Sept 2008 - Virgin Media Limited is found by the Information Commissioner’s Office to breach the Data Protection Act following the loss of an unencrypted CD containing personal details of some of its customers.

June 2009 - Manchester Council is found to breach the Data Protection Act after the theft of laptops containing personal details.

July 2009 - FSA fines three HSBC firms over £3m for its careless handling of personal data following an investigation of the firms’ data security systems and control.

The above cases are only a handful of data protection cases that have been reported in the past couple of years. As well as the financial implications of breach, the integrity of an organisation can be severely tarnished.

It is clear that it is important that organisations (whether in the private or public sector) need to take the management and security of data seriously and need to ensure that systems are in place to ensure compliance with the relevant legislation. 

Data Protection Legislation

In the UK, the protection of personal data is mainly governed by the Data Protection Act 1998 (the “DPA”) which implements the European Directive 95/46/EC. The DPA sets out eight principles when processing Personal Data. These principles are as follows:

  1. Personal Data must be processed fairly and lawfully and subject to certain conditions.
  2. Be obtained only for specified lawful purposes and not processed in any manner incompatible with those purposes.
  3. Be adequate, relevant and not excessive in relation to the purposes for which it is processed.
  4. Be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Be processed in accordance with the rights of individuals.
  7. Be subject to appropriate measures to protect against unauthorised or unlawful use.
  8. Not be transferred to a country or territory outside the European Economic Area (the European Union, plus Norway, Iceland and Liechtenstein) unless that country or territory ensures an adequate level of data protection.

If there is to be a transfer of data outside the UK, it is important to ensure that sufficient data protection provisions are in place, so:

  1. Where data is to be transferred to a country within the European Economic Area, each country within the European Economic Area will have implemented the European Directive 95/46/EC.
  2. Where data is to be transferred to a country outside the European Economic Area (other than the US), the data protection terms that have been approved by the European Commission must be put in place.  A copy of these terms can be found at: http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm
  3. Where data is to be transferred to the US:

    (i) it is important to check whether the organisation based in the US is a member of the US Safe Harbor; and

    (ii) if the US company is not a member of the US Safe Harbor, then the data protection terms that have been approved by the European Commission must be put in place (as above).

Breach of Data Protection

The Information Commissioner’s Office (the “ICO”) is the independent public body that enforces and oversees the DPA. The powers of the ICO include the following:

  1. Serving an Information Notice on an organisation requesting specific information. Such information will need to be provided within a set period, and is requested to allow the ICO to assess the organisation’s compliance with the DPA ;
  2. Serving an Enforcement Notice requiring the breaching organisation to take the necessary steps to comply with the DPA.

Failure to comply with either of the above notices is a criminal offence and can lead to a financial penalty being imposed.

It can be seen in the handful of cases above, the Financial Services Authority also has the authority to impose unlimited fines on organisations that breach data protection.

It is anticipated however that, with effect from April 2010, the enforcement powers of the ICO will be extended to include the right to impose penalties of up to 24 months imprisonment as well as a substantial fine for any individuals and businesses convicted of knowingly or recklessly committing serious breaches of the DPA, such as lost data due to inadequate security procedures.

A data controller’s duty under the DPA means that it is not only responsible for its own data security breaches but potentially also for breaches by organisations that process personal data on its behalf (such as payroll processors or webhosts).

Fung-Ling Leung
Law BCS

October 2009