General Data Protection Regulations – Will apply from the 25th May 2018
General policy of General Data Protection Regulations
“…Under the GDPR a consumer has the right to work with us and then be forgotten, never to be hassled again where there is no legitimate reason to process their information…”
Potential consequences for breach of the General Data Protection Regulation 2016
Information Currently Held
It applies when a business is processing personal information relating to an identified or identifiable living individual.
Personal Data can include:
Personal data now also includes a new defined category, “Biometric Data”, which is any personal data relating to the physical, psychological or behavioural characteristics of an individual that allows their unique identification.
Bank Account details
Credit card details
Date of birth
Correspondence from the client containing personal data
Other information, e.g. that the individual supports Brexit
*We are not authorised to disclose a client’s email address to a third party without their consent. Many email addresses do not reveal an identity to a third party, e.g. firstname.lastname@example.org. However, if an individual is identifiable from the email address, e.g. email@example.com, then displaying it to third parties reveals that they have had dealings with this firm in the past. For some organisations (e.g. political parties, or organisations that deal with specifically sensitive issues) this may be a serious breach of privacy. The individual can complain to the Information Commissioner, who has the power to issue enforcement notices, or they may seek compensation under s13 of the Data Protection Act 2018 for any contravention which causes them damage.
A staff member of a company sent a blind carbon copy (“bcc”) email to 90 participants. The staff member then erroneously sent a correction by entering the participants’ email addresses into the “to” field instead of the “bcc” field. As a result, every recipient could see the email addresses of all the other recipients – a security breach. Many of the email addresses contained the full names of the participants. The company was reported to the ICO because the identities of the participants had been disclosed to third parties without consent. The company was fined £200,000, as details of possible victims of non-recent child sexual abuse had been distributed.
Kept on laptops, PCs or iPads
Paper in a filing system
Intend to record in a filing system
USB memory Sticks
DVD-RW drives
CD and DVD disks
Media player hard drives
Portable external hard drives
Methods of processing personal data
Handwritten notes on a job application, if placed on a file
Information received from a client
Jottings in your notebook are not processing unless you intend to put them into a filing system
Information on your mobile phone, if it is held in connection with work
Information displayed on a white board which can be viewed by third parties
Files in view around the office which have the names of clients on the outside front cover
The moral is: “Any information stored about anyone is covered by data protection law”
There is implicit consent to add the information on a business card to Outlook.
You should include a note recording the fact that the information came from a business card that was given to you.
However, you cannot include information which you were also told verbally, e.g. that they support Manchester United and have 3 daughters, unless you have specific consent or it is necessary for work.
This is not allowed unless you have specific consent to opt in.
In 2017 Morrisons Supermarket deliberately sent 130,000 emails to customers who had previously opted out of receiving marketing relating to their Morrisons More Card. They were fined £10,500.
Where express consent has been given, or it is necessary for:
Sensitive personal data which cannot be processed without specific consent
*Unless in connection with employment, social security, occupational health assessment or in connection with legal action.
“you do not make unsolicited approaches in person or by telephone to members of the public in order to publicise your firm or in-house practice or another business;”
Data held about an individual must:
Security of Data
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It also includes the data becoming unavailable, for example when it has been encrypted by ransomware, or accidentally lost or destroyed: e.g. whilst working on a client matter, data is stored on a desktop PC whose hard drive then becomes corrupted; because the data was never backed up, it cannot be restored when the hard drive is replaced.
It includes but is not limited to:
(1) Hacking by a cyber attack
(2) Loss or theft of devices or equipment on which personal data is stored
(4) Disasters at business premises, e.g. fire or flood
Scenario – off to a meeting
Any documents kept on the desktop (for example where there is no local internet access, e.g. on a train) should be password protected. All documents should be stored with IT Farm so that they are not on the computer desktop and have to be accessed through IT Farm over an internet connection by entering a username and password. We may introduce a second level of security whereby a code is sent to the individual’s mobile, which then has to be entered to access the IT Farm website.
Scenario – On a train and want a cup of tea
Scenario – Talking by mobile on a train
Scenario – Using a Laptop on a train
Scenario – Laptop taken home
Scenario – Files on Reception / In meeting rooms
Scenario – Accidentally sending confidential documents to a client
Use of Mobiles – Security of Data
ICO Advice for Lawyers:
Do not talk to somebody about a confidential matter until you are sure they are who they claim to be
If there has been any breach of security, notify the DPO, who will then decide on a course of action: notify the ICO, or, for example, simply ask the third party to delete the information, in which case confirmation that this has been done will be sufficient.
Subject Access Request
Confidential job references
The right to be forgotten
The right to be forgotten is also known as Data Erasure. It entitles an employee or client to have their personal data erased, to have any further dissemination of the data stopped, and potentially to have third parties cease processing the data.
For example, a departing employee may request that all their personal data be deleted. However, the right is not absolute and:
The 6 Data Protection Principles
1 Processed lawfully, fairly and in a transparent manner
2 Collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4 Accurate and, where necessary, kept up to date
5 Kept no longer than necessary
6 Appropriate security including protection against unauthorized, or unlawful processing and accidental loss, destruction or damage
7 Accountability: documenting policies, measures, controls and process procedures to demonstrate that we are compliant.
Rights under GDPR
1 The right to be informed
2 The right of access
3 The right to rectification
4 The right to erasure
5 The right to restrict processing
6 The right to data portability
7 The right to object
8 Rights in relation to automated decision making and profiling
Vicarious liability for data breaches
In October 2018 the Court of Appeal decided that Morrisons were vicariously liable for the malicious criminal conduct of its IT auditor, who deliberately accessed Morrisons’ database and posted online the personal data of 100,000 employees: names, addresses, gender, date of birth, phone numbers (home and mobile), national insurance numbers, bank sort codes and account numbers, and salary details. Morrisons now have to pay compensation to the employees. The case will now be taken to the Supreme Court.
1 A client’s identity, and personal data must be kept confidential
2 Electronic data must be kept confidential by the use of passwords for laptops, PCs, iPads etc. and mobiles, together with encryption where possible
3 Whilst cloud storage such as IT Farm uses encryption when you are on a public network, ideally you should connect through your own 4G/5G connection rather than a public network, e.g. at Starbucks. It is still possible for a third party to “set up” their own network in a coffee bar by creating a false network with a name similar to the genuine one, e.g. “starbucksnetwork”, which you may log on to with no password required. Always check the identity of the network with the host and ask whether a password is required. Hackers can eavesdrop on, intercept and alter traffic between two devices.
4 Linda Kirk is the Data Protection Officer – any data breach must be reported to the DPO immediately
5 If you have any client data on your mobile and you are unable to locate your phone, you must inform the Data Protection Officer immediately so that it can be deactivated remotely. Any online accounts accessed through the device must have their passwords changed immediately, e.g. IT Farm, Ochresoft, etc.
6 Never allow applications or files to be installed from unknown sources, particularly on smartphones/tablets