Information Commissioner on primacy of data protection for all professionals – backed by swingeing penalties

That was before the days when you could sit on the train with your smart phone checking up on your friends on Facebook, tracking the location of the Uber taxi that’s coming to collect you from the station, planning flights for your next beach holiday or making a few quick bank transfers. Whilst it’s all very convenient to be able to do these things anytime, anywhere, every single action that you take on your smart phone, your i-Pad or even your desk top can be tracked and stored seemingly in perpetuity. For these reasons, a shake-up of data protection law is needed to make it fit for the 21st century and beyond.

New Legislation

In May 2018, new legislation – the General Data Protection Regulation (“GDPR”) – will come into force. It extends the rights that individuals currently have under data protection law, introduces a new culture of “accountability”, and increases the penalties and obligations that arise when organisations breach individuals’ rights.

The Information Commissioner, in a speech to the ICAEW in January, commented: “We’re all going to have to change how we think about data protection”.

She made it clear that the changes would be significant, and were designed to protect rights in a world in which “a lot of people feel that they’ve lost control of their own data”.

Personal Data

The definition of “personal data” under the new law is more detailed than under the current legislation, reflecting changes in technology and the way in which organisations collect information about individuals. For example, online identifiers – such as an IP address – will be personal data under the new regime, as will data which has been key-coded (or “pseudonymised”) provided that it is not too difficult to attribute the pseudonym to a particular individual. However, it is not only new technologies that are covered. Manual filing systems will in future be more widely defined, so that a set of papers arranged simply in date order (which would not be included as personal data under the current law) are likely to be covered.

Accountants and other professionals deal with personal data every day. Examples include: HR records; clients’ payroll information; expenses details showing who travelled to where and when; and customer marketing information such as which Managing Directors enjoy being entertained at the rugby…

Strengthening Individuals’ Rights

Some of the important changes to data protection law, strengthening individuals’ rights, are:

• changes to subject access rights, meaning that individuals will be able to obtain details of their personal data from an organisation in a maximum of 30 days (as opposed to the current 40) and, in most cases, without having to pay a fee;
• the “right to be forgotten” which may entitle individuals to request complete erasure of their data; and
• much more stringent consent requirements.

Probably the most significant change will be to the consent requirements. Organisations will no longer be allowed to rely on silence, pre-ticked boxes or inactivity to signify consent to the processing of personal data. Instead

• clear affirmative action will be required for an individual to give consent, and
• organisations will have to keep records of that consent.

This will cause a problem for organisations currently processing data which are unable to prove positive consent –

when the new legislation comes into force, they will have to either find an alternative legal basis for processing the data, or they will have to cease processing the data.

In her speech to the ICAEW, the Information Commissioner made it clear that she expected organisations to move away from seeing data protection as a “box ticking exercise” towards building a “culture of privacy that pervades an entire organisation”. She emphasised the business benefits of being perceived as an organisation which respects the privacy of individuals, and foresaw that this issue could well play a role in consumer choice.

Sanctions

However, for those organisations that do not take data protection legislation seriously, there is a big stick. The Information Commissioner’s Office (“ICO”) has not held back from using its current powers to enforce the data protection legislation. Three recent examples demonstrate the approach:

• A historical society was fined £500 when a laptop containing personal information about people who had donated artefacts to the society was stolen from an employee’s home. The laptop was not encrypted, and there were no appropriate policies in place covering employees working from home or using mobile devices. The ICO made it clear that the fine was low due to the historical society’s financial circumstances – and that most organisations should expect to receive a much higher fine for similar breaches. The ICO has confirmed in the past that where an organisation’s unencrypted laptop containing personal data is stolen or misplaced, then a fine will follow.
• The ICO warned a council to toughen up its data protection procedures after a social worker left some court documents containing sensitive information about 27 people (including 14 children) on the roof of her car and then drove off. The council was particularly criticised for failing to keep records of data protection training given to temporary staff.

An employee of a recruitment agency emailed personal data of 100 clients and potential clients to her personal email address as she was leaving to start a new role at a rival recruitment company. She used the information to contact those individuals in her new job. She was prosecuted at Warrington Magistrates’ Court for the offence of unlawfully obtaining data. She pleaded guilty and was fined £200, ordered to pay costs – and of course now has a criminal record.

Increased Penalties

The new legislation will be backed by high penalties for breaches

• 20 Million Euros; or
• 4% of an organisation’s worldwide turnover if higher.

Organisations will have to self-report certain data breaches to the ICO within 72 hours.

Start Preparing for May 2018

So, the message is clear. All organisations – no matter how small – must start preparing for May 2018. As the Information Commissioner warned the members of the ICAEW,

“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that damage their bank balance or business reputation.”

Louise Connacher is a Director in our Employment Department. For further information regarding Data Protection / HR Matters contact her or a member of the Data Protection Team.