In case you missed our recent Devonshires’ Information Law Conference, here is a reminder of our top ten current data protection issues you should be aware of.
If you have any questions on this Data Protection Update, please do not hesitate to contact Hetal Ruparelia or Nick Billingham.
- Updated ICO guidance on Subject Access Requests (“SARs”)
- Direct Marketing
- Use of Automated Facial Recognition (“AFR”)
- Group Litigation Orders
- First fine levied for a data breach under the Data Protection Act 2018
- Vicarious liability for data breach caused by rogue employee
- Data breaches and cyber security
- International data transfers
- Processing employee criminal conviction data
- Covert recording and admissibility in Court
Updated ICO guidance on Subject Access Requests (“SARs”)
The ICO has published updated draft guidance on SARs which explains in greater detail the rights that individuals have to access their personal data and the obligations on controllers. The draft guidance also explores the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, how to work out the timescales for responding and the exemptions that are most likely to apply in practice when handling a request. It provides further clarification on when an extension can be sought for responding to a SAR, when a fee can be charged and what ‘manifestly unfounded’ means in practice.
Draft Direct Marketing Code of Practice
The Information Commissioner is producing a Direct Marketing Code of Practice, as required by the Data Protection Act 2018. The Code starts with a section looking at the definition of direct marketing to help you decide if the code applies to you, before moving on to cover areas such as planning your marketing, collecting data, delivering your marketing messages and individuals’ rights.
The definition of direct marketing is at s.122(5) of the Data Protection Act 2018, as follows:
“‘direct marketing’ means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
Use of AFR
In the case of Bridges v South Wales Police, the Divisional Court in Cardiff dismissed an application for judicial review brought by a civil liberties campaigner against South Wales Police’s use of AFR. The Divisional Court held that, although the police’s use of AFR engaged the right to respect for private life under Article 8 of the European Convention on Human Rights and amounted to the processing of sensitive personal data, its use was nonetheless lawful on the basis that the interference struck a fair balance and was not disproportionate.
Group Litigation Orders
There is an increase in the use of Group Litigation Orders by data subjects who have been affected by a data breach. Following the 2018 British Airways cyber-attack, in which around 500,000 customers were affected, a Group Litigation Order was granted in October 2019, meaning that the issues common to the data subjects affected by the attack can be argued as one set of proceedings. Commentators expect each data subject to be awarded compensation of between £2,000 and £6,000, the total of which could be substantial for British Airways.
First fine levied under the Data Protection Act 2018
Doorstep Dispensaree was the first company to be fined under the Data Protection Act 2018 following a data breach. The company provides pharmaceutical dispensary services to thousands of care homes. It left approximately 500,000 documents containing personal data in unlocked containers in an outdoor area at its premises, where the documents were exposed to water and damaged. The company was being investigated by the Medicines and Healthcare products Regulatory Agency (MHRA) into alleged unlicensed and unregulated storage and distribution of medicines, and it was the MHRA that made the ICO aware of the breach. Doorstep Dispensaree was fined £275,000. The enforcement action highlights that regulators are taking a collaborative approach, and that sensitive data relating to vulnerable individuals is a high enforcement priority.
Vicarious liability for data breach caused by rogue employee
In the case of Various Claimants v Morrisons, a rogue employee unlawfully disclosed the payroll data of thousands of his colleagues. A claim was brought by a number of the data subjects affected by the breach to hold Morrisons vicariously liable for the employee’s actions. The High Court and the Court of Appeal both found that Morrisons was vicariously liable. That decision has been appealed to the Supreme Court, whose judgment is eagerly awaited. If the Supreme Court upholds the decision, it will have major implications for all employers faced with a data breach caused by an employee.
Data breaches and cyber security
We are increasingly seeing data breaches that centre on cyber security failures. The ICO has issued a Notice of Intent to fine Marriott International £99.2 million after the systems of Starwood Hotels, a group Marriott acquired in 2016, were compromised in a cyber-incident; the compromise predated the acquisition but was only discovered in 2018. The incident affected approximately 339 million guest records. The ICO has made it clear that “proper due diligence when making a corporate acquisition” forms part of the accountability principle, so an acquirer inherits responsibility for the security of the systems it buys.
International data transfers
If personal data is transferred to a country outside the EEA, this is a “restricted transfer” and can only be made if additional protections are in place to safeguard the personal data. A data controller making a restricted transfer must consider, in order:
- Is there an adequacy decision in relation to the country or territory where the receiver of personal data is located? If not;
- Has an appropriate safeguard been put in place as referred to in the GDPR? If not;
- Does an exception set out in the GDPR apply? If not, the restricted transfer cannot be made.
Processing employee criminal conviction data
Many employers ask on an application form whether a prospective employee has any unspent convictions. We have noticed a trend of employers ‘over-checking’ roles and also failing to identify their condition for processing this information under the GDPR and the Data Protection Act 2018. One of the main conditions an employer can rely on to process criminal conviction data applies where:
- the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment;
- an appropriate policy document is in place; and
- appropriate safeguards are in place.
Covert recording and admissibility in Court
In the case of Mustard v Flower & Flower & Direct Line Group (2019), Master Davison handed down a detailed judgment on the admissibility of covert recordings, including a recording of neuropsychological testing in a head injury case. The Court found that the recordings were not unlawful, that they did not breach the GDPR or the DPA 2018, and that the Overriding Objective under the CPR clearly favoured admitting the recordings into evidence, subject to safeguards ensuring that the recording of the proprietary test materials used in the neuropsychological testing did not enter the public domain.