And the Information Commissioner’s Office seems to be keen to show that it intends on keeping up momentum when it comes to enforcing the DPA.

The Data Protection Act 1998 has been in force now for some years, and yet I am surprised daily by the number of large businesses who do not have their “data” house in order. Maybe this is partly the fault of the lawyers for not standing their ground when it comes to compliance - it is very easy to dismiss minor breaches of the Act as low risk.

Well, perhaps no more.

Not only has the Ministry of Justice published the draft legislation making breach of s55 an offence which can attract a custodial sentence, the ICO has issued an annual report which promises to make it tougher for those organisations who do not seek to handle personal information well (and easier for those that do).

And putting its money where its mouth is, the ICO has required undertakings from two more organisations.

What is particularly surprising here is the nature of the breaches. Many organisations may currently believe that there will need to be a major leak of personal data or similar issue before complaints will be heard by the ICO, or that a minor breach would need to lead to significant damage to many individuals before it would be escalated above a slap on the wrist.

But no.

No more marketing please

The first breach involved an individual who found it difficult to stop one company sending her marketing communications.

Clearly, “unsubscribe” requests should always be honoured by companies and it is hard to see why this should slip through the net.

However, there is one aspect of dealing with “unsubscribe”s that I’ve found that many clients (and lawyers) struggle with.

When a request to cease sending marketing information to an individual is received, the organisation should not just remove that individual from their marketing database.

Why not? Well, this can cause problems later down the line. For example, what happens if the organisation later purchases (which I wouldn’t necessarily advise…) a marketing database which includes the details of this individual? They will have no way of knowing that that individual had asked not to receive marketing from them in the past.

Instead, the details of that individual should be suppressed - maintained on the database but clearly flagged as “no marketing”.

Secure systems

The second breach involved new employees sharing log-in details before they were set up on the IT system. Why does this matter? Because if employees gain access to customer details under a generic or shared log-in, there is no audit trail to follow - no way of telling who has dealt with the personal data at any particular time.

There was no suggestion here that any damage had been caused - but the data controller had not complied with the 7th principle - the obligation to keep personal data secure.

Only the beginning

OK, so being required to give an undertaking to the ICO might not be that severe a sanction; but I think we’re seeing a clear message from our friendly regulator. Where you are a large, consumer facing organisation, the ICO will react to complaints even if damage hasn’t been caused (yet), and even though the breaches may seem trivial. Why? Because these types of breaches could lead to problems in the future, and with the number of customers these organisations have, breaches need to be nipped in the bud.

It is all too easy to disregard data protection compliance, particularly when there is no immediate penalty for doing so. However, consumers are becoming much more aware of their rights, and I can only see the importance of protecting personal data and privacy growing as time goes on.

It seems that there is an expectation that people will be late for conference calls and so the real time for the call is 5 or 10 minutes after the scheduled beginning.

But why continue with this fiction? If we all just turned up on time, then we wouldn’t have to spend the first 15 minutes calling around to see where everyone was…

In my opinion, it really shows a certain level of arrogance in those that arrive late - their work/meetings/calls etc are so important that they cannot possibly build in the time to be on time, unlike those that they expect to wait for them. Internal meetings are the worst, where a number of lawyers will be sat around waiting for some time before the protagonists arrive, wasting cumulative hours of chargeable time. Now, does that make good business sense for the firm?

Legal Village: Don’t you just love conference calls?

Those great folks at the Society for Computers and Law have commented on just this point in this useful explanation of the history and use of force majeure provisions.  Concluding that:

“From a business continuity planning point of view, force majeure clauses require detailed examination, since they will come into effect under many circumstances where a business continuity plan is invoked. If you fail to do this you are leaving the door wide open to unexpected withdrawal of key services at a critical point in time.”

Standard clauses which you may rightfully accept in other circumstances may not be acceptable when looking at disaster recovery or business continuity services.  Keep your eye out for them!

SCL: ‘Greater Force’ - or A Good Excuse for Non-Performance? [paid subscription required]

The guidance makes interesting reading and is a godsend for those of us who deal with consumer contracts. In particular, it contains an annex which sets out examples of clauses which were rejected by the OFT as being in breach of the regulations, and the final clause accepted by the OFT.

Reponses are required by 22 May 2007.

The Office of Fair Trading: Unfair contract terms guidance

I agree with this post - the problem isn’t powerpoint per se, but the way that it is used.  Your slides should not be your crib notes - as the post says, if your slides give the full picture without you being there, what’s the point of your presence?  Slides, if used, should be there to address the needs of the audience, not the speaker, and therefore should be a learning aid.

Presentation Zen

Information commissioner Richard Thomas reinstated until June 2009 - 04/04/2007 - Personnel Today

And last month it published details of enforcement action taken against 11 organisations for failure to dispose of personal data in accordance with the 7th principle (obligation to put in place adequate security for personal data) of the Data Protection Act 1998.  Each organisation had to give a written undertaking, detailing the nature of the various breaches, to the ICO, stating that they will comply with the DPA.

And we have already reported on the government’s approval for the ICO’s plan to impose custodial sentences for obtaining data unlawfully.

A taste of things to come?  The ICO has been promising for some time to step up enforcement action, and it seems that it is beginning to live up to this promise.  If nothing else, it is also clear that the ICO’s tactic of targetting high profile offenders is also bearing fruit.  Both peices of legislation are often criticised for being toothless, and whilst neither of these steps have resulted in any prosecutions or fines, I think they are likely to be the first steps in a gradual increase in enforcement proceedings.

That being said, those organisations required to give undertakings had already been “outed” in the mainstream media, and it still remains that one of the biggest drivers towards DPA and FOIA compliance are the adverse publicity that breaches bring, and for DPA, the growing insistence by consumers that their data be handled securely and fairly.

