from her work telephone. The Court unanimously found a breach of Ms Copland's right to privacy and awarded her 9,000 euros in damages and costs.

It should be noted that the case was decided on the basis of UK law in force in 1999, i.e. before the coming into force of both the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000. If the same case were brought today, there would be an effective domestic remedy under those pieces of legislation.
14th February 2007

UK Bank fined £1m for data security breach

The UK financial services regulator, the Financial Services Authority, has fined the UK's largest building society £980,000 following the theft of an employee's laptop. The laptop contained customer data relating to some of its 11 million account holders.

The FSA has criticised the Nationwide Building Society for failing adequately to address the risk that customer data might be lost or stolen. The laptop was stolen from the home of a Nationwide employee who reported the theft but not the fact that the laptop contained such a significant amount of customer data. The employee then went on holiday for three weeks. During this period nothing was done to investigate what data the stolen laptop contained.

The FSA indicated that the Nationwide's risk assessment and security procedures were inadequate. The FSA specifically pointed to the fact that staff did not know what steps they were supposed to take in the event of such a breach. Policies were apparently inaccessible and staff were not adequately trained. The fact that no action was taken in the first three weeks after the breach increased the opportunity for the information to be misused (although there is no evidence of misuse). The FSA particularly noted that the failures occurred in an environment of heightened awareness of information security issues. "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers", said Margaret Cole, director of enforcement at the FSA. "Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure", she added.

Of significance is the fact that the FSA and not the UK's data protection regulator, the Information Commissioner, has penalised the Nationwide. Businesses regulated by the FSA, whose remit includes the supervision of systems and controls of the businesses it regulates, will need urgently to reassess their data protection and data security risks. The FSA rebuked the Nationwide for not being prepared in advance to deal with such an incident.

This is not the only recent example of a regulator other than a data protection authority exercising jurisdiction over security breach issues in Europe. Recently the Hellenic Authority for Information and Communication Security and Privacy fined Vodafone €76,000,000 over a security breach and wiretapping incident at the time of the 2004 Athens Olympics.

Bridget Treacy, information law expert at Hunton & Williams says, "Until now, European businesses have considered themselves fortunate in not being subject to a regulatory regime in which data security breaches must be reported to data subjects or regulators. This contrasts sharply with the requirements in the US where security breach notification obligations have become a complex, high-profile risk for all businesses to manage. The possibility of introducing a US-style security breach notification requirement in Europe is currently a hotly debated topic; the Nationwide incident is likely to fuel that debate further".

In the United States, more than 30 states have security breach notification laws in place, resulting in a de facto national standard of notification. In general, companies must notify individuals that their information may have been compromised if an unauthorized person is reasonably likely to have accessed or acquired sensitive personal information about those individuals. A number of states also require notification to a state agency. In addition, the US Federal Trade Commission recently formed a new division, called the Division of Privacy and Identity Protection, to handle data security issues. This signals a new focus on data security and information breaches in the US, and a likely increase in regulatory enforcement activities.

Nationwide has now taken steps to deal with the breach, apologised to customers and reviewed their risk assessment procedures. Its chief executive, Philip Williamson, said "I wish to emphasise that there has been no loss of money from our customers' accounts as a result of this incident".
7th February 2007

Breaching DPA now carries 2 years jail time

The Lord Chancellor has announced that the Government will amend the Data Protection Act 1998 to introduce custodial penalties of up to two years' imprisonment for people and organisations found guilty of breaching section 55 of the Data Protection Act. Section 55 makes it a criminal offence to obtain personal data from Data Controllers without their consent. It is also an offence to sell personal data that are illegally obtained.

The change in the maximum punishment from a fine to imprisonment comes after last year's representations from the Information Commissioner (see Privacy & Data Protection, Volume 6, Issue 7). In the Commissioner's report last year, 'What price privacy?', he detailed how private investigators and journalists have created a market for illegally obtained personal data. In December 2006 the Commissioner followed up his initial report with 'What price privacy now?', which contained further details of the illegal trade.

Law firms and other bodies that use private investigators will need to ensure that the activities that are being carried out in their name do not amount to a breach of Section 55.
2nd February 2007

Paris incensed by sex and medical revelations

In an unusual and deeply invasive case of privacy infringement, Paris Hilton has filed a lawsuit, claiming the website ParisExposed.com is "the single most egregious and reprehensible invasions of privacy ever committed against an individual".

ParisExposed.com includes sex photos and videos, highly-sensitive medical records, diary entries and audiotapes of Miss Hilton's conversations.

The publication of this material was made possible due to the fact that Paris Hilton omitted to pay a bill at her storage facility, following which the owner of the facility put the personal possessions on sale at auction. The lot was purchased for $2,775 and subsequently sold on to two enterprising individuals for $10 million.

For $39.97 a month, ParisExposed.com, launched by David Hans Schmitt and Bardia Persa, offers subscribers access to Hilton's most personal documents, including medical bills, her sister Nicky's marriage certificate, bank statements, and prescription bottles for herpes medication. The site apparently also streams home videos, including one showing cocaine consumption, and lists the private phone numbers of thousands of celebrities including Donald Trump, Chelsea Clinton, Michael Jackson, Nicole Ritchie, Christina Aguilera, Pink, Madonna, and Arnold Schwarzenegger.

The federal lawsuit, which asks for compensatory and punitive damages, claims the use of Paris' most personal belongings for commercial purposes is a violation of Federal Copyright laws as well as a violation of Paris' right to privacy. The suit also seeks a restraining order and an injunction against the website.

According to Julie O'Neil of US firm Kelley Drye Collier Shannon, "It's hard to imagine how Hilton's suit could fail. She has a variety of laws that appear to be on her side. For example, California law provides strong protection against invasions of privacy. Hilton had a reasonable expectation that her medical records, financial records, home videos, diaries and other possessions would remain private and not be sold or posted online for all to see and, perhaps, misuse. Also in her favour are state laws making it unlawful to profit off of a celebrity's name and likeness without her consent. The defendants' website is doing just that".

The situation would not have been so clear if the case was litigated in the UK. According to expert barrister, Ashley Roughton of Hogarth Chambers, "I would be surprised if Paris Hilton were able to maintain an action for either breach of confidence or invasion of privacy in this jurisdiction. Hilton did not pay her storage bill and, presumably, because her storage contract so stipulates, her effects were sold to settle the bill - she knew that when she signed the contract. Now she has to face the consequences. Copyright, on the other hand, is a different matter since title to copyright does not follow physical title. Subject to issues of title (such as where film clips were taken by others) I would expect Hilton to succeed in relation to copyright".
15th November 2006

Crackdown on personal data theft

Following the recent prosecution of a couple for data theft, the UK Information Commissioner has announced a crackdown on one of the UK's fastest growing illegal trades.

