When Mr Patel complained to Unite about the postings, Unite took the forum offline and released a statement that the allegations against Mr Patel were unfounded; but Unite failed to respond to Mr Patel’s request for the identification of those responsible.

The BASSA website was subject to terms of use, which warned users that their personal data might be disclosed subject to data protection and privacy law.

Mr Patel successfully applied to the High Court for a “Norwich Pharmacal” order, which required Unite to provide the identities, addresses and Internet Protocol addresses of the users responsible. Instead, Unite provided an expert’s report to show that the information requested had in fact been deleted. Mr Patel and his solicitors pushed Unite to make further efforts to recover the information, without success. Mr Patel therefore sought a further Norwich Pharmacal order for an independent expert to be given access to Unite’s database on the grounds that the continued failure to provide the information must be, at best, as a result of incompetence or technical ignorance. Unite objected to a further order on data protection grounds.

The High Court ruled that Unite had not provided sufficient evidence that it had carried out the reasonable search required by the first Norwich Pharmacal order, and Unite had not shown that it had actually followed up the information provided by Mr Patel in order to carry out that search. The High Court noted that the additional order that Mr Patel was asking for was intrusive, but that it was proportionate and necessary to give the order so that Unite would comply with Mr Patel’s information request. The High Court considered the fact that the website terms of use warned users that Unite might disclose a user’s identity, subject to data protection and privacy law, and that, without the order, those responsible would not be identified. Whilst the order was given by the High Court, it was strictly limited to an expert appointed jointly by both parties and only to the disclosure of the information which would identify those responsible, or which explained why identification was not possible.

In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to £1m or 2% of a company’s global turnover. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

Paul Gershlick, Head of Pharmaceuticals and Life Sciences at Partner at Matthew Arnold & Baldwin LLP and a data protection law specialist, comments: “We need to understand the facts as the ICO sees them and then make a judgement, but such a large fine seems harsh given that the hospital appear to have been the victim and no data actually got into the public domain through the hospital’s action with the police when the items appeared on eBay. This action signals the tough intentions of the UK’s data protection regulator in dealing with data security breaches involving people’s health data.”

The ICO sets out a plan of 5 Es: eduate, empower, engage, enable and enforce. It is not purely about enforcement as it wants to educate and help too, but that is clearly the end result if there are problems. It wants to target its limited resources to the areas in which it perceives are the greatest need to act to protect individuals. It will consider the volume, nature and sensitivity of the data and the number of people affected. Ultimately, it will consider what is in the public interest.

The ICO wants to ensure that its activities are conducted transparently, proportionately, consistently, targeted and in an accountable way. It also wants to see a high proportion of the public aware of their privacy rights and how to enforce them.

The Information Rights Strategy can be found here: http://www.ico.gov.uk/about_us/plans_and_priorities/information_rights_strategy.aspx.

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

Viagogo – the website – had objected to the hand over, saying that to do so would be disproportionate and infringe its users’ data protection rights. The Court of Appeal disagreed. The rights had to be balanced and the RFU was entitled to know about who was infringing its contract terms. The Court of Appeal therefore ruled that it was right to grant the RFU a “Norwich Pharmacal Order” against Viagogo to reveal the data. Whether or not the England rugby body used that data to take action against the sellers or the people who had provided the tickets to the sellers was irrelevant to the ruling.

The changes to the guidance largely reflect the revisions made to the Privacy and Electronic Communications Regulations in May 2011, under which electronic communications providers must inform the ICO about all data protection breaches. The main difference is the recommendation to provide a monthly report rather than simply to maintain a record of breaches which can be audited by the ICO for compliance.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, says, “It is absolutely crucial to protect patient data. However, privacy groups again appear to be pursuing a single concern agenda – ie privacy. What about improving patient care and improving or saving lives? Instead of criticising the Government’s healthcare data strategy for being pursued too fast, people worried about privacy should instead be working with the Government to make sure the privacy safeguards are in place so that the health benefits can be achieved as soon as possible. The longer any delays take, the fewer number of people who will benefit from any reforms. When people’s lives are at stake, there should be no time to lose.”

