Welcome to the March 2017 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.
The Italian Data Protection Authority (Garante) has fined five companies in excess of €11 million for the unlawful processing of personal data.
The data breach was discovered during a police investigation by the Guardia di Finanza into money laundering carried out by a multinational money transfer company, Sigue Global Service Limited, and four other organisations. The companies were routing foreign transfers to China and, in order to avoid the application of anti-money laundering legislation, were splitting up large transactions and attributing them to more than a thousand customers, whose personal data was used illegally without their consent or any other legitimate basis for processing. According to the Garante's press release: "The names [on the] transfers were never the actual senders and, in some cases, [the names were of] deceased or non-existent people."
These sanctions are the highest ever issued by a Data Protection Authority in Europe. The previous record was also held by the Garante, for the €1 million fine it imposed on Google in 2014. The lack of cooperation and the failure to remedy the misconduct effectively were reflected in the sanctions (€5,880,000 for Sigue and €1,590,000, €1,430,000, €1,260,000 and €850,000 for each of the agent companies respectively).
Please click here for the Garante's press release.
The NHS has come under pressure to implement enhanced data protection measures after the medical records of 26 million NHS patients became compromised in a major security breach amid warnings that the IT system used by thousands of GPs is not secure. The Information Commissioner is investigating concerns that sensitive medical records held by 2,700 medical practices (one in three of those in England) can be accessed by hundreds of thousands of unconnected people.
The problem stems from IT software used by GPs called "SystmOne". By switching on the "enhanced data sharing" function, GPs inadvertently allowed sensitive medical records of patients to be accessed by receptionists, clerical staff, healthcare assistants and medics working in pharmacies, hospitals, GP surgeries, care homes and prisons, even where there was no medical reason to do so.
Privacy campaign group medConfidential has published information online to help patients find out if their personal information is affected by the leak and assist them in taking steps to protect their data. Unfortunately, it may be too late for many patients as the information leaked could have already been accessed for malicious reasons or fallen into criminal hands. Phil Booth of medConfidential said: "This is a truly devastating breach which involves millions of patients’ GP records – for some, the most deeply personal, sensitive and confidential data about them – being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look."
Also this month, the NHS was accused of covering up a huge data loss that put thousands of patients at risk: more than half a million pieces of confidential medical correspondence, including screening results, blood test results and treatment plans, were lost between 2011 and 2016.
Please see here for more information.
The Information Commissioner's Office (ICO) draft guidance has provided an indication of the meaning of explicit consent as incorporated in the General Data Protection Regulation (GDPR). The paper advises that explicit consent, amongst other conditions, involves obtaining a very clear and specific statement of consent which must be separate from other terms and conditions. Consent must also be a positive opt-in and consent should not generally be a pre-condition of signing up to a service. The GDPR specifically bans pre-ticked opt-in boxes.
The ICO also advises that organisations should specifically name third party recipients of data where it is shared on the basis of consent. Individuals will have a specific right to withdraw consent and need to be offered easy ways to withdraw their consent at any time. The onus is on organisations to retain evidence of consent including how and when it has been obtained. Now is the time for businesses to check their consent practices and if they are not compliant with the GDPR, to plan and implement compliant consent practices ahead of 25 May 2018.
The draft guidance includes a helpful "What's new?" section detailing the differences between the current law and the GDPR. Read more here.
The draft guidance is currently open for comment and the quickest way to submit views is to use the ICO’s prepared form. If you haven't already done so, you can offer your views on the draft guidance before 31 March 2017 here.
The European Commission has published an updated European handbook on equality data, providing an overview of how best to collect and analyse data on issues relating to equal treatment in the EU. Chapter 7 of the handbook is aimed at employers undertaking diversity monitoring (sometimes called equal opportunities monitoring). The Commission recommends that employers carry out diversity monitoring in the workplace, as monitoring allows an organisation to obtain an overall, statistically valid picture of the ways in which its policies and practices affect the equality groups, and to identify discriminatory practices and barriers to equal treatment.
The handbook also discusses ways in which employers can improve the level of staff disclosure of sensitive personal information, stating "experience shows that confidence in the monitoring system tends to grow once the system is in place and people become accustomed to it and are educated about it". The handbook concludes by suggesting workplace and service delivery equality and non-discrimination monitoring should be developed in dialogue with representatives of the equality groups and other stakeholders.
Employers need to be aware of the technical and practical considerations of diversity monitoring, which may involve the collection of personal data (data relating to identifiable individuals) or anonymous workforce surveys. In accordance with existing data privacy principles, employers gathering personal data must explain to employees why they are collecting the data, how the data will be used and the security measures in place to protect it. The employer must also keep the data up to date, especially in relation to disability, as disability status can change.