A husband and wife team, who traded as 'Analysis and Business Research' and who allegedly made £140,000 per year from trading in fraudulently obtained personal information, were convicted of breaching section 55 of the Data Protection Act. Sharon and Stephen Anderson, who had made a career out of making bogus calls to extract personal data on behalf of their clients, pleaded guilty to the charge and were ordered to pay £14,800 in fines and costs. The couple may have received a custodial sentence had their prosecution taken place next year, when the government is expected to change the maximum punishment for breaching the Data Protection Act from a fine to two years' imprisonment.

In what will herald a shake-up of the activities of private detective agencies and those who hire them, the prosecution marks a change in attitude at the Commissioner's Office. The 'softly softly' approach will be replaced by decisive, strategic and firm action for breaches of data protection law. The private detective agencies that used Mr and Mrs Anderson's services for obtaining personal data were named as Carratu International, Fleet Investigations and Keypoint Services.

Professional services firms that use private detectives will need to review their practices and will need to take assurances that data protection law will not be breached in investigations carried out on their behalf. The Commissioner is known to be looking into the activities of law firms in particular.

"These are serious offences, which are highly damaging to the individuals concerned. People's personal details ought not to fall into the wrong hands", said a spokesman for the Commissioner's office.
31st August 2006

Hackers have obtained the credit card details of almost 19,000 online shoppers from AT&T.

AT&T, the US telecoms company, said it had notified shoppers at its online store of the security breach, which affected people buying high-speed DSL internet items.

Security was breached at the weekend, the company said, and online stores were quickly shut down in response.

AT&T said it would reimburse customers for any fraudulent transactions and pay for any necessary credit services.

There were no indications that fraudulent transactions had been carried out before the stolen information came to light, AT&T said.

Further details of this story are in Volume 6, Issue 8 of Privacy & Data Protection.
Wednesday 9th August

Phone-tapping at Prince Charles's household

Three men have been arrested over the interception of phone calls linked to royal staff. A police investigation is also examining whether other public figures have had calls intercepted. Three men, including a News of the World reporter, were arrested in London on 8th August.

The indications are that voicemail messages left by members of the royal household have been listened to by third parties. Reports suggest the police inquiry stemmed from the alleged interception of a private phone conversation between ITV News journalist Tom Bradby and a Clarence House official. A message he left is said to have formed the basis of a News of the World article.

Although the investigation into who else might have had their phones tapped includes at least one MP, it does not apparently include the Prime Minister.

The chairman of the Press Complaints Commission, Sir Christopher Meyer, said he had heard rumours about journalists using interception techniques to obtain information.

"One hears stories and rumours all the time that this may be going on. Nobody has come to me with hard evidence of this," he said. "The Press Complaints Commission sets out in clause 10 of its code of practice that the press must not intercept private or mobile telephone calls, messages or e-mails and a whole bunch of other things which come under the heading of clandestine devices and subterfuge. I shall be extremely interested to hear how the police investigation goes on."

Scotland Yard said the claims had "potential security implications." For this reason, the investigation is being handled by the anti-terrorist branch. Scotland Yard added, in a prepared statement, that, "Police launched an investigation after concerns were reported to the Met's Royalty Protection Department by members of the Royal Household at Clarence House. It is focused on alleged repeated security breaches within telephone networks over a significant period of time and the potential impact this may have on protective security around a number of individuals." It added that as a result of initial inquiries, police now believe "public figures beyond the Royal Household" have had their telephones intercepted. "Police continue to work with the telephone companies concerned and continue to have their full support in attempting to identify any other person whose telephone may have been intercepted," the statement said.

The three arrested men were detained under Section 1 of the Regulation of Investigatory Powers Act 2000.
Tuesday, 1st August 2006

UK to impose prison sentences for data misuse

The UK government is proposing custodial sentences for unlawfully obtaining and using personal data.

Following comments by the Information Commissioner that prison sentences should apply for data crimes (see Privacy & Data Protection, Volume 6, Issue 6), the Department of Constitutional Affairs has produced a consultation document. In the document, published in late July, the government says that there is a need "to provide an appropriate and effective level of deterrent to those who seek to profit from the illegal trade in personal information, and to those who otherwise wilfully or recklessly give out personal data to those who have no right to see it". The paper cites private detectives and journalists as being the primary culprits for unlawfully obtaining and using people's personal information.

The proposal is to increase the maximum punishment for the offence of 'unlawful obtaining' in section 55 of the Data Protection Act to 2 years imprisonment (six months if tried summarily in the magistrates' court).

Section 55 makes it an offence to sell or offer to sell personal data which has been (or subsequently is) obtained or procured knowingly or recklessly, without the consent of the data controller. An advertisement indicating that personal data may be available for sale constitutes an offer to sell data.

The paper cites, as an example, the case of a single person invoicing organisations up to £130,000 per month for tracing individuals. The fines currently being meted out by the courts will not deter such people.

The offence will not apply to front line public sector staff who make errors of judgment (for example the sharing of data to protect a child), but rather is intended to catch individuals who abuse the trust placed in them by their employers or others who deliberately set out to acquire personal data without a valid legal reason.

A person who wilfully obtains personal information by deception, e.g. 'blagging' personal information from a bank, telecommunications company or government entity, would be guilty of the offence in section 55. Likewise, an employee who knowingly obtained personal information from the employer's records relating to another and sold it to a journalist would be guilty of this offence.

The Information Commissioner will be speaking on this and other topics at the 5th Annual Data Protection Compliance Conference in London on 27th September 2006.

The consultation period runs from 24th July to 30th October. The consultation paper, 'Increasing penalties for deliberate and wilful misuse of personal data', is available on the DCA website.
Friday, 7th July 2006

The operator of a website designed to allow searches for people's contact details has been issued with an Enforcement Notice by the Information Commissioner's Office (ICO). It is the first time the ICO has issued an order over a website.

Apparently, B4U, a Birmingham company which performs searches for information on individuals at www.b4usearch.com, is in breach of UK data protection law. B4U has allegedly breached the law by using electoral roll data from before 2002 for its searches. After 2002, people filling in an electoral roll form could choose to be excluded from the public register. The ICO says that the company ignored requests from individuals for their details to be removed.

"We will take action against organisations that don't process personal information in line with the requirements of the Act and cause significant concern to individuals," said Mick Gorrill, head of Regulatory Action at the ICO. "People have an important right under the Data Protection Act to know that their personal information is sufficiently protected".

The ICO said that it had received 1,600 complaints about the site, many saying that B4U did not remove their personal details when requested.

