The In-House Lawyer

Data protection: how can a breach affect you and your organisation?

Substantial volumes of personal data are held by both private- and public-sector organisations. Data protection legislation exists to balance the legitimate rights of organisations to hold and process this data and the interests of the individual concerned.


Recent breach


On 6 March 2009 the Information Commissioner’s Office (ICO) announced that it had uncovered a database held by a business containing details of over 3,000 construction workers, which the ICO claimed had been used by more than 40 construction companies to vet individuals for employment. The ICO states that the information included sensitive personal details, such as construction workers’ personal relationships, trade union activities and employment histories. The ICO claimed that construction firms could subscribe to this database service, paying an additional fee for specific details on named individuals.


Press coverage has indicated that records uncovered at the business’s offices included descriptions of individuals such as ‘ex-shop steward, definite problems’ and ‘Irish, ex-Army, bad egg’.


The ICO announced that it would take enforcement action to prohibit any further processing of the information held, that the owner of the business would be individually prosecuted and that action would also be taken against the construction firms alleged to have been involved. David Smith, the Deputy Information Commissioner, expressed disappointment that so many construction firms appeared to have been involved in an allegedly illegal system for many years and that they were not meeting their obligations under data protection legislation.


Public concern


Public concern regarding the security of personal data has increased as a result of high-profile incidents involving the loss of confidential information. Such cases include the loss of the details of over 25 million recipients of child benefit and of nearly 600,000 individuals interested in joining the armed forces.


Against this background, the Joseph Rowntree Reform Trust Ltd published a report on 23 March 2009 reviewing the data held by the state.1 The authors concluded that 11 of the 46 biggest schemes, including the national DNA database, were in breach of domestic or European data protection legislation.


Although the highest-profile cases have related to the public sector, the press coverage given to them demonstrates that the consequences of breaching data protection laws go far beyond the penalties that can be imposed.


Data Protection Legislation


The Data Protection Act (DPA) 1998 controls formal use of all personal information. DPA 1998 applies to all organisations that hold and use information about individuals in a systematic way. This includes information held on computers and in manual records. Information about an individual is referred to as ‘personal data’, the individual concerned is the ‘data subject’, and the organisation holding and using personal data is referred to as the ‘data controller’.


DPA 1998 requires the data controller to register with the ICO and tell it:


  1. what type of information it holds;

  2. what it uses that information for; and

  3. to update the ICO accordingly if the type of information or how it uses it changes.


DPA 1998 only allows the data controller to hold and use personal data if it meets one of six conditions:


  1. the person to whom the information relates has given their consent;

  2. it is necessary to enable the data controller to comply with a legal obligation;

  3. it is necessary to be able to enter or complete a contract with the individual;

  4. it is necessary to be able to protect the vital interests of the individual concerned;

  5. it is necessary to assist the administration of justice; or

  6. it is necessary for the legitimate purposes of the data controller, unless this is unwarranted by reason of prejudice to the rights and freedoms of the data subject.


More restrictive conditions apply where the personal data relates to racial or ethnic origin, political and religious beliefs, trade union membership, sexual life, health, and criminal convictions or cautions.


The conditions that may justify the use of this particularly sensitive information include where:


  • the data subject has given their explicit consent;

  • it is necessary to exercise or perform a right or obligation that is conferred or imposed by law upon the data controller in connection with employment;

  • it is necessary to protect the vital interests of the data subject and their consent cannot be obtained or their consent has been unreasonably withheld;

  • it is carried out in the course of the legitimate activities of a not-for-profit political, philosophical, religious or trade union organisation;

  • the data has been deliberately made public by the data subject; or

  • it is necessary to conduct legal proceedings or to obtain legal advice.


Even when a data controller can meet one of the required conditions it must also ensure compliance with eight data principles. The eight principles are:


  1. to use and process the information fairly;

  2. only to use the information for a specified and lawful purpose;

  3. to ensure the personal data is adequate, relevant and proportionate to the purpose for which it is held;

  4. to ensure that the information is accurate and up to date;

  5. not to hold the information for longer than necessary;

  6. to take appropriate measures to prevent unauthorised/unlawful use and to prevent accidental loss of the personal data;

  7. to process data in accordance with the rights of individuals set out in DPA 1998, including the rights to be notified and have access to the data held; and

  8. not to transfer information abroad unless there is appropriate legal protection.


Penalties and Enforcement


It is a criminal offence for a data controller to fail to comply with its obligation to register with the ICO or to notify a change in the data that it holds and how it is processed.


Information notice


At present, however, the ICO has limited powers to regulate compliance with the provisions of DPA 1998. When considering whether there has been a breach the ICO may issue an ‘information notice’. This requires the organisation to provide details about what information it holds and how it is used. Failing to comply with an information notice or providing false information is a criminal offence. However, the requirements of the information notice do not take effect until after the expiry of the time limit allowed for an appeal or the conclusion of any such appeal.


Enforcement notice


If the ICO is satisfied that there has been a breach of the provisions of DPA 1998, it may issue an ‘enforcement notice’ requiring the data controller to take measures to rectify the breach. In a case such as that involving the construction workers’ database, the enforcement notice may have the practical effect of requiring the data controller to cease all of its commercial activities. As with an information notice, the requirements do not have to be complied with until after the expiry of the appeal period, or after the appeal itself. Failure to comply with an enforcement notice is a criminal offence.


In both the information and enforcement notices, the ICO may certify that the notice must be complied with urgently. However, even this power is subject to appeal and the data controller cannot be ordered to comply within less than seven days.


