Category Archives: 7th principle

Data Protection (and other) compensation awarded against Ombudsman

I’ve been helpfully referred to a rather remarkable judgment of the Leeds County Court, in a claim for damages against the Local Government Ombudsman for, variously, declaratory relief and damages arising from discrimination under the Equality Act 2010, and breach of the Data Protection Act 1998 (DPA). The claim was resoundingly successful, and led to a total award of £12,500, £2,500 of which were aggravated damages because of the conduct of the trial by the respondent.

The judgment has been uploaded to Dropbox here.

I will leave readers to draw their own conclusions about the actions of the Ombudsman, but it’s worth noting, when one reads the trenchant criticism by District Judge Geddes, that one of the office’s strategic objectives is to

deliver effective redress through impartial, rigorous and proportionate investigations

One can only conclude that, in this case at least, this objective was very far from met.

Of particular relevance for this blog, though, was the award of £2500 for distress arising from failure to prepare and keep an accurate case file recording the disability of the claimant and her daughter. This, held the District Judge, was a contravention of the Ombudsman’s obligations under the DPA. As is now relatively well known, the DPA’s original drafting precluded compensation for distress alone (in the absence of tangible – e.g. financial – damage), but the Court of Appeal, in Vidal Hall & ors v Google ([2015] EWCA Civ 311), held that this was contrary to the provisions of the Charter of Fundamental Rights of the European Union and that, accordingly, there was a right under the DPA to claim compensation for “pure” distress. The award in question here was of “Vidal Hall” compensation, with the judge saying there was

no doubt in my mind that the data breaches have caused distress to the claimant in their own rights as well as as a result of the consequences that flowed.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under 7th principle, accuracy, Data Protection, human rights, local government

Carphone Warehouse and the DPA risks

According to my less-than-reliable memory, I once purchased a mobile phone from Carphone Warehouse about twelve years ago. I seem to also remember buying a phone from a company with a name like mobiles.co.uk around the same time (were they even going then?). Since then, my telephone number, postal address and email address have all changed, but my main banking details have not. So when the news emerged in recent days that Carphone Warehouse and various subsidiaries and partners had been affected by a data security breach involving the data of 2.4m customers I was understandably concerned. I have asked Carphone Warehouse several times how far back they held data which has been compromised, and explained that my contact details will have changed from any they might hold, but I have just been referred to generic information on their website which says that affected customers will be sent an email or text message (which is clearly useless to me).

I think Carphone Warehouse need urgently to clarify how far back they were retaining customer data that was compromised in this incident: I will be extremely unhappy if my c.12 year old data was in fact involved, because as far as I can see there would have been no reason to retain it that long. The fifth principle in Schedule One of the Data Protection Act 1998 (DPA) states that personal data should not be kept for longer than is necessary to fulfil the original purpose for which it was gathered – I doubt that retaining for twelve-odd years would comply with Carphone Warehouse’s obligations under the DPA.

But on a more general, less personal, note, what might this incident mean in DPA terms for Carphone Warehouse and its customers? I note that the generic information referred to above states that the cause was “a sophisticated cyber-attack” and that such attacks are “part of the reality of the modern world”. This is true, but not all organisations suffer such a serious breach of their systems that more than two million people are affected. Carphone Warehouse, as a data controller obliged to process customer data in accordance with the DPA, will have to satisfy the Information Commissioner’s Office (which is investigating) and its customers that it complied with the seventh data protection principle, and had appropriate technical and organisational measures in place to safeguard personal data. Failure to have done so would open Carphone Warehouse up to the risk of an ICO monetary penalty to a maximum of £500,000. But the reason I mentioned satisfying customers as to the appropriate measures in place is that the DPA affords individual data subjects the right to bring a compensation claim against a data controller for a contravention of the Act. Traditionally, this right only applied where the data subject had suffered quantifiable damage (in the form of monetary loss), but, since the decision of the Court of Appeal earlier this year in Google Inc v Vidal-Hall & ors. [2015] EWCA Civ 311, such claims can be made on the basis purely of the distress suffered as a result of the contravention. I’ve got to say, I’m feeling a certain level of distress just now at the thought that my data might have been compromised. If it transpires that it was, the distress will only increase.
Although such distress payments are unlikely ever to be particularly large, when one then considers the emergence of group litigation of DPA claims, the financial risks to data controllers who suffer huge breaches of customer data are palpable: purely hypothetically, if Carphone Warehouse were found to have failed to comply with their DPA obligations, and half of the customers affected brought a money claim worth £100, they would be facing an exposure of more than £100 million. One wonders if the market’s continuing current confidence in the company allows for that.

Google has been granted permission to appeal Vidal-Hall to the Supreme Court, but pending that the Court of Appeal’s judgment remains good law. And, as I have predicted previously, I think there may be a number of law firms eyeing the case, and potential clients, expectantly.

Filed under 7th principle, Data Protection, data security, Fifth principle, Information Commissioner

ACPO: contractor’s error, or data controller’s liability?

I blogged a week or so ago about the worrying fact that the Association of Chief Police Officers (ACPO) were encouraging people to send sensitive personal data over an unsecure HTTP connection.

a tweet…by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypted https connection. This is such a basic data security measure that it’s difficult to understand how it has happened…

Well now, thanks to Dan Raywood of ITSecurity Guru, we have a bit more information about how it did happen. Dan had to chase ACPO several times for a comment, and eventually, after he had run the story, they came back to him with the following comment:

The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than an encrypted HTTPS connection on Tuesday February 24. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25. We apologise for this matter.

It’s good to know that they acted relatively quickly to secure the connection, although one is rather led to wonder whether or when – had not Paul Moore raised the alert – ACPO would have otherwise noticed the problem.

But there is potentially a lot of significance in the words “caused by a contractual oversight”. If ACPO are saying that a contractor is responsible for the website, and that it was the contractor’s error which caused the situation, they should also consider the seventh data protection principle in the Data Protection Act 1998 (DPA), which requires a data controller (which ACPO is, in this instance) to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

but also

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures

What this means is that a failure to choose a data processor with appropriate security guarantees, and a failure to make sure the processor complies with those guarantees, can mean that the data controller itself is liable for those failings. If the failings are of a kind likely to cause substantial damage or substantial distress, then there is potential liability to a monetary penalty notice, to a maximum of £500,000, from the Information Commissioner’s Office (ICO).

In truth, the ICO is unlikely to serve a monetary penalty notice solely because of the likelihood of substantial damage or substantial distress – it is much easier to take enforcement action when actual damage or distress has occurred. Nonetheless, one imagines the ICO will be asking searching questions about compliance with the contract provisions of the seventh principle.

Thanks to IT Security Guru for permission to use the ACPO quote. Their story can be seen here.

Filed under 7th principle, Data Protection, data security, Information Commissioner, police