B4U owner Raj Banga said no notice has been received by him from the ICO, and the company has never refused anyone a request for data removal.

The B4U website says that written requests for removal will take five days to process and details a premium rate fax line which costs £1.50 per minute which can be used for more immediate removals.

Further detail will appear in the upcoming edition of Privacy & Data Protection Journal.

This, and other important cases, will be discussed at the 5th Annual Data Protection Compliance Conference in London in September.
Tuesday, 30th May 2006

The European Union's highest court ruled today that EU-US passenger data transfer arrangements were illegal, saying they did not provide adequate privacy protection for European travellers.

The trans-Atlantic agreement, made in 2004 between the US's Department of Homeland Security and the EU's Commission, compels European airlines to turn over 34 pieces of information about each passenger (Passenger Name Record information) - including name, home addresses and credit card details - within 15 minutes of departure of any commercial aircraft bound for the US from Europe. Washington maintained that it needed the extensive PNR data for "preventing and combating terrorism and other transnational serious crimes". The agreement allowed the US authorities to store the data for over 3 years.

The European Court of Justice today found that the data would not be "adequately protected" by the US in accordance with the requirements of the European Data Protection Directive. It gives the European Commission until 30th September to find an alternative solution.

According to Peter Carey, Editor of Privacy & Data Protection, "the legal farce that was the PNR transfer system has finally been recognised as such. The real question now is what will be implemented to replace it from September".

Stewart Baker, an assistant secretary of state for the US Department of Homeland Security, said: "I am confident that we will find a solution that will keep the data flowing and the planes flying".
25th May 2006

Commissioner issues Enforcement Notice against Attorney General's Office on Iraq

The Information Commissioner has issued an Enforcement Notice under the Freedom of Information Act which forces the Attorney General's Office to reveal information regarding the military intervention in Iraq.

Following the denial of requests for access to information on the Attorney General's advice regarding the decision to go to war in Iraq, the Commissioner is not satisfied that the exemptions cited by the Government are sufficient to merit the refusal of access to all the information requested.

For further information on this Enforcement Notice, see Volume 2, Issue 5 of Freedom of Information. To take out a subscription to Freedom of Information, please click here.

:: Click to download the Enforcement Notice, dated 22nd May 2006.

:: Click here to download the Disclosure Statement
April 2006

Johnson fails to get compensation at trial

David Johnson has failed to get compensation at trial from the Medical Defence Union.

:: For further details, see Privacy & Data Protection, Volume 6, Issue 5

April 2006

Euro citizens must be more careful with data - EDPS

According to Peter Hustinx, the European Data Protection Supervisor (EDPS), EU citizens must be more careful in communicating personal data on mobile phones and when they bank or shop on the Internet. Europeans were much too "naive in dealing with personal data", said Hustinx.

People who surf the internet or use mobile phones leave digital footprints which can be misused by unscrupulous people and businesses, said Hustinx, adding, "The risks are constantly growing".

Hustinx predicts that in a few years, companies will attract new customers by guaranteeing personal data protection. "Privacy will soon develop into a sales pitch", Hustinx said.

The EDPS has criticised the new Data Retention Directive (see Privacy & Data Protection, Volume 6, Issue 3, pages 9-11) as "unbalanced", saying that he expects consumers and businesses to take legal action once the controversial plans have been implemented into national law.

:: Peter Hustinx will be speaking at the 5th Annual Data Protection Compliance Conference & Workshop Series on 27th September in London. For details, visit www.pdpconference.com

March 2006

Durant alleges human rights breach

Having exhausted his avenues of complaint in the UK, Michael Durant is now taking his grievance against Barclays Bank and the Financial Services Authority to the European Court of Human Rights ('ECHR').

:: For further details, see Privacy & Data Protection, Volume 6, Issue 4

March 2006

Conviction for unlawful obtaining

David Schumacker, who unlawfully obtained information relating to an individual's bank account, was fined £500 and ordered to pay £500 costs after pleading guilty to a breach of the UK Data Protection Act.

:: For further details, see Privacy & Data Protection, Volume 6, Issue 4

February 2006

Call for stricter approach to foreign data transfers

The EU Data Protection Working Party has called for greater consistency in application of the EU's data export laws and for a stricter interpretation of the derogations from the export ban.

:: For further details, see Privacy & Data Protection, Volume 6, Issue 3

February 2006

De Vere hotel in data blunder

Thousands of documents revealing the credit card numbers, addresses, phone numbers and signatures of guests were dumped in an open skip by one of Britain's best-known hotels. The owner of the Grand Hotel in Brighton was forced to apologise after staff threw out registration forms and credit card slips of thousands of guests, including those of several MPs.

