Data protection is currently a hot topic, not least because of the introduction of the General Data Protection Regulation (GDPR), which comes into force in May 2018. This is widely regarded as the biggest shake-up of data protection legislation since the 1990s, which of course was when the Data Protection Act 1998 was introduced.
The GDPR places more onerous obligations on organisations in respect of handling data, with a significant increase in penalties for non-compliance. It is therefore understandable that organisations are concerned about the balance shifting even more in favour of individuals when it comes to their personal data.
With that in mind, two recent cases highlight some of the practical issues which arise, both for organisations and for individuals, when dealing with personal data. The first case (Holyoake v Candy and another, 2017) is a High Court case in which the Claimants (H and C) are involved in a dispute relating to an unsecured loan which was advanced to a company connected to C's brother, to H personally. A subject access request (SAR) was originally submitted by H to C and the Defendant in April 2016 but was subsequently narrowed in November 2016.
The Data Protection Act 1998 (DPA) gives individuals the right to access their personal data by making a SAR. One exemption from a SAR is material protected by legal professional privilege.
The Defendant and C responded to the narrowed SAR but relied on legal professional privilege in relation to some of the documents containing H's personal data and withheld the information. H made an application to the High Court to order compliance with the narrowed SAR. The main issues were:
- whether C and the Defendant had carried out an adequate search; and
- the validity of the reliance on the legal professional privilege exemption.
A number of arguments were put forward by C as to why the searches were not adequate (including that only corporate email accounts, and not personal email accounts, had been searched). However, the court ruled that searches need only be "proportionate and reasonable", which it concluded they were, not least because there was no evidence (in this particular case) that personal email accounts had been used for business purposes, so they were not required to be searched.
In relation to the legal professional privilege exemption, the court ruled that the evidence sufficiently made out the case that the exemption was properly applied, subject only to iniquity and inspection issues. In relation to iniquity, legal privilege may be lost if there is evidence of wrongdoing, but that was not the case here. In addition, the court will only inspect material protected by legal professional privilege if there is credible evidence that those relying on the exemption either misunderstood it, could not be trusted to apply it properly, or where there was no other alternative; again, that was not the case here. For these reasons, C's application failed. This is a useful decision, welcomed by data controllers, particularly for the court's conclusion that searches need only be "proportionate and reasonable".
Amongst the various changes introduced by the GDPR, subject access rights are retained but are subject to a number of significant changes, including:
- removing the ability to charge a fee as a condition of providing an individual with their personal data (unless the request is manifestly excessive); and
- reducing the timeframe for responding to a SAR from 40 days to 1 month (albeit with the ability to extend by up to a further 2 months in relation to complex requests).
The GDPR also introduces new rights for individuals in addition to the SAR, including the much-publicised 'right to be forgotten' and the lesser-publicised right to 'restrict processing'. At the same time, other existing rights are amplified, including the right of individuals to object to the processing of their personal data (on any grounds). You can read more about the changes to individuals' rights and organisations' obligations under the GDPR here.
The second case, widely reported in the recent press, involves a former recruitment agency employee (Rebecca Gray) who was prosecuted and fined under S55 DPA for unlawfully obtaining personal data.
S55 DPA makes it an offence knowingly or recklessly, without the consent of the data controller, to do either of the following:
- obtaining or disclosing personal data or the information contained in personal data; or
- procuring the disclosure to another person of the information contained in the personal data.
In this case, Ms Gray emailed the personal data of approximately 100 clients and potential clients to her personal email account as she was leaving to start work with a competitor recruitment company. She then contacted those individuals upon starting her new job.
Ms Gray pleaded guilty to the offence under S55 DPA and was fined £200, ordered to pay £214 prosecution costs and a £30 victim surcharge.
It is often forgotten that the DPA includes criminal offences for individuals (both employees and directors) as well as the civil remedies imposed on organisations for breaches of the DPA. This case is a timely reminder of the importance of ensuring that staff at all levels are trained on an ongoing basis and made aware not only of their employer's obligations and liabilities in relation to personal data but also of the risks to the individual of misusing other people's personal data (not to mention other potential offences, including theft). At the same time, it is advisable for organisations to consider ahead of time the types of data which individuals may come into contact with, how that information is secured (e.g. through user access controls and access logs) and how any suspected misuse of information may be investigated (e.g. through employee monitoring policies). These risks may be amplified where an organisation permits staff to use their own smartphones or tablets to perform their role; the risk of data being accessed and stored on staff-owned devices, or backed up to staff personal accounts, should be considered as part of an organisation's 'bring your own device' policy.