02 Aug 2017

Data Protection update - July 2017

Linkedin

Welcome to the July 2017 edition of our Data Protection update, our monthly bulletin on key developments in data protection law. As always, please do let us know if you have any feedback or suggestions for future editions.

Data protection

Cybersecurity

ICO enforcement

Data protection

Ministry of Justice discloses judge's handwritten notes in response to data subject access request

The Ministry of Justice (MoJ) has disclosed the handwritten notes of an employment tribunal judge in response to a data subject access request (SAR) under the Data Protection Act 1998 (DPA).

Following an employment tribunal decision in 2013 regarding a constructive dismissal claim, former car service manager Mr Percival requested access to the judge's notes by exercising his subject access rights under the DPA. The MoJ asserted that (a) the notes did not form part of a "relevant filing system" and therefore did not fall within the scope of the DPA; (b) it was not a relevant data controller in respect of the notes; and (c) in any event the notes should not be disclosed. The Information Commissioner’s Office (ICO) disagreed and confirmed that once notes were placed on the court file they became part of a relevant filing system and the MoJ became a data controller when the notes were added to the court file. Similarly, the MoJ’s argument that judicial notes should be exempt from SARs was overruled by the ICO on the basis that "handwritten notes in the court files will be data for the purposes of the DPA". 

Top





European Privacy Flag project launches GDPR certification scheme and privacy tools

A European research project called 'Privacy Flag', co-funded by the European Commission, has launched privacy tools for citizens and organisations to assess compliance with the GDPR.

Privacy Flag introduces a "EuroPrivacy" certification scheme which enables companies to certify the compliance of their services with the GDPR. The website also contains tools to ascertain if apps, websites or Internet of Things deployments installed on smartphones are GDPR-compliant. These tools provide a mechanism for data subjects to ensure their personal data will be properly protected in accordance with the GDPR.

The Privacy Flag has also introduced a "Privacy PACT". This is a voluntary legally-binding mechanism for entities in Japan, Korea, China and the US to commit to GDPR compliance. Additionally, the Privacy Flag website contains a publicly disclosed list of the names of privacy compliant companies signed up to the Privacy PACT which we may see become a way to build trust in an organisation’s data privacy practices when developing business activities in the European Union.

To visit the Privacy Flag website, please click here.

Top





Privacy Shield adequacy decision incorporated into EEA agreement

The European Economic Area (EEA) joint committee has adopted a decision of the European Commission, formally extending the EU-US Privacy Shield data transfer framework (Privacy Shield) to Iceland, Liechtenstein and Norway, by incorporating it into the EEA Agreement. The formal extension of the Privacy Shield took effect on 8 July 2017, subject to any necessary EEA notifications.

This will be welcomed by organisations that transfer personal data from Iceland, Liechtenstein and Norway to the US, however, it should be noted that the Privacy Shield remains subject to an EU court challenge and the European Commission's up-coming annual review, which is due to take place in September 2017.

Top





Article 29 Working Party releases Opinion on employee monitoring at work

The Article 29 Working Party (WP29) has updated its 2001 opinion and 2002 working document on workplace monitoring by adopting an opinion on 'data processing at work' on 8 June 2017 (the Opinion).

Whilst the WP29 restates its previous conclusions, it has identified the need to consider technological developments, such as smart devices and the Bring Your Own Device (BYOD) trend, which have enabled more intrusive ways of employee monitoring.

The WP29 identifies nine different data processing scenarios in which new technologies may have the potential to result in high risks to employees' privacy, including during the recruitment process (including the use of social media); resulting from monitoring IT usages at the workplace; and involving international transfers of HR and other employee data.

The WP29 also advises against the use of automated decision making and states that, given the imbalance of power, employees can only give free consent in exceptional circumstances, meaning consent will rarely be a legitimate legal basis for processing. Valid grounds may include processing necessary for the performance of the employment contract (e.g. to pay the employee), or processing in connection with obligations imposed by employment law. The WP29 outlines that, for an employer to successfully rely on the legitimate interest ground, the processing must be strictly necessary for a legitimate purpose and must be proportionate to the business need.

