The ICO has agreed not to issue the Health Board with an enforcement notice, as the Health Board has instead agreed to written undertakings to ensure that all staff including clinical staff are made aware of their data protection policies and receive sufficient training. The Board agreed to take other steps, including processes to confirm patient identity before sending out correspondence.

The Information Commissioner’s Office had agreed with the FSA’s decision, but now the Information Rights Tribunal has ruled that the names should not have been withheld as they did not amount to “personal data”. To be “personal data” under the Data Protection Act, the data needed to be biographical to affect the people’s privacy. Just providing the name was not something so as to affect their privacy. That might have been different, however, if the nature of the people’s involvement gave away other information about them and their views, such as if they worked for an organisation that conducted experiments on animals. That was not the case here, though.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “In my view, these are breaches of the Act, but not really serious breaches. Considering the flagrant breaches of data protection laws carried out by some, it would be unfortunate if an organisation’s mistake that did not reveal very private categories of data went punished when it does so much good. However, it should still be a salutary lesson to always have regard to data protection laws.”

Social networking sites can process the photos without breaching data protection law if that processing is being done to check whether consent has been obtained, but, once that check has been finalised, the site must delete that information.

Facebook currently uses facial recognition technology to suggest the names of people featured in photographs to the uploaders. The name tags used by the uploaders can be viewed by other Facebook users.

Aside from consent, the Article 29 Working Party said that the social networking sites would need to take adequate technical measures such as encryption while the images are being uploaded. They should also use technical controls to try to safeguard against the images being used by third parties for purposes for which the user had not consented. To add to the regulatory burden, the body added that compliance with EU data protection law also meant giving the data subjects sufficient access rights to their images and not storing more data than was necessary for the tagging purpose.

The Working Party’s opinion also included some comments on the use of facial recognition technology by search engine providers and gaming services.

The Opinion is not legally binding, but it is best practice to comply with it, particularly as it gives an indication as to the action that the regulators would take to enforce the law.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “The Working Party has once again taken a strict pro-privacy stance in providing an opinion. This is similar to the tough line it took against social networking sites and others in its opinion last year on geo-location services. For more on that geo-location opinion, click here: http://www.mablaw.com/2011/06/article-29-working-party-geo-location-data/.”

The Guidance can be found here: www.ico.gov.uk/~/…/Data_Protection/…/disproportionate_effort.pdf.

Its attacks included calling the requirement for all organisations with more than 250 employees to have a dedicated data protection officer disproportionate. It also criticised the data breach notification requirements as leading to unhelpful notification that may negatively impact on the quality of analysis that data controllers carry out before notifying; the CBI advocate a more risk-based approach, with notifications when there was an identified threat of material harm. In addition, it said the “right to be forgotten” was misleading as some organisations such as financial services and employers had to retain data and other organisations would be unable to guarantee whether third parties had reproduced the data anyway.

The CBI’s report follows a recent appraisal by the Information Commissioner’s Office in which the UK’s data protection regulator had not been totally behind the new rules. For more on the ICO’s reaction, see here: http://www.mablaw.com/2012/03/information-commissioner%e2%80%99s-office-eu-data-protection-laws/. The CBI’s report can be found here: http://www.cbi.org.uk/media-centre/press-releases/2012/03/eu-data-protection-reforms-risk-strangling-innovation-cbi/.

The report can be found here: https://www.trustwave.com/global-security-report.

Lancashire Constabulary has admitted breaching the Act, and has signed an undertaking with the ICO, promising to take better care of personal data, particularly if it involves sensitive personal data such as ethnicity and sexuality. Amongst the undertakings are promises to keep data to a minimum when taken outside of police stations and only take hard copy documents incorporating the personal data when absolutely necessary. The undertakings can be found here: http://www.ico.gov.uk/news/latest_news/2012/lancashire-constabulary-receives-penalty-after-loss-of-missing-person-report-14032012.aspx.  

Since 2010, the ICO has been entitled to fine organisations up to £500,000 for serious breaches of the Act.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “After many years of problems for EU organisations of doing business with people in the US because of the US’s lack of data protection laws, this looks to be a major step forward in international trade. We need to await what the new law will look like. But this is promising.”

