Welcome to the October 2016 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions.
Following an in-depth investigation by the ICO into a significant data leak that occurred in October 2015, TalkTalk has now been hit with a record fine of £400,000.
The investigation found serious inadequacies in TalkTalk's security. For example, the database software used by TalkTalk was seriously outdated and contained a vulnerability for which a fix had been available for more than three and a half years before the incident. The attack vector was SQL injection, a class of attack that had been well understood for more than ten years before the leak and for which well-established defences exist (notably parameterised queries and input validation).
The ICO's investigation further found that TalkTalk had been subject to two earlier SQL injection attacks, in July and September 2015, but that the company had taken no action because the affected webpages were not being properly monitored and the attacks went unnoticed.
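To make the two findings above concrete, here is an added example (not TalkTalk's code; the customer table, the injection payloads and the access-log lines are all constructed). It shows the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database, followed by a crude URL-decoding check of the kind that would have surfaced the earlier probes had the affected pages been monitored.

```python
"""Vulnerable vs parameterised SQL lookup, plus a crude access-log check.

Added example for illustration, not TalkTalk's code. The customer table,
the injection payloads and the log lines below are all constructed.
"""
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for a customer table.
CUSTOMERS = [
    ("C1001", "alice@example.test", "1234567890"),
    ("C1002", "bob@example.test", "2345678901"),
    ("C1003", "carol@example.test", "3456789012"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account_id TEXT, email TEXT, bank_account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """Splices user input into the SQL text: a quote in the input rewrites the query."""
    sql = (
        "SELECT account_id, email, bank_account FROM customers "
        f"WHERE account_id = '{account_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Binds the value as a parameter: it is data, never SQL, whatever it contains."""
    sql = "SELECT account_id, email, bank_account FROM customers WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


# Substrings that rarely appear in legitimate query strings for this page.
# A real deployment would tune these per application; this list is constructed.
SQLI_MARKERS = ("'", '"', "--", "/*", " or ", " union ", " select ", "sleep(", "benchmark(")


def flag_sqli_attempts(log_lines: list) -> list:
    """Return the Common Log Format lines whose decoded request carries an injection marker."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue                          # not a CLF line with a quoted request
        decoded = unquote(parts[1]).lower()   # undo %27, %20 etc. before matching
        if any(marker in decoded for marker in SQLI_MARKERS):
            flagged.append(line)
    return flagged


# Constructed access-log lines: two ordinary requests and two injection probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2015:09:12:01 +0000] "GET /account?id=C1001 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2015:09:12:07 +0000] "GET /account?id=C1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811',
    '198.51.100.7 - - [10/Jul/2015:09:13:44 +0000] "GET /account?id=C1002 HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Jul/2015:09:14:02 +0000] "GET /account?id=C1002%27%20UNION%20SELECT%20account_id%2Cemail%2Cbank_account%20FROM%20customers-- HTTP/1.1" 200 9811',
]

if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("vulnerable, legitimate id :", len(lookup_vulnerable(conn, "C1001")), "row(s)")
    print("vulnerable, payload       :", len(lookup_vulnerable(conn, payload)), "row(s)")
    print("parameterised, payload    :", len(lookup_safe(conn, payload)), "row(s)")
    for line in flag_sqli_attempts(SAMPLE_LOG):
        print("flagged:", line)
```

The vulnerable lookup returns every customer for the `' OR '1'='1` payload and, for the UNION probe, appends the whole table to the result; the parameterised version returns nothing for either, because the payload is compared literally against `account_id`. The log check is deliberately simple (it will flag any apostrophe in a query string), which is the right trade-off for a page that should never legitimately receive one.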
As a result of these findings the ICO concluded that, "for no good reason", TalkTalk had "failed to take appropriate measures against the unauthorised or unlawful processing of personal data, in contravention of the Data Protection Act." TalkTalk was therefore in breach of both principle 1 and principle 7 of the DPA.
The fine levied by the ICO is the biggest it has ever issued. It reflects the range of factors at play in the case and the severity of the breach. The ICO further expressed its hope that other businesses will now learn from TalkTalk's mistakes and treat their data protection obligations with the seriousness they deserve.
The High Court has ruled that the General Medical Council (GMC) was wrong in its decision to disclose a doctor's fitness to practise report following a subject access request (SAR) from that doctor's former patient.
The former patient alleged incompetence against the doctor and filed the SAR in order to assist with potential litigation. The GMC consulted with the doctor, who refused to consent to disclosure of the report on the basis that 1) it was his personal data, and 2) the purpose of the request was litigation.
The GMC conducted a balancing exercise of the parties' competing privacy rights and decided that the report could be disclosed but, after corresponding with the doctor's solicitors, refrained from doing so until the dispute had been resolved by the courts.
The High Court found that the GMC's decision making process was insufficient, identifying "four factors that the GMC balancing exercise did not reflect adequately", including the rebuttable presumption against disclosure in the absence of consent and the litigious purpose of the former patient's SAR.
In his judgment, HHJ Soole set out the following three steps that data controllers should take when conducting similar balancing exercises:
- attempt to balance the privacy rights of the data subjects;
- if there is no consent, the starting point must be against disclosure and this is even more so the case if there is an express refusal of consent; and
- consider using CPR Part 31 (disclosure in litigation) if the sole or dominant purpose of the SAR is to obtain documents for litigation, as that is the more appropriate route under which to make the disclosure.
The recognition of the litigious purpose as a relevant factor in determining the response is an important development and does run counter to ICO guidance on this topic.
American computer technology firm Seagate is set to face a class-action lawsuit from its own employees for failing to properly protect their data. This follows a similar class-action filed by 6,000 Morrisons' employees in the UK earlier this year after personal data relating to up to 100,000 members of staff was mistakenly published online.
The proposed action follows a massive breach in March this year when an employee in the firm's HR department responded to an e-mail from a hacker masquerading as a member of Seagate's senior management. The employee inadvertently forwarded on the personal details of around 10,000 people to the hackers, including information relating to employees of the firm as well as their families.
The technique used against Seagate is a form of 'whaling', phishing that targets or impersonates senior executives. The attackers typically spend weeks or even months researching the target firm, learning its reporting lines, names and internal habits, so that a request purporting to come from senior management looks routine to the employee who receives it.
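The obvious defensive check on the Seagate pattern is to notice when a known executive's name arrives on an address that is not theirs. The following is an added example of that check, not Seagate's code; the corporate domain, the executive directory, the list of sensitive-request phrases and both sample messages are constructed.

```python
"""Flag inbound mail that impersonates a known executive (whaling / BEC).

Added example for illustration, not Seagate's code. The corporate domain,
the executive directory, the keyword list and both sample messages are
constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"           # assumed internal domain

# Constructed directory: normalised display name -> the only address it may use.
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.test",
    "richard roe": "richard.roe@example-corp.test",
}

# Constructed phrases typical of a request for bulk employee data.
SENSITIVE_REQUEST_TERMS = ("employee list", "payroll", "home address", "national insurance", "w-2")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    if msg.is_multipart():
        return " ".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def whaling_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no indicator fired, not that the mail is safe.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. A known executive's display name on an address that is not theirs
    #    (catches both external webmail and lookalike domains such as c0rp).
    name_key = " ".join(from_name.split()).lower()
    expected = EXECUTIVES.get(name_key)
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' used with {from_addr} instead of {expected}")

    # 2. Replies silently diverted to a different domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append(f"Reply-To {reply_addr} diverts replies away from {_domain(from_addr)}")

    # 3. The message asks for bulk personal data; on its own this is only a hint,
    #    but combined with 1 or 2 it is the pattern described above.
    body = _body_text(msg).lower()
    hits = [term for term in SENSITIVE_REQUEST_TERMS if term in body]
    if hits:
        reasons.append("requests sensitive employee data: " + ", ".join(hits))
    return reasons


# Constructed sample messages.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.test>
To: hr@example-corp.test
Subject: Q3 headcount

Could you send over the Q3 headcount summary when you have a moment?
"""

SPOOFED = """\
From: Jane Doe <jane.doe@example-c0rp.test>
Reply-To: jane.doe.ceo@webmail.test
To: hr@example-corp.test
Subject: Urgent - employee records

I need the full employee list with home address and payroll details today.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, "->", whaling_indicators(raw) or ["no indicators"])
```

The check is a triage aid for the mail gateway or the HR mailbox, not a replacement for SPF/DKIM/DMARC on the corporate domain; its value is that it fires on lookalike domains and diverted Reply-To headers, which pass authentication checks because the attacker controls those domains.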
It is believed that Concentrix, a US firm contracted by HMRC to administer cuts to tax credit payments, has suffered a serious data protection breach.
A group calling itself 'Concentrix Mums' has alleged that the firm has committed significant breaches of the Data Protection Act 1998 (DPA) by sending out documents containing personal data to the wrong claimants. In several cases individuals have allegedly received the case and national insurance numbers of other tax benefit claimants.
If true, such errors would constitute a major breach of Concentrix's data protection obligations and could lead to enforcement action by the ICO and private litigation from affected data subjects.
HMRC have since released a statement saying that "the handling of individual claimants' private information is … strict and rigorous", and has announced that it will be investigating the allegations in full.
The Court of Justice of the European Union (CJEU) has determined that dynamic IP addresses can constitute personal data for the purposes of the EU Data Protection Directive (EC/95/46) (Directive), provided that the relevant person's identity can be deduced from a combination of the IP address and additional data.
The decision comes following a dispute between the German Government and Patrick Breyer, a German citizen. Mr Breyer objected to the retention of dynamic IP addresses, search terms and dates of access by various German public institution websites and argued that his IP address should be kept confidential. In response the German government contended that the IP address was not protected as personal data because it could not be used to identify Mr Breyer without further information being obtained from the Internet Service Provider (ISP).
The CJEU sided with Mr Breyer on the basis that, although the IP address alone would not be enough to identify a data subject, when combined with information held by the ISP it would render the individual identifiable, and it therefore fell within the definition of personal data.
The CJEU did recognise, however, that there could be exceptions to this where identification is either prohibited by law or practically impossible (i.e. if it required a disproportionate amount of time and cost to identify the data subject), and in which case the IP address would not be personal data.
The General Data Protection Regulation (GDPR), which will come into effect in May 2018, defines personal data in substantially the same terms as the Directive (and expressly lists online identifiers as a means of identification), so this decision can be expected to shape how IP addresses are treated under the new legislation.
The US Government has formally accused Russia of perpetrating cyber-attacks against the Democratic Party's computer networks in an attempt to interfere with the upcoming presidential elections.
Russia has previously been accused of complicity in the attacks by both Hillary Clinton and the Democratic Party, but this announcement by the Obama administration is the first time that the US has officially alleged that Vladimir Putin's government is behind the attacks.
In response the Russian government has denied any involvement, claiming that "Russia does not meddle in other countries' domestic affairs." Moreover, the Russian Government has hit back by claiming that Putin's personal website is attacked by "several thousand hackers each day", many of whom can be traced back to the USA. The Russian Government has also reiterated an offer made to President Obama last year to hold a joint conference on the subject of fighting cybercrime together.
Over 19,000 e-mails were stolen from the Democratic Party's computer systems in July this year. The contents of some of these e-mails were used in an attempt to embarrass Clinton and the Democratic Party by purporting to demonstrate evidence of alleged corruption and bias against Bernie Sanders, who had previously contested the role of Democratic nominee.
While the US Government has now formally blamed Russia for the attacks on the Democratic Party, it has stopped short of enacting sanctions against the Russian regime in retaliation. American cyber-security agencies have also sought to reassure voters that the decentralised nature of US voting systems will prevent any further "Russian-sponsored electoral tampering."
As reported here in our September edition, the internet giant Yahoo recently confirmed that information from at least 500 million accounts was stolen in a sophisticated cyber-attack that occurred in 2014.
US law enforcement and regulatory bodies are currently investigating the incident in order to determine whether or not any disciplinary action should be taken against the firm. Meanwhile, a private Yahoo user whose personal data were amongst those stolen in the hack has now filed a lawsuit against Yahoo in the Californian federal court for gross-negligence and breach of various US laws.
This lawsuit was filed on behalf of all affected users of Yahoo in the USA and as such seeks class-action status. The lawsuit is for unspecified damages and cites a failure by Yahoo to bulk up its security measures as a reason for the breach.
Lawyers for the plaintiff anticipate that many hundreds more lawsuits may be filed against Yahoo across the US and overseas, with the potential liability for the company running into tens of millions of dollars. Such an outcome would have serious repercussions for Yahoo's value and could further jeopardise the already perilous state of take-over talks with Verizon (please see the September bulletin for more details).
On 11 October the G7 group of industrialised nations announced that they had agreed on guidelines for the protection of the global financial sector from cyber-attacks. This announcement follows a series of cross-border cyber-attacks and electronic bank robberies by sophisticated groups of hackers.
The guidelines comprise a set of non-binding principles and have since been published on the websites of the relevant cyber-security agencies for each G7 member, including by the UK Government.
The purpose behind the principles is to encourage government agencies, regulators and private entities to "approach cyber-security from a risk-management perspective". By publishing an agreed set of principles, the G7 countries hope to harmonise a global approach to cyber-security and to ensure that any weak links in the system are strengthened as a result.
Of particular interest is element four: Monitoring. This recommends that entities should "establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls." Although the guidelines do not create a legal obligation for private firms to institute monitoring systems, they encourage such entities to do so now if they have not already.
The Investigatory Powers Tribunal has revealed that British security agencies including MI5, MI6 and GCHQ have operated an illegal regime to "secretly and unlawfully collect massive volumes of confidential personal data" over the previous 17 years.
The agencies harvested various types of communications data as part of the 'collection of bulk communications data (BCD)' programme and are said to have done so "without adequate safeguards or supervision." In addition, significant types of personal data including personal medical, financial and tax records were kept by the agencies as part of the 'bulk personal datasets (BPD)' regime.
The tribunal has now ruled that both the BCD and the BPD regimes failed to comply with article 8 of the European Convention on Human Rights (ECHR), incorporated into UK law by the Human Rights Act 1998. However, the judgment did not specify whether or not the unlawfully gathered data would now be deleted.
The tribunal further determined that since the disclosure of the agencies' activities in 2015, the collection of data in this way has been subject to more effective scrutiny and supervision. As a result, the data collection and retention activities carried out by the agencies concerned no longer threaten to breach article 8 of the ECHR.
The ruling comes as the Investigatory Powers Bill (the so-called 'Snooper's Charter') faces its final hurdle in the House of Lords. Once passed into law, the Snooper's Charter will place the mass digital surveillance carried out by the UK's security agencies on a clear legal footing for the first time.
The "first in the nation" cyber-security regulation proposed by the New York Department of Financial Services (DFS) is another step closer to becoming law this month as the period for public comment on the draft legislation draws to a close.
It is currently proposed that from 1 January 2017 the draft regulation will apply to over 3,000 financial institutions and insurers required to operate their business under a licence (or similar requirement) pursuant to New York banking, finance or insurance law. The regulation will therefore apply to foreign-based entities as well as domestically based firms, and will introduce legal obligations far in excess of existing US federal legislation relating to cyber-security.
Among other requirements, the draft legislation will oblige affected firms to appoint Chief Information Security Officers and employ cyber-security personnel to oversee and enforce the cyber-security programme; to track data in sufficient detail to allow all financial transactions to be recreated in the event of a breach; and to encrypt all non-public information that the firm holds and transmits.
Compliance with these new obligations will be vital as the DFS has the power to levy significant fines and is also able to revoke New York banking and insurance licences from offending firms.
Intelligent Lending, trading as Ocean Finance, has been fined £130,000 and issued with an enforcement notice by the ICO after sending more than seven million unsolicited spam texts. The ICO received nearly 2,000 complaints from individuals during the four-month period in which Ocean Finance sent the texts.
The company claimed that it believed it was complying with the law because the third party firm who provided the names and contact details of the consumers had stated that it had obtained consent from the consumers to send texts to them.
The ICO's investigation into the spam texts found that the consent the third party claimed to hold did not meet the consent requirements for direct marketing by text (imposed by the Privacy and Electronic Communications Regulations, which sit alongside the DPA). Steve Eckersley, ICO Head of Enforcement, warned that this decision should be a reminder that it is the responsibility of all companies embarking on similar marketing campaigns to ensure that personal data has been obtained fairly and lawfully and that "it is not enough to rely on the word of a third party."
The ICO has published detailed guidance for firms carrying out direct marketing.
A Northern Irish care home has been fined £15,000 by the ICO following a breach of its data protection obligations. The breach occurred when an employee of the Whitehead Nursing Group took home an unencrypted laptop after work. The laptop contained residents' dates of birth and medical records, as well as the disciplinary and sickness records of members of staff, and was later stolen during a burglary.
The fine levied by the ICO was considered proportionate to the organisation's size and the presence of several mitigating factors.