UK: Data Protection And Privacy Newsletter - January 2013

Sony fined £250,000 following hacking attack

Sony operated the PlayStation network platform, and was the data controller in respect of the personal data provided by customers when they created an account to access the network platform. The network platform, including customer databases, was administered and maintained on Sony's behalf by a US service provider (which was part of the Sony group). The network platform was used by millions of customers in Europe, the Middle East, Africa, Australia and New Zealand. The network platform was infiltrated following hacking attacks on various online networks of the Sony group. The attacker accessed personal data stored on the network platform, including millions of customers' names, addresses, email addresses, dates of birth and account passwords. The incident was voluntarily reported by Sony to the ICO.

The Commissioner held that there had been a serious breach of the data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Sony failed to ensure that appropriate technical measures were taken, such as additional cryptographic controls to protect passwords and updating the relevant software. Sony had been subject to hacking attacks prior to this attack, and should have therefore anticipated a further attack and taken appropriate security measures. The Sony group is part of a multinational group of companies with sufficient resources to address security issues. The breach was likely to cause substantial damage or distress to the affected accountholders, and Sony was therefore fined £250,000.
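The decision above faults the absence of "additional cryptographic controls to protect passwords". The following Python example is added here to illustrate what such a control looks like in practice; it is not Sony's code and makes no claim about how the PlayStation network actually stored passwords. It contrasts an illustrative unsalted, single-round hash store with a per-user salted, iterated key derivation (PBKDF2-HMAC-SHA256) and constant-time verification. The iteration count and 16-byte salt length are assumed settings chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed cost parameter for the example; a real deployment tunes this to
# its hardware and revisits it periodically.
ITERATIONS = 210_000
SALT_LEN = 16  # assumed salt length in bytes


def weak_store(password: str) -> bytes:
    """Illustrative weak form: unsalted, single-round SHA-1 of the password.

    Two users with the same password get the same stored value, and the
    digest is cheap to brute-force offline once the table leaks.
    """
    return hashlib.sha1(password.encode("utf-8")).digest()


def hardened_store(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened form: random per-user salt plus a slow key-derivation function.

    Returns the record to persist (salt, cost and digest); the password
    itself is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def shared_password_collides(password: str) -> Tuple[bool, bool]:
    """Show why salting matters for a leaked table.

    Returns (weak_collides, hardened_collides): with the weak scheme two
    accounts sharing a password yield identical stored values, so cracking
    one cracks both; with per-user salts the stored digests differ.
    """
    weak_collides = weak_store(password) == weak_store(password)
    hardened_collides = (
        hardened_store(password)["digest"] == hardened_store(password)["digest"]
    )
    return weak_collides, hardened_collides


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    record = hardened_store("correct horse battery staple")
    print("verify correct:", verify(record, "correct horse battery staple"))
    print("verify wrong:  ", verify(record, "Tr0ub4dor&3"))
    print("weak/hardened collide:", shared_password_collides("password1"))
```

The stored record carries its own salt and iteration count, so the cost can be raised for new accounts without breaking verification of older ones; `hmac.compare_digest` avoids leaking the position of the first mismatching byte through timing.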

ICO discusses EU data protection reforms

The ICO has published a blog post on EU data protection reforms. The ICO suggests that the planned reforms could amount to one of the biggest changes to the data protection regime that the UK has ever experienced. The ICO is heavily involved in the UK's input on the reforms and states that it is paying close attention to developments in the legislative process.

The initial reform proposals were published by the European Commission in January 2012. The next step in the legislative process involves the European Parliament and the Council of the European Union looking at the proposals separately, before coming together to approve a final text.

There are five committees of the European Parliament appointed to examine the proposed data protection reforms. Each committee is required to submit its own amendments before negotiating a consolidated European Parliament view on the reforms, which is expected in late April.

Running alongside this process, the Council itself is looking at the proposed reforms. The Council is made up of relevant ministers and government officials from each Member State. The Ministry of Justice represents the UK in respect of the proposed data protection reforms. It works closely with the Home Office and is being advised by the ICO.

The ICO describes how the parliamentary committees are well advanced in their scrutiny, but the Council is further behind. However, more meetings of the Council are being scheduled to ensure that the negotiations can be completed as quickly as possible, to try to keep the process on track.

Once both the European Parliament and the Council have their consolidated views, they will need to negotiate with one another, possibly over the summer, to seek agreement on the text of the legislation. Failing agreement, there will need to be another reading of the texts by the European Parliament and the Council, followed by further negotiations. According to the ICO, there is an imperative to have a package adopted by 2014, when the European Parliament and the European Commission are due for re-appointment.

In relation to the content of the discussions that are ongoing, there is a debate about whether the reforms should be in the form of a regulation (which will apply directly in every Member State) or a directive (which will need to be transposed into each Member State's national law). The current proposal is for a general regulation which will have direct effect in each Member State and a directive specifically for the criminal justice sector. According to the ICO, there is speculation that the directive will be put on the back burner. There is also a move to confine the regulation to the private sector and develop a new directive to cover the public sector, which the ICO and other data protection authorities are resisting.

Bank employee fined for unlawfully obtaining bank statements

An employee (D) of Barclays unlawfully accessed bank statements of her partner's ex-wife. At the time, D's partner was involved in a legal dispute over the terms of the divorce settlement with his ex-wife. According to the ICO's announcement, when certain eBay transactions were raised in a meeting between the estranged couple, the ex-wife became suspicious that her account had been viewed. Barclays were contacted and, when they began investigating, D left her job. D pleaded guilty to unlawfully obtaining personal data, which is a criminal offence under section 55 of the Data Protection Act 1998 (DPA). D was fined £500 by the Derby Crown Court, and ordered to pay a £15 victim surcharge and £1,410.80 prosecution costs.

The Information Commissioner commented that he felt the level of the fine was inadequate and that there is a need for more effective sentences (which the ICO believes should include prison sentences) to deter the unlawful access and use of personal information. The ICO's statement on the case can be found here.

Information Commissioner's response to the Leveson Report

The Information Commissioner has published his response to the Leveson Report, which can be found here. The Leveson Report sets out proposals designed to improve the culture, practices and ethics of the press, and includes comments on and recommendations for the ICO and the DPA.

The Information Commissioner acknowledges that the Leveson Report is critical of the work of the ICO relating to the regulation of the press. However, he points out that since the period during which the bulk of the activity analysed by the Leveson Inquiry took place (2003-2007), the ICO has changed a lot, now having an enhanced enforcement tool kit and a more effective management structure.

In response to the Leveson Report's specific recommendations for the ICO, the Information Commissioner has proposed, among other things, the following action points:

  • Revising the ICO's Data Protection Regulatory Action Policy to include details on how the ICO will use its regulatory powers in relation to the press
  • In consultation with the press and broadcasting industry and the new press regulator, developing a Code of Practice on the DPA and the media
  • Preparing and issuing guidance to the public on their individual rights in relation to the obtaining and use of their personal data by the press, and how to exercise those rights
  • Adding a section to the ICO's website dedicated to giving advice to individuals on their information rights vis-à-vis the media
  • Drafting a stakeholder engagement plan detailing the key stakeholders in the press and the nature and frequency of contact required. Once completed, considering establishing a media reference panel, to ensure a ready source of expertise is available to the ICO on key media issues
  • Continuing to digest the Leveson Report and considering whether the ICO should establish a cross-office Enforcement Board to oversee the application of all the ICO's prosecution and civil enforcement powers

The Information Commissioner also provided his views on certain recommendations of the Leveson Report directed at the Ministry of Justice, including those regarding:

  • Scaling back the exemption from the obligations to comply with certain data protection principles and individual information rights, currently contained in section 32 of the DPA, in relation to the publication of journalistic material
  • Allowing compensation for pure distress (not just distress associated with damage) for breach of the DPA
  • Increasing the severity of the sentences available for criminal offences under section 55 of the DPA (concerning the unlawful use of personal data)
  • Increasing the scope of the prosecution powers of the Information Commissioner
  • Reconstituting the ICO as an Information Commission, led by a Board of Commissioners with a suitable range of expertise

The recommendations of the Leveson Report covered in the Information Commissioner's response would, if implemented, clearly have a major impact on the ICO and the DPA. In the Information Commissioner's blog post accompanying his response to the Leveson Report, he points out that he anticipates "many long and arduous telephone conferences as the new regulatory landscape takes shape in 2013".

ICO consults on subject access code of practice

The DPA provides individuals with the right of access to their personal information held by organisations, by making a subject access request. Once received, an organisation normally has 40 days to respond to the request.

The ICO has announced a consultation on a new draft code of practice on subject access requests, to help organisations handle subject access requests while supporting the public in taking control of their personal information. According to the ICO, during the last financial year the ICO received nearly 6,000 complaints from individuals regarding subject access requests, which was more than any other type of complaint. The new code of practice will aim to explain clearly and simply an organisation's legal responsibilities and individuals' rights under the DPA.

The draft code of practice and consultation document can be found here. The ICO is requesting individuals and organisations that have experience in handling or making subject access requests to review the draft code and provide their opinions. The closing date for the consultation is 21 February 2013, and the final code will be published in spring 2013. Clyde & Co will be submitting their comments on the consultation and will publish a summarised form of these once the consultation period has closed. If you have any comments which you would like to be fed into the consultation, please do let your usual Clyde & Co contact know, or email Isabel Ost (isabel.ost@clydeco.com).

ICO comments on the draft Communications Data Bill

The draft Communications Data Bill proposes, among other things, to expand the powers of certain public authorities (in particular law enforcement authorities) to obtain "communications data" from "telecommunications operators", requiring them to log data of internet activity for the purpose of countering crime committed online. These powers will require additional data collection and retention by telecommunications operators. The new powers will be subject to certain safeguards, including as to data security and integrity and the destruction of data. Under the current draft, the ICO would be responsible for policing these safeguards.

The Joint Committee of both Houses of Parliament recently published a report on the Bill, which can be found here. The ICO has published a statement responding to this report, which is available here.

The Information Commissioner stated that he is concerned about the adequacy of the proposed safeguards that the ICO will be responsible for regulating. In addition, to ensure the security of retained personal information and its destruction after a certain period of time, the ICO believes it will require increased powers and resources. The Information Commissioner was therefore pleased to see this issue referred to in the report of the Joint Committee. The Information Commissioner emphasised (in a theme that seems to run through much of this month's news) that the report added to calls for stronger deterrent sentences for those misusing personal information, which the Information Commissioner urges should be implemented without delay.

The draft Communications Data Bill is currently being redrafted.

ICO highlights concerns over protection of personal data in local government

The ICO has highlighted its concerns relating to the standard of data protection in local government, following its recent issuance of a number of monetary penalties against local councils. The ICO has criticised local governments' attitudes towards protecting personal data. The Information Commissioner stated that recent fines have been caused by councils "treating sensitive personal data in the same routine way they would deal with more general correspondence" and that councils often do not appear to have "acknowledged that the data they are handling is about real people, and often the more vulnerable members of society". The recent penalties mean that 19 local councils have now received monetary penalties for breaching the DPA, totalling £1,885,000. The ICO states that it is pressing the Ministry of Justice for stronger powers to audit local councils', as well as NHS bodies', data protection compliance, if necessary without consent.

The facts of some of the recent decisions are summarised below:

Leeds City Council: A support assistant in the children services department re-used (in line with the Council's policy) an envelope, which was originally intended for an unrelated external third party, for internal mail, but forgot to cross out the original address. The envelope was delivered to the originally-marked external recipient. The enclosed documents contained personal data relating to four data subjects, including confidential and highly sensitive personal data relating to a young person (including details of a criminal offence). Although the Council had overarching policies relating to data protection and information security, which were available to staff on its intranet together with limited training, there were no specific policies or training on security measures to be applied when sending sensitive personal data to internal or external third parties. The unintended recipient (a grandmother who had previously received correspondence from the Council relating to one of her grandchildren) sent an email to inform the Council that she received the documents. The Council collected the documents and sent a letter of apology to the affected individuals.

Devon County Council: A social worker prepared an adoption panel report using another family's report as a template, to remind her of the type of information to be included. The social worker was asked to send additional copies of her report to its original recipients, but accidentally sent copies of the template family's report. The template family's report contained confidential and highly sensitive personal data relating to approximately 22 data subjects, including information on the ethnic origin, religion, mental and physical health and alleged criminal activities of a couple being considered as part of the adoption process. The recipients did not return the template family's report for over two months. The Council had overarching policies on data protection and personal information security, but could not demonstrate that the social worker had read the policies and there was no specific guidance on the handling or posting of sensitive information. Data protection training, although available, was not mandatory and the social worker had not undertaken any of the Council's information governance training packages.

London Borough of Lewisham: A social worker on his probationary period took case papers relating to a child protection matter out of the office so that he could prepare for an upcoming court hearing over the weekend. Social workers were allowed by the Borough to take case papers out of the office without permission. The papers were carried in an opaque shopping bag, which the social worker mistakenly left on the train on his journey home. The bag containing the papers was recovered from the train company's lost property office seven days later. The papers contained confidential and highly sensitive personal data relating to a family who were the subject of care proceedings due to allegations of abuse and neglect against the perpetrators, including sexual abuse. Although the Borough had overarching policies on data protection and information security, there was no specific guidance on how sensitive personal data should be transported. Although training materials were available on the intranet, the social worker had not completed the relevant training.

In each of these cases, the Information Commissioner held that there was a serious breach of the data protection principle that "[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". In each case, the breach was considered likely to cause substantial distress to the affected data subjects.

Each of the councils failed to take appropriate organisational measures against unauthorised processing/accidental loss of personal data. The appropriate measures differed in each case and included:

  • Having different envelopes for internal and external mail that are clearly distinguishable
  • Having a peer checking process for envelopes containing confidential and sensitive personal data
  • Having appropriate and robust policies, guidelines, procedures and training for staff
  • Providing security locks for bags and considering a more secure means of accessing sensitive personal data out of the office (e.g. encrypted USB pens)

Leeds City Council was fined £95,000, Devon County Council was fined £90,000 and the London Borough of Lewisham was fined £70,000.

ICO highlights FOI requests made in 2012

The ICO has published a news release illustrating the kind of information that has successfully been obtained during 2012 by way of freedom of information requests made under the Freedom of Information Act 2000. Under the Act, individuals have the right to ask public authorities for official documents (e.g. minutes of council meetings and details of public spending). The public authority must then provide the information or explain why the information should not be disclosed. Individuals can complain to the ICO if a public authority wrongly refuses to release the requested information.

According to the news release, Ministry of Justice figures showed that 37,313 information requests were made to central government offices in the first three quarters of 2012, with many more being made to local councils, NHS bodies, police forces and other public authorities. Freedom of information requests revealed, for example, that there are 43,586,400 fake one pound coins in circulation and the amount of gifts given to the Metropolitan Police Force by businesses.

Looking forward, the Deputy Information Commissioner describes how he expects more information to become available in 2013. Changes to the regime are being explored to look at the way public authorities release information, which could include providing data in formats that make it easier to process and analyse and providing licences for others to re-use information to benefit the public.

ICO announces freedom of information monitoring of four public authorities

The ICO has announced that the Department for Education, the Department for Work and Pensions, the Office of the First Minister and Deputy First Minister in Northern Ireland and Wirral Metropolitan Borough Council will be monitored for the first quarter of 2013 over concerns about the timeliness of their responses to freedom of information requests. These public authorities were selected for monitoring as they either failed to respond to 85% of freedom of information requests within the time limit of 20 working days or had exceeded the time limit by a significant margin on numerous occasions. The Information Commissioner stated that the ICO may take further action after the monitoring period has expired if there is not the necessary improvement in the authorities' standard of compliance.

International Focus - Dubai

The DIFC Data Protection Law Amendment Law was enacted on 23 December 2012, with the intention of increasing transparency, efficiency and effectiveness in the exercise of the DIFC Commissioner of Data Protection's (the Commissioner's) powers. It amends the existing DIFC Data Protection Law and the Data Protection Regulations. The Dubai International Financial Centre (DIFC) is a federal free zone in Dubai, UAE. It is one of very few jurisdictions in the Middle East to have implemented a specific data protection regime.

The key changes to the Law and Regulations are:

  • A new requirement for Data Controllers to notify the Commissioner of any changes to their data processing activities within 14 days of the change(s) occurring
  • An express provision that a Data Controller may contravene the Law by any act or omission that is not compliant with the Law or the Regulations
  • An ability for the Commissioner to apply to the DIFC Court for an order directing compliance and the payment of costs by Data Controllers
  • A formal system under which the Commissioner may impose a fine (with fines ranging from USD 5,000 to USD 25,000 depending on the relevant contravention)
  • A change to the definition of Personal Data to cover personally identifiable data processed by automatic means or recorded as part of any filing system where specific information relating to a particular individual is readily accessible

The amendments are not extensive but help to clarify Data Controllers' practical obligations under the Law. Further, the introduction of a formal system of fines is likely to assist in encouraging increased understanding of and compliance with the Law.

Please click here to view the full update

SCL Seminar – Have you got IT covered?

On 29 January 2013 Clyde & Co hosted and sponsored an IT event for the Society for Computers and Law. This seminar entitled 'Have you got IT covered?' was attended by many in-house and private practice lawyers, and representatives of insurers.

The session was chaired by Dr David Sharp of Charteris plc and the panel included Andrew Horrocks, partner in Clyde & Co's Professional and Commercial Disputes team who has wide IT-related claims experience, and Phil Mayes of Lockton's Global Technology practice. The talk looked at insurance contracts and policy coverage within the IT sector, assessing IT risks and liabilities when taking out insurance, and the effect of insurance on limitation of liability clauses in IT contracts. The seminar also covered likely future developments in this developing area of insurance including cyber-liability, BYOD (bring your own device) and cloud computing plus other legal pitfalls and issues.

For further information on any of the issues discussed, please contact Andrew Horrocks (andrew.horrocks@clydeco.com).

For more details about SCL please visit www.scl.org

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
