Category Archives: 7th principle

April 23, 2018 · 6:47 am

It’s all about the fineszzzzz

It can be unwise to make too much of reported and/or throwaway remarks, but I’m going to look at a recent reported, and possibly throwaway, remark by a senior manager from the Information Commissioner’s Office (ICO) at a recent Law Society conference on the General Data Protection Regulation (GDPR).

Giving “A perspective from the ICO” Richard Nevinson, Group Manager for Policy and Engagement, was reported by the Law Society Gazette to have said, on the subject of potential administrative fines under GDPR

If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR

This perhaps doesn’t at first blush sound that notable: the Commissioner herself – Elizabeth Denham – has been at pains, over the months leading up to GDPR coming into direct effect, to stress that, although the maximum fine will increase from £500,000 to €20m or 4% of annual global turnover (whichever is larger), such fines are not her focus:

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense

(despite this, somecommentators have continued to employ such “nonsense”).

What Nevinson said though, goes further than anything I’ve seen so far from the ICO. Because, if what he is reported to have said is correct, it would mean that we should see no change in frequency or amount of fines, unless there is a contravention on an unprecedented scale. The highest fine levied under the existing Data Protection Act 1998 (DPA) has been £400,000 (twice – once to Talk Talk and once to Carphone Warehouse) – only 80% of the current maximum. This means that the ICO cannot feel that the current maximum sets a cap which frustrates them by preventing them from issuing higher fines. One would assume, therefore, that the ICO would (must?) see GDPR’s legislative intent as being to “scale up” fines in some way. But no – says Nevinson – £X under DPA will equate to £X under GDPR.

Following that line of argument, as we have never seen a fine of £500,000 under DPA we will not see one of that size (or higher) under GDPR, unless a contravention emerges that is worse than anything seen before.

I may be wildly over-analysing what he was reported to have said, but I thought it noteworthy enough to blog about it at 06:00 in the morning, so I thought you might too.

Oh, and Nevinson might not be right or might not have been accurately reported, and I definitely might not be right. So you’d be silly to pay too much attention, and you certainly shouldn’t forget about the risks that fines may represent under GDPR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under 7th principle, Data Protection, GDPR, Information Commissioner, monetary penalty notice

October 29, 2017 · 11:46 am

A royal letter before claim

Media reports suggest a USB stick from Heathrow Airport containing security information, including details of measures used to protect the Queen has been found on a street

Letter before small claims court claim

Mrs E Windsor
Buckingham Palace
London
SW1A 1AA

The Chap in Charge of Security
Heathrow Airport
The Compass Centre,
Nelson Road,
Middlesex,
TW6 2GW

Dear Subject*

Reference: cock-up with one’s personal data

As it has not been possible to resolve this matter amicably, and it is apparent that court action may be necessary, We write in compliance with the Practice Direction on Pre-Action Conduct (we considered treason charges, but One wishes to be tolerant).

We are informed that Heathrow Airport says it has launched an internal investigation after a USB stick containing security information was reportedly found on the street. The beastly communist Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect Us. A subject found it in west London and handed it into the paper.

From you We are claiming fifty guineas for distress.

We have calculated this sum on the basis that section 13(1) of our Data Protection Act 1998 (DPA) provides that one can grab a bit of extra money for the races by showing that one has suffered damage cos of a cock-up with one’s personal data. When We agreed the old DPA by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in the then Parliament assembled, and by the authority of the same, We thought one couldn’t grab said moolah merely if one was a bit peeved, but thought one had to have suffered tangible harm first. However, some of Our ghastly judges [who the bleeding hell do they work for?] decided a while ago, on the basis of a law passed by one’s distant relations that they would simply disapply Our section 13(2) [arses]. Given that, We might as well chuck Our Crown into the ring.

Listed below are the documents on which We intend to rely in Our claim against you:

Beastly seditious rag
Jolly old skit from the chaps at 11 Kings [WHAT?] Bench Walk
Treason Act 1351 (no harm in a quick reminder eh?)

We can confirm that We would be agreeable to mediation and would consider any other system of Alternative Dispute Resolution (ADR) in order to avoid the need for this matter to be resolved by Our (n.b. “Our”) courts.

We would invite you to put forward any proposals in this regard.

In closing, We would draw your attention to paragraphs 15 and 16 of the Practice Direction which [should give Our courts the power to imprison grotty oiks] gives courts powers to impose sanctions on the parties if they fail to comply with the direction including failing to respond to this letter before claim.

We look forward to hearing from you within the next 28 days.

Should We not receive a response to my letter within this time frame then We anticipate that court action will be commenced with no further reference to you [where’s Albert Pierrepoint when you need him?]

Yours faithfully,

E.

