UK: Data Protection And Privacy Newsletter - January 2013

Sony fined £250,000 following hacking attack

Sony operated the PlayStation network platform, and was the data controller in respect of the personal data provided by customers when they created an account to access the network platform. The network platform, including customer databases, was administered and maintained on Sony's behalf by a US service provider (which was part of the Sony group). The network platform was used by millions of customers in Europe, the Middle East, Africa, Australia and New Zealand. The network platform was infiltrated following hacking attacks on various online networks of the Sony group. The attacker accessed personal data stored on the network platform, including millions of customers' names, addresses, email addresses, dates of birth and account passwords. The incident was voluntarily reported by Sony to the ICO.

The Commissioner held that there had been a serious breach of the data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Sony failed to ensure that appropriate technical measures were taken, such as additional cryptographic controls to protect passwords and updating the relevant software. Sony had been subject to hacking attacks prior to this attack, and should have therefore anticipated a further attack and taken appropriate security measures. The Sony group is part of a multinational group of companies with sufficient resources to address security issues. The breach was likely to cause substantial damage or distress to the affected accountholders, and Sony was therefore fined £250,000.
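The technical measure the ICO singled out, cryptographic protection of stored passwords, can be illustrated with a short comparison. The following is an added example written for this newsletter summary; it is not code from Sony's platform or from the ICO, and the function names, the iteration count and the sample credentials are assumptions. It shows a record that stores the password verbatim beside one that stores a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest from Python's standard library, together with a check that the stored record no longer contains the password itself.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count for PBKDF2-HMAC-SHA256; raise it as hardware speeds up.
ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """Weak storage: a leaked database row reveals the password directly."""
    return {"password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened storage: random 16-byte salt plus an iterated PBKDF2 digest.

    The salt is stored alongside the digest so the check can be repeated at
    login; it is not secret, but it is unique per record.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """Audit check: does the stored record contain the password in clear?

    Hex-encoded salt and digest can only contain 0-9 and a-f, so a password
    with any other character can never appear in the hardened record.
    """
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample credentials; not real account data.
    weak = store_plaintext("correct horse")
    strong = store_hashed("correct horse")
    print("plaintext record leaks password:", record_reveals_password(weak, "correct horse"))
    print("hashed record leaks password:", record_reveals_password(strong, "correct horse"))
    print("login with right password:", verify(strong, "correct horse"))
    print("login with wrong password:", verify(strong, "wrong password"))
    # Two users with the same password get different records because of the salt.
    print("same password, same digest:", store_hashed("pw")["digest"] == store_hashed("pw")["digest"])
```

PBKDF2 is used here because it ships with the standard library; the same structure applies with scrypt (also in hashlib) or Argon2, which add memory cost and are the usual choice for new systems.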

ICO discusses EU data protection reforms

The ICO has published a blog post on EU data protection reforms. The ICO suggests that the planned reforms could amount to one of the biggest changes to the data protection regime that the UK has ever experienced. The ICO is heavily involved in the UK's input on the reforms and states that it is paying close attention to developments in the legislative process.

The initial reform proposals were published by the European Commission in January 2012. The next step in the legislative process involves the European Parliament and the Council of the European Union looking at the proposals separately, before coming together to approve a final text.

There are five committees of the European Parliament appointed to examine the proposed data protection reforms. Each committee is required to submit its own amendments before negotiating a consolidated European Parliament view on the reforms, which is expected in late April.

Running alongside this process, the Council itself is looking at the proposed reforms. The Council is made up of relevant ministers and government officials from each Member State. The Ministry of Justice represents the UK in respect of the proposed data protection reforms. It works closely with the Home Office and is being advised by the ICO.

The ICO describes how the parliamentary committees are well advanced in their scrutiny, but the Council is further behind. However, more meetings of the Council are being scheduled to ensure that the negotiations can be completed as quickly as possible, to try to keep the process on track.

Once both the European Parliament and the Council have their consolidated views, they will need to negotiate with one another, possibly over the summer, to seek agreement on the text of the legislation. Failing agreement, there will need to be another reading of the texts by the European Parliament and the Council, followed by further negotiations. According to the ICO, there is an imperative to have a package adopted by 2014, when the European Parliament and the European Commission are due for re-appointment.

In relation to the content of the discussions that are ongoing, there is a debate about whether the reforms should be in the form of a regulation (which will apply directly in every Member State) or a directive (which will need to be transposed into each Member State's national law). The current proposal is for a general regulation which will have direct effect in each Member State and a directive specifically for the criminal justice sector. According to the ICO, there is speculation that the directive will be put on the back burner. There is also a move to confine the regulation to the private sector and develop a new directive to cover the public sector, which the ICO and other data protection authorities are resisting.

Bank employee fined for unlawfully obtaining bank statements

An employee (D) of Barclays unlawfully accessed bank statements of her partner's ex-wife. At the time, D's partner was involved in a legal dispute over the terms of the divorce settlement with his ex-wife. According to the ICO's announcement, when certain eBay transactions were raised in a meeting between the estranged couple, the ex-wife became suspicious that her account had been viewed. Barclays were contacted and, when they began investigating, D left her job. D pleaded guilty to unlawfully obtaining personal data, which is a criminal offence under section 55 of the Data Protection Act 1998 (DPA). D was fined £500 by the Derby Crown Court, and ordered to pay a £15 victim surcharge and £1,410.80 prosecution costs.

The Information Commissioner commented that he felt the level of the fine was inadequate and that there is a need for more effective sentences (which the ICO believes should include prison sentences) to deter the unlawful access and use of personal information. The ICO's statement on the case can be found here.

Information Commissioner's response to the Leveson Report

The Information Commissioner has published his response to the Leveson Report, which can be found here. The Leveson Report sets out proposals designed to improve the culture, practices and ethics of the press, and includes comments on and recommendations for the ICO and the DPA.

The Information Commissioner acknowledges that the Leveson Report is critical of the work of the ICO relating to the regulation of the press. However, he points out that since the period during which the bulk of the activity analysed by the Leveson Inquiry took place (2003-2007) the ICO has changed a lot, with the ICO having an enhanced enforcement tool kit and a more effective management structure.

In response to the Leveson Report's specific recommendations for the ICO, the Information Commissioner has proposed, among other things, the following action points:

  • Revising the ICO's Data Protection Regulatory Action Policy to include details on how the ICO will use its regulatory powers in relation to the press
  • In consultation with the press and broadcasting industry and the new press regulator, developing a Code of Practice on the DPA and the media
  • Preparing and issuing guidance to the public on their individual rights in relation to the obtaining and use of their personal data by the press, and how to exercise those rights
  • Adding a section to the ICO's website dedicated to giving advice to individuals on their information rights vis-à-vis the media
  • Drafting a stakeholder engagement plan detailing the key stakeholders in the press and the nature and frequency of contact required. Once completed, considering establishing a media reference panel, to ensure a ready source of expertise is available to the ICO on key media issues
  • Continuing to digest the Leveson Report and considering whether the ICO should establish a cross-office Enforcement Board to oversee the application of all the ICO's prosecution and civil enforcement powers

The Information Commissioner also provided his views on certain recommendations of the Leveson Report directed at the Ministry of Justice, including those regarding:

  • Scaling back the exemption from the obligations to comply with certain data protection principles and individual information rights, currently contained in section 32 of the DPA, in relation to the publication of journalistic material
  • Allowing compensation for pure distress (not just distress associated with damage) for breach of the DPA
  • Increasing the severity of the sentences available for criminal offences under section 55 of the DPA (concerning the unlawful use of personal data)
  • Increasing the scope of the prosecution powers of the Information Commissioner
  • Reconstituting the ICO as an Information Commission, led by a Board of Commissioners with a suitable range of expertise

The recommendations of the Leveson Report covered in the Information Commissioner's response would, if implemented, clearly have a major impact on the ICO and the DPA. In the Information Commissioner's blog post accompanying his response to the Leveson Report, he points out that he anticipates "many long and arduous telephone conferences as the new regulatory landscape takes shape in 2013".

ICO consults on subject access code of practice

The DPA provides individuals with the right of access to their personal information held by organisations, by making a subject access request. Once received, an organisation normally has 40 days to respond to the request.

The ICO has announced a consultation on a new draft code of practice on subject access requests, to help organisations handle subject access requests while supporting the public in taking control of their personal information. According to the ICO, during the last financial year the ICO received nearly 6,000 complaints from individuals regarding subject access requests, which was more than any other type of complaint. The new code of practice will aim to explain clearly and simply an organisation's legal responsibilities and individuals' rights under the DPA.

The draft code of practice and consultation document can be found here. The ICO is requesting individuals and organisations that have experience in handling or making subject access requests to review the draft code and provide their opinions. The closing date for the consultation is 21 February 2013, and the final code will be published in spring 2013. Clyde & Co will be submitting their comments on the consultation and will publish a summarised form of these once the consultation period has closed. If you have any comments which you would like to be fed in to the consultation, please do let your usual Clyde & Co contact know, or email Isabel Ost (

ICO comments on the draft Communications Data Bill

The draft Communications Data Bill proposes, among other things, to expand the powers of certain public authorities (in particular law enforcement authorities) to obtain "communications data" from "telecommunications operators", requiring them to log data of internet activity for the purpose of countering crime committed online. These powers will require additional data collection and retention by telecommunications operators. The new powers will be subject to certain safeguards, including as to data security and integrity and the destruction of data. Under the current draft, the ICO would be responsible for policing these safeguards.

The Joint Committee of both Houses of Parliament recently published a report on the Bill, which can be found here. The ICO has published a statement responding to this report, which is available here.

The Information Commissioner stated that he is concerned about the adequacy of the proposed safeguards that the ICO will be responsible for regulating. In addition, to ensure the security of retained personal information and its destruction after a certain period of time, the ICO believes it will require increased powers and resources. The Information Commissioner was therefore pleased to see this issue referred to in the report of the Joint Committee. The Information Commissioner emphasised (in a theme that seems to run through much of this month's news) that the report added to calls for stronger deterrent sentences for those misusing personal information, which the Information Commissioner wants implemented without delay.

The draft Communications Data Bill is currently being redrafted.

ICO highlights concerns over protection of personal data in local government

The ICO has highlighted its concerns relating to the standard of data protection in local government, following its recent issuance of a number of monetary penalties against local councils. The ICO has criticised local governments' attitudes towards protecting personal data. The Information Commissioner stated that recent fines have been caused by councils "treating sensitive personal data in the same routine way they would deal with more general correspondence" and that councils often do not appear to have "acknowledged that the data they are handling is about real people, and often the more vulnerable members of society". The recent penalties mean that 19 local councils have now received monetary penalties for breaching the DPA, totalling £1,885,000. The ICO states that it is pressing the Ministry of Justice for stronger powers to audit the data protection compliance of local councils and NHS bodies, if necessary without their consent.

The facts of some of the recent decisions are summarised below:

Leeds City Council: A support assistant in the children services department re-used (in line with the Council's policy) an envelope, which was originally intended for an unrelated external third party, for internal mail, but forgot to cross out the original address. The envelope was delivered to the originally-marked external recipient. The enclosed documents contained personal data relating to four data subjects, including confidential and highly sensitive personal data relating to a young person (including details of a criminal offence). Although the Council had overarching policies relating to data protection and information security, which were available to staff on its intranet together with limited training, there were no specific policies or training on security measures to be applied when sending sensitive personal data to internal or external third parties. The unintended recipient (a grandmother who had previously received correspondence from the Council relating to one of her grandchildren) sent an email to inform the Council that she received the documents. The Council collected the documents and sent a letter of apology to the affected individuals.

Devon County Council: A social worker prepared an adoption panel report using another family's report as a template, to remind her of the type of information to be included. The social worker was asked to send additional copies of her report to its original recipients, but accidentally sent copies of the template family's report. The template family's report contained confidential and highly sensitive personal data relating to approximately 22 data subjects, including information on the ethnic origin, religion, mental and physical health and alleged criminal activities of a couple being considered as part of the adoption process. The recipients did not return the template family's report for over two months. The Council had overarching policies on data protection and personal information security, but could not demonstrate that the social worker had read the policies and there was no specific guidance on the handling or posting of sensitive information. Data protection training, although available, was not mandatory and the social worker had not undertaken any of the Council's information governance training packages.

London Borough of Lewisham: A social worker on his probationary period took case papers relating to a child protection matter out of the office so that he could prepare for an upcoming court hearing over the weekend. Social workers were allowed by the Borough to take case papers out of the office without permission. The papers were carried in an opaque shopping bag, which the social worker mistakenly left on the train on his journey home. The bag containing the papers was recovered from the train company's lost property office seven days later. The papers contained confidential and highly sensitive personal data relating to a family who were the subject of care proceedings due to allegations of abuse and neglect against the perpetrators, including sexual abuse. Although the Borough had overarching policies on data protection and information security, there was no specific guidance on how sensitive personal data should be transported. Although training materials were available on the intranet, the social worker had not completed the relevant training.

In each of these cases, the Information Commissioner held that there was a serious breach of the data protection principle that "[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". In each case, the breach was considered likely to cause substantial distress to the affected data subjects.

Each of the councils failed to take appropriate organisational measures against unauthorised processing/accidental loss of personal data. The appropriate measures differed in each case and included:

  • Having different envelopes for internal and external mail that are clearly distinguishable
  • Having a peer checking process for envelopes containing confidential and sensitive personal data
  • Having appropriate and robust policies, guidelines, procedures and training for staff
  • Providing security locks for bags and considering a more secure means of accessing sensitive personal data out of the office (e.g. encrypted USB pens)

Leeds City Council was fined £95,000, Devon County Council was fined £90,000 and the London Borough of Lewisham was fined £70,000.

ICO highlights FOI requests made in 2012

The ICO has published a news release illustrating the kind of information that has successfully been obtained during 2012 by way of freedom of information requests made under the Freedom of Information Act 2000. Under the Act, individuals have the right to ask public authorities for official documents (eg minutes of council meetings and details of public spending). The public authority must then provide the information or explain why the information should not be disclosed. Individuals can complain to the ICO if a public authority wrongly refuses to release the requested information.

According to the news release, Ministry of Justice figures showed that 37,313 information requests were made to central government offices in the first three quarters of 2012, with many more being made to local councils, NHS bodies, police forces and other public authorities. Freedom of information requests revealed, for example, that there are 43,586,400 fake one pound coins in circulation and the amount of gifts given to the Metropolitan Police Force by businesses.

Looking forward, the Deputy Information Commissioner describes how he expects more information to become available in 2013. Changes to the regime are being explored to look at the way public authorities release information, which could include providing data in formats that make it easier to process and analyse and providing licences for others to re-use information to benefit the public.

ICO announces freedom of information monitoring of four public authorities

The ICO has announced that the Department for Education, the Department for Work and Pensions, the Office of the First Minister and Deputy First Minister in Northern Ireland and Wirral Metropolitan Borough Council will be monitored for the first quarter of 2013 over concerns about the timeliness of their responses to freedom of information requests. These public authorities were selected for monitoring as they either failed to respond to 85% of freedom of information requests within the time limit of 20 working days or had exceeded the time limit by a significant margin on numerous occasions. The Information Commissioner stated that the ICO may take further action after the monitoring period has expired if there is not the necessary improvement in the authorities' standard of compliance.

International Focus - Dubai

The DIFC Data Protection Law Amendment Law was enacted on 23 December 2012, with the intention of increasing transparency, efficiency and effectiveness in the exercise of the DIFC Commissioner of Data Protection's (the Commissioner's) powers. It amends the existing DIFC Data Protection Law and the Data Protection Regulations. The Dubai International Financial Centre (DIFC) is a federal free zone in Dubai, UAE. It is one of very few jurisdictions in the Middle East to have implemented a specific data protection regime.

The key changes to the Law and Regulations are:

  • A new requirement for Data Controllers to notify the Commissioner of any changes to their data processing activities within 14 days of the change(s) occurring
  • An express provision that a Data Controller may contravene the Law by any act or omission that is not compliant with the Law or the Regulations
  • An ability for the Commissioner to apply to the DIFC Court for an order directing compliance and the payment of costs by Data Controllers
  • A formal system under which the Commissioner may impose a fine (with fines ranging from USD 5,000 to USD 25,000 depending on the relevant contravention)
  • A change to the definition of Personal Data to cover personally identifiable data processed by automatic means or recorded as part of any filing system where specific information relating to a particular individual is readily accessible

The amendments are not extensive but help to clarify Data Controllers' practical obligations under the Law. Further, the introduction of a formal system of fines is likely to assist in encouraging increased understanding of and compliance with the Law.

Please click here to view the full update

SCL Seminar – Have you got IT covered?

On 29 January 2013 Clyde & Co hosted and sponsored an IT event for the Society for Computers and Law. This seminar entitled 'Have you got IT covered?' was attended by many in-house and private practice lawyers, and representatives of insurers.

The session was chaired by Dr David Sharp of Charteris plc and the panel included Andrew Horrocks, partner in Clyde & Co's Professional and Commercial Disputes team who has wide IT-related claims experience, and Phil Mayes of Lockton's Global Technology practice. The talk looked at insurance contracts and policy coverage within the IT sector, assessing IT risks and liabilities when taking out insurance, and the effect of insurance on limitation of liability clauses in IT contracts. The seminar also covered likely future developments in this developing area of insurance including cyber-liability, BYOD (bring your own device) and cloud computing plus other legal pitfalls and issues.

For further information on any of the issues discussed, please contact Andrew Horrocks (

For more details about SCL please visit

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