:: For further details, see Privacy & Data Protection, Volume 6, Issue 3
:: Binding Corporate Rules – first company approved (Posted: 17th December 2005)
:: Durant appeal denied (Posted: 30th November 2005)
:: Data Protection should be Human Right (Posted: 22nd September 2005)
:: Charles Clarke sought to win support from European Union countries today for contentious Europe-wide anti-terror laws on retaining personal data (Posted: 8th September 2005)
:: Recruitment agency fined £2000 for non-registration (Posted: 2nd September 2005)
:: Reuse Directive (Posted: 19th July 2005)
:: HR and Medical data to be new enforcement priorities (Posted: June 2005)
:: Solicitor's firm fined for failure to notify (Posted: 22nd March 2005)
:: Smith v Lloyds case — casts doubt on 'once processed, always processed' (Posted: 16th March 2005)
:: New clauses approved for data exports (Posted: 10th January 2005)
:: Police bugging – unlawful (Posted: December 2004)
:: Data protection law - France finally catches up with Europe (Posted: October 2004)
:: EU investigates UK data laws (Posted: September 2004)
:: French Data Protection Authorities rule US email spy software unlawful (Posted: 18th August 2004)
:: EU investigates UK data laws (Posted: June 2004)
:: Naomi Campbell establishes right to privacy (Posted: 19th May 2004)
:: Commissioner publishes new guidance after Durant (Posted: 25th February 2004)
:: Court dramatically restricts subject access right (Posted: 9th January 2004)
:: German Data Protection Authority allows foreign transfer of General Electric's employee data (Posted: 29th December 2003)
:: The fourth and final part of the Employment Practices Data Protection Code has been issued in draft form for a 3 month period of public consultation. (Posted: 6th December 2003)
:: The UK's privacy regulator has published guidance on the E-Privacy Regulations. The Information Commissioner's document will be crucially important for businesses in developing their strategies for electronic communications for 2004 and beyond. (Posted: 20th November 2003)
:: The Communications Minister, Stephen Timms, today announced the publication of the Privacy and Electronic Communications (EC Directive) Regulations 2003. (Posted: 18th September 2003)
:: Commissioner promises to simplify data protection law. The Information Commissioner, Richard Thomas, states that he is committed to simplifying data protection law for small businesses. (Posted: 1st September 2003)
:: Information Commissioner's Annual Report. The new Information Commissioner, Richard Thomas, published his first annual report today. A hard copy of the Report is available for £20.50 from the Stationery Office. The Annual Report is also available for download in PDF format. (Posted: 16th July 2003)
:: The Information Commissioner's Office has released the final version of the Monitoring Code for Employers (Posted: 13th June 2003)
:: New Law on Email Marketing (Posted: 30th May 2003)
:: European Commission publishes report on Euro-wide data protection compliance (Posted: 20th May 2003)
:: Zeta-Jones wins action against Hello! (Posted: 19th April 2003)
:: Privacy Ombudsman to replace Press Complaints Commission (Posted: December 2002)
:: Naomi Campbell to take fight to House of Lords (Posted: 20th November 2002)
:: Information Commissioner unveils pro-active data enforcement regime (Posted: 25th September 2002)
:: New Data Protection Directive (Posted: 25th June 2002)
:: Compliance of UK websites with data protection law (Posted: 20th May 2002)
:: Naomi Campbell wins landmark privacy ruling (Posted: 27th March 2002)
:: Website operators should consider themselves perfectly at liberty to refuse to disclose the identity of their users (Posted: 3rd January 2002)
:: Key Changes - the Data Protection Act 1998 (Posted: 24th October 2001)
Binding Corporate Rules –
first company approved
Posted: 17th December 2005
On December 15th 2005, US-based GE was the first company to have its
Binding Corporate Rules (“BCRs”) approved by the UK's Information
Commissioner. The UK, which has been taking the lead in the use of
BCRs to get around the personal data export ban, was the lead Data
Protection Authority (“DPA”) for the negotiation, since there are more
GE affiliated legal entities in the UK than in any other EU Member
State. GE is now hopeful that other DPAs will follow suit by
approving GE's BCRs for data transfers from the relevant countries.
The BCR scheme adopted by GE covers the transfer of employee data
between wholly or majority owned GE entities around the world.
To read about how to draft Binding Corporate Rules, see Privacy & Data Protection, Volume 5, Issue 4, pages 3-4.
Durant appeal denied
Posted:
30th November 2005
The claimant in the
infamous data protection case, Durant v Financial Services Authority,
has been denied access to the highest UK court to hear his case.
On 29th November 2005,
the House of Lords refused leave to appeal to Mr Durant, the determined
litigant in the most significant UK data protection case to date.
By doing so, the House is allowing the decision of the Court of Appeal
to stand as good law, at least for the time being.
The 2003 case of Durant
v FSA found that certain paper-based files used by the FSA did not
amount to a 'relevant filing system' for the purposes of the Data
Protection Act 1998. The court stated that essentially a
paper-based filing system must be searchable almost as easily as a
computer record in order to be caught by the provisions of the Act.
Lord Justice Auld in
the Court of Appeal also took the opportunity to give his impression of
what information amounts to 'personal data' under the law - for further
detail, see Privacy & Data
Protection, Volume 4, Issue 3, page 4.
Now that the highest
court in the UK has declined to deal with the issue, the Durant case
essentially represents current data protection law in the UK - the
problem for the UK is that the case does not sit comfortably with the
European Commission's view of what data protection law should be.
The Commission has been
keeping a close eye on the Durant proceedings and was watching the House
of Lords with interest. It is now likely that the Commission
will initiate formal infringement proceedings against the UK - as
initially reported in
Privacy & Data Protection, Volume 6, Issue 1.
If the Commission does
bring infringement proceedings, the Department of Constitutional Affairs
is likely to respond by stating that the Data Protection Act 1998 is an
accurate implementation of the Directive and that it is merely the
Durant case itself that seeks to restrict the law's application. In support
of this argument, the DCA will likely reiterate that, contrary to
commonly-held views, Lord Justice Auld's comments regarding the
definition of 'personal data' in Durant are not binding as such, but
merely 'helpful guidance'.
Data Protection should be Human
Right
Posted: 26th September 2005
Several of the world's
leading Privacy Commissioners have asked the United Nations to treat
Data Protection rights as if they were Human Rights.
At their 14th Annual
Conference in Montreux, the Privacy Commissioners of Switzerland,
Germany, Spain, Poland, New Zealand, Canada, Lithuania, Hong Kong,
Netherlands, Czech Republic, Italy, Guernsey, Victoria (Australia) and
the European Data Protection Supervisor called on the United Nations to
prepare a legally binding document which pronounces data protection
rights as enforceable human rights.
In related news,
hardware and software manufacturers the world over have been asked to
develop products and systems that incorporate privacy enhancing
technologies.
:: Click to download a copy of The Montreux Declaration
Charles Clarke sought to win
support from European Union countries today for contentious Europe-wide
anti-terror laws on retaining personal data
Posted: 8th September 2005
Charles Clarke sought
to win support from European Union countries today for contentious
Europe-wide anti-terror laws on retaining personal data.
The home secretary
called on the 25 Member States to store telephone and internet records
for at least 12 months as they review counter-terrorism work undertaken
since the London bombings in July.
At a meeting of EU
justice ministers in Gateshead, Mr Clarke stressed the importance of the
information to terrorism investigators. He made his call for an
agreement by next month amid industry claims that the measures could
cost communications companies millions of euros each year and police
warnings that they could be swamped with information.
At present, countries
have widely differing rules on how long companies must store the data,
ranging from a few months to four years. Finland and Germany are
known to have reservations about the details of the rules, amid concerns
