The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request (“SAR”) that had gone wrong.
The surgery revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with SARs.
Subject access is a fundamental right of individuals under the Data Protection Act. Enabling individuals to find out what personal data you hold about them, why you hold it and who you share it with is fundamental to good information-handling practice. This right, commonly known as subject access, is set out in section 7 of the DPA. Individuals may exercise the right by making a written subject access request, or SAR.
Aside from a £40,000 fine, this case caused huge damage to the organisation’s reputation. Such a significant and high profile data breach could have been avoided had suitable internal measures been put in place. Whatever the size of the organisation, if you hold personal data you will most likely have to respond to a SAR at some point.
Dealing with SARs involving third party data
As evidenced by the GP surgery, responding to a SAR may involve providing information that relates both to the requester and another individual. Under the DPA you will not have to comply with the SAR if to do so would mean disclosing information about another individual who can be identified from that information except where:
the other individual has consented to the disclosure; or
it is reasonable in all the circumstances to comply with the request without that individual’s consent.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. It is not advisable to apply a blanket policy of withholding it.
For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information. This is a substantial figure and highlights that – however inconvenient – SARs should not be taken lightly by companies.
It is important to make sure staff are equipped to deal with SARs. The ICO has published helpful guidance on best practice for dealing with SARs; alternatively, for more information on this subject, feel free to contact a member of the Fox Williams idatalaw team.
Daniel Geller is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at email@example.com
The General Data Protection Regulation (GDPR) is expected to be introduced into the UK in mid-2018.
Many of the principles in the new legislation are much the same as those in the current Data Protection Act. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.
The Information Commissioner’s Office (ICO) has produced its first data protection guidance in relation to the GDPR. This takes the form of a 12 step guide of actions to take now in preparation for the changes scheduled for 2018. Below is a summary of the ICO’s 12 step preliminary advice.
You should make sure that the decision makers and key people in your organisation are aware that the law is changing to GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.
The GDPR’s two year lead-in period gives companies time to prepare, and that time will be needed: the GDPR may have significant resource implications, especially for larger, more complex organisations. Compliance may therefore be difficult if you leave your preparations until the last minute.
Information You Hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas.
It is good practice to start documenting the data you hold. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
Communicating Privacy Information
You should review your current privacy policies and put a plan in place for making any necessary changes in time for GDPR implementation.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant differences. The right to data portability is new. This is an enhanced form of subject access where you have to provide the data electronically and in a commonly used format.
If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively straightforward. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion? These questions should be considered in the lead up to GDPR implementation.
Subject Access Requests
The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days.
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets the criteria for refusal.
Legal Basis for Processing Personal Data
Many organisations will not have thought about their legal basis for processing personal data. This will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. One clear example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing.
It should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Consent has to be a positive indication of agreement to personal data being processed; it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, you must make sure it will meet the standards required by the GDPR. If not, you should alter your consent mechanisms or find an alternative to consent. Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data.
You should start thinking about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data. If your organisation collects information about children (in the UK this will probably be defined as anyone under 13) then you will need a parent or guardian’s consent in order to process their personal data lawfully. This could have significant implications if your organisation aims services at children and collects their personal data.
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board. Not all breaches will have to be notified to the ICO; only those where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach, will need to be reported.
You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) (or DPIA as the GDPR terms it) and work out how to implement them in your organisation. The ICO guidance shows how DPIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
Note that you do not always have to carry out a DPIA. A DPIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals.
Data Protection Officers
The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
It would be helpful for you to map out where your organisation makes its most significant decisions about data processing. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.
The GDPR leaves a lot for organisations to consider in the lead up to its implementation. It is best to get ahead of the game here and leave yourself plenty of time to incorporate any new changes into your organisation’s current data protection compliance procedures.
For any further information on this please contact Daniel Geller at firstname.lastname@example.org.
Daniel is an associate lawyer in the commerce and technology department of law firm Fox Williams LLP, London
Market forecasts predict that the commercial and civil drone market will boom over the next decade. The use of drones, also called unmanned aerial systems (UAS) or unmanned aerial vehicles (UAVs), is becoming increasingly popular, and is already being championed by the likes of Amazon, DHL and Shell. Companies such as Royal Mail are considering drones for air-mail as well as autonomous delivery vans, and major insurance companies are investing in drone technology in order to monitor crop yields, amongst other things.
The global economic potential for commercial drone use is looking extremely positive, with a recent US study estimating that over the 10 year span from 2015 to 2025, drone integration within national air space will account for $82.1 billion in US job creation and economic growth. These figures aren’t surprising given the advantages drones offer businesses, whether by streamlining delivery, providing efficient aerial photography or contributing to safe infrastructure maintenance and management.