• It welcomes the continued exemption for domestic processing, although it says that it would be helpful to clarify that personal commercial activity such as selling something for oneself on an online auction site – is within the exemption.
• The ICO is pleased to see non-EU data controllers fall within the law, but it questions how it can be enforced, and also who would be caught – for example, would a US site merely offering goods that happen to be seen by someone in the EU have to comply with the EU laws?
• It wishes to see clarity over whether online identifiers such as Internet Protocol addresses and cookie identifiers count as personal data. The ICO believes it should depend on the context, so that where the details are used to target a particular individual, that would be personal data. 
• Clarity that, for consent to apply, this would need a clear affirmative action such as clicking a tick-box or taking some other positive step.
• The ICO wishes to see a default position of processing being able to take place except where it overrides the data subject’s fundamental rights and freedoms.
• The ICO wonders why some categories of data such as trade union membership are given heightened status of “sensitive personal data”, whereas others that data subjects would think of as being more sensitive (such as financial data) are not considered as such.
• It welcomes the new “right to be forgotten”, being the right of individuals to have their data (such as at online social networking sites) removed. However, this could be misleading to data subjects as in many cases their data cannot be totally “forgotten” and will still appear on the Internet.
• Perhaps the strongest criticism comes in relation to notification of data breaches. Whilst the ICO is strongly in favour of such a duty, it should be proportionate with only the serious breaches (such as financial loss occurring) being notified to avoid the danger that regulators will receive more notifications than it can cope with. In addition, the proposed timing should be changed so that the requirement should be without undue delay rather than within 24 hours, as too early a notification could lead to meaningless information and a distraction from dealing with the breach.

Mr Graham blasted the “chicken feed fines” of £200 that had to be handed out to someone guilty of an offence of data blagging under the Data Protection Act, on the same day as other people were jailed under the Fraud Act for the same activity. Under the Criminal Justice and Immigration Act, the Justice Secretary has the power to introduce new regulations that would provide for jail as an option, but this has not yet been done.

For more on the cases and the ICO’s views, click here: http://www.ico.gov.uk/news/latest_news/2012/letting-agent-unlawfully-accessed-tenants-benefit-details-27022012.aspx.

In Croydon’s case, papers relating to a child sex abuse court case were stolen from a social worker in a pub and the Information Commissioner’s Office was unhappy that the Council had failed to communicate its data protection guidance to staff and carry out adequate checks to make sure people understood it. Norfolk’s case involved a hand-delivered report about a child’s emotional well-being being delivered to the next-door-neighbour with the Council having failed to have appropriate data protection training or have a system of double-checking colleagues’ work on sensitive personal data.

These punishments demonstrate the ICO’s willingness to hand out substantial fines for just single errors. Once again, the cases have involved the public sector.

In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to 2% of a company’s global turnover or €1m for other bodies. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

Paul Gershlick, Head of Pharmaceuticals and Life Sciences at Partner at Matthew Arnold & Baldwin LLP and a data protection law specialist, comments: “We need to understand the facts as the ICO sees them and then make a judgement, but such a large fine seems harsh given that the hospital appear to have been the victim and no data actually got into the public domain through the hospital’s action with the police when the items appeared on eBay. This action signals the tough intentions of the UK’s data protection regulator in dealing with data security breaches involving people’s health data.”

The ICO sets out a plan of 5 Es: eduate, empower, engage, enable and enforce. It is not purely about enforcement as it wants to educate and help too, but that is clearly the end result if there are problems. It wants to target its limited resources to the areas in which it perceives are the greatest need to act to protect individuals. It will consider the volume, nature and sensitivity of the data and the number of people affected. Ultimately, it will consider what is in the public interest.

The ICO wants to ensure that its activities are conducted transparently, proportionately, consistently, targeted and in an accountable way. It also wants to see a high proportion of the public aware of their privacy rights and how to enforce them.

The Information Rights Strategy can be found here: http://www.ico.gov.uk/about_us/plans_and_priorities/information_rights_strategy.aspx.

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, says, “It is absolutely crucial to protect patient data. However, privacy groups again appear to be pursuing a single concern agenda – ie privacy. What about improving patient care and improving or saving lives? Instead of criticising the Government’s healthcare data strategy for being pursued too fast, people worried about privacy should instead be working with the Government to make sure the privacy safeguards are in place so that the health benefits can be achieved as soon as possible. The longer any delays take, the fewer number of people who will benefit from any reforms. When people’s lives are at stake, there should be no time to lose.”

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, comments: “This case shows that any organisations involved with people’s health data must be careful to ensure that their employees do not misuse the data and that they take adequate safeguards to protect it. Health data about individuals falls within the category of sensitive personal data and is a higher class of data that is protected under data protection laws. That said, this outcome would probably have been the same regardless of the fact that the data misused was within the category of sensitive personal data.”

Some have raised privacy concerns over the proposals.  Big Brother Watch has said it should be for patients to decide what happens with their medical information rather than governments.  Meanwhile, Patient Concern warns that the plans would be the death of patient confidentiality.

However, Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, disagrees with those concerns and welcomes the Government’s initiative.  He says: ”It is clear from the Government plans that patient data will be anonymous so that any one individual will not be identified during the data sharing.  If that is the case, why should there be any fuss from privacy campaigners? Under UK data protection law, people lose rights over “their” data if that data is anonymised. 