The fine follows a similar incident last year where public parts of a document about another child were sent to the same member of the public by the council. The ICO admonished the council, with the council promising to improve its processes.

In addition to the fine, the council has been ordered to retrain all staff in relation to data protection before the end of March 2012, with refresher training to follow every three years.

The “Article 29 Working Party”, which is a committee of national regulators from each EU State (including the UK’s Information Commissioner’s Office), will provide the basis for the new board. The board will offer support to each country’s regulator and, it is hoped, will bring about more harmonisation between the data protection laws in each Member State.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, comments: “This case shows that any organisations involved with people’s health data must be careful to ensure that their employees do not misuse the data and that they take adequate safeguards to protect it. Health data about individuals falls within the category of sensitive personal data and is a higher class of data that is protected under data protection laws. That said, this outcome would probably have been the same regardless of the fact that the data misused was within the category of sensitive personal data.”

Some have raised privacy concerns over the proposals.  Big Brother Watch has said it should be for patients to decide what happens with their medical information rather than governments.  Meanwhile, Patient Concern warns that the plans would be the death of patient confidentiality.

However, Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, disagrees with those concerns and welcomes the Government’s initiative.  He says: ”It is clear from the Government plans that patient data will be anonymous so that any one individual will not be identified during the data sharing.  If that is the case, why should there be any fuss from privacy campaigners? Under UK data protection law, people lose rights over “their” data if that data is anonymised. 

“Surely, as long as patient data is protected through anonymity, the main objective must be to improve patient care and make people’s lives better.  As a society, we must do all we can to improve the quality of care through helping to achieve faster drug development and introduction. If the NHS works together with the private sector to help to develop or bring out new drugs quicker, that has got to be a good thing if it saves anyone’s lives or makes them more comfortable.  And if this has the added bonus of generating more business in the UK by making it a more attractive place to do business in the pharmaceutical and life sciences sector particularly in these economic uncertain times, so much the better.”

The ICO highlights that it believes the new framework must:

-          be clear and easy to understand and provide a cost-effective means of individuals exercising their rights;

-          set out a clear structure with overarching high-level principles based on risk, context and purpose with flexibility for enforcement bodies, rather than a prescriptive approach based on lists;

-          involve an obligation on organisations to carry out a private impact assessment where processing could have a significant or adverse effect on an individual, uses intrusive technology or creates a particular risk.

-          ensure that data processors are responsible and accountable, with the emphasis on the maintenance of standards rather than simply having a ‘process’ that complies with the law; and

-          allow the ICO more inspection and enforcement powers in both the private and public sectors with less emphasis on prior approval and authorisation of a data processor’s activities.

The ICO was critical of recent statements suggesting that consumers should have a “right to be forgotten” as it could mislead and create false expectations and be impossible to implement in practice.

The full text of the briefing can be found here.

The EU has proposed several changes to the current data protection regime, including granting individuals a “right to be forgotten” by allowing them to force organisations to delete personal data they hold and making non-EU based organisations subject to EU data protection law if they store personal data of EU citizens in the “cloud” (i.e. storing the data on an Internet-based network rather than on local servers).

The Culture Minister responded that:

-          A “right to be forgotten” would give the public false expectations. His argument was based on the ease and speed with which data can be copied and circulated on the Internet, to the extent that the Government would be unlikely to pass a law into force that it was impossible to enforce.  After all, how could one organisation promise that someone’s photos had been permanently deleted when someone else may have copied them from that original site?

-          It was questionable how feasible it would be to enforce EU law against non-EU organisations and there was the possibility that the law would stifle innovation and economic growth in the sector.

The full text of the speech can be found here.