about compensation for companies and the impact on data protection laws.
In a paper presented to
ministers at the meeting, the UK says such data are the "golden thread"
running through terrorism investigations.
"I think we can make
the case that our ability to retain data is a real and genuine plus in
the war on organised crime and terrorism. We have done a lot of
work on this and we also believe the issue of cost is not an issue," Mr
Clarke said this week.
Recruitment agency fined
£2000 for non-registration
Posted: 2nd September 2005
Evidence of the
Information Commissioner's Office's tougher stance on data compliance is
demonstrated today by a Welsh company being fined £2,000 for processing
personal data without a registration.
Following a guilty plea
at Abergavenny Magistrates' court on 1st September 2005, the company was
ordered to pay a £2,000 fine and £400 costs.
"I am pleased that the
magistrates’ court has recognised the seriousness of a failure to
notify," said Information Commissioner Richard Thomas. "Complying
with the Data Protection Act ensures that individuals' personal
information is secure, accurate, up-to-date and processed fairly.
This prosecution should remind recruitment agencies and other
organisations of their responsibilities under the Act."
Under the Data
Protection Act, it is a criminal offence not only to fail to notify
personal data processing to the Information Commissioner's Office, but
also to inadequately notify. In an interview with Marie Anderson, the
Northern Ireland Commissioner, she said that, under the Commissioner's
Non-Notification Project, once enforcement has been taken for
non-notification, the UK regulator will begin to go after the companies
whose registrations do not accurately reflect the processing that they
undertake.
Read the full interview with Marie Anderson in Privacy & Data Protection, Volume 5, Issue 8.
Reuse Directive
Posted: 19th July 2005
Introduction
The full name of the Re-Use Directive is the Directive on the Re-Use of
Public Sector Information (Directive 2003/98/EC) of the European
Parliament and of the Council of 17 November 2003 on the Re-Use of
Public Sector Information, published in the Official Journal on 31
December 2003.
Member States are
obliged to bring the Directive into force by 1 July 2005. The dti
and HMSO are jointly working on implementation of the Re-Use Directive.
The regulations and guidance have been issued, together with a number of
other documents. These are on the HMSO website.
Provisions in the
Directive
The Re-Use Directive does not introduce a new obligation on public
authorities to make information available.
However, where public
authorities choose, or are obliged under other provisions to make
information available, then the Directive sets out certain minimum
approaches that Member States must follow, so as to ensure harmonisation
of the rules and practices in Member States. This, in turn, is
intended to facilitate the development of services based on the re-use
of public sector information.
Article 6 of the Re-Use
Directive sets out principles governing charging for re-use information.
It states as follows:
"Where charges are made, the total income from supplying and allowing
re-use of documents shall not exceed the cost of collection, production,
reproduction and dissemination, together with a reasonable return on
investment. Charges should be cost-oriented over the appropriate
accounting period and calculated in line with the accounting principles
applicable to the public sector bodies involved".
Recital 14 further provides as follows:
"Production includes creation and collation, and dissemination may
also include user support. Recovery of costs, together with a reasonable
return on investment, consistent with applicable accounting principles
and the relevant cost calculation method of the public sector body
concerned, constitutes an upper limit to the charges, as any excessive
prices should be precluded. The upper limit for charges set in
this Directive is without prejudice to the right of Member States or
public sector bodies to apply lower charges or no charges at all, and
Member States should encourage public sector bodies to make documents
available at charges that do not exceed the marginal costs for
reproducing and disseminating the documents".
The Re-Use Directive also:
- requires public
sector bodies to handle requests for information in a timely manner;
and if no timescale is mandated, within 20 working days (except for
expensive or complex requests);
- suggests that information should be provided in electronic format
where possible and appropriate;
- imposes transparency requirements relating to pricing and licence
conditions;
- exhorts Member States to promote the provision of material online,
accompanied by appropriate search facilities;
- prohibits discriminatory conditions for re-use, but permits
exclusive arrangements where necessary for the provision of a service
in the public interest.
Impact of the Directive
Public sector organisations will be required to list the information
that they hold which is available for re-use and provide online standard
licensing agreements. HMSO has produced standard licenses for
public sector bodies to adapt.
Where information is
exempt under the Freedom of Information Act 2000 ("FOIA"), it will not
be made available for re-use. The intention is that rights under
FOIA and the Re-Use Directive will sit alongside one another - FOIA
being directed to access to information, the Re-Use Directive being
directed to re-use.
Similarly, where the
intellectual property rights in information are owned by a third party,
then the public sector body may refuse to allow re-use.
Lastly, if the activity
of supplying the document is one which falls outside the public sector
body's public task, then the body may refuse to allow re-use.
Public bodies will
therefore need to list the information which they hold which will be
available for re-use (taking account of the exemptions referred to
above) and set up standard licensing terms and charges for re-use.
:: Hazel Grant specialises in Information Technology projects, including PFI and PPP ventures. Hazel's work regularly involves advising on public procurement, the licensing of software and databases and data protection.
HR and Medical data to be
new enforcement priorities
Posted: June 2005
The European Union's chief data protection body has decreed that better
compliance must be achieved in two key areas of data usage - employers'
information on employees and medical data.
The Data
Protection Working Party has issued a paper outlining the scope of its
future work program. Priority areas of focus will be patient and medical
data and human resource records.
Secondary areas
of focus will include Binding Corporate Rules and their approval
process, as well as the co-ordination of enforcement action and audit
procedures. Other areas pinpointed for attention include:
- Data retention rules
- Information security
- Online authentication
The Working Party
also mentioned the likely approval of the data protection regimes in
Australia, New Zealand and Jersey ( Channel Islands ) for the purposes of
data transfers from the EU.
Subscribers to
Privacy & Data Protection journal can obtain a free copy of the Working
Party's paper by sending an email to docs@privacydataprotection.co.uk
Solicitor's firm
fined for failure to notify
Posted: 22nd March 2005
In early March, a
solicitor was fined £3,150 for breaching the Data Protection Act.
Ralph Harold Donner had failed to notify the Commissioner, as required
under the Act. According to the Commissioner's Office, Mr Donner,
a senior partner at the matrimonial firm Feld Mckay and Donner, had been
contacted by the Information Commissioner more than five times over a
period of two years, but had still failed to notify.
Following a guilty plea
at Bolton Magistrates' court, Mr Donner was fined £3,150 and ordered to
pay a further sum towards prosecution costs.
"I am pleased that the
magistrates' court has recognised the seriousness of a failure to
notify", said Information Commissioner Richard Thomas. "Complying with
the Data Protection Act ensures that individuals' personal information
is secure, accurate, up-to-date and is processed fairly. This
prosecution should remind solicitors and other organisations of their
responsibilities under the Act".
Peter Carey, Consultant
Solicitor with Charles Russell and Editor of
Privacy & Data Protection journal, said that, "Notification is
just the tip of the iceberg for law firms. The main compliance
issues derive from implementing appropriate policies and procedures to
ensure compliance with the Eight Data Protection Principles".
Barristers should be
