Author: Eddie Powell
New Subject Access Code of Practice
Subject Access Requests (SARs) are the mechanism by which individuals can require businesses to supply them with details of the personal information held about them, a statutory right under the UK’s Data Protection Act 1998 (DPA).
The body responsible for enforcing the DPA, the Information Commissioner’s Office (ICO), has published a new Code of Practice which provides guidance for businesses in complying with these requests. The Code of Practice can be found on the ICO’s website here. Running to over 50 pages, the Code of Practice is not exactly light reading, but it is written in clear English and so should be easy to digest.
Even if you do not think of your business as a heavy user of personal data, most organisations will at some point or another be required to comply with a SAR (often in the context of a complaint or a dispute). It is therefore worth having a director or manager read the Code of Practice and make sure that, as and when this happens, you have a plan for how to deal with it.
Of course, Fladgate can provide guidance on and assistance in setting up a compliance programme, or dealing with individual SARs.
ICO power to fine for serious DPA breaches
Most readers will recall that the enforcement provisions of the DPA were considerably beefed up in 2008 by giving the power to the ICO to raise a “Monetary Penalty” (i.e. a fine) for serious breaches of the DPA. The amount of the fine can be up to £500,000.
The ICO has used this power fairly extensively, particularly against organisations which it considers have not taken adequate technical and organisational security measures to protect personal data which they hold.
The ICO fined the Scottish Borders Council £250,000 when confidential records which had been sent to a digitising company for scanning were discovered by a member of the public in a public recycling bin in a supermarket car park. The Council appealed the fine to the Appeal Tribunal. The Tribunal recognised that the penalty should reflect the breaches of the DPA committed by the Council, but not the digitising company’s unauthorised actions. The Council had contracted with the same company for a number of years without incident and it was not aware that the company had changed its approach to document disposal (clearly for the worse), although it did not have a proper contractual framework which required appropriate disposal processes to be used.
The Tribunal considered that although the Council was at fault, given the history of dealings with the company, the Council never dreamt their actions would be likely to result in public disclosure of the information, and that, because the statutory test was that the contravention was of a kind which was “likely to cause substantial damage or substantial distress”, the test was not satisfied – the Council did not know and could not have known that the contravention was likely to lead to any damage whatsoever. The Tribunal therefore revoked the fine.
The decision puts something of a brake on the ICO’s power to fine: it is no longer enough, in order to fine a data controller, to establish that its contractor failed to perform, or even that no adequate contract was in place, where nothing in the circumstances suggested that a problem was likely to occur.
Nevertheless, the circumstances of the case were fairly unusual, so businesses should make sure that if they entrust personal data to contractors, they do so under a solid written contract which includes strong commitments by the contractor to keep the information secure. In addition, a system for verifying that this is actually happening should be put in place.
Damages for DPA breach
Cases in which individuals have sued businesses to claim compensation for breach of the DPA and recovered substantial damages are rare. The DPA provides that an individual can sue for a breach, but he or she can only recover damages for distress caused by the breach where real monetary damage has occurred as well.
Recently, the Court of Appeal heard a case brought by a consumer against a credit provider who had put incorrect information on its system which had then been disclosed to credit reference agencies. The information only appeared for a fairly short time and it was a single incident, so the Court decided that the individual had suffered only nominal real damage as a result. This nominal award was set at £1, but the individual also claimed for damages due to the distress that the error had caused him. The Court considered that the fact that nominal damages had been awarded gave the Court the ability to award damages for distress but, given that the episode was a single incident and there was not a huge amount of evidence of what distress the consumer had suffered, it set the award for distress at £750.
The £750 is not a set figure, but it is likely to be used as a benchmark and a starting point for future awards of damages by the courts for distress due to data protection breaches, where there is little or no evidence of real distress being caused.
The European data protection reforms
Negotiations are still underway regarding the European Commission’s proposals to fundamentally reform data protection law throughout Europe. The proposals, which were extensive and far reaching, have been subjected to extensive rewriting by the European Parliament and, in July, a compromise text was proposed by the Irish Presidency of the EU and is now being considered.
There remains a great deal of opposition to much of the prescriptive nature of the proposals, although the latest Irish proposal does suggest movement towards a more risk-based approach preferred by countries such as the UK. This month has also seen extensive negotiation (without agreement) on the proposed ‘one stop shop’ supervisory authority for multinational businesses. Concepts such as “the right to be forgotten”, “privacy by design” and the application of the rules to non-European businesses which deliver services to European customers are all likely to remain in some shape or form.
Under the provisions, data processing contractors could be directly liable for their failure to comply with the rules, so Scottish Borders Council’s shoddy contractor would have been liable to fines itself if the new rules had been in force today.
Please keep an eye on our website for further updates on the reform proposals.
Eddie Powell, Partner, Fladgate LLP