Where the data controller is a corporate body, it can be prosecuted for failure to comply and can be penalised with an unlimited fine if convicted. In addition, a director, manager, secretary or similar officer of a corporate body can be held personally liable under DPA 1998 if the offences related to failing to register, breach of an enforcement notice, or breach of an information notice are committed with their consent, connivance or neglect.


An individual can be convicted of a criminal offence under s55 DPA 1998 if they obtain or disclose personal data without the consent of the data controller. The individual will not commit an offence if they can show that they believed that they had consent, or if they can justify their actions on the following grounds:


  • that it was necessary to prevent or detect crime;

  • that it was required to comply with a legal obligation; or

  • that it was otherwise justified by the public interest.


At present, the offence of unlawfully obtaining or disclosing personal data can only be punished by way of a fine. The Criminal Justice and Immigration Act 2008 makes provision for the Secretary of State to alter the penalty for an offence under s55 DPA 1998 to enable a custodial sentence to be passed. As yet, the Secretary of State has not exercised that power.


Enforcement History


Over the past two years the ICO has prosecuted several organisations and those who manage them for failing to register as data controllers. Those prosecuted have included solicitors, accountants and debt-collection companies. The fines imposed have varied from £100 to £5,000.


The ICO has also acted as a result of often high-profile breaches of security in respect of personal data. In June 2008 the ICO announced that it would be serving an enforcement notice on HM Revenue & Customs (HMRC). On 18 October 2007 two CDs, holding the personal data of up to 25 million individuals, were sent by the Child Benefit Office to the National Audit Office using an internal postal system operated by a courier company. The CDs were lost and never found. As a result, an enforcement notice was served requiring HMRC to take steps to ensure the security of the data that it holds. The enforcement notice further required HMRC to publish progress reports, over the following three years, demonstrating how it was complying with its obligations.


Breaches of data security are not confined to the public sector. In January 2008 a well-known retailer was served with an enforcement notice following the theft of a laptop computer, containing details of the pension arrangements of its employees, from the home of one of its contractors. The data was not encrypted. The enforcement notice required the retailer to ensure that all laptop hard drives were fully encrypted within a matter of months. In similar situations, the ICO has been prepared to receive a formal undertaking from the data controller as an alternative to the service of an enforcement notice. In March 2007 several banks entered into such undertakings after discarded personal information was found in waste bins outside their premises.


The ICO has also used its enforcement powers to address the way in which data is processed. In January 2008 two telephone retailers and service providers were served with an enforcement notice after an investigation revealed that they had been opening customer accounts in the wrong name and passing inaccurate information on to credit-reference agencies and debt-collection agencies.


With the recent case involving construction companies, the ICO has used a variety of its powers. The owner of the business is to be prosecuted for failing to register as a data controller. The business was served with an enforcement notice ordering it to cease its activities. The ICO regarded the breach as so serious that, for the first time, compliance with the enforcement notice was required within the minimum period of seven days.


Future Reform


For some time the ICO has expressed concern that it has insufficient powers to prosecute and to enforce compliance. As a result, in December 2007, the ICO published proposals for the amendment of DPA 1998.2


The ICO identified that, with the exception of failing to register, a breach of the DPA 1998 provisions by a data controller could only lead to criminal prosecution following a failure to comply with an enforcement or information notice. As a result, the ICO argued that a new offence should be created to deal with those who:


‘Knowingly or recklessly disregarded the requirements of DPA 1998 so as to create a substantial risk that damage or distress would be caused to any person.’


The ICO also highlighted the significant extent to which it relied on the co-operation of data controllers to investigate compliance with DPA 1998. The ICO highlighted the need for a power to inspect personal data, to be able to assess compliance with DPA 1998, and to be able to serve an information notice on any individual who may hold information relevant to an investigation, not just the data controller itself.


Furthermore, the ICO sought enhanced powers to bring serious unlawful processing to an immediate halt. At present, the data controller does not have to comply with the terms of an enforcement notice pending an appeal. Even in serious cases, the shortest period in which a notice will take effect is seven days. The ICO, therefore, argued that it needed to be given injunctive powers to bring serious breaches of DPA 1998 to an immediate halt.


One of these issues will be addressed by the forthcoming Coroners and Justice Bill. The Bill is presently before Parliament. In its current form, it will make provision for the ICO to serve an assessment notice that will allow an inspection of an organisation to determine whether it is complying with DPA 1998. However, these powers are limited to government departments and some public authorities. There is also no sanction for failure to comply with an assessment notice. As a result, the ICO is continuing to argue that the Bill should provide for the power to serve an assessment notice on all data controllers and sanctions to deal with non-compliance.


While many of the wider powers sought by the ICO have not been included in the Bill, it is clear that the public remain extremely concerned about how their personal data is dealt with. In light of that pressure, the ICO is likely to continue its calls for greater powers to regulate and penalise breaches of data protection legislation.


At present, penalties for a breach of data protection legislation are modest and a business will normally have ample opportunity to avoid a prosecution. However, dealing with an investigation or ensuring compliance with an enforcement notice is likely to cause significant disruption. In many cases a greater concern may be the damage done to reputation. Cases involving large-scale data loss have created a lack of public confidence about how personal data is protected in both the public and private sectors. Consumers and other businesses may be very wary of dealing with those with a poor record in this regard.


By Tim Coolican, partner in the business and regulatory investigations department, Russell Jones & Walker.


E-mail: t.s.coolican@rjw.co.uk.

Notes

  1. ‘Database State’ by Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath and Angela Sasse from the Foundation for Information Policy Research (UK). Available online at www.jrrt.org.uk.

  2. ‘Data Protection Powers and Penalties: the case for amending the Data Protection Act 1998.’ Available online at www.ico.gov.uk/upload/documents/library/corporate/detailed_specialist_guides/data_protection_powers_penalties_v1_dec07.pdf.