“Surely, as long as patient data is protected through anonymity, the main objective must be to improve patient care and make people’s lives better.  As a society, we must do all we can to improve the quality of care through helping to achieve faster drug development and introduction. If the NHS works together with the private sector to help to develop or bring out new drugs quicker, that has got to be a good thing if it saves anyone’s lives or makes them more comfortable.  And if this has the added bonus of generating more business in the UK by making it a more attractive place to do business in the pharmaceutical and life sciences sector particularly in these economic uncertain times, so much the better.”

In her statement, Reding said consumers should be more “empowered”. She also issued a warning that cloud computing service providers would face stricter provisions. Cloud computing refers to the making available of software and data on a network such as the Internet rather than on the user’s own servers.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This statement will send shockwaves through businesses. Currently, there are a number of grounds on which organisations can process data. They include if it is for their legitimate interests and it does not cause the data subject unwarranted harm. The statement is short so something may be lost in the translation, but at face value it suggests that the only grounds for processing data will be with explicit consent and that consent must be given in advance. That could prevent many businesses from functioning efficiently if they need to obtain explicit consent first every time.

“The new laws will also look to address the problem of social media site users saying something embarrassing and then never being able to remove it later, leaving them in an awkward position when a prospective interviewer checks them out on the web before a job interview. There has not yet been any clarity over users’ position when someone else posts a comment, photo or video clip about them on the web without their consent – if someone is featured in someone else’s posted content, will the subject be able to pull it?

“Further, the statement issues a warning for cloud computing service providers, but does not give any indication about how exactly their businesses may be affected.

“Overall, the statement leaves more questions than answers and is not particularly helpful for businesses looking to plan ahead to the new regime. They will have to watch this space over the next few weeks to see what the impact will be.”

The statement can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML.

The report can be found here: http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/147302.htm.

The 65 requests received in that period covered more than 300 individual items, and came from the UK government and courts. Six of the requests related to videos that raised national security concerns on YouTube, and several other were court orders relating to defamation and privacy.

Details of the requests can be found here.

Of particular concern in the pharmaceutical sector is that out of 47 undertakings that the ICO has agreed with organisations that have breached the Data Protection Act since April, 40% of those have been in the healthcare sector.

The ICO’s press release can be found here.

The Information Commissioner’s Office and, now on appeal, the Information Tribunal agreed with the police. The Tribunal also discounted Ms Smith’s claims that sensitive personal data can be disclosed if it is in the substantial public interest to do so. The Tribunal ruled that although there was public interest in establishing data on sexual offences, the higher threshold of substantial public interest had not been surmounted. There was public interest in establishing sexual offences by teachers and others in positions of trust. Substantial public interest could have been for something like prevalence of sexual offender activity or police incompetence in dealing with the issue. The Tribunal decided that although the decision was finely balanced, the police were right not to reveal the information that could have led to identifying individuals in this case.

The ruling can be found here: http://www.bailii.org/uk/cases/UKFTT/GRC/2011/2011_0006.html.

The ICO’s consultation document can be found here: http://www.ico.gov.uk/about_us/consultations/our_consultations.aspx.

The Article 29 Working Party’s opinions are not legally binding and they only represent the body’s own interpretation of data protection laws. However, they can be very persuasive and should not be ignored. It will be interesting to see what changes are made by the UK’s regulator, the Information Commissioner’s Office, to its stance on consent following this opinion. This can potentially affect a lot of businesses, particularly Internet ones.

The Article 29 Working Party opinion can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf.

Big Brother Watch’s statement can be found here: http://www.bigbrotherwatch.org.uk/Police_databases.pdf.

These figures are astonishing. Everyone would reasonably expect there to be the odd bad apple or two. But the scale of wrongdoing is incredible. The police need to carry out a root and branch review to ensure that their staff more effectively do what they should be doing – protecting the public. Anyone arguing that this demonstrates that we live in a police state, however, need to remember this – we only found out about these figures because of the Freedom of Information Act and the investigative work carried out by Big Brother Watch.

The ICO highlighted one case where a member of staff left 29 patient records in a public place after taking them from the NHS premises. In another case, one NHS Trust sent details about a vulnerable adult to an engineering company. Five health organisations have signed undertakings, promising to improve their standards, but the ICO wants the rest of the health industry to take note.

The European Commission is now consulting with communications service providers, consumer groups, Member States and others on practical guidelines that would harmonise the rules across the EU. It has asked the following questions:

• How would organisations comply with the new notification obligation?
• What types of breaches should trigger individuals being notified?
• What means of notification should take place and what procedure should be followed?
• What information should be in the notification to the regulator and the affected individuals?

The consultation is open until 9 September and can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/887&format=HTML&aged=0&language=EN&guiLanguage=en..