aware that they may also need to notify their processing to the
Information Commissioner. The register of data controllers reveals
that many barristers' chambers are already registered, although the
majority are not. The Information Commissioner's Office is of the
view that not only must a barrister's chambers register, but so must the
individual barristers that comprise the chambers.
Peter Carey is leading
a one-day Workshop on 'Data Protection Compliance for Law Firms' 10th
May and 8th November in London, and 7th November in Manchester.
:: Click for further details on Peter Carey's workshops: 'Data Protection Compliance for Law Firms'
Smith v Lloyds case — casts doubt on 'once processed, always processed'
Posted: 16th March 2005
A recent decision has
confirmed the intention of the UK courts to restrict the application of
the Data Protection Act 1998 ('DPA') to paper-based records.
In Smith v Lloyds TSB
Bank, the judge decided that computer print-outs containing personal
data were not within the scope of the DPA. The mere fact that the
information contained in documents was once held in computer form, did
not mean that it was available to an individual on a subject access
request.
On 23rd February 2005,
in the High Court, Justice Laddie held that information relating to a
loan made by Lloyds TSB to a company was not 'data' within the DPA
because it was not stored electronically, nor was it part of a 'relevant
filing system'.
The claimant's
contentions, relying on the wording in the Data Protection Directive,
that (i) the information was once processed electronically and,
therefore, should be treated as within the DPA even though it was now in
printed-out form, and (ii) any pile of documents containing personal
information should fall within the remit of the DPA because of the ready
availability of modern scanning equipment, were rejected by the judge.
According to Ashley
Roughton, Mr Smith's barrister, "Mr Justice Laddie made it clear that
the argument that merely because paper files could very easily be turned
into a relevant filing system did not make those files disclosable; the
fact that such files could be turned into relevant filing systems did
not make them relevant filing systems.
"The judge also explained what the words "wholly or partially" in Article
3 of the Directive meant: it was intended to apply to situations where,
say, data were held on computer by day and remained held by night, though
not, technically, by means of equipment operating automatically in
response to instructions given, since the computer is off. In the
case of Mr Smith the data were arguably held on computer disk, though
there was some dispute as to whether this was so - unresolved, up to
1992 and he was seeking disclosure in 2001".
Eduardo Ustaran, data
protection expert at Field Fisher Waterhouse, said, "For the third time
in a row, the now old Durant approach to personal data has won, which
can only be good news for data protection officers and information
managers".
A full case report appears on pages 11-12 of Privacy & Data Protection, Volume 5, Issue 4.
New clauses approved for data exports
Posted: 10th January 2005
In an attempt to promote greater use of model contractual clauses, the
European Commission has approved a new set of clauses for the transfer
of personal data to countries outside the European Union.
Model clauses are one method of circumventing the export ban contained
in the 8th Data Protection Principle, which provides that:
"Personal data must not be transferred to a country or territory outside
the European Economic Area unless that country or territory has an
adequate level of protection for the rights and freedoms of data
subjects."
The new set of clauses, which apply only to exports to 'data
controllers', and, therefore, do not cover outsourcing arrangements,
were formed after pressure was brought on the Commission by a coalition
of organisations including the International Chamber of Commerce and the
Japan Business Council in Europe.
According to Eduardo Ustaran, specialist data protection lawyer at Field
Fisher Waterhouse, "from a commercial perspective, the new clauses make
a lot more sense than the original ones. My prediction is that
they will prove very popular. What we need now is a similar set
dealing with transfers to data processors such as offshore service
providers".
Andrew Sharpe of law
firm Charles Russell's Data Protection Team agrees. He said that,
"other than the lack of a provision dealing with a requirement for
"opt-in" for direct marketing by electronic means in the data protection
principles annexed to the clauses, and the slightly unclear wording of
the jurisdiction clause, the clauses should not present any major
practical problems in their use."
The new clauses do away with 'joint and several liability', the main
sticking point in the previous set. Instead, they make the data
exporter and data importer liable to individual data subjects for their
own breaches of the export contract.
Further, the data exporter must check that the importer is able to
fulfil its obligations under the contract - in doing so, it can either
carry out an audit at the importer's premises or it can request evidence
from the importer of sufficient financial resources to meet any relevant
liability that it may face.
David Griffiths of Clifford Chance, told Privacy & Data Protection that
"companies will welcome the new liability regime. Under the new
clauses, data exporting companies are not jointly and severally liable
for breaches by data importing companies. However, data exporting
companies are not completely off the hook. They will have to be able to
prove they used reasonable efforts to check that the data importing
company is able to meet its obligations under the clauses.
Although the new clauses are a real step forward, they will still be
awkward to implement for multinational groups of companies. Progress on
the adoption of the binding corporate rules solution remains essential".
The new regime gives individual data subjects who are aggrieved by the
export arrangement the right to sue the data importer in an EU Member
State.
The Decision bolsters the powers of national data protection authorities
in Europe by giving them powers to suspend data exports where the
exporter refuses to take steps to enforce the contract against the
importer or refuses to co-operate with the data protection authority.
In the text of the new Decision, the Commission reiterates that the
clauses must be used in their entirety and cannot be amended or
modified.
An article in the January 2005 edition of Privacy & Data
Protection journal contains a full analysis of the new model
clauses.
Police bugging – unlawful
Posted: December 2004
The European Court of Human Rights has determined that the covert
recording of conversations of suspects being held by police in custody
is a violation of the right to respect for private life.
The case, Wood v United Kingdom (Application No. 23414/02), was brought
by Clayton Wood, a UK citizen, who was suspected of being involved in a
series of burglaries. The police had difficulty obtaining evidence
in their investigation and, therefore, decided to carry out a covert
operation by arresting the suspects and detaining them together in a
police cell which had been fitted with audio recording equipment.
The content of their conversations were the basis of the prosecution's
case against Mr Wood.
In its judgment, the European Court of Human Rights held that the police
activity breached the right to privacy contained in Article 8 of the
European Convention of Human Rights.
The UK government conceded, in light of the court's case law, that there
had been no legal basis for the measures, and that there was no
effective remedy under UK domestic law for that breach of Article 8.
The court accordingly found, unanimously, that the covert surveillance
measures involving the applicant constituted an interference which was
not "in accordance with the law" and that there was no effective remedy
(breach of Article 13).
Data protection law
- France finally catches up with Europe
Posted: October 2004
The European Data Protection Directive (95/46/EC) has finally been
implemented into French national law, by way of a substantial update to
the Computing and Liberties Act. France was the only EU Member
State not to have implemented the Directive - the Commission had
previously commenced enforcement action against the country.
Businesses who operate in France should take urgent steps to check if
they are compliant with new French data protection law, parts of which
came into force on 7th August 2004.
Under the new law, the following types of processing must be authorised