The WP29 also set out guidelines for the legitimate use of new technology, in a number of specific scenarios, as follows:

  • Employers must be able to justify a legitimate interest to review applicants’ social media profiles, taking into account whether the social media profile it is related to business (e.g. LinkedIn) or private purposes (e.g. Facebook);
  • Employees must be informed of the existence of any monitoring and the purposes for the monitoring (policies must be clear and readily accessible to all employees); and
  • If an organisation has a BYOD policy, employers should implement preventative measures to ensure no employee is subject to extensive device monitoring as there is a high risk this will capture data relating to the employee's private and family life.

To read the Opinion, please click here.

Top





Brexit: the EU data protection package

The House of Lords' EU Home Affairs Sub-committee (HoL Committee) has published a report which considers the impact of Brexit on the GDPR, the EU-US Privacy Shield, and the EU-US Umbrella Agreement (see our February 2017 update for more information).

It is clear that, once the UK leaves the EU, it will no longer be bound by the EU data protection regime, nor will it be a party to the EU-US Privacy Shield or the EU-US Umbrella Agreement. However, EU data protection rules cannot be ignored. The extra-territorial scope of the GDPR means that any UK (or indeed global) organisation doing significant business in the EU post-Brexit will still need to apply its rules regardless of its legislative status in the UK. The UK will therefore have to ensure that its data protection rules do not diverge significantly from the EU framework in order to retain options for companies needing to exchange personal data with the EU. Receiving an "adequacy" decision from the European Commission confirming that the UK's data protection rules offer an equivalent standard of protection to that available within the EU is considered the most comprehensive mechanism for the UK to continue to share data with the EU in an unhindered way.

The HoL Committee supports the UK Government’s stance on maintaining unhindered data flows post-Brexit and warns that any post-Brexit arrangement leading to friction around UK-EU data flows could put the UK at an economic disadvantage. The report also emphasises that the ability to move data across borders is central to international trade, particularly given the UK's economic dependence on the services sector. The HoL Committee estimates that around half of the UK's trade in services is "enabled by digital technologies and the associated data flows".

The report’s key issues and recommendations include:

  1. The Government should pursue an "adequacy" decision from the European Commission and should put in place transitional arrangements to cover the gap between leaving the EU and obtaining said adequacy decision;
  2. Putting in place arrangements with the US to ensure personal data is afforded the same level of protection as the EU-US Privacy Shield and the Umbrella Agreement, noting that Switzerland has secured a mirror of the Privacy Shield agreement with the US (as well as an adequacy decision from the EU); and
  3. The Government should seek to secure a role for the ICO on the European Data Protection Board. The UK has a strong track record of influencing European data protection laws and had an extensive input in relation to the GDPR.

The HoL Committee expressed a need for concrete detailed plans to be put in place sooner rather than later.

To read the HoL Committee's full report, please click here.

Top





Cybersecurity

FCA launches new cyber security guide

On 22 June 2017, the FCA published its new guide setting out 'good practice' cyber-security procedures to assist organisations, particularly micro, small and medium-sized enterprises (​SMEs​), to become more resilient to cyber-attacks and to respond adequately to cyber incidents. In light of the recent series of cyber-attacks, the guide sets out numerous precautions, which businesses can take to improve their resilience to cyber security attacks, including the following:

  • Manage the risk – by understanding the range of data held by the business and who has access to the most sensitive information;
  • Encryption – use encryption software to protect critical information from unauthorised access;
  • Network and computer security - ensure networks, systems and software are kept up to date and fully patched;
  • User and device credentials - employ two-factor authentication for sensitive information;
  • Disaster recovery plan – have an effective disaster recovery system in place to ensure you are able to restore your services in the event of a cyber-attack; and
  • Engage with the Cyber Security Information Sharing Partnership (CISP) - a joint industry and government initiative to allow firms to exchange cyber threat information in real time and provide support for firms experiencing ongoing cyber-attacks. 

For more information, please click here.

