Data Protection Compensation Claims. White Paper

Background

The DPA implemented the EU Directive on Data Protection. The Directive’s aim was to ensure that those handling personal information protected and respected the fundamental rights and freedoms of individuals, notably ‘the right to privacy.’

From the start, questions were raised as to whether Section 13 of the DPA (Fig.1) had fully implemented the requirements of the Directive; Section 13 limited compensation claims for distress caused by a breach of the DPA to only those situations where the individual could also show they had suffered financial loss, whereas the Directive talked of ‘damage’ in a wider sense.

The court — in the notorious Johnson v Medical Defence Union case of 2007 — reinforced the position: compensation claims for distress will only be possible if financial damage can also be proven.

Fig.1. Right to Compensation: Section 13, Data Protection Act 1998

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller...

(2) An individual who suffers distress...is entitled to compensation from the data controller for that distress if

(a) the individual also suffers damage by reason of the contravention, or

(b) the contravention relates to the processing of personal data for the special purposes [journalism, artistic or literary purposes].

(3) ...it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

Executive Summary

The recent Vidal-Hall v Google case marks a dramatic change in Data Protection law. For the first time, the courts made a definitive ruling that individuals can claim compensation for the distress caused by a breach of the Data Protection Act 1998 (DPA).

Previously, the DPA had placed restrictions on when a claim for compensation could be made—an individual had to show they had suffered financial loss in order to claim for the distress caused by a breach. This meant the vast majority of breaches would not result in claims—because whilst the breach may have caused distress, it did not result in a financial loss.

Any individual who feels they have suffered distress as a result of an organisation committing an information security breach; unjustly denying access to their personal information; using inaccurate data, or otherwise failing to comply with a requirement of the DPA, may now seek compensation from the organisation. The Vidal-Hall v Google case therefore places an even greater need on all organisations to take seriously the reputational and financial risks posed by poor or outdated approaches to handling personal information. It will be essential for organisations to defend compensation claims by explaining the reasonable measures they implemented to manage data protection risk.


Vidal-Hall v Google — the death of Section 13(2)

In the Vidal-Hall v Google case, the court looked again at the DPA and how compatible Section 13(2) was with the EU Directive. Their conclusions (Fig.2 and Fig.3) mean that Section 13(2) of the DPA has been disapplied.

Fig.3. Court judgement—Vidal-Hall v Google.

“What is required in order to make section 13 (2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13 (1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA.” Para 105.

failure to comply with the requirements of the DPA.

Regardless of whether a breach of information security put sensitive personal information at risk of unauthorised access; an organisation was using inaccurate personal information, or out of date information, to make decisions and judgements about an individual; rights of access to personal information were being denied—in any and all cases, the distress caused to the individual would not be enough to enable them to claim for compensation.

2010—Fines for serious breaches

The introduction of possible fines of up to £500,000 for serious breaches of the DPA, along with the new policy of the Information Commissioner’s Office (ICO) to ‘name and shame’ CEOs for less serious (but still significant) breaches, increased the potential reputational and financial risks posed by failing to handle personal information appropriately.

The thresholds for triggering a fine were significant: the breach had to be serious, and likely to cause substantial damage or distress. The ‘or’ was important: for the first time, an organisation could be fined by the ICO for the possible distress a breach had caused: the distress did not actually have to materialise (e.g. people did not actually have to complain) and no financial loss had to occur.

However, for the individuals affected by any such ‘serious breach’ the barrier to claiming compensation imposed by Section 13(2) of the DPA remained…

Fig.2. Court judgement—Vidal-Hall v Google.

“Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage).

It is the distressing invasion of privacy which must be taken to be the primary form of damage (commonly referred to in the European context as “moral damage”) and the data subject should have an effective remedy in respect of that damage.”


Anyone who believes they have suffered distress as a result of an organisation failing to comply with the requirements of the DPA can now bring a claim for compensation against the organisation—even if the individual has suffered no financial loss.

More claims for compensation

Handling any breach uses unplanned resources—e.g. staff time fire-fighting the breach, then investigating the cause and implementing any remedial actions. If claims reach the courts, the increase in legal costs could be significant.

The likelihood of having to make compensation payments for “distress only breaches” is heightened by three factors:

1. The ICO encourages self-reporting of breaches to itself and the individuals affected. Why? Because the ICO considers it a sign that an organisation takes its DPA responsibilities seriously; that its staff are alert to actual or possible breaches (and what they might mean for individual expectations of fairness, privacy and confidentiality) and that senior management have instilled a culture that seeks to proactively address breaches.

2. The rise of social media and ‘citizen journalism’ means that the loss of a memory stick or paper file, or a misdirected email, could be news before you even know about it.

3. In the near future, the EU Data Protection Regulation is scheduled