in advance by the French data protection authority, the National
Computing and Liberties Commission ('CNIL'): processing of sensitive
personal data; use of automated processing techniques ( where people may
be excluded from the advantages of a right, a benefit or a contract );
automated interconnection of separate databases; use of biometric
identifiers; and transfers of personal data outside the EU.
This authorisation must be expressly granted and a lack of response from
the CNIL in the two months following the filing of the application must
be taken to denote a refusal.
The French notification ('declaration') system has also been beefed up.
However, the new law does leave the possibility to simplify the
procedures as regards certain types of processing, by allowing
simplified declarations and even some exemptions from declaration.
The CNIL anticipated this new flexibility in a decision earlier this
year that companies no longer need to notify details of the company
payroll.
If companies fail to notify processing or to seek prior authorisation
for processing, where required, the penalties can be severe - criminal
law sanctions with penalties of up to three years imprisonment and a
€300,000 fine. Further, according to French case law, any
recording or processing which is not duly declared to or authorised by
the CNIL cannot be legally used against an employee.
EU investigates UK
data laws
Posted: September 2004
The European Commission has written to the UK to request information
relating to its implementation of the Data Protection Directive
(95/46/EC). One potential outcome of an investigation by the
Commission is that the UK could be forced to amend its data protection
laws.
The impetus for the move by Europe apparently stems from a complaint
made to the European Commission by Mr Durant following his
unsuccessful subject access legal case that went through the British
courts system in 2003.
Following the unsuccessful attempt by Mr Durant to extract information
from the UK Financial Services Authority under the subject access
provisions of the Data Protection Act 1998, and his subsequent
complaint to the European Commission about inadequate UK compliance
with the EU Data Protection Directive, the Commission has indicated its
disquiet with the UK’s implementation of the Directive by sending the
government a request for further information on its national data
protection laws.
In the Durant case, the Court of Appeal found that Mr Durant was not
entitled to many of the documents he was seeking from the Financial
Services Authority—in doing so, the court found that both the terms
‘personal data’ and ‘relevant filing system’ had a restricted meaning
under the UK Data Protection Act. For further detail on the case and
the court’s view of the definitions of the above terms, see Privacy &
Data Protection, Volume 4, Issue 3, page 4.
Many are also commenting that the UK has inadequately implemented the
Electronic Privacy Directive (2002/58/EC), resulting in too lenient a
treatment of persons who send unsolicited commercial email (‘spam’) in
the UK.
French Data Protection Authorities rule US email spy software
unlawful
Posted: 18th August 2004
The French Data Protection
Authority, Commission Nationale de l'Informatique et des Libertés ("CNIL"),
has ruled that an email service provided by Rampell Software, a
Florida-based company, is illegal, as it breaches French data protection
law.
Subscribers to the service, called
'Did They Read It?', are able to
track all emails that they send without the recipient's knowledge. The
software informs subscribers when recipients have received their email,
what time they opened it and for how long it remained open on their
screen. It also provides further information such as how many times the
email was viewed, the type of operating system used by the recipient,
who the email was forwarded to, and whether the secondary recipients
opened the message.
Under European Data Privacy legislation, such collection and
transmission of data is unlawful. Under French law, it is punishable by
up to 5 years' imprisonment and fines of up to EUR300,000. CNIL has
therefore warned would-be subscribers of 'Did They Read It?' that the
use of the service in France could expose them to legal action.
EU investigates UK data
laws
Posted: June 2004
The European Commission
has written to the UK to request information relating to its
implementation of the Data Protection Directive (95/46/EC). One
potential outcome of an investigation by the Commission is that the UK
could be forced to amend its data protection laws.
Following the
unsuccessful attempt by Mr Durant to extract information from the UK
Financial Services Authority under the subject access provisions of the
Data Protection Act 1998, and his subsequent complaint to the European
Commission about inadequate UK compliance with the EU Data Protection
Directive, the Commission has indicated its disquiet with the UK's
implementation of the Directive by sending the government a request for
further information on its national data protection laws.
In the Durant case, the
Court of Appeal found that Mr Durant was not entitled to many of the
documents he was seeking from the Financial Services Authority - in
doing so, the court found that both the terms 'personal data' and
'relevant filing system' had a restricted meaning under the UK Data
Protection Act. For further detail on the case and the court's view of the definitions of the above terms, see Privacy & Data Protection, Volume 4, Issue 3, page 4.
Many are also
commenting that the UK has inadequately implemented the Electronic
Privacy Directive (2002/58/EC), resulting in too lenient a treatment of
persons who send unsolicited commercial email ('spam') in the UK.
According to reports, this seems to have led to 'spam gangs' moving from
other European countries to the UK. In Italy, for example,
spammers can face severe penalties. In the UK, the regime is known
to be such that no penalties will be handed down.
Steve Linford of
Spamhaus, an anti-spam organisation, said the UK law was full of
'gigantic loopholes' and its punitive measures derisory. Britain,
he warned, was on course to become one of the world's fastest-growing
sources of spam and was already 10th in the table of the worst spamming
countries.
The UK's response to
the letter from Brussels is awaited. In the meantime, Richard
Thomas, the UK data protection regulator, has apparently seen a copy of
a draft of the letter that has been sent to the UK government - he has
made no further comment.
Naomi Campbell establishes right to privacy
Posted: 19th May 2004
In a landmark ruling,
the Supermodel Naomi Campbell has finally won her privacy action against
the Mirror. The UK House of Lords, by a narrow majority of 3 to 2,
has ruled that Miss Campbell’s right to privacy had been breached.
It has been a long haul
for Miss Campbell. She won her action at trial before Morland J in
the High Court ( see
Privacy & Data Protection, Volume 2, Issue 5, page 1 ) and was
awarded £3,500 in compensation. She then lost her appeal in the
Court of Appeal a year later.
The case arose from the
publication by the Mirror, on 1st February 2001, of an article
concerning Miss Campbell's addiction to drugs, and the fact that she was
trying to beat the habit. An accompanying photograph showed her
arriving at a Narcotics Anonymous meeting - the photograph was taken
covertly by a photographer who was some distance away, concealed in a
parked car.
The Lords were at pains
to stress that a right to privacy, as such, does not exist in English
law - the action was decided under breach of confidence - but in
reality, the case confirms a right to privacy. Even Lord Nicholls,
who dissented in the case, stated that, "the protection of various
aspects of privacy is a fast developing area of the law".
Lord Hope of Craighead,
allowing the appeal by Miss Campbell, said that, "despite the weight
that must be given to freedom of expression…there was here an
infringement of Miss Campbell's right to privacy that cannot be
justified".
Jo Sanders, media
litigation solicitor at Olswang, and co-author of 'Media Law', said
that, "whilst Campbell is a case very much on its own facts, its
importance should not be underestimated. It represents a
significant, if subtle, shift in the attitude of the courts towards
privacy claims. An action in breach of confidence has now been
finessed by a new test for the unlawful disclosure of private
information, which places emphasis on the private nature of the material
concerned and the potentially harmful effect its widespread disclosure
will have on the subject.
"Where a private act,
such as sexual conduct, occurs in public and there is no public interest
in exposing the conduct, then this judgment suggests that the subject of