Top





Sweden suffers huge leak of confidential information

Sweden's Prime Minister, Stefan Lofven, confirmed that in 2015 the Swedish government suffered a serious leak of confidential information, potentially including details of military personnel and security planning, but news of the leak only emerged this month. The Prime Minister has blamed a sub-standard outsourcing agreement, entered into by Sweden's transport agency, for the breach. The outsourcing agreement allowed confidential information to be disclosed to IT workers in Eastern Europe, even though they lacked the requisite security clearance. Details of exactly what was leaked is still being established. The Swedish media has been reporting that the home addresses of pilots, databases containing criminal records and information on people suspected of crimes were accessible to the IT workers, although such reports have not yet been confirmed.

Top





ICO Enforcement

Boomerang Video Ltd fined £60,000 after it suffered a cyber-attack  

An online video game rental company, Boomerang Video Ltd (Boomerang), was subjected to a cyber-attack in 2014, in which over 26,000 customer details were compromised. The attacker used a common "SQL injection" technique to access the data which is a type of cyber-attack widely considered to be easily avoidable. The ICO investigation uncovered that Boomerang had failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data and, in particular: 

  1. had not carried out regular network penetration testing on its website (which should have detected a coding error in the login page);
  2. failed to ensure customer passwords for the Wordpress section of its website were sufficiently complex to withstand a brute-force attack; 
  3. failed to keep the decryption key secure; and 
  4. held customer card details on the web server for longer than was necessary to provide Boomerang's services. 

The ICO decided that the above findings constitute a serious contravention of the seventh data protection principle (to take appropriate technical measures against the unauthorised or unlawful processing of personal data) and fined Boomerang £60,000. 

Click here for the monetary penalty notice.

Top





ICO investigation into the Royal Free's use of patient data

The ICO has, after a year-long investigation, held that the Royal Free London NHS Foundation Trust (Royal Free) failed to comply with data protection laws when carrying out clinical testing of an AI-powered app, called Streams, for the alert, diagnosis and detection for life-threatening kidney injuries. As part of the testing, the Royal Free provided personal data of approximately 1.6 million patients to Google DeepMind.

The ICO confirmed that there was no data sharing arrangement in place but rather "the relationship between the Royal Free and [Google] DeepMind is one of a data controller to a data processor." As Google DeepMind was not provided the personal data for its own purposes and processed the personal data in accordance with the Royal Free’s instructions.

Key shortcomings included the fact that the Royal Free had used real patient data to test Streams, patients were not properly informed that their data would be used, and a failure to obtain patient consent. It was also not necessary and proportionate to process records relating to 1.6 million patients to test the clinical safety of the application.

In this instance, the Royal Free’s failures were not found to have caused substantial damage or distress to the affected patients, and the ICO has not issued a fine.  Instead, the Royal Free has agreed to the terms of an undertaking which allows the data to be used by the Streams app whilst requisite compliance measures are put in place.

For more information, please click here.

Top





ICO fines Moneysupermarket.com Ltd £80,000 for sending unsolicited direct marketing emails

MoneySuperMarket has been fined £80,000 for ignoring customers’ marketing opt-out preferences. The ICO, which imposed the fine, said the price comparison website sent 7.1 million emails to customers who had previously made it clear that they did not want to be contacted in that way. MoneySuperMarket’s email included a section entitled "you've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our emails," acknowledging that the customers receiving the emails had in fact opted out of direct marketing.

This contravention amounts to a serious breach of regulation 22 of the PECR and has resulted in a considerable fine. ICO head of enforcement Steve Eckersley said: "Organisations can't get around the law by sending direct marketing dressed up as legitimate updates."

For more information, please click here.

Top





ICO issues record number of PECR penalties

The ICO has issued, in the past 12 months, more fines for breach of PECR than ever before. The ICO's Annual Report confirms that the ICO issued 23 penalties totalling £1,923,000. The largest fine, totalling £270,000, was served on Road Traffic Consult for making 22 million unsolicited automated marketing calls to member of the public. The ICO also reported that it has issued 16 civil monetary penalties for breaches of the DPA, totaling £1,624,500. The largest fine of £400,000 was imposed on TalkTalk.

To read the Annual Report, please click here.

Top





Linkedin

KEY CONTACT

Jonathan Kirsop

Jonathan Kirsop
Partner

T:  +44 20 7809 2121 M:  +44 7554 403 022 Email Jonathan | Vcard Office:  London

Alison Kenney

Alison Kenney
Associate

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London