Privacy & Data Snapshot – Summer Edition
Tuesday 19th September 2023
Deja-vu: Another adequacy decision for EU-US data flows
In July, the European Commission announced its adequacy decision for the EU-US Data Privacy Framework. The decision will enable organisations within the European Economic Area to freely transfer personal data to participating companies in the United States without the need to meet any additional criteria or put additional safeguards in place. This means that alternative transfer mechanisms, such as applying prescribed ‘Standard Contractual Clauses’ will no longer be needed for many EU-US transfers.
Whilst this is a significant decision for the European Commission, is not currently effective in the United Kingdom. It will apply only to those with processing activities in the EU. However, in June 2023, the UK and US governments announced that they had reached a commitment to form a Data Privacy Framework, which will enable UK organisations to send personal data to the US without having to incorporate burdensome and timely clauses into contracts. We are expecting this to be implemented promptly.
When DSARs hit the spotlight: Farage v NatWest
Earlier this summer, Nigel Farage accused NatWest and its subsidiary Coutts of passing his personal and financial data to the BBC. The accusation came after the BBC published a controversial and inaccurate report which claimed that Farage did not meet the financial threshold required to hold an account with the bank. NatWest’s former CEO admitted that she was the source of the headline, and has since resigned.
Farage’s lawyers made a complaint to the ICO stating that the bank had failed to adhere to its duty of confidentiality and in turn this constituted a serious data breach. Farage has subsequently made a subject access request.
Despite the fact this it is a high-profile case, the Information Commissioner’s Office are maintaining their usual processes and are allowing NatWest to respond to the complaint before it begins to investigate the matter. In the interim, Information Commissioner John Edwards commented: “Nigel Farage’s experience shows why data protection rights remain so important. The right to require an organisation to show you the information they hold about you, known as a subject access request, is a powerful one, and is one that is open to us all”.
Farage’s feud is a helpful reminder that companies and organisations should ensure that they have the necessary subject access request policies and procedures in place. If you need any advice about implementing a DSAR request process or support with responding to a DSAR, our team would be happy to assist.
WhatsApp in the workplace: A reminder
Staff at NHS Lanarkshire, an NHS board in Scotland, were recently found to have been sharing patient information within an unauthorised WhatsApp group, resulting in a reprimand from the ICO.
On 24 March 2020, in response to an increasing workload caused by the Coronavirus pandemic, a team in NHS Lanarkshire created a WhatsApp group within which staff shared personal data of patients under the team’s care. WhatsApp was not approved by NHS Lanarkshire for processing patients’ personal data, rather, the team adopted the use of WhatsApp for this purpose without the NHS boards’ knowledge, otherwise referred to as “shadow IT”.
Between 1 April 2020 and 25 April 2022, 26 staff members had access to the WhatsApp group, and there was a minimum of 533 entries within the chat which included patient names and clinical information (therefore special category under the UK GDPR). They also shared personal data of children. Additionally, a member was added to the WhatsApp group in error and had access to the contents of the chat, resulting in an inappropriate disclosure to an unauthorised individual.
The decision to issue the NHS board with a reprimand is in line with the ICO’s recent approach of leniency when investigating public bodies, although it appears unlikely that the same leniency would have been offered had an organisation which was not a public body committed the same offences. This decision serves as a reminder that organisations should engage with their staff about the tools they need to do their job, so that such tools can be properly assessed, and appropriate processes and safeguards put in place. Equally, it serves as a warning that messaging platforms that are used in everyday life, such as WhatsApp and iMessage, are not always appropriate for the workplace, and caution should be taken before these are introduced into an organisations’ infrastructure.
Case law update – misuse of private information and failing to deal with a DSAR
£6,000 damages awarded for Council’s misuse of private information and failure to deal with a DSAR.
The recent case of Bekoe v Mayor and Burgesses of the London Borough of Islington [2023] EWHC 1668 (KB) acts as a stark reminder for organisations to comply with the ‘Accountability’ principle under UK GDPR.
In this case, the defendant Council obtained private financial information belonging to the Claimant and his son during possession proceedings. The Council said it had gained the information as part of its statutory duties, but this was found to be disproportionate and a misuse of the Claimant’s personal data. The Council also failed to adequately respond to the Claimant’s DSAR (Data subject access request) over a period of four years, including by deleting certain data and failing to locate and disclose data. The Council was found to have operated a ‘slapdash’ approach to providing adequate security for the Claimant’s personal data. The Claimant was awarded £6,000, which included aggravated damages.
The Council’s failure to adequately deal with the DSAR over a significant length of time, and intrusive actions into the Claimant’s financial affairs resulting in aggravated damages, highlights the seriousness of GDPR breaches and misuse of private information.
ICO publishes draft biometric data guidance
The Information Commissioner’s Office has published draft guidance on how data protection law applies to organisations which use biometric data in biometric recognition systems.
Biometric data is personal data relating to someone’s behaviour or appearance, which has been extracted by using technology and uniquely identifies the person it relates to. Examples may include facial recognition, fingerprints, retina scans or even a person’s voice.
The guidance will be particularly relevant for data controllers who have, or may want to implement, biometric data processing systems in their organisations and covers topics including:
- what biometric data is;
- when it is considered special category data;
- its use in biometric recognition systems; and
- data protection requirements applicable to the above.
You can respond to the biometric data guidance consultation before it closes on 20 October 2023.