The Commissioner has this week issued an enforcement notice to the Labour Party in response to its act of making unsolicited automated marketing calls without consent to almost half a million people. The calls were made in June 2009 and were designed to encourage people to vote in the European elections. The ICO held that, notwithstanding their inherently political nature, the actions taken by the Labour Party amounted to unlawful ‘direct marketing’ for the purposes of the Privacy and Electronic Communications Regulations 2003. The enforcement notice requires the Labour Party to desist from making further automated calls without the recipients’ consent. Breach of the notice will amount to a criminal offence and could lead to prosecution. This is not the first time that a political party has received an enforcement notice in response to making automated calls. Similar notices have previously been served on the Conservatives, the Scottish National Party and the Liberal Democrats. See further the Commissioner’s press release on this issue.
Demystifying Data Protection
November 27th, 2009 by Timothy Pitt-PayneThe Information Commissioner’s Office has just launched a Guide to Data Protection, available on the ICO website. At the heart of the guidance is a detailed commentary on each of the Data Protection Principles, and on the conditions for processing set out in Schedule 2 and 3 of the Act.
The Data Protection Act 1998 is, notoriously, not user-friendly. One of the problems is that so much of its central content is tucked away in the Schedules: for instance, you have to get as far as Schedule 7, paragraph 10 before you find out that there is an exemption to the right of subject access where information is protected by legal professional privilege. So assistance in navigating the legislation is very welcome.
On a first glance, the ICO Guide looks as if it will be of real help - clearly written, comprehensive, but not unduly lengthy. It will also be useful to those wanting to know how the ICO itself might interpret and enforce the Act.
Banned Aid
November 21st, 2009 by Timothy Pitt-PayneIn March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. We posted about this story here, earlier this year.
Today, the Guardian has extensive coverage of what has happened since.
The Department for Business, Enterprise and Regulatory Reform has now consulted on draft regulations under section 3 of the Employment Relations Act 1999. The consultation ended on 18th August 2009. The proposed regulations are intended to outlaw the compilation, dissemination and use of blacklists of trade unionists. They would make it unlawful to refuse employment, or to dismiss employees or subject them to a detriment, for reasons related to a prohibited blacklist. Individuals who suffer loss through blacklisting would be able to bring claims either in the Employment Tribunal or in the civil courts, depending on the nature of their complaint.
The trade union UCATT commissioned a report from the Institute of Employment Rights about the proposed regulations. The report, by Professor Keith Ewing, was published on 15th September 2009: it is entitled “Ruined Lives”, and deals specifically with blacklisting in the construction industry. It includes sample material from Consulting Association files. The report gives a fascinating history of the practice of blacklisting, going back to the late 19th century. It suggests a number of changes to the draft Regulations, including: that keeping or using a blacklist, or supplying information to it, should be a criminal offence; and that there should be a right to compensation for the fact of being included on a blacklist, even if the inclusion does not lead to any loss.
A further point to note about the draft Regulations is that they deal specifically with the blacklisting of trade unionists (as does section 3 of the 1999 Act). So they would not assist individuals who had been blacklisted for other reasons; e.g. because of their political beliefs and affiliations, or because they have a history of raising concerns about health and safety issues.
A number of individuals have brought employment tribunal claims arising out of alleged blacklisting. The claims have been consolidated and there will be a case management discussion in Manchester ET on 24th November 2009. This blog gives further information.
Meanwhile the Information Commissioner’s Office (ICO) has taken control of the Consulting Association database. Individuals who think that they may have been blacklisted can contact the ICO; for more information, see this page of the ICO’s website.
Civil penalty notices: consultation
November 12th, 2009 by Ben HooperWhen the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if - in essence - the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.
The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be compared with the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and - for example - a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up only paying a maximum of £400,000.
One final point. The penalties are to be paid into the consolidated fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.
WHEN WILL THEY EVER LEARN?
November 10th, 2009 by Timothy Pitt-PayneWe call them “data protection duck outs”. The New Zealanders call them “BOTPAs” (standing for “Because of the Privacy Act”). Organisations do something silly, and then blame it on data protection legislation.
There’s a nice recent example. A parcel was addressed to a 9 day old baby. Initially the Royal Mail wouldn’t deliver it to her grandfather, apparently because the Data Protection Act required the baby to sign for it personally. Not surprisingly, the ICO has confirmed that the Act does not require anything of the kind.
Lock up your data
June 5th, 2009 by Timothy Pitt-PayneThe importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.
A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.
Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:
“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”
Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.
Doing it by the book
June 5th, 2009 by Timothy Pitt-PayneThe Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook. As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.
Following the HMRC data breach in November 2007, the Cabinet Office introduced a requiring for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.
The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II then gives a practical guide to conducing a PIA. There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.
The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.
Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.
Who blacklists the blacklisters?
May 11th, 2009 by Timothy Pitt-PayneIn March this year the Information Commissioner took enforcement action against the Consulting Association, which had been operating a secret blacklist of employees in the construction industry, including details of trade union activity. Today the Department for Business, Enterprise and Regulatory Reform has announced that new regulations will be introduced to outlaw the use of blacklists in this way. There is a power to regulate under section 3 of the Employment Relations Act 1999, but so far it has never been used. A consultation exercise is promised for early summer. Draft regulations were previously prepared in 2003, and there was full consultation; so this time round the consultation will be shorter than the normal 12 week period.
It is very interesting to see such a direct link between action by the ICO, and new regulations. The Government line had previously been that there was no evidence that regulations were needed. The ICO has now provided them with their missing evidence.
Blacklists have a long history. The Economic League attracted controversy in the 1980s (and was eventually disbanded in 1994); apparently it had a list of 22,000 political subversives, including one Gordon Brown MP.
Employment vetting is much in the news at present and is clearly attracting great interest. We are currently considering an exciting project in this area: watch this space!
California court says don’t cry before you’re hurt
April 27th, 2009 by Timothy Pitt-PayneIn November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people. Since then there has been a steady stream of stories about data losses, mainly from the public sector.
The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data. Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage. If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient. What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place? Would this count as damage?
A US district court in California has recently considered a similar question. In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants. In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud. The Court granted summary judgment to the defendants and dismissed the claim. Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence. The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy. It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring. The plaintiff had not taken up this offer.
In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss. Of course, individuals who suffer direct financial loss - through ID fraud or otherwise - should be compensated. But in the Ruiz type of claim individual damages are likely to be modest. There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation. Instead the focus should be on deterring breaches and avoiding recurrence. The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.
If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen. Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement. The Government agreed. Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.
Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.