And so, with the prospect of drones being integrated into businesses on a larger scale, it is absolutely crucial that businesses understand the legal and other risks attributed to drone use.
A key area of concern is privacy. As a result, drone use is an area that the Information Commissioner’s Office (ICO) has looked to become more involved with as the issue of drones and their impact on privacy has become more prominent. The ICO gave evidence to a Parliamentary Committee in autumn last year on the risk to privacy posed by UAS and underlined that their use for commercial purposes must be carried out in accordance with the Data Protection Act (DPA).
Earlier this year the ICO issued guidance on drone use for individuals and organisations. The ICO recommends that drones (UAS or UAVs) fitted with cameras should be operated in a responsible way that respects individuals’ privacy rights. If a drone has a camera, its use has the potential to be covered by the DPA. If a business is using a drone for commercial purposes, then it is important that you understand your legal obligations as a data controller. Where UAS are used for business purposes, operators will need to comply with data protection obligations, and it will be good practice for users to be aware of the potential privacy intrusion which the use of UAS can cause, to make sure they aren’t in breach of any data protection or privacy provisions.
The ICO has provided guidance as to the potential data protection risks that businesses may be exposed to when using drones:
The use of UAS has a high potential for collateral intrusion by recording images of individuals unnecessarily, and therefore can infringe individuals’ privacy rights. For example, there is a high probability of recording individuals inadvertently, because of the height at which drones can operate and the unique vantage point they can obtain. Individuals may not always be directly identifiable from the footage captured by UAS, but can still be identified through the context in which they are captured or by using the device’s zoom capability.
As such, it is very important that you can demonstrate in your Privacy Impact Assessment (PIA) (discussed later in this article) that there is a strong justification for using the drone to record. You may be able to reduce the risk of privacy infringement by incorporating privacy-restrictive methods in the design of the drone. For example, you may be able to procure a device that has restricted vision so that its focus is only in one place. Privacy by design can be incorporated into your PIA and can form part of your procurement process.
It is important that the recording system on UAS can be switched on and off when appropriate. This is particularly important given the potential for the cameras to capture large numbers of individuals from a significant height. Unless you have a strong justification for doing so, and it is necessary and proportionate, recording should not be continuous. This is something which you should look at as part of your PIA.
One major issue with the use of UAS is the fact that on many occasions individuals are unlikely to realise that they are being recorded, or may not know that the UAV has a camera attached. Businesses can, however, introduce innovative ways of providing this information. The ICO recommends examples such as wearing highly visible clothing identifying yourself as the UAS operator, placing signage in the area where you are operating the UAS explaining its use, and having a privacy notice on a website that you can direct people to, or some other form of privacy notice, so that they can access further information.
Coverage of the ‘whole’ system
The ICO guidelines advise organisations that data protection issues concerning UAS cover the whole system, rather than just the device in the air, so you need to ensure that the whole system is compliant. You should ensure that any data which has been collected is stored securely. This can be achieved by using encryption or another appropriate method of restricting access to the information. It is also important to ensure that data is retained for the minimum time necessary for its purpose and disposed of appropriately when no longer required.
Unencrypted data links found within drones are particularly vulnerable to jamming, interception and manipulation. There are clear cyber security risks that may arise because a drone could be hacked, its data link or live feed intercepted, or the aircraft could be “spoofed”, i.e. its GPS signal manipulated during flight. Businesses should be aware that when operating in an urban environment, where communications equipment and other sources of electromagnetic spectrum/radio frequency are heavily used, the drone’s links are at risk of being manipulated or interfered with. Businesses also need to consider mitigation for the consequences of weak or lost GPS signal due to masking by buildings, along with the general radio frequency saturation level.
How to be best prepared
Privacy Impact Assessments
A PIA is a process which helps a business to identify and reduce the privacy risks of a project. It enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved. A PIA will help you decide if using UAS is the most appropriate method to address the need that you have identified.
With regard to the use of drones, a PIA should consider identifying the drone’s potential effects upon privacy and data protection compliance, how detrimental effects of the drone may be overcome and how the use of the drone can comply with data protection principles.
The DPA does not oblige organisations to conduct PIAs, but the ICO has said they are useful tools for organisations to use in order to help them comply with the requirements set out in the DPA.
Organisations that undertake PIAs can also hope to be treated more leniently by regulators if they experience a data protection breach and are subject to legal action. The regulator understands that not all data breaches are preventable. A PIA allows you to show that you assessed the risks of processing personal data, took measures to mitigate those risks, or otherwise identified the reasons why you decided to proceed with certain projects despite data protection risks being present.