Tag: data protection

California court says don’t cry before you’re hurt

Posted on | by Timothy Pitt-Payne KC

In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people.  Since then there has been a steady stream of stories about data losses, mainly from the public sector.

The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data.  Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage.  If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient.  What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place?  Would this count as damage?

A US district court in California has recently considered a similar question.  In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants.  In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud.  The Court granted summary judgment to the defendants and dismissed the claim.  Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence.  The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy.  It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring.  The plaintiff had not taken up this offer.

In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss.  Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated.  But in the Ruiz type of claim individual damages are likely to be modest.  There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation.  Instead the focus should be on deterring breaches and avoiding recurrence.  The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.

If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen.  Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement.  The Government agreed.  Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.

Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.

Rethinking RIPA

Posted on | by Anya Proops KC

On 17 April 2009, the Home Office launched a consultation on plans to stop investigatory powers being used under the Regulation of Investigatory Powers Act (RIPA) for trivial purposes. It seeks views on questions including: which public authorities should be able to authorise key investigatory techniques, for example, the use of communications data or covert surveillance in public places under RIPA; the purposes for which these investigatory techniques should be used; the option of raising the rank of the local authority employee authorising the use of investigatory techniques to senior executive; and whether elected councillors should play a role in the authorisation. The consultation follows on from a spate of public outcrys about the use of surveillance powers by public authorities, including not least the use of covert cameras by local authorities to watch how residents use their rubbish bins and the use of covert surveillance techniques to track a family which the local authority suspected may be living outside the local school catchment area. The issue of how the investigatory powers available under RIPA should be used is particularly current in view of the recent controversy over techniques used by the police to photograph protesters, many of whom it is argued are merely peaceful demonstrators.

Bad Phorm?

Posted on | by Anya Proops KC

The European Commission has announced that it is mounting a legal challenge in respect of the use of targeted online advertising in the UK. The challenge follows complaints which were made to the Commission in response to BT’s act of testing the technology on BT broadband users without their consent. The technology, which is the brainchild of a company called Phorm, enables internet service providers (ISPs) to profile what sites internet users visit so as to enable advertising companies more astutely to target their adverts on individual users. The Commission has taken the view that the UK has breached EU data protection laws by permitting the deployment of the technology in the absence of user consent. The Information Commissioner’s Office has previously stated that the use of the technology would be permissible if operated on the basis that users have opted in to the system. The Commission’s challenge raises real questions as to the legality of Google’s recently launched behavioural targeting system. See further my post on this system below.

DPA/FOIA overlap

Posted on | by Timothy Pitt-Payne KC

The overlap between FOIA and the DPA gives rise to  a number of difficult problems.

In a paper just posted on 11KBW’s website (and originally delivered to a JUSTICE/Sweet & Maxwell conference in December 2008) I discuss some of these issues.  In particular, I deal with the practical problems that arise when an individual makes a request for information to a public authority and some (but not all) of the information constitutes his own personal data.  Because the request falls under both the DPA and FOIA, the Information Commissioner will need to deal with any complaint under two different legal regimes; if the requester subsequently appeals, the Information Tribunal will not have jurisdiction to deal with all the issues raised by the request.  The article suggests that the present position is unsatisfactory and discusses options for reform.

The Age of Internet Surveillance

Posted on | by Anya Proops KC

With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).

Rowntree Report on Database State

Posted on | by Anya Proops KC

The Joseph Rowntree Reform Trust has today published its report ‘The Database State’. The report purports to amount to the most comprehensive map of central government databases yet created. In total 46 databases across the major government departments were considered in the report, including, for example, the national DNA database, the national pupil database, the NHS detailed care record system and the automatic number-plate recognition system. In summary, the report concluded that:

  • a quarter of the 46 databases reviewed were ‘almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned’ (including, for example, the Contactpoint index of all children in England and the national DNA database – on the latter database, see further the January 2009 post on the Marper case);
  • ‘more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge’ (including, for example, the NHS Summary Care Record and the National Pupil Database);
  • fewer than 15% were ‘effective, proportionate and necessary with a proper legal basis for any privacy instrusions’;
  • Britain was generally out of line with other developed countries as a result of its comparably greater tendancy to centralise and share records on sensitive matters like healthcare and social services; that ‘the benefits claimed for data sharing are often illusory’.

Along with the House of Lords Report on the Surveillance Society published in February 2009 (see further the February 2009 post on the Lords Report), this report is likely to increase pressure on the Government to reexamine a raft of policies on data collection, management and storage.

https://www.jrrt.org.uk/uploads/Database%20State.pdf

Executive Summary:

https://www.jrrt.org.uk/uploads/Database%20State%20-%20Executive%20Summary.pdf