November 2016: A record fine imposed by the Information Commissioner’s Office (ICO) sends a strong message to businesses of the importance of keeping personal data secure, especially financial information. The ICO issued a £400,000 monetary penalty notice to TalkTalk Telecom Group plc for failing to keep personal data secure. The ICO’s investigation found that TalkTalk had failed to have appropriate security measures in place, which could have prevented the cyberattack.

September 2016: The Information Commissioner’s Office (ICO) has recently imposed fines on several organisations for data breaches:

  • Hampshire County Council was fined £100,000 for failing to implement effective contingency plans to protect personal data when decommissioning a disused building. Social care files of over 100 people, containing highly sensitive information about adults and children in vulnerable circumstances, were discovered in the disused building by the new owners. The building also contained 45 bags of confidential waste.
  • Regal Chambers, in Hitchin, Hertfordshire, was fined £40,000 for an unauthorised release of confidential information about a patient and her family. Despite express warnings from the patient that staff should take particular care to protect her details, the information was released in response to a Subject Access Request made by the patient’s estranged ex-partner.
  • Whitehead Nursing Home in County Antrim, Northern Ireland, was fined £15,000 for failing to keep the personal information they hold secure. The breach occurred when a member of staff took an unencrypted work laptop home, which was stolen during a burglary overnight. The laptop contained sensitive personal details relating to 46 staff and about 29 residents.

June 2016: The recent prosecution by the Information Commissioner’s Office of an employee who transferred information about company clients before moving to a new job sends a clear message about the consequences of unlawfully obtaining client data.

The former employee sent details of 957 clients to his personal email address before leaving to start a new role at a rival company. The email contained commercially sensitive information, which included personal data in the form of contact details and the purchase history of customers.

March 2016: The Information Commissioner’s Office (ICO) has launched a data protection self-assessment toolkit for small and medium sized enterprises (SMEs) on its website. The new tool is designed to help SMEs evaluate and improve their compliance with the Data Protection Act 1998 (DPA). It has also published an updated guide to IT security aimed at small businesses. The ICO encourages businesses to use the guide to assist with putting appropriate IT security systems in place, avoid data breach fines and comply with obligations under the DPA.

February 2016: The Information Commissioner has reiterated his call for stronger sentencing powers for people convicted of stealing personal data. His comments come after a former car rental company employee was convicted for unlawfully obtaining, disclosing and selling personal data, in the form of customer records.

While working from home as an administrative assistant for Enterprise Rent-A-Car, the defendant photographed on-screen customer records received from an insurance company. These included policyholder and claim information, typically concerning individuals involved in road traffic accidents. She sold copies of 28,000 records for £5,000 in cash to a man she claimed to have met after he approached her husband in a pub. The buyer of the records was also convicted under data protection legislation.

This serves as a reminder that businesses must put in place appropriate technological and organisational security measures to comply with data protection legislation. They should train staff on the importance of protecting personal data and ensure that they understand the dangers of unlawfully obtaining, disclosing, buying or selling personal data, for example, by alerting their staff to the risks of people trying to obtain personal data by deception.

December 2015: The Information Commissioner’s Office has fined an online pharmacy £130,000 for selling details of 21,500 customers (without their informed consent) to third parties. The penalty is the first of its type to be issued for a breach of the first data protection principle, regarding fair and lawful processing of personal data.

The company collected personal details through its customer registration process and, when registering, customers could untick a pre-ticked box to indicate they did not wish to receive marketing emails. However, extra optional click-throughs were required to access the company’s privacy policy, which explained that to opt out of personal data being shared with third parties, customers had to log into their account and change their settings.

This decision sounds a warning to businesses that collect personal data to ensure that they provide clear information, in a prominent position, to customers as to how their data will be used and who it will be shared with. They must also provide customers with a simple way in which to easily express their preferences in relation to the use of their personal data.

October 2015: The Information Commissioner’s Office (ICO) has fined a nationwide money lender £180,000 for failing to keep customers’ personal information secure. The fine illustrates, once again, the importance for businesses of being aware of their obligations under the Data Protection Act 1998.

In this case, one server was stolen from a company office and a second server was lost while being transported from the firm’s head office to a branch. Both servers held customer records and records relating to the company’s employees. The ICO found that the company did not encrypt the personal data held on its servers. In addition, some of its branches did not have a “safe haven” (in which to lock a server holding personal data overnight) or alternative physical security measures. The ICO considered that the loss of unencrypted personal data could cause distress and damage to the company’s customers if, for example, it was used for fraudulent purposes.