To recap for those of you who are not familiar with the case, Mr Johnson had had his membership, and therefore insurance, revoked by the Medical Defence Union, something that they were contractually entitled to do.  However, his claim was that the information which lead to this decision had been obtained through unfair processing of his personal data in breach of the Act.  A risk manager had reviewed his claims files, and inputted information from those files onto a summary sheet which incorporated a scoring system.  It was this sheet which, when presented to a committee set up to decide such things, lead to the withdrawal of his membership. 

Case law in this area is scarce, and so judicial interpretation of wide terms such as “processing” and “fairness” as are set out in this decision - even if the judges are divided - are welcome.  Even if it is just so that those of use who work in this sector can breathe a sigh of relief that the courts find as much difficulty in interpreting them as we do!

The court had to consider whether the Act applied, and if it did, if there had been a breach.  Mr Johnson claimed the breach arose from:

“Selecting the information contained in the personal data and thereby presenting a false picture of the situation.”

It was not sufficient to show that there was personal data processed, and the result was unfair.  Mr Johnson had to show which act of processing was in itself unfair. 

“However, that said, the difficulty for Mr Johnson remains that the selection, and thus the carrying out of operations, of which he complains was done by Dr Roberts, using her own judgement, and not by any computer or by any automatic means. To the extent that the material on which she worked was already recorded on a computer Dr Roberts had to operate that computer in order to access the information, but no complaint is made of that: because it is not suggested that in looking at Mr Johnson’s record Dr Roberts shut her mind to, and therefore refused even to look at, any particular data. Similarly, having made her decisions Dr Roberts recorded them, or caused them to be recorded, in electronic form; but by that stage Dr Roberts had already made her decision, so the subsequent mechanical recording of her decision did not add to the alleged unfairness.”

In other words, and to summarise an incredibly complicated analysis in one sentence, the judges held (by a majority) that the act of selecting data was not in itself processing of data for the purposes of the Act - it was not automatic processing. 

An analogy (one of many) which particularly caught my eye was this one:

“Judges when they have decided what their reserved judgments should say place those conclusions on a computer, or dictate those conclusions for typing up by their clerk, again by use of a computer. Judgments tend to contain or to refer to a good deal of personal data in respect of the parties to the case. Judges are for that reason data controllers under the terms of the 1998 Act; but one does not need to stress the oddity of a conclusion that the typing of the judgment brings the decision-making process that preceded the typing within the “fairness” terms of the first Data Processing Principle.”

I have a lot of sympathy with the analysis of Buxton LJ, but Arden LJ, in the minority, disagreed.  Like the definition of personal data before it, as explored in the Durant case, “processing” can mean so many different things in so many different scenarios that the effect of making a firm decision as to its meaning could lead to a whole manner of unjust effects where the facts differ.  Like Durant, I can tell that this case will require some time before its effects are fully understood.

As an aside however, the commentary on the purpose of the Act and indeed the data protection directive contained in this judgement is also of interest.  Buxton LJ draws our eye to recital 10 of the directive, which states that:

“Whereas the object of national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law;”

The judges seemed to agree on this point - the Act is primarily there to protect privacy - not employment related detriment which occurs as a result of a decision taken with reference to personal data.  It is not there to create a new cause of action for an injustice where no other cause would assist.  With the Data Protection Act being held as the reason for so much nonsensical bureaucracy, it is worth bearing in mind this overriding theme.

The court briefly considered the relevant domestic law, which included the Regulation of Investigatory Powers Act 2000, the tort of misfeasance in public office, the Data Protection Act 1984 (now replaced, but this was the relevant legislation at the time), the obligation of trust and confidence between employer and employee, and the lack of a distinct law of privacy.

It went on to consider whether there was a breach of Article 8 - namely whether the College had interfered with her right to respect for private life and correspondence.  The court referred to the existing case law which states that telephone calls made from work do consititute an element of private life.  It therefore summised that emails must also fall within this category, together with information gathered from internet monitoring.

As this was information relating to the private life of the individual, and it was monitored, the court found that there was interference with Article 8.  It then turned on whether this interference was “in accordance with the law”.

Whilst the government argued that College was authorised under its statutory powers to do “anything necessary or expedient” for the purposes of providing higher and further education, the court found this unpersuasive.

There was nothing in law at the time which permitted such monitoring (and in particular the provisions of Telecommunications (Lawful Business Practice) Regulations 2000, which permit monitoring under certain conditions) were not yet in force.  The individual in question had not been notified of the monitoring and so could not have expected that this monitoring was going to take place.

There had therefore been a breach of Article 8, and the court awarded damages for non-pecuniary loss of €3,000, as well as legal costs of €6,000 (which were limited due to the other complaints which had been brought but not upheld - total costs claimed had been £9,363).

This case doesn’t impact greatly on monitoring taking place today under the regime now in place.  However, it does stress the fact that an employee does  carry out his or her private life whilst at work, and as such there is some expectation of privacy. 

Tip: Monitoring if it does occur should take place only within the realms of the Lawful Business Practices Regulations, and employers should ensure that employees are informed of and understand the monitoring that takes place.

COPLAND v. THE UNITED KINGDOM - 62617/00 [2007] ECHR 253 3 April 2007 [link from BAILII]

Anyway, in a vain attempt to encourage more lawyers to give internal training in law firms, I’m pointing you towards an article which aims to help those who are scared of speaking in public - and the key tip is practice, practice, practice.

All joking aside, preparation really is the key to confident public speaking - not only do you have to practice the physical side of the presentation, but you need to be comfortable with the subject matter and the structure and timing of the presentation, otherwise you will falter.

There are plenty of courses available if you would like to hone your skills in this area - or alternatively, just get up and try!

How to get over your fear of public speaking - lifehack.org