Welcome to the July Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
Article 29 Working Party guidance on employee monitoring
The Article 29 Working Party has adopted an opinion, which provides guidance on the processing of employee personal data. The opinion has been released to give guidance on the significant challenges to privacy and data protection created by the proliferation of new technologies that enable more systematic processing of employees’ personal data at work.
Generally, the opinion emphasises that consent should not be used by employers as a legal basis for processing employee personal data unless employees can genuinely refuse to give their consent without adverse consequences.
It also provides guidelines for different scenarios where employee monitoring might be used. An interesting example discussed in the opinion is the use of social media profiles in recruitment. The paper states that employers should not presume they can inspect a candidate's social media profile, even where it is publicly available. Employers need to consider whether there is an appropriate legal basis to process the data, whether the profile is for business or private purposes, and whether the data is necessary and relevant to the performance of the job. It also recommends that the data is deleted as soon as an offer of employment is either not made or rejected, and that individuals are informed of this type of processing before the recruitment process is started.
Click here to open the Article 29 Working Party website from which the opinion can be downloaded.
ICO International Strategy 2017 – 2021
The Information Commissioner's Office (ICO) has published its international strategy for the next four years, recognising that to effectively protect the UK public’s personal information in a digital global environment, the ICO needs to co-operate and act internationally.
Part 1 of the strategy sets out the ICO's key challenges and priorities in tackling the digital global environment.
From a European perspective, the plan addresses how the ICO intends to continue to operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
From a wider international perspective, the ICO plans to grow and strengthen its existing international networks and develop new relationships, such as with the Asia Pacific region data protection authorities. It will also look to develop new mechanisms and tools to facilitate international transfers of personal data, such as through codes of conduct and certification and through supporting initiatives like the APEC Cross Border Privacy Rules.
Part 2 of the strategy looks at how the ICO plans to structure and resource itself to implement its international plans. The ICO is establishing, for the first time, a department with international activity as its core focus, called the International Strategy and Intelligence Department. It will also bid to host the International Conference of Data Protection and Privacy Commissioners, to promote the UK as a data protection gateway.
Click here to read the ICO's International Strategy in full.
ICO fines supermarket for marketing emails
In October and November of last year, Morrisons sent emails relating to its loyalty card to over 130,000 customers who had previously opted out of receiving marketing materials, inviting them to change their preferences so as to start receiving money-off coupons, points and the latest news.
The ICO found that, by sending these emails, the supermarket had committed a serious breach of its obligation under the Privacy and Electronic Communications Regulations (PECR) not to send unsolicited marketing emails (except in specific circumstances) and fined Morrisons £10,500.
This fine serves as a further reminder to businesses that you cannot email an individual asking them to consent to future marketing messages: the email itself is sent for the purposes of direct marketing, and so is subject to the same rules as any other marketing email.
Click here to read the monetary penalty notice.
ICO fines company £60,000 for inadequate website protection
Boomerang Video Ltd, an online video game renting platform, has been fined by the ICO for a serious breach of the seventh data protection principle.
Boomerang suffered an attack on its website. The attacker used SQL injection to access the site and downloaded over 26,000 cardholder details, including the cardholders' security codes. The attacker then obtained the decryption key from information held in files on the web server. Industry guidelines prohibit the storage of security codes after payment authorisation.
The ICO found that, in breach of the seventh data protection principle, the company did not have in place appropriate technical measures as required by law to prevent such an incident, regular testing had not occurred, passwords were not sufficiently complex and the decryption key was not kept securely.
Click here to read the monetary penalty notice.
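The ICO's first finding, that appropriate technical measures were not in place, is usually a matter of how database queries are built. The following is an added illustration of that point (it is not code from the ICO notice or from Boomerang's site, and the customer table, email addresses and test input are constructed for the example): the same lookup written by string concatenation, which lets user input alter the query, and with a bound parameter, which does not. The table deliberately holds only the last four card digits, reflecting the rule that security codes must not be retained after authorisation.

```python
import sqlite3

# Constructed sample table standing in for a site's customer records (hypothetical schema).
# Note what is NOT stored: no full PAN and no security code, which industry rules forbid retaining.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1234"),
            ("bob@example.com", "5678"),
            ("carol@example.com", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The query text is assembled from the raw input, so the input becomes part of
    # the SQL grammar. A quote character in the input ends the string literal and
    # whatever follows is interpreted as SQL. This is the flaw class behind the breach.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # The query structure is fixed; the value is passed separately to the driver
    # and compared as data. No input can change which rows the WHERE clause matches.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed test input (not taken from the ICO notice): a value that is harmless as
# data but, when spliced into the query text, widens the WHERE clause to every row.
INJECTION_INPUT = "x' OR 'a'='a"


def demo():
    """Return row counts for a normal lookup and for the crafted input under both styles."""
    conn = make_db()
    normal = "alice@example.com"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),        # 1 row, as expected
        "vuln_injected": len(lookup_vulnerable(conn, INJECTION_INPUT)),  # every row leaks
        "safe_normal": len(lookup_parameterised(conn, normal)),     # 1 row
        "safe_injected": len(lookup_parameterised(conn, INJECTION_INPUT)),  # 0 rows
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The point for a review or penetration test is that the two functions are indistinguishable on well-formed input; only the crafted value separates them, which is why the ICO singled out the absence of regular testing as a contributing failure.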
ICO fine for unsolicited marketing texts reduced
The First-Tier Tribunal (Information Rights) has upheld the ICO's decision that LAD Media Ltd (LAD) wrongly sent marketing texts without specific consent, but reduced the fine from £50,000 to £20,000.
In order to send marketing text messages, LAD purchased data from a third party supplier. When obtaining consent, the third party had relied on general privacy notices on its website. The ICO ruled that LAD had breached PECR, as the privacy notices were insufficiently clear for it to have received the specific consent required to send such communications.
On appeal, while the Tribunal agreed with the ICO in respect of the breach of PECR, it considered that the fine should be reduced. There is no binding guidance from higher courts on how to approach the assessment of fines. In this case, in reducing the fine, the Tribunal took into account the circumstances of the offence, the size of the company, the fact that it was its first offence and the financial impact on the company. It also highlighted that the fine should be at a level that deters future offences by the recipient of the fine, or by others.
This case also serves as a reminder of the level of due diligence you need to carry out when buying personal data from third parties for your own use.
Click here to read the case in full.