ENISA also expressed concern in relation to security and privacy risks from such practices. The report suggests that users are becoming increasingly dependent on websites storing their personal information to make their future visits quicker and easier; whilst this is a benefit to a user, it makes fraud and unauthorised access easier, with the potential for not only financial loss but also possible reputational harm, discrimination and even exclusion from websites altogether.

The report suggests that the other effect of the practice is that website operators are being put under increasing pressure to store and protect personal information in a legally compliant way, which they may not have the knowledge or financial means to undertake.

ENISA suggested that privacy-friendly mechanisms should be incorporated into new websites and software, with clear instructions for users explaining the risks involved in a personalised service.

The World Wide Web Consortium (W3C) has published two draft standards to allow users to express privacy preferences in relation to cookies.  W3C released details of:

1. the “Tracking Preference Expression”, which defines mechanisms for users to express cross-site tracking preferences, and for websites to indicate whether these preferences are complied with; and
2. the “Tracking Compliance and Scope Specification”, which defines the meaning of a “Do Not Track” mechanism for notifying websites of a preference and set out best practice for website compliance.

It is hoped that the documents will culminate in the development of software that can be used and developed further by browser operators to protect users from cookies and tracking mechanisms. It is intended that the new standards will allow a user to express a preference for how their data is collected for tracking purposes and alert users as to whether a website honours their preferences or not.

The documents have been developed by a working group within W3C which includes representatives of Apple, Facebook, Google, IBM, Microsoft and Yahoo.

W3C is hopeful that the standards will be in operation in 2012.

In her statement, Reding said consumers should be more “empowered”. She also issued a warning that cloud computing service providers would face stricter provisions. Cloud computing refers to the making available of software and data on a network such as the Internet rather than on the user’s own servers.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This statement will send shockwaves through businesses. Currently, there are a number of grounds on which organisations can process data. They include if it is for their legitimate interests and it does not cause the data subject unwarranted harm. The statement is short so something may be lost in the translation, but at face value it suggests that the only grounds for processing data will be with explicit consent and that consent must be given in advance. That could prevent many businesses from functioning efficiently if they need to obtain explicit consent first every time.

“The new laws will also look to address the problem of social media site users saying something embarrassing and then never being able to remove it later, leaving them in an awkward position when a prospective interviewer checks them out on the web before a job interview. There has not yet been any clarity over users’ position when someone else posts a comment, photo or video clip about them on the web without their consent – if someone is featured in someone else’s posted content, will the subject be able to pull it?

“Further, the statement issues a warning for cloud computing service providers, but does not give any indication about how exactly their businesses may be affected.

“Overall, the statement leaves more questions than answers and is not particularly helpful for businesses looking to plan ahead to the new regime. They will have to watch this space over the next few weeks to see what the impact will be.”

The statement can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML.

The report can be found here: http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/147302.htm.

The ECJ ruled that those individuals that were the subject of stories published online not only had the choice of suing the publisher either in the country where the publisher is based or in the country where the individual had their “centre of interests”, but they also had the choice of bringing the claim in a country where the story or content was accessible (although only for the damage suffered in that country). In such an instance, the ECJ ruled that the relevant national courts could not apply a stricter law to the case than that applied by the courts in the country where the publisher was actually based.

In an age where content spreads so easily on the Internet, the waters have suddenly become more muddied for a publisher – it is now much easier than previously thought for a person who is the subject of a story to take action.

The 65 requests received in that period covered more than 300 individual items, and came from the UK government and courts. Six of the requests related to videos that raised national security concerns on YouTube, and several other were court orders relating to defamation and privacy.

Details of the requests can be found here.

Of particular concern in the pharmaceutical sector is that out of 47 undertakings that the ICO has agreed with organisations that have breached the Data Protection Act since April, 40% of those have been in the healthcare sector.

The ICO’s press release can be found here.

The first report considered how 14 social networking websites had implemented the 2009 agreement. This second report considered nine social networking websites, which included a range of blogging, gaming, file-sharing and personal social-networking functionality, and found that only two of the websites had default settings which made a child’s information visible only to approved contacts; the other websites shared a large amount of that information beyond a child’s approved contacts.

