29 Sep 2017

Data Protection update - September 2017

Linkedin

Welcome to the September 2017 edition of our Data Protection update, our monthly bulletin on key developments in data protection law. As always, please do let us know if you have any feedback or suggestions for future editions.

Data protection

Cybersecurity

ICO enforcement

Data protection

Data Protection Bill introduced before UK parliament

Following the release of the Government's statement of intent outlining proposals for the new Data Protection Bill last month (as reported in our August bulletin here), on 14 September 2017, the Government published the Data Protection Bill (the DP Bill). The DP Bill will repeal and replace the Data Protection Act 1998 (DPA) and is designed to complement the General Data Protection Regulation (GDPR) as well as set certain new standards for data protection in the UK. The DP Bill will enter into force in May 2018, and will be maintained after Brexit. In contrast, as it is an EU Regulation, the GDPR will cease to apply in the UK following Brexit.

Whilst being directly applicable in the EU from 25 May 2018, the GDPR empowers EU Member States to introduce, in its nationally implemented laws, variations from the GDPR in certain circumstances. The DP Bill does exactly this by supplementing the GDPR, incorporating a number of exemptions and derogations from the GDPR and providing valuable detail on how the GDPR will be enforced in the UK. The DP does not reproduce the text of the GDPR so the two documents will need to be read alongside each other. Notably, the DP Bill ensures that, following the implementation of the GDPR, the UK will retain many of the exemptions granted under the DPA which will allow businesses to continue to process personal data where necessary for legal or public interest reasons. The exemptions contained within the DP Bill cover a wide range of areas, including legal professional privilege, sensitive health and social care and education records. The DP Bill will be debated at its second reading in the House of Lords on 10 October 2017. It is thought that given the complexity of the legislation it will be heavily scrutinised in Parliament.

To read the DP Bill in full, please click here.

The Government has published a number of useful factsheets relating to the DP Bill which can also be accessed here.

Top

 

ICO issues GDPR draft guidance on contracts and liabilities

On 13 September 2017, the ICO published draft guidance, which is currently open for discussion, relating to contracts and liabilities between controllers and processors under the GDPR. It provides detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR, recognising that the enforcement powers under the GDPR, and the accompanying increases in potential fines, could have significant operational and financial implications for both controllers and processors.

A key requirement of the GDPR is that contracts must state details of the processing, such as the nature and purpose of the processing, the type of personal data being processed and categories of data subjects, and must also set out the processor's obligations. This includes the standards the processor must meet when processing personal data and the permissions it needs from the controller in relation to the processing.

In the future, it is thought that standard contractual clauses may be provided by the European Commission or the ICO, as is permitted by the GDPR, which could form part of a certification scheme. However, at the moment no standard clauses have been drafted.

The ICO has emphasised that existing contracts may need to be updated to reflect the new GDPR requirements from 25 May 2018.

It is therefore necessary to check existing templates and current contracts to make sure they contain all the required elements. If they don’t, new contracts will need to be drafted and signed. It would also be prudent to make sure that processors understand the reasons for the changes and the new obligations that the GDPR places on it.

Importantly, processors should be aware that they can be directly liable to controllers for failing to meet the terms of the agreed contract, as well as being subject to the investigation and corrective powers of the ICO or other applicable supervisory authority under the GDPR.

The consultation on this draft guidance ends on 10 October 2017.

To read the ICO's guidance in full, please click here.

Top

 

European Commission publishes data protection and information position paper on Article 50 Brexit negotiations with the UK

A position paper issued by the European Commission on 6 September 2017, on the use of data and protection of information obtained or processed before the withdrawal date of the UK from the EU, has stated that the UK's access to networks, information systems and databases established by EU law will, as a general rule, be terminated on the date of withdrawal from the EU.

It also outlines that the UK or entities in the UK may keep and continue to use personal data or information received or processed in the UK before the withdrawal date if the conditions set out in the position paper are met. Otherwise, such data or information (including copies) should be erased or destroyed.

The paper sets out the European Commission's essential principles to be presented to the UK in the context of Article 50 negotiations.

The principles include:

  1. provisions of EU data protection law applicable on the withdrawal date (e.g. the GDPR) should continue to apply to personal data in the UK, processed before the withdrawal date, relating to data subjects in the remaining 27 EU Member States and data subjects outside the EU to the extent that EU data protection law applied to such personal data before the withdrawal date (i.e. existing data subject rights are retained);
  2. EU classified and national classified information exchanged in the interests of the EU (e.g. information received from Member States by the UK on the basis of EU law) before the withdrawal date should continue to be protected in accordance with the provisions of EU law applicable on the withdrawal date; and
  3. other restrictions on use and access to data and information received by the UK from EU Member States before the withdrawal date (e.g. limitations of storage periods, professional secrecy rules in EU mergers, antitrust and state aid proceedings) should continue to be protected in accordance with the provisions of EU law on the withdrawal date.