*Not “data subject”, naturally. We are the data subject.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under 7th principle, damages, Data Protection, data security, not-entirely-serious

Tagged as

October 29, 2017 · 10:22 am

This old world will never change

Complacency about data protection in the NHS won’t change unless ICO takes firm action

Back in September 2016 I spoke to Vice’s Motherboard, about reports that various NHS bodies were still running Windows XP, and I said

If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their [data protection] obligations

Subsequently, in May this year, the Wannacry exploit indicated that those bodies were indeed vulnerable, with multiple NHS Trusts and GP practices subject to ransomware demands and major system disruption.

That this had enormous impact on patients is evidenced by a new report on the incident from the National Audit Office (NAO), which shows that

6,912 appointments had been cancelled, and [it is] estimated [that] over 19,000 appointments would have been cancelled in total. Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients

The NAO investigation found that the Department of Health and the Cabinet Office had written to Trusts

saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. [And in] March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry

Although the NAO report is critical of the government departments themselves for failure to do more, it does correctly note that individual healthcare organisations are themselves responsible for the protection of patient information. This is, of course, correct: under the Data Protection Act 1998 (DPA) each organisation is a data controller, and responsible for, among other things, for ensuring that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data.

Yet, despite these failings, and despite the clear evidence of huge disruption for patients and the unavoidable implication that delays in treatment across all NHS services occurred, the report was greeted by the following statement by Keith McNeil, Chief Clinical Information Officer for NHS England

As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen

In fairness to McNeil, he is citing the report itself, which says that “NHS organisations did not report any cases of harm to patients or of data being compromised or stolen” (although that is not quite the same thing). But the report continues

If the WannaCry ransomware attack had led to any patient harm or loss of data then NHS England told us that it would expect trusts to report cases through existing reporting channels, such as reporting data loss direct to the Information Commissioner’s Office (ICO) in line with existing policy and guidance on information governance

So it appears that the evidence for no harm arising is because there were no reports of “data loss” to the ICO. This emphasis on “data loss” is frustrating, firstly because personal data does not have to be lost for harm to arise, and it is difficult to understand how delays and emergency diversions would not have led to some harm, but secondly because it is legally mistaken: the DPA makes clear that data security should prevent all sorts of unauthorised processing, and removal/restriction of access is clearly covered by the definition of “processing”.

It is also illustrative of a level of complacency which is deleterious to patient health and safety, and a possible indicator of how the Wannacry incidents happened in the first place. Just because data could not be accessed as a result the malware does not mean that this was not a very serious situation.

It’s not clear whether the ICO will be investigating further, or taking action as a result of the NAO report (their response to my tweeted question – “We will be considering the contents of the report in more detail. We continue to liaise with the health sector on this issue” was particularly unenlightening). I know countless dedicated, highly skilled professionals working in the fields of data protection and information governance in the NHS, they’ve often told me their frustrations with senior staff complacency. Unless the ICO does take action (and this doesn’t necessarily have to be by way of fines) these professionals, but also – more importantly – patients, will continue to be let down, and in the case of the latter, put at the risk of harm.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, enforcement, Information Commissioner, NHS

Tagged as , , ,

June 29, 2017 · 8:39 pm

Data Protection (and other) compensation awarded against Ombudsman

I’ve been helpfully referred to a rather remarkable judgment of the Leeds County Court, in a claim for damages against the Local Government Ombudsman for, variously, declaratory relief and damages arising from discrimination under the Equality Act 2010, and breach of the Data Protection Act 1998 (DPA). The claim was resoundingly successful, and led to a total award of £12,500, £2,500 of which were aggravated damages because of the conduct of the trial by the respondent.

The judgment has been uploaded to Dropbox here.

I will leave readers to draw their own conclusions about the actions of the Ombudsman, but it’s worth noting, when one reads the trenchant criticism by District Judge Geddes, that one of the office’s strategic objectives is to

deliver effective redress through impartial, rigorous and proportionate investigations

One can only conclude that, in this case at least, this objective was very far from met.

Of particular relevance for this blog, though, was the award of £2500 for distress arising from failure to prepare and keep an accurate case file recording the disability of the claimant and her daughter. This, held the District Judge, was a contravention of the Ombudsman’s obligations under the DPA. As is now relatively well known, the DPA’s original drafting precluded compensation for distress alone (in the absence of tangible – e.g. financial – damage), but the Court of Appeal, in Vidal Hall & ors v Google ([2015] EWCA Civ 311), held that this was contrary to the provisions of the Charter of Fundamental Rights of the European Union and that, accordingly, there was a right under the DPA to claim compensation for “pure” distress. The award in question here was of “Vidal Hall” compensation, with the judge saying there was

no doubt in my mind that the data breaches have caused distress to the claimant in their own rights as well as as a result of the consequences that flowed.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, accuracy, Data Protection, human rights, local government

August 11, 2015 · 6:51 am

Carphone Warehouse and the DPA risks

According to my less-than-reliable memory, I once purchased a mobile phone from Carphone Warehouse about twelve years ago. I seem to also remember buying a phone from a company with a name like mobiles.co.uk around the same time (we’re they even going then?). Since then, my telephone number, postal address and email address have all changed, but my main banking details have not. So when the news emerged in recent days that Carphone Warehouse and various subsidiaries and partners had been affected by a data security breach involving the data of 2.4m customers I was understandably concerned. I have asked Carphone Warehouse several times how far back they held data which has been compromised, and explained that my contact details will have changed from any they might hold, but I have just been referred to generic information on their website which says that affected customers will be sent an email or text message (which is clearly useless to me).

