More than 200 senior members of the legal profession – including QCs, law professors, senior lawyers and former judges – have signed an open letter to the UK Government condemning the Investigatory Powers Bill currently before Parliament. The letter describes the Bill as “unfit for purpose”, citing its failure to reflect international standards for surveillance powers, especially in relation to bulk data collection, targeting, and grounds for the issuing of warrants.
The UK Information Commissioner’s Office has fined Crown Prosecution Service (CPS) £200,000 for failing to maintain the security of recorded police interviews with victims and witnesses. The interviews concerned 31 police investigations, nearly all of which were on-going and of a violent or sexual nature.
CPS couriered unencrypted DVDs containing the videos of the police interviews to a private film company for editing. The film company used a residential flat as a studio. The studio was burgled and two laptops containing the videos were stolen. The laptops, which were left on a desk, were password protected but unencrypted and the studio had no alarm and insufficient security.
The Commissioner considered that CPS failed to take reasonable steps to prevent the breach. On the facts, the Commissioner concluded that reasonable steps would have included:
- inspecting the film company’s premises to ensure that they were suitable for the editing of videos containing police interviews;
- having a guarantee that the unencrypted DVDs would be stored in a lockable cabinet;
- having a guarantee that any laptops containing the videos were encrypted by the film company; and
- provision had been made for the return or destruction/erasure of the DVDs/videos at the end of the case.
The UK Information Commissioner’s Office has a released a new guide to help organisations not to disclose personal data by mistake when responding to information requests under the Data Protection Act 1998 and the Freedom of Information Act 2000.
Handy tips include:
- hiding personal data in “hidden data fields” of the document is not good practice, and is an ineffective way of removing or masking personal data for the purposes of redaction.
- when using a highlighter tool to mark text for someone else to redact, do not use a black highlighter. A different colour (eg yellow) should be used to clearly indicate which text requires redaction yet also show that the original text remains. Further, for permanent redaction, organisations should specific redaction software.
- a large amount of meta-data can be embedded within files (such as word documents, spreadsheets, and emails). If one intends to redact information such as the sender’s or recipients’ email address or part of the email subject, this information should also be removed from the meta-data or remove the meta-data entirely.
Link(ICO): ICO Guide
The Information Commissioner’s Office has fined Pharmacy2U Ltd (UK’s largest NHS approved online pharmacy) BGP$130,000 for selling more than 20,000 customers’ personal data to marketing companies without their informed consent.
The Commissioner emphasised that Pharmacy2U:
- ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially when the company’s own website described the service as “discreet and confidential”, and
- should have displayed a notice in a prominent position on its website which provided its customers with a simple way to opt out of the sale of their personal data to third party organisations.
Link (ICO): ICO’s Decision
Some recent case law from the UK:
Dr Ranger twice sought to be appointed to the House of Lords as a non-party-political life peer, both times without success. He brought a claim for disclosure of two letters sent by third parties to the House of Lords Appointment Commission concerning his application. He asserted that he had a right to see the letters under section 7 of the Data Protection Act (UK) 1998. He also sought material produced by the Commission in considering his application. The UK High Court dismissed the claim, based on the exemption in s37 of the Act for personal data processed for the purposes of “the conferring by the Crown of any honour or dignity”.
Two points may be of general interest:
First, although not determinative of the case, the Court expressed doubt over whether the letters would necessarily be regarded as containing “personal data” merely because they expressed views on Dr. Ranger’s application. The Court referred to the previous High Court decision in Durant v Financial Services Authority  EWCA Civ 1746, holding that “mere mention of the data requester in a document held by the data controller does not necessarily amount to [personal data under section 7 of the Act]“.
Second, the Court rejected arguments that the exemption in s37 was disproportionate and therefore not “a necessary measure to safeguard the protection of the rights and freedoms of others” permitted by the Data Protection Directive 95/46/EU. In doing so, the Court explicitly recognised the need to protect the privacy interests of those submitting information in confidence, as well as the broader public interest in encouraging full and candid submissions to the House of Lords Appointment Commission.
Link (BAILII): Ranger v House of Lords  1 WLR 4324
When data breach incidents occur and businesses begin internal investigations they are unlikely to know precisely what conclusions they will reach. It is clear that documents created following a serious, adverse incident could have far reaching implications in any subsequent litigation or prosecution
She goes on to recommend:
- Having a pre-prepared plan (and a pre-selected team) for investigating and managing data breaches
- Ensuring only the designated team can access documents relating to investigation/management of a breach
- Limiting the extent to which these documents are circulated to any broader group
Link (Outlaw.com): Data breach management – making use of legal privilege