To read the Commission's position paper, please click here.

Top

 

Employer monitoring of private messages may be a breach of human rights

Earlier this month the European Court of Human Rights reversed a 2016 judgment and held that, in monitoring an employee's personal e-mails, the employer had breached the employee's right to respect his private life and correspondence.

In light of this case it will be prudent for employers to take a look at their policies and practices when monitoring employees' communications, particularly bearing in mind the enhanced rights of data subjects under the GDPR.

We released an alert with our employment colleagues on this judgement. To read more, please click here.

Top

Cybersecurity

Government reports that businesses are still unprepared for cyber attacks

The UK Government has published two reports into the preparedness of FTSE 350 companies (the FTSE 350 Report) and the charity sector (the Charity Report) to address the risks posed by cyber attacks (together, the Reports). The FTSE 350 Report is an annual health check on cyber security, which is open to all FTSE 350 companies on a voluntary basis.

The findings of the Reports include:

  • one in ten FTSE 350 companies operate without a response plan for a cyber incident;
  • over fifty per cent of companies see cyber risk as a top level risk;
  • only six per cent of businesses are completely prepared for new data protection rules;
  • the charity sector is equally unprepared for the changes and additionally holds acutely sensitive information about vulnerable individuals;
  • charities, which often hold large data sets, are as susceptible to cyber attacks as businesses are;
  • due to restricted budgets, many charities tended not to have in-house expertise on cyber security and often relied upon informal information sources such as friends or family members; and
  • more than two-thirds of FTSE 350 company boards had received no training to deal with a cyber incident.

To read the Reports please click here and here.

Top

 

Equifax hack puts data of 400,000 UK customers at risk

400,000 people in the UK may have had their information stolen following a cybersecurity breach at the credit monitoring firm, Equifax.

The US company said an investigation had revealed that a file containing UK consumer information “may potentially have been accessed”.

The data includes names, dates of birth, email addresses and telephone numbers, but does not contain postal addresses, passwords or financial information. Equifax discovered the hack in July 2017 and informed its customers in mid-September 2017 after the ICO ordered Equifax to alert British customers following the firm’s announcement that criminals had exploited a website application to access its files.

Top

 

FA increases cyber security over hacking concerns

It has been announced that England players and staff will be advised not to use public or hotel Wi-Fi at next summer's World Cup in Russia over hacking fears. The FA is concerned that confidential information including injury, squad selection and tactical details could be hacked. FA officials are understood to be increasingly concerned about IT security in Russia, and have been boosting cyber counter-measures, including strengthening online firewalls and introducing encrypted passwords for websites and devices.

Top

 

ICO Enforcement

ICO fines Nottinghamshire County Council £70,000 for leaving vulnerable people's personal information exposed online for five years

The DPA requires organisations to take appropriate measures to keep personal data secure, especially when dealing with sensitive information. But, in July 2011, Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory, which didn’t have even basic security or access restrictions such as a username or password.

The matter was discovered when a member of the public using a search engine was inadvertently able to access and view the data with no need to log in, and was concerned that it could be used by criminals to target vulnerable people or their homes – especially as it even revealed whether or not they were still in hospital.

The ICO issued Nottinghamshire County Council with a monetary penalty notice in the sum of £70,000.

To review the penalty notice, please click here.

Top

 

Two substantial fines for companies behind illegal calls

The ICO has fined Easyleads Limited £260,000 for making 16.7 million automated calls. This fine comes the week after a company called Your Money Rights Ltd were held responsible, and fined £350,000, for making 146 million illegal calls about PPI; the highest number of automated calls to result in an ICO fine to date.

Neither Easyleads nor Your Money Rights had specific consent from the people it made automated calls to, which is required under the Privacy and Electronic Communications Regulations (PECR) to make automated marketing calls.

Following the ICO’s investigation, Companies House posted plans for Easyleads to be struck off and dissolved.

The ICO has made clear that it is committed to recovering fines it has issued and will work with insolvency practitioners and liquidators if a company moves to insolvency after being fined.

To review the Your Money Rights penalty notice, please click here.

To review the Easyleads penalty notice, please click here.

Top

Linkedin

KEY CONTACT

Jonathan Kirsop

Jonathan Kirsop
Partner

T:  +44 20 7809 2121 M:  +44 7554 403 022 Email Jonathan | Vcard Office:  London

Alison Kenney

Alison Kenney
Associate

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London