the story could recover damages for its disclosure. And it gave
little leeway to journalists, who will need to show public interest in
each element of their story, not just the overall journalistic package.
The wider effects of the decision remain uncertain, but it is clear that
Campbell will not be the last chapter in the story of developing privacy
law in this country".
For a detailed analysis
of the facts of the case, see Kate Brimsted's article in
Privacy & Data
Protection, Volume 2, Issue 6, at pages 8 to 11.
Commissioner publishes new guidance after Durant
Posted: 25th February 2004
The Information
Commissioner's Office has moved quickly to publish new guidance which
reflects the judgment of the Court of Appeal in the important case of
Durant v Financial Services Authority [2003].
This new guidance
provides a summary to data protection officers and advisers on the 2 key
issues raised in the Court of Appeal's decision, namely:
1. What "data" are "personal" within the meaning of the Data Protection Act 1998 ('the Act')? and
2. What is meant by a "relevant filing system" in relation to manual files?
While the guidance provided by the Information Commissioner in relation to
"relevant filing systems" is only of relevance to manual records, the
guidance regarding "personal data" will apply equally to manual and
computerised records.
Personal Data
The Information Commissioner has provided examples which will help us to
apply the Court of Appeal's decision on whether "data" relates to an
identified individual.
Simply because a
person's name appears on a document does not mean that the information
contained in the document will be "personal data" about that person.
What is important is whether the information affects the named
individual's privacy, whether in a personal, family or professional
capacity. It is likely to do so if the information is capable of
having an adverse impact on the individual. In determining this
one should consider whether the information is significantly
biographical. Also, it will not "relate" to the individual, and so
will not be personal data, if the individual is not the focus of the
information.
Relevant Filing System
The Information Commissioner has clarified that the Act will only apply
to manual files if they are organised in a sophisticated and structured
manner (akin to the easy accessibility of a computerised filing system).
Therefore, manual files clearly indexed or structured, allowing easy
identification of relevant information about the individual, would fall
under the Act. However, files organised chronologically or which
would require someone to leaf through to find out whether information
about a named individual ( or information qualifying as personal data
about that named individual ) is held are unlikely to constitute a
relevant filing system.
The guidance recommends
applying the "temp test" to identify whether a relevant filing system is
in place. The temp test requires you to consider whether, if you
employed a temporary administrative assistant, they would be able to
extract specific information about an individual without any particular
knowledge of the work that you do or the documents that you hold.
If the temp could locate the information easily, the information will be
held in a relevant filing system. If, however, the temp would need
to leaf through the file contents to obtain the information required,
the information would not be in a relevant filing system.
As a consequence of the
Durant case the Information Commissioner's guidance acknowledges that it
is likely that very few manual files ( including manual personnel
records unless they are clearly indexed/sub-divided ) will be caught by
the Act. Again, it is important to note that the concept of
"relevant filing system" applies only to manual records. Records
held in computerised format which can be easily searched will, if they
contain personal data ( using the guidance in the Durant case as to what
amounts to personal data ), be covered by the disclosure obligations in
the Act. Equally, if data held in a manual file is also held
electronically, it may also be disclosable in that form.
However, organisations
in the public sector ( or carrying out public functions ) must be aware
that in 2005 the Freedom of Information Act 2000 will amend the Act.
Following that amendment, personal data in manual files held by such
organisations must be accurate, up to date and accessible, regardless of
the system used to file the information within those manual files ( i.e.
even if they are unstructured, but not unstructured manual personnel
records ).
Court dramatically restricts subject access right
Posted: 9th January 2004
In a move that will
dramatically reduce the Data Protection Act's applicability to
paper-based records, the UK Court of Appeal has refused an application
for subject access on the basis that the information sought did not
constitute 'personal data'.
In the case of Durant v
Financial Services Authority (2003), the Claimant sought access to files
held by the FSA concerning a dispute that he had with Barclays Bank.
The FSA, in its supervisory role, had investigated his complaint against
the bank.
The files were held by
the FSA in paper-based manual filing systems. The court found that
such filing systems did not amount to a 'relevant filing system’ under
the Act and, therefore, that the Claimant was not entitled to access to
them, due to the fact that they were not akin to a computerised system
in terms of ready accessibility to data.
Having determined that
a purposive approach is appropriate to the interpretation of the Data
Protection Act, Lord Justice Auld stated that the purpose of the subject
access rights in the Act is to enable an individual to check whether the
processing of his or her personal data unlawfully infringes his or her
privacy. The purpose is not, however, to provide "an automatic key
to any information, readily accessible or not, of matters in which he
may be named or involved".
This case appears to
restrict the scope of 'personal data' to information that has some
connection to the relevant individual, as opposed to a mere mention of
the individual's name. The information should be biographical or
have the individual as its focus in order to constitute 'personal data'
under the Act - in other words, the information must affect a person's
privacy.
For further detail on
the Court of Appeal decision, see the article in
Volume 3, Issue 4 of
Privacy & Data Protection Journal.
German Data Protection Authority allows foreign transfer of General Electric's employee data
Posted: 29th December 2003
The North Rhine
Westphalia Data Protection Authority has approved a transfer of employee
data from Germany to the United States. The authority ruled that
General Electric's binding internal rules were sufficient to protect
employees' rights during the transfer of data collected by the company's
German subsidiary to its US headquarters.
The German Federal Data
Protection Act prohibits the transfer of data to a country that does not
provide adequate data protection standards, such as the United States.
Section 4(c) of the Act provides that a local Data Protection Authority
can approve certain transfers of personal data if the recipient
guarantees the protection of the employees' rights, for example through
a contract or binding company rules on conduct.
Under Section 4(b), factors to be taken into account when considering a
transfer include:
- the purpose of the transfer
- the duration of intended use of the data
- the countries where the data is collected and will be received and
- the regulations to be complied with by the recipient.
In this case, General
Electric's internal rules provided adequate protection, as they
specified the purpose for which data would be transferred, and granted
precise rights to employees, including rights to notification and the
correction of data.
The fourth and final part of the Employment Practices Data Protection Code has been issued in draft form for a 3 month period of public consultation.
Posted: 6th December 2003
Information About Workers’ Health is intended to give employers clear
and practical guidance about how to comply with data protection law when
handling information about workers' health. Part 4 of the Code contains
general guidance on handling health information about workers. It
also contains sections dealing specifically with the operation of
occupational health schemes, medical examination and testing of workers,
drug and alcohol testing and genetic testing in the workplace.
The consultation period will end on 27 February 2004.
Download a copy of the
Employment Practices Data Protection draft code.
The UK's