The EC has said that it will take into account the two reports when it undertakes a comprehensive initiative to empower and protect children when using new technologies, which is set to take place later this year.

The Information Commissioner’s Office and, now on appeal, the Information Tribunal agreed with the police. The Tribunal also discounted Ms Smith’s claims that sensitive personal data can be disclosed if it is in the substantial public interest to do so. The Tribunal ruled that although there was public interest in establishing data on sexual offences, the higher threshold of substantial public interest had not been surmounted. There was public interest in establishing sexual offences by teachers and others in positions of trust. Substantial public interest could have been for something like prevalence of sexual offender activity or police incompetence in dealing with the issue. The Tribunal decided that although the decision was finely balanced, the police were right not to reveal the information that could have led to identifying individuals in this case.

The ruling can be found here: http://www.bailii.org/uk/cases/UKFTT/GRC/2011/2011_0006.html.

The paper states that the principles of cloud computing, where file and programs are stored effectively on the Internet, must comply with the strictest principles of data protection and privacy. It goes on to argue that a watchdog body should be formed to regulate cloud computing services, with an emphasis on transparency of cloud computing operations.

The ICO has now completed the audit and has said that Google has taken ‘reasonable steps’ to improve its privacy policies and that it has taken action in all the areas in which it had agreed to do so. The ICO has now asked Google to continue its improvements and to better inform its users of its privacy policies.

The Article 29 Working Party’s opinions are not legally binding and they only represent the body’s own interpretation of data protection laws. However, they can be very persuasive and should not be ignored. It will be interesting to see what changes are made by the UK’s regulator, the Information Commissioner’s Office, to its stance on consent following this opinion. This can potentially affect a lot of businesses, particularly Internet ones.

The Article 29 Working Party opinion can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf.

Big Brother Watch’s statement can be found here: http://www.bigbrotherwatch.org.uk/Police_databases.pdf.

These figures are astonishing. Everyone would reasonably expect there to be the odd bad apple or two. But the scale of wrongdoing is incredible. The police need to carry out a root and branch review to ensure that their staff more effectively do what they should be doing – protecting the public. Anyone arguing that this demonstrates that we live in a police state, however, need to remember this – we only found out about these figures because of the Freedom of Information Act and the investigative work carried out by Big Brother Watch.

The ICO highlighted one case where a member of staff left 29 patient records in a public place after taking them from the NHS premises. In another case, one NHS Trust sent details about a vulnerable adult to an engineering company. Five health organisations have signed undertakings, promising to improve their standards, but the ICO wants the rest of the health industry to take note.

The European Commission is now consulting with communications service providers, consumer groups, Member States and others on practical guidelines that would harmonise the rules across the EU. It has asked the following questions:

• How would organisations comply with the new notification obligation?
• What types of breaches should trigger individuals being notified?
• What means of notification should take place and what procedure should be followed?
• What information should be in the notification to the regulator and the affected individuals?

The consultation is open until 9 September and can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/887&format=HTML&aged=0&language=EN&guiLanguage=en..

Click here to view the article in full.

Lancashire Police has agreed to take appropriate security measures to prevent data being accessed without authorisation, and it has also promised to conduct quality assurance checks before material is published on its website. It has further decided to implement a new policy for staff emphasising the importance of taking appropriate action to safeguard data.

The Regulations mean that, in basic terms, consent must be obtained from a website user before a website operator can place a cookie on the user – if a user refuses to give their consent, the cookie cannot be placed. Various means of obtaining consent have been suggested, but the ICO went for the straightforward route on its own website – a tick-box when you arrive on the website homepage telling you that, unless you give your consent, certain parts of the website will not work properly.