I think Carphone Warehouse need urgently to clarify how far back they were retaining customer data that was compromised in this incident: I will be extremely unhappy if my c.12 year old data was in fact involved, because as far as I can see there would have been no reason to retain it that long. The fifth principle in Schedule One of the Data Protection Act 1998 (DPA) states that personal data should not be kept for longer than is necessary to fulfil the original purpose for which it was gathered – I doubt that retaining for twelve-odd years would comply with Carphone Warehouse’s obligations under the DPA.

But on a more general, less personal, note, what might this incident mean in DPA terms for Carphone Warehouse and its customers? I note that the generic information referred to above states that the cause was “a sophisticated cyber-attack” and that such attacks are “part of the reality of the modern world”. This is true, but not all organisations suffer such a serious breach of their systems that more than two million people are affected. Carphone Warehouse, as a data controller with obligations to process customer data in accordance with their obligations under the DPA will have to satisfy the Information Commissioner’s Office (which is investigating) and its customers that it complied with the seventh data protection principle, and had appropriate technical and organisational measures in place to safeguard personal data. Failure to have done so would open Carphone Warehouse up to the risk of an ICO monetary penalty to a maximum of£500,000. But the reason I mentioned satisfying customers as to the appropriate measures in place is that the DPA affords individual data subjects the right to bring a compensation claim against a data controller for a contravention of the Act. Traditionally, this right only applied where the data subject had suffered quantifiable damage (in the form of monetary loss), but, since the decision of the Court of Appeal earlier this year in Google Inc v Vidal-Hall & ors. [2015] EWCA Civ 311, such claims can be made on the basis purely of the distress suffered as a result of the contravention. I’ve got to say, I’m feeling a certain level of distress just now at the thought that my data might have been compromised. If it transpires that it was, the distress will only increase. Although such distress payments are unlikely ever to be particularly large, when one then considers the emergence of group litigation of DPA claims, the financial risks to data controllers who suffer huge breaches of customer data is palpable: purely hypothetically, if Carphone Warehouse were found to have failed to comply with their DPA obligations, and half of the customers affected brought a money claim worth £100, they would be facing an exposure of more than £100 million. One wonders if the market’s continuing current confidence in the company allows for that.

Google has been granted permission to appeal Vidal-Hall to the Supreme Court, but pending that the Court of Appeal’s judgment remains good law. And, as I have predicted previously, I think there may be a number of law firms eyeing the case, and potential clients, expectantly.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, Fifth principle, Information Commissioner

March 3, 2015 · 3:10 pm

ACPO: contractor’s error, or data controller’s liability?

I blogged a week or so ago about the worrying fact that the Association of Chief Police Officers (ACPO) were encouraging people to send sensitive personal data over an unsecure HTTP connection.

 a tweet…by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection. This is such a basic data security measure that it’s difficult to understand how it has happened…

Well now, thanks to Dan Raywood of ITSecurity Guru, we have a bit more information about how it did happen. Dan had to chase ACPO several times for a comment, and eventually, after he had run the story, they came back to him with the following comment:

The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than a encrypted HTTPS connection on Tuesday February 24. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25. We apologise for this matter.

It’s good to know that they acted relatively quickly to secure the connection, although one is rather led to wonder whether or when – had not Paul Moore raised the alert – ACPO would have otherwise noticed the problem.

But there is potentially a lot of significance in the words “caused by a contractual oversight”. If ACPO are saying that a contractor is responsible for the website, and that it was the contractor’s error which caused the situation, they should also consider the seventh data protection principle in the Data Protection Act 1998 (DPA), which requires a data controller (which ACPO is, in this instance) to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

but also

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a)choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b)take reasonable steps to ensure compliance with those measures

What this means is that a failure to choose a data processor with appropriate security guarantees, and a failure to make sure the processor complies with those guarantees, can mean that the data controller itself is liable for those failings. If the failings are of a kind likely to cause substantial damage or substantial distress, then there is potential liability to a monetary penalty notice, to a maximum of £500,000, from the Information Commissioner’s Office (ICO).

In truth, the ICO is unlikely to serve a monetary penalty notice solely because of the likelihood of substantial damage or substantial distress – it is much easier to take enforcement action when actual damage or distress has occurred. Nonetheless, one imagines the ICO will be asking searching questions about compliance with the contract provisions of the seventh principle.

Thanks to IT Security Guru for permission to use the ACPO quote. Their story can be seen here.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, Information Commissioner, police

Tagged as , ,