Lancashire Police has agreed to take appropriate security measures to prevent data being accessed without authorisation, and it has also promised to conduct quality assurance checks before material is published on its website. It has further decided to implement a new policy for staff emphasising the importance of taking appropriate action to safeguard data.

The Regulations mean that, in basic terms, consent must be obtained from a website user before a website operator can place a cookie on the user – if a user refuses to give their consent, the cookie cannot be placed. Various means of obtaining consent have been suggested, but the ICO went for the straightforward route on its own website – a tick-box when you arrive on the website homepage telling you that, unless you give your consent, certain parts of the website will not work properly.

Under the Freedom of Information Act, a member of the public can request that certain information be disclosed by a public body. In this instance, a member of the public asked the ICO to disclose figures of who was giving their consent to the placement of the cookie. The information disclosed showed that 90% of users refused to give their consent. The cookie was a Google Analytics cookie and, as a result, 90% of users disappeared from the ICO’s analytics.

It’s easy to ignore this information – what would the ICO want this information for anyway? The importance, however, is in the fact that other websites who use cookies and have to ask for consent are likely to see a similar pattern, and those websites might use the information collected for advertising purposes – analytics for advertising may see the information they have to use drastically reduced, and many Internet businesses that rely on advertising for revenue may be operating at a handicap.

Information is key to the ongoing development of the advertising-run Internet, but also to the business that rely on the Internet for revenues, whether advertising based or not. A commercially viable option for obtaining consent to place cookies is an essential tool going forward for any Internet-dependent business.

The new law has been attacked for providing little privacy benefits to users, whilst adversely affecting their online experience and adding red tape and cost to website operators as well as potentially operating their viability with advertising revenue affected. This development will surely only add to those concerns.

The ICO has recently given website operators a one year window to comply with the new law, but has warned of action against anyone not taking appropriate steps to prepare. Meanwhile, the European Commission has now thrown down the gauntlet to industry to create industry standards by June 2012 that will create standard ways of gaining user consent to cookies. Neelie Kroes, a European Commissioner, has threatened to use all available means to protect citizens’ privacy if this does not happen. So far, only six countries (including the UK) across the European Union have implemented the new cookies opt-in law.

If you would like to discuss what options you have in order for your business to comply with the Regulations, please contact us on mark.weston@mablaw.com, paul.gershlick@mablaw.com or simon.weinberg@mablaw.com.

Nevertheless, Twitter has acted in accordance with its terms of use, which say that it would release information about its users if required by subpoena, court order or other legal process. Its policy is also to notify users of requests for information prior to disclosure unless prohibited by law.

CCTV images can be considered as personal data, and the ICO’s action came after CCTV footage of a shopper from the website was posted on YouTube. The ICO has made it clear that such disclosure of personal data should take place only where ‘necessary’ i.e. for the purposes of crime detection, rather than just for entertainment, as it was here.

The ICO criticised Internet Eyes for not encrypting CCTV images it shared with its members, and it was also not tracking member activity meaning that it could not trace who had posted the video on YouTube. The ICO has made sure that the website has signed an undertaking to ensure encryption and sufficient tracking, and has also requested that the website not allow a member to access CCTV footage taken within a 30 mile radius of the member’s registered location, in an attempt to decrease the likelihood that those people visible in the footage are identifiable to a particular member.

It is an offence under the Data Protection Act to knowingly or recklessly obtain personal data without consent. The data was important to T-Mobile and its competitors as it contained details of names, addresses, telephone numbers and customer contract end dates. This is the first time the Information Commissioner has sought a confiscation order under the Proceeds of Crime Act. That is where an order is made to deprive the wrong-doer from any benefit he has received from the crime.

The Information Commissioner has hailed the result in this case as marking a new chapter in deterrents against misuse of personal data. This case proves that there will be an audit trail and his office will try to find what has happened to it, and will take appropriate action, according to the Commissioner. The fine is the largest ever for employees who have stolen personal data for their own gain.

This case shows that some people in the personal injury industry are taking “ambulance chasing” to another level. It is one thing to take part in activity that may leave a bad taste in the mouth.  It is another to break the law when doing so.

• the necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for member states to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.

The Directive provides that communications service providers must retain various communications data for a period of between six and 24 months for the purposes of investigation, detection and prosecution of serious crime. In April 2011, the European Commission reviewed the Directive, and criticised its effectiveness in a report due to the fact that it had been interpreted in different ways in different Member States, leading to inconsistency and confusion for telecoms operators.

The EDPS has called on the European Commission to consider repealing the Directive in order to harmonise data retention laws across Europe, which was the primary intention of the Directive. Data retention periods currently differ across Europe, benefitting some communications service providers but not being a disadvantage to others. Privacy lobbyists are also likely to respond well to the EDPS’s opinion as they have long argued that the blanket data retention requirement infringes a data subject’s right to privacy.