Gannons – Unauthorised Release of Data

What happens if, through no fault of your own, there is an unauthorised release of data? Answer: you run the risk of fines of up to £500,000 and criminal prosecution. Under UK law, any entity (i.e. companies, partnerships or individuals) that processes personal data must take ‘appropriate technical and organisational measures’ to protect that data, as required by the Data Protection Act 1998. Protection is needed against a data security breach, for example where there is a deliberate attack on the system and unauthorised people gain access to personal data.

Who is responsible?

The way the law works is to ensure that in any business there is a “data controller” who carries responsibility, and there is no way of avoiding that responsibility. The data controller is given the job of managing and checking the work of the data processors under the Data Protection Act, supplemented by the ICO’s Guide. The ICO’s Guide outlines the steps that data controllers are expected to take to ensure data security, for instance assessing the level of security required, for which the ICO’s Guide recommends assessing the extent of access to personal data. Crucially, data controllers must develop a sophisticated data security breach management strategy, which should ensure that all potential risks are accounted for and that personal data can be effectively recovered should a breach occur.

How do you go about complying with the data protection laws?

There are various directives on processing personal data, and the best advice is to devise a data protection strategy that complies with them. The strategy involves first identifying and evaluating the various issues, including potential entry points into the system (such as computer viruses), areas exposed to risk (such as e-mail) and the sources from which personal data is collected. Not all businesses are the same, and hence compliant strategies are not all the same. Having acknowledged all the issues, it is necessary to determine a personal data protection approach: either centralised, where there is a single officer; devolved, where there are local personnel with varying levels of authority and a high degree of consensus and communication; or a mid-range approach, where there is a single decision-making body of people.

The ICO monitors all activity very closely. For example, in 2007, 11 banks were publicly condemned for their poor standards of personal data disposal (records were dumped in the bins outside). In Aug 2014, the ICO fined the Ministry of Justice £180,000 following the loss of a single unencrypted hard drive.

All persons processing personal data need to register with the ICO before processing personal data (http://ico.org.uk/for_organisations/data_protection/registration). However, registration is not enough. Businesses must at all times meet the ICO’s standards for information security, but the standards have to be taken from various sources, as they are unhelpfully not all in one publication. In practice, the data protection rules and regulations only get reviewed when it is too late: there has been a breach and the risk of fines and criminal sanctions is live. This occurred in September 2013, when a bank employee released information about a customer to the customer’s then partner via unauthorised and illegal means, resulting in prosecution of the employee at a Magistrates’ Court and a fine for her actions. One of the points about the data protection laws in the UK is that the ICO can decide to pursue the employee or the employer or both.

Unauthorised snooping

Security has become increasingly important with the use of modern technology, especially given the difficulty of encrypting e-mails. With inadequate protection, employees/employers may gain unauthorised access to confidential information, leading to an increased risk of a data security breach. This commonly occurs when employees/employers physically or electronically access the e-mail accounts of others, in particular the accounts of those in the HR or finance departments. A likely remedy for snooping employees is disciplinary action, where the employee can expect to face suspension or dismissal; however, this depends on the type of conduct committed, and there are different levels of response an employer can take without risk of an unfair dismissal claim. For example, the employee/employer may be in ‘breach of the business’ internet and e-mail policy’, or they may be in ‘breach of trust’ with their employer, or such an action may be recognised in the disciplinary procedures as ‘gross misconduct’. This does assume, though, that there is a policy in place and that it was communicated in the first place. Without a policy, the employer will find the steps open to him curtailed, and there is a greater risk of an employment law related claim against the employer. In 2010 a Google employee was fired on the grounds of ‘breach of trust’ after he accessed clients’ email accounts without approval or instruction.

Right to know

People are allowed to access information held about them. However, the Proceeds of Crime Act 2002 means that data processors are obliged not to release any information at all regarding people who are the subject of suspicious transaction reports. There is also the European Convention on Human Rights to consider. Various issues arise under the Human Rights Act, which implements the European Convention, such as (but not limited to) Article 8, which preserves the right to privacy, and Article 10, which upholds freedom of expression. In many respects the Data Protection Act conflicts with the Human Rights Act, but that does not make it any easier to work out what the best step is, and invariably expert assistance is needed. Your position will be stronger in many cases if you can point to a documented policy that complies with the laws and has been communicated to all concerned. That is where our expert commercial lawyers will improve your position.

Written by: Catherine Gannon

Catherine Gannon is a commercial law specialist solicitor who works with businesses of all descriptions to help them stay within the law and operate commercially.