For further information on diversity monitoring, please click here.
A Scottish Sheriff Court has awarded over £17,000 in compensation pursuant to section 13(1) of the Data Protection Act 1998 (DPA) for distress caused by intrusive CCTV and audio recording in a family home.
The case concerns a married couple, Mr and Mrs Woolley, who live above a guest house in Edinburgh owned by Nahid Akram (the Defender). The subject of the proceedings was a claim for compensation for breaches of the first, third and fifth data protection principles by the Defender in relation to highly intrusive CCTV and audio recording systems she installed from October 2013. Four CCTV cameras and four audio boxes, recording 24 hours a day, were installed on the guest house, deliberately positioned to cover the Woolleys' private property. Sheriff Ross, in a ruling issued at Edinburgh Sheriff Court, said that the processing of personal data gathered from the Defender's video and audio recording equipment was "intrusive, excessive and unjustified" and "unnecessary in relation to any legitimate purpose", and awarded the Woolleys £8,634 each.
It is thought to be the first time that a court in the UK has awarded damages purely for the distress caused by a breach of UK data protection laws (although the case of Google v Vidal-Hall did allow for it, that case was subsequently settled). Compensation was granted on the basis of £10 for each day that the Woolleys' data had been processed in breach of the DPA, with a deduction of one month's worth of days per year to account for days when the Woolleys were "likely to be absent from the property, for example on holiday". It will be interesting to see whether the daily-figure approach adopted in this case is followed in future cases.
Full details of the judgment can be found here, and our previous updates on Google v Vidal-Hall can be found here and here.
While the term "big data" is relatively new, the act of gathering and storing large amounts of information for eventual analysis dates back to the early 2000s. Distinctive aspects of big data analytics include use of algorithms, the tendency to collect "all the data", the repurposing of data and use of new types of data.
It isn't surprising that the ICO's publication coincides with both an increase in the use of big data analytics across all sectors and the planned implementation of the GDPR. The ICO confirmed that "embedding privacy and data protection into big data analytics enables not only societal benefits such as dignity, personality and community, but also organisational benefits like creativity, innovation and trust."
The GDPR strengthens data subjects' privacy rights in the big data context and includes provisions relating to profiling, privacy impact assessments (PIAs) and data protection by default. In the paper, the ICO acknowledges the transparency and accountability objectives of the GDPR. The paper identifies the benefits of big data analytics and contains guidance on the practicalities of conducting PIAs in a big data context, since the GDPR will require a PIA for most big data applications involving the processing of personal data. The ICO presents six recommendations to help organisations achieve compliance, which include anonymisation, PIAs, appropriate privacy notices, privacy by design, the development of ethical principles and auditable machine learning algorithms.
To read the ICO's paper please click here.
The Court of Justice of the European Union (CJEU) has ruled that a telephone subscriber who gives permission for his or her data to be published in one member state has given permission for that data to be used in all member states. The judgment relates to a Belgian company, European Directory Assistance (EDA), which offers directory enquiry services from Belgium. EDA had asked three companies that assign telephone numbers in the Netherlands for data on their subscribers, but the companies, Tele2, Ziggo and Vodafone Libertel, refused, saying that they were not required to comply. Ultimately the CJEU disagreed with this approach.
Full details of the judgment can be found here.
The proposed Directive's scope is intended to cover the provision of digital goods (such as films, music, computer programs and e-books) and services (such as social media platforms and cloud computing services) for a price, or where a consumer actively provides "personal data or other data as counter-performance", including where free services are provided on this basis.
Whilst the Directive remains in draft form (and is subject to change), it is important for digital businesses to be aware of the personal data related issues which are likely to impact their supply contracts, including businesses whose economic model is based on providing "free" services that derive value from personal data collected.
The European Data Protection Supervisor's (EDPS) opinion confirmed support for the overall aim of the proposed Directive but highlighted some concerns in relation to the use of personal data as a currency in return for goods or services. In the EDPS' opinion, the treatment of personal data as a currency could diminish the fundamental right to protection of personal data enshrined in EU legislation. Perhaps notably for those in the process of implementing the GDPR, the broad definition of personal data in the draft Directive could mean that all data within the scope of the proposed Directive would also be covered by the GDPR and the related EU data protection framework. Businesses may therefore need to engage with a further regulatory regime, resulting in increased cost and manpower, unless the proposed Directive is amended to tie in more closely with the GDPR.
A copy of the EDPS' opinion can be found here.