Under the Freedom of Information Act, a member of the public can request that certain information be disclosed by a public body. In this instance, a member of the public asked the ICO to disclose figures of who was giving their consent to the placement of the cookie. The information disclosed showed that 90% of users refused to give their consent. The cookie was a Google Analytics cookie and, as a result, 90% of users disappeared from the ICO’s analytics.

It’s easy to ignore this information – what would the ICO want this information for anyway? The importance, however, is in the fact that other websites who use cookies and have to ask for consent are likely to see a similar pattern, and those websites might use the information collected for advertising purposes – analytics for advertising may see the information they have to use drastically reduced, and many Internet businesses that rely on advertising for revenue may be operating at a handicap.

Information is key to the ongoing development of the advertising-run Internet, but also to the business that rely on the Internet for revenues, whether advertising based or not. A commercially viable option for obtaining consent to place cookies is an essential tool going forward for any Internet-dependent business.

The new law has been attacked for providing little privacy benefits to users, whilst adversely affecting their online experience and adding red tape and cost to website operators as well as potentially operating their viability with advertising revenue affected. This development will surely only add to those concerns.

The ICO has recently given website operators a one year window to comply with the new law, but has warned of action against anyone not taking appropriate steps to prepare. Meanwhile, the European Commission has now thrown down the gauntlet to industry to create industry standards by June 2012 that will create standard ways of gaining user consent to cookies. Neelie Kroes, a European Commissioner, has threatened to use all available means to protect citizens’ privacy if this does not happen. So far, only six countries (including the UK) across the European Union have implemented the new cookies opt-in law.

If you would like to discuss what options you have in order for your business to comply with the Regulations, please contact us on mark.weston@mablaw.com, paul.gershlick@mablaw.com or simon.weinberg@mablaw.com.

CCTV images can be considered as personal data, and the ICO’s action came after CCTV footage of a shopper from the website was posted on YouTube. The ICO has made it clear that such disclosure of personal data should take place only where ‘necessary’ i.e. for the purposes of crime detection, rather than just for entertainment, as it was here.

The ICO criticised Internet Eyes for not encrypting CCTV images it shared with its members, and it was also not tracking member activity meaning that it could not trace who had posted the video on YouTube. The ICO has made sure that the website has signed an undertaking to ensure encryption and sufficient tracking, and has also requested that the website not allow a member to access CCTV footage taken within a 30 mile radius of the member’s registered location, in an attempt to decrease the likelihood that those people visible in the footage are identifiable to a particular member.

It is an offence under the Data Protection Act to knowingly or recklessly obtain personal data without consent. The data was important to T-Mobile and its competitors as it contained details of names, addresses, telephone numbers and customer contract end dates. This is the first time the Information Commissioner has sought a confiscation order under the Proceeds of Crime Act. That is where an order is made to deprive the wrong-doer from any benefit he has received from the crime.

The Information Commissioner has hailed the result in this case as marking a new chapter in deterrents against misuse of personal data. This case proves that there will be an audit trail and his office will try to find what has happened to it, and will take appropriate action, according to the Commissioner. The fine is the largest ever for employees who have stolen personal data for their own gain.

This case shows that some people in the personal injury industry are taking “ambulance chasing” to another level. It is one thing to take part in activity that may leave a bad taste in the mouth.  It is another to break the law when doing so.

• the necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for member states to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.

The Directive provides that communications service providers must retain various communications data for a period of between six and 24 months for the purposes of investigation, detection and prosecution of serious crime. In April 2011, the European Commission reviewed the Directive, and criticised its effectiveness in a report due to the fact that it had been interpreted in different ways in different Member States, leading to inconsistency and confusion for telecoms operators.

The EDPS has called on the European Commission to consider repealing the Directive in order to harmonise data retention laws across Europe, which was the primary intention of the Directive. Data retention periods currently differ across Europe, benefitting some communications service providers but not being a disadvantage to others. Privacy lobbyists are also likely to respond well to the EDPS’s opinion as they have long argued that the blanket data retention requirement infringes a data subject’s right to privacy.