Welcome to the September Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

ICO fine company for data being put at risk

The Information Commissioner's Office (ICO) has fined TalkTalk for failing to hold customer data securely. A large amount of customer data was accessible on a TalkTalk portal to an external company, Wipro Limited (Wipro), who provided assistance with resolving complaints and network coverage problems. The access was provided without sufficient security or access restrictions.

TalkTalk carried out an internal investigation following customer complaints of scam callers pretending to be providing technical support and in possession of their TalkTalk account number. The investigation uncovered that three of Wipro's employees had misused their right to the data on the portal and unlawfully gained access to the details of up to 21,000 individuals. Although no causal link was found between the unauthorised access and these calls, the ICO found that TalkTalk had breached its duty to have appropriate safeguards in place around customers' data on the platform.

The ICO found three major concerns in respect of the forty Wipro employees with access to the portal. First, while the portal had controlled access by the use of log-in details, there were no controls over the devices that could connect to the portal. Second, there was no restriction on the data accessible to the Wipro staff, i.e restrictions to specific customers as required, instead some 25,000 to 50,000 customer records were available to the Wipro employees. Third, the Wipro employees could make wildcard searches capable of generating up to 500 records at any one time. The ICO found that this level of access was unacceptable.

The ICO fined TalkTalk £100,000 for breaching the seventh principle of the Data Protection Act, failing to take adequate measures to keep personal data secure.

Click here to read the monetary penalty in full.

ICO Draft Guidance on Contracts and Liabilities between Controllers and Processors

The Information Commissioner has published draft guidance on the contractual clauses to be in place between data controllers and data processors under the GDPR and their respective liabilities. The GDPR, coming into force in May 2018, requires specific written contractual provisions to be in place between data controllers and data processors.

As the publication is draft guidance, the ICO are requesting feedback on the guidance by 10 October 2017. We plan to submit our views as part of the consultation and encourage all our readers to do the same. If you would like to discuss the paper further, please feel free to contact Mark Williamson or Isabel Ost.

Click here for the ICO draft guidance and consultation papers.

ICO fine council for personal data exposed online

Nottingham County Council was fined £70,000 by the ICO for failing to take adequate measures to keep sensitive information secure.

The Council launched in July 2011 an online portal, Home Care Allocation System, to assist with assigning support to elderly and disabled persons. The portal contained an online directory with contact details, individuals' care requirements and whether the person was currently in hospital, but did not include the individual's name. The portal did not have any security or access restrictions and the data was discovered to be accessible using a search engine with no username or password requirements to access the data. At the time the breach was reported, the system contained details of 81 (unnamed) individuals, but is understood to have held information relating to about 3,000 people over the 5 years before the issue was flagged.

The online portal had no authentication process to identify users or provide a secure access route. The ICO found that the Council breached the seventh data principle of the Data Protection Act by failing to take appropriate technical measures to prevent unauthorised and unlawful processing of personal data.

Click here to read the monetary penalty notice.

Restrictions on employee monitoring in the German workplace

The highest labour court in Germany has ruled that unless there is a firm suspicion of a criminal violation or a serious breach of duty German employers are not permitted under current data privacy law to monitor employees in the workplace, for example by the use of key logging software. Key logging software records and monitors computer activities and this particular software also took screen shots.

In this case the employer suspected that an employee was spending significant amounts of time using his computer for private activities. The key logging software showed that the employee had been spending time during working hours doing private activities and the employer decided to terminate his contract. The court held that the information gained from the key logging software was not admissible as it was obtained in violation of German domestic data protection legislation. The court stated that the employer could have used alternative ways to investigate the case that were not so invasive, such as checking the employee's computer in the presence of the employee. The court went on to hold that monitoring by employers was not permitted unless there was a well-founded suspicion of a criminal offence or other serious breach of duty.

This decision in Germany is along similar lines to the Article 29 Working Party's recent opinion on monitoring in the work place. A case this month before the Grand Chamber of the European Court of Human Rights considered the monitoring of personal messages sent and received from a work related messaging application. On the facts of that case the court found that Article 8 of the European Convention of Human Rights (right to respect one's private life) had been infringed, however, it did not hold that there should be a blanket ban on employee monitoring but set out factors to be considered in examining whether the Article 8 right has been breached. These factors include:

  1. whether the employee has received notification that the employer might take steps to monitor communications, the implementation of such measures and that notification about the nature of monitoring should be clear and given in advance;
  2. the extent of the employer's monitoring and the level of intrusion into the employee's privacy;
  3. whether the employer has provided legitimate reasons to justify monitoring communications and the actual content;
  4. consideration over whether monitoring by less intrusive means would have been possible and whether directly accessing the full contents of the employee's communications was required;
  5. the consequences of the monitoring and whether the results achieved the initial stated aim of the measures; and
  6. the safeguards that have been put in place, particularly with intrusive monitoring operations.

German Judgment case reference 2 AZR 681/16, 27 July 2017

Băbulescu v Romania (Application no.61496/08) [2017] ECHR 742, 5 September 2017

Click here to open the Article 29 Working Party website from which the opinion can be downloaded.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.