The European Court of Justice (ECJ) considers that the right to be forgotten does not apply to personal data in a companies' register. The case concerns an Italian national, Mr Manni, who was awarded a contract for the construction of a tourist complex in Italy. The properties failed to sell and Mr Manni believed this was because the companies' register disclosed that his previous company had been declared insolvent and struck off the register following liquidation proceedings. Mr Manni requested that the Italian Chamber of Commerce (ICC) delete his personal data from the companies' register, but the ICC refused.
The ECJ confirmed that the right to be forgotten is qualified and has to be balanced against other rights, in this case the right of the public to access information. As such, Mr Manni did not have a right to demand the removal of his personal data from a company register. It will be interesting to follow whether the same approach is taken by courts and regulators in interpreting the enhanced "right to be forgotten" in the GDPR.
To view the press release, please click here.
The biggest ever leak of secret CIA documents by WikiLeaks, named "Vault 7", highlighted the CIA's ability to penetrate everyday consumer electronics (e.g. iPhones, laptops etc.) belonging to members of the public, intensifying concerns about individuals' right to privacy, famously roused back in 2013 by Edward Snowden. The 8,761 documents published by WikiLeaks focus mainly on the CIA's techniques for hacking and surveillance.
Reports suggest that the CIA views the latest leaks as a move in the US-Russia intelligence services battle. However, one explanation for the leaks could be the release of data to support a case that Russian interference in the US election is merely a conspiracy theory. Regardless, Vault 7 will (once again) raise questions about the inability of US intelligence agencies (and other intelligence agencies around the world) to protect secret documents in the digital age.
Germany has raised its alert level against cyber-attacks to "heightened readiness" ahead of the country's parliamentary elections in September 2017. It has been reported that German government websites are already subject to daily assaults.
"We are noticing attacks against government networks on a daily basis," Arne Schoenbohm, president of Germany's Federal Office for Information Security (BSI), told the newspaper Welt am Sonntag. The BSI is in close contact with election officials, political parties and German federal states to discuss how to guard against cyber-attacks and stands ready to react to potential attacks ahead of the elections, Mr Schoenbohm said.
This is undoubtedly a result of the breach recently suffered by the Czech Republic, the cyber-attacks interfering in the US presidential election, and the suspected Russian hack on the Norwegian foreign ministry and armed forces.
The ICO has issued one of its highest fines to Road Accident Consult Ltd (trading as Media Tactics), which was behind 22 million nuisance calls, following 182 complaints made via the ICO's online reporting tool. Notably, automated marketing calls of the kind Media Tactics made, which play a recorded message, can only be made to people who have specifically agreed to receive such calls.
Media Tactics told the ICO’s enforcement team that it had bought data from other firms and believed the data subjects had consented to being contacted. The phone numbers were sourced from a range of websites including discount and prize draw websites, pay day loans, insurance brokers and an electronic cigarette seller.
Many of the privacy notices on the identified websites were generic and unspecific, for example: "we may share your details with third parties whose offers we think might interest you" or contained a long list of general categories of organisations to whom the data would be disclosed, including, to name a few, the following sectors: astrology, charitable organisations, comparison websites, debt collection, financial providers, fashion and leisure goods, general retailers and general marketing. Most of the privacy notices did not refer to the data being used for the purposes of making automated direct marketing calls.
The ICO found that automated marketing calls can only be made to people who have previously notified the caller that they consent to such communications being sent by, or at the instigation of, the caller. As such, Media Tactics did not have the necessary permission and was acting against the law.
For more information, please click here.
An investigation was commenced in April 2015 when a patient found that transcripts including details from interviews with Lister Hospital IVF patients could be freely accessed by searching online.
The investigation revealed that the hospital had been routinely sending unencrypted audio recordings of the interviews by email to a company in India. Details of private conversations between a doctor and various hospital patients wishing to undertake fertility treatment were transcribed in India and then sent back to the hospital. The ICO found that the Indian company could not restrict access to the personal information because it stored the audio files and transcripts on an insecure server.
HCA International Ltd breached the DPA by failing to ensure that its sub-contractor acted responsibly in compliance with the seventh data protection principle. Head of ICO enforcement, Steve Eckersley, said: "The reputation of the medical profession is built on trust. HCA International has not only broken the law, it has betrayed the trust of its patients."
For more information, please click here.
Norfolk County Council has been fined £60,000 for leaving files, which included sensitive information about children, in a cabinet sent to a second-hand shop. The breach by Norfolk County Council came to light after the cabinet was purchased by a member of the public.
The ICO commented: "Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal data were thoroughly checked before disposal."
For more information, please click here.