November 2014: The Information Commissioner’s Office (ICO) has published an updated code of practice for CCTV and other types of surveillance cameras. It provides best practice advice, for those involved in operating CCTV and surveillance cameras that view or record individuals’ information, on how to comply with the Data Protection Act 1998. The code now provides specific guidance on particularly intrusive technological developments that the ICO believes may become increasingly popular, including body worn video, automatic number plate recognition systems and automated recognition technologies.

This business briefing highlights the key legal obligations a business should consider when dealing with personal data about customers, suppliers, employees and any other individual who may be encountered during the course of business.

Penalties for failing to deal with personal data appropriately; There could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines) if personal data is not handled properly.

Protecting and securing personal data: Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information held by a business or a third party. Personal data needs to be protected and kept secure. This data may include:

  • Name
  • Email address
  • Telephone numbers
  • Date of birth, and
  • Notes written about someone (such as an annual performance review)

Particular care must be taken with sensitive personal data (for example, medical records) as more restrictive requirements apply to this type of data. The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on a business’ CCTV footage.

Collecting personal data: A business can only collect personal data if it has a legitimate reason for doing so (for example, because a new employee is coming to work for the business). When a business collects data about an individual, the business will need to tell that individual what it intends to do with their data (for example, if the business is collecting a customer’s e-mail address to confirm an order). If the purposes for which the business wants to use someone’s data changes, the individual must be informed once again. Businesses should only collect information they require at that particular time. For example, a job applicant should not be asked for their bank details. This type of data should only be collected once the applicant has started to work for the business. If a business wants to use someone’s data for marketing purposes, the individual must be informed. It is good practice to do this at the time the data is collected. In some cases (such as text or e-mail marketing) a business will generally require the individual’s explicit consent.

Using data collected on individuals: A business is generally allowed to use someone’s personal data if they have given their consent. The data can also be used in other circumstances, for example, if the business:

  • Needs to use the data to fulfil a contract with a customer (such as using their address to deliver goods to them), or
  • Has a legitimate interest in using it, although this must be balanced with the individual’s rights. For example, if a part of a business has been sold to a third party and the business needs to transfer customer data to it

Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff). If a business wants a third party to manage data (such as carrying out payroll services) it should take legal advice. The business will still be responsible for protecting the data and will need to enter into a written contract with the third party. Businesses should take legal advice if they are considering transferring any data outside the countries in the European Economic Area. It is very easy to transfer data outside the country a business is based in (for example, by sending an e-mail to an office outside the UK). If the data is being used in marketing material, businesses should check that the recipient is aware that their data may be used for this reason and confirm they do not object. A business will generally need the individual’s explicit consent (opt-in) for e-mail, fax and text marketing. If the individual is an existing customer, the business may be able to market similar products to them by these means without prior explicit consent. Businesses should take legal advice in these circumstances. If a business is considering using sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), it should take legal advice.

Storing personal data: All data must be accurate and up to date. Databases should be regularly cleaned and out-of-date information must be deleted. Data should only be held for as long as it is required and for the reason it was collected. For example, if personal data was collected to deliver a product a year ago and has not been used since, it should not be held on the basis that it may be needed for another reason at some time in the future.

Keeping data secure and confidential: Personal data must be kept secure at all times. For example:

  • Computers and files should be password protected
  • Personal data on laptops and other portable devices should be kept to a minimum
  • Manual filing cabinets containing personal data should be locked and only accessible to authorised personnel
  • Confidential documents should not be left unattended on desks, and
  • Personal data should be removed promptly from fax machines, printers and photocopiers
  • Ensure staff are appropriately trained to handle personal data safely and securely

When a business sends personal data, it must be done in a secure way (for example, confidential information should not be sent in the internal mail). Personal data must be disposed of securely (for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files). Confidential papers should not be put in the recycling bin. Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately. Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate.

When working away from the office or in public areas:

  • Ensure personal data stored on portable devices such as laptops, Blackberries, tablets or memory sticks is encrypted and kept secure at all times
  • Avoid leaving papers or electronic devices lying around
  • Make sure members of the public cannot see confidential documents or computer screens, and
  • Avoid talking about confidential matters when members of the public may be able to hear
  • Security breaches (such as accidentally losing personal data) should be reported to the appropriate person immediately
  • Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate

Enquiries about personal data: Businesses should have a system in place to deal with individuals who request details of the personal information that the business holds on them. A business is permitted to charge an administration fee of up to £10 for responding to this type of request. Individual employees should not deal with this type of enquiry, unless they have been given specific authorisation to do so. The request should normally be passed to the person within the business who has responsibility for data protection issues. Personal data should not be given out to the friends or relatives of an individual without that individual’s specific consent.

The content of this Business Briefing is for information only and does not constitute legal advice. It states the law as at November 2016. We recommend that specific professional advice is obtained on any particular matter. We do not accept responsibility for any loss arising as a result of the use of the information contained in this briefing.