Take Subject Access Requests Seriously

Daniel Geller

The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request (“SAR”) that had gone wrong.

The surgery revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with SARs.

Subject access is a fundamental right of individuals under the Data Protection Act. Enabling individuals to find out what personal data you hold about them, why you hold it and who you share it with is fundamental to good information-handling practice. This right, commonly known as subject access, is set out in section 7 of the DPA. Individuals may exercise the right by making a written subject access request, or SAR.

Aside from a £40,000 fine, this case caused huge damage to the organisation’s reputation. Such a significant and high-profile data breach could have been avoided had suitable internal measures been put in place. Whatever the size of your organisation, if you hold personal data you will most likely have to respond to a SAR at some point.

Dealing with SARs involving third party data

As evidenced by the GP surgery, responding to a SAR may involve providing information that relates both to the requester and to another individual. Under the DPA you will not have to comply with the SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where:

  1. the other individual has consented to the disclosure; or
  2. it is reasonable in all the circumstances to comply with the request without that individual’s consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. It is not advisable to apply a blanket policy of withholding it.

For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.

ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information. This is a substantial figure and highlights that – however inconvenient – SARs should not be taken lightly by companies.

It is important to make sure staff are equipped to deal with SARs. The ICO has provided some helpful guidance on best practice for dealing with SARs; alternatively, for more information on this subject, feel free to contact a member of the Fox Williams idatalaw team.


Daniel Geller  is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at dgeller@foxwilliams.com

Privacy in the Workplace?

Audrey Williams

Personal relationships at work are often a source of concern and some confusion for employers. Should they be accepted as part of the reality of modern workplaces? Or should employers recognise that such relationships have an impact on the working environment and thus adopt the position that it is legitimate to intervene when one comes to light? This is not so much on the basis of moral indignation but to protect work colleagues, among whom resentment or worse feelings may arise, and to guard against the risk of a relationship breaking down.

When a relationship is suspected how far can an employer investigate, accessing personal emails for example? Or is there an obligation to respect employees’ privacy?

When things go sour

A recent Appeal Tribunal case shows just how difficult such situations can become and illustrates the balance expected between the right to privacy and legitimate intervention. In Garamukanwa v Solent NHS Trust, problems arose after G’s relationship with a staff nurse ended and he began to suspect her of starting a relationship with another member of staff. He sent both of them emails threatening to inform their manager if they did not, and a letter was also sent anonymously to the manager alleging an inappropriate sexual relationship, which was denied.

An unpleasant campaign then began using fake accounts, Facebook and more anonymous emails. The staff nurse complained to the police who investigated the matter but brought no charges.

This then left matters to the Trust to deal with and conduct their own investigation. The police provided the investigating officer in the Trust with photos from G’s mobile, others found at his home, and information including a notebook. G was dismissed for gross misconduct for sending malicious emails, relying on the evidence supplied by the police.

Unfair and invasion of privacy?

In the subsequent claim for unfair dismissal, G accused the Trust of breaching his Article 8 right to privacy by relying on issues to do with his private life. The Tribunal was very clear that the circumstances here were impacting on the employment relationship and work matters; that being the case, the Trust was entitled to rely upon the evidence, investigate and address concerns, especially given that:

• emails were being circulated using work addresses;
• the issues and allegations raised concerned the work environment and relationships; and
• the matter was impacting on other employees.

The EAT agreed, rejecting G’s argument that there was a distinction between the police using private emails and the Trust doing so – or that the Trust should have distinguished between the public emails sent to Trust employees and his private information (the notebook and photographic evidence).

Limits to privacy in work

The EAT reiterated that whilst the material might have been private, it was G who by his actions had brought personal matters and the personal relationship into the workplace. Even though some of the earlier emails to the staff nurse had been sent to her personal email address, because she had raised a complaint about them and G, he could not expect the employer not to address the concerns raised.

The passing of evidence seized from G to the employer is surprising here and an employer would be well advised to treat such information with caution. However, what is clear from this case is that where personal issues and private relationships begin to impact the work environment, privacy rights are likely to come second especially where other individuals are facing consequences.

The writer has experience of many cases where evidence from personal devices and work equipment has been accessed and produced as part of an investigation, and in a range of content (videos, security footage, text messages). This case emphasises the need to weigh carefully the relevance and ability to make use of such evidence, and the personal rights of individuals in the workplace.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP

Amwilliams@foxwilliams.com

Monitoring Employees – A New Outlook

Audrey Williams

There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to privacy (Article 8 of the European Convention on Human Rights). See the previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/).

Key to the Court’s decision was the company’s internal regulations in that case, which stated: “It is strictly forbidden … to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this was clearly communicated to Mr Barbulescu appears to have been disputed.

It would be wrong to read this case as giving employers carte blanche to monitor employees’ usage of equipment and technology. Of much more interest are the observations made by the Court, particularly by Judge Pinto de Albuquerque, who disagreed on some aspects with the majority of his fellow judges.

Judge Pinto made this interesting comment about the increasingly blurred division between work and home life: “Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” When organisations are encouraging employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression and not just privacy. An employer drafting (or updating) its Email/Electronic Communication, Internet and Social Media Policy, or undertaking related investigations, must bear this in mind. The acid question is: why is interfering with these rights necessary for the business?

The blanket ban relied upon in the Barbulescu case is increasingly impractical – even more so where that policy operates across borders and where, in many European jurisdictions, there are stronger privacy rights than in the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also with rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing – or, in the Court’s words, “cyberslacking”.

  • When and why would checks, i.e. monitoring and investigations, be required in your business?
  • Who is authorised to conduct these?

The way in which any investigations are conducted must also be managed carefully. It is essential to balance each individual’s right to privacy against the concerns which the business is looking to address:

  • If the concern is the amount of time spent cyberslacking, not much more is needed than to assess the time spent – without needing to access the content of messages;
  • By contrast, if the concern is abusive or offensive emails which are being sent to colleagues, there is no need to access what are clearly personal emails.

In Barbulescu there was some criticism about the investigation into emails sent to the employee’s fiancée and brother, but the employer was given credit for basing its decision on the evidence of use of the system for personal purposes during working hours, rather than on the content of the communications, and for having analysed usage over a short period, limiting the intrusion.

In the UK the Information Commissioner has issued detailed guidance on such matters (see https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf) and recommends that before conducting any monitoring or investigation, an impact assessment is conducted; the Code also sets out some core principles:

  • Workers have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment.
  • It will usually be intrusive to monitor your workers.
  • Employers who wish to monitor should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
  • Workers should be made aware of the nature, extent and reasons for any monitoring.
  • Covert monitoring is justified only in exceptional cases.
  • Workers’ awareness and giving warnings about monitoring will influence their expectations.

Those undertaking the monitoring/investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and the rights to privacy attached to these provisions, particularly around personal and sensitive personal data.

Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

New Code of Practice on Privacy Policies

Sian Barr

The ICO’s new Code of Practice on Communicating Privacy Information to Individuals goes beyond the form of privacy notice that we are accustomed to seeing when we hand over our personal information. It advocates a blended approach of selecting a number of different techniques to communicate privacy details to individuals when they hand over their personal data.

According to the ICO, the benefits of the blended approach include:

  • greater control for individuals over how their personal data is used;
  • greater choice for individuals over how their personal data is used;
  • can be used to demonstrate that personal data is being used fairly and transparently;
  • preference management tools will mean that you are more likely to get better and more specific information from individuals; and
  • more likely to demonstrate that informed consent has been provided.

Drafting privacy notices in accordance with the Code

The Code is full of detailed and helpful guidance on preparing privacy notices, including the following:

Have a plan – consider whether your intended uses of the information would be reasonably expected by the individual. If not, your privacy notice should explain the uses in greater detail. Make predictions of likely future uses, especially as part of big data, and include this information in the notice. Put yourself in the shoes of the individual: carry out a privacy impact assessment.

Blended approach – make use of the privacy-enhancing technologies available such as just-in-time solutions, voice or video, privacy dashboards, icons and symbols.

Avoid catch-all privacy notices – instead, have separate notices tailored to groups.

Control – it is good practice to link the notice to a preference management tool such as a privacy dashboard; be clear about the information that is required and that which is optional.

Adapt to your business model – the privacy notice should cover all platforms through which the individual can access your services.

Consent – consider whether the individual needs to consent to the processing described in the privacy notice and, if so, include a mechanism for giving and obtaining consent at the appropriate time.

Active communication – when appropriate, privacy information should be actively communicated to individuals (as opposed to the individual having to seek it out through, e.g., a web link), for example if the uses are likely to be unexpected, or if information could be shared with other sources to build a more detailed picture about an individual.

Collaborative resource – where several data controllers are involved, the ICO suggests that in addition to individual privacy notices, a collaborative resource which brings together all privacy information could be the way forward. Such a resource could allow the individual to make and apply privacy preferences across all data controllers.

Encourage individuals to take notice – word privacy notices in an engaging way and embed them into the user journey.

Comment

When dealing with complex transactions or platforms which involve personal data collection, compliance with the principles may require a range of privacy communication techniques to be used. The key is to employ these techniques with a focus on how they can enhance the user experience, rather than over-complicate it.

What do you think about the proposed new Code? The Code is open for consultation until 24 March 2016.

Protecting the quantified self: data protection issues related to wearable tech

Emma Roake

The market for and consumer awareness of wearable tech has rocketed over the last few years, and is predicted by some analysts to be worth $25 billion by 2019. From fitness bands for wrists and the first generation of smartwatches and smart eyewear, we will soon be able to purchase smart clothes with sensors to monitor fitness and athletic performance. And with the technology developing at a dizzying pace, ingestibles and embeddables are just over the horizon, taking the form of digital pills, and chips to be inserted into muscles or under the skin.

Each new generation of wearable tech aims to be more sophisticated and less obtrusive than the last. The less obtrusive it becomes, however, the greater the risk of it becoming more intrusive, as the wearer (and potentially third parties who come into close proximity with the wearer) is at risk of having their personal data used in ways which they may not have anticipated.

The data protection concerns inherent in wearable tech have been exercising regulators for some time. Part of the problem is that the current legislation in the UK – the Data Protection Act 1998 – was drafted at a time when smart technology was in its very early development phase. Despite this, regulators have emphasised that all stakeholders involved in the production and operation of wearable tech must comply with data protection laws.

Wearable tech companies will be “data controllers” for the purposes of the data protection legislation if their device collects “personal data” from users, and if (as is likely) the wearable tech company determines the purposes for which and the manner in which such data is to be used.

“Personal data” is any data which relates to a living individual who can be identified from that data alone, or from that data when it is combined with other information which is in the possession of the data controller. A common assumption is that personal data is limited to someone’s name, photograph, email address and mobile number, but in fact the definition goes much wider. Data such as the IMEI number of a smartwatch can be personal data, if it is used to differentiate an individual from others.

There are various requirements with which data controllers have to comply under data protection legislation, including the following:

  1. The processing of the data must be fair and lawful. As part of this, the company will need to tell the user what data it is collecting and what the data will be used for. Given that some wearable tech devices collect different sorts of data using different sensors, it is crucial that the user is aware of all the data being collected by all enabled sensors.
  2. The consent of the user to the processing of their personal data will almost always be needed for the processing to be fair. Consent must be freely given, specific and informed. In relation to sensitive personal data (such as data relating to an individual’s health) the requirements for consent are more stringent. Data controllers collecting data relating to an individual’s health (which will be a large proportion of the wearable tech industry) will need to ensure that their users give “explicit” consent before such data is collected. Opt-in consent is required in these circumstances, not opt-out consent.
  3. The data must be protected by appropriate technical and organisational measures against unauthorised or unlawful use, and against accidental loss, destruction or damage. Given the extent of the personal data collected by many wearables, the sensitivity of that data and the rise of hacking, data security must be a top priority for wearable tech companies.
  4. Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection of personal data. For US-based wearable tech companies selling into the EU, it should be borne in mind that the US is not considered by the European Commission to adequately protect personal data and that it is no longer possible to rely on Safe Harbor. An alternative solution should be put in place to ensure transfers outside of the EEA are lawful.
  4. Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection of personal data. For US-based wearable tech companies selling into the EU, it should be borne in mind that the US is not considered by the European Commission to adequately protect personal data and that it is no longer possible to rely on Safe Harbors. An alternative solution should be put in place to ensure transfers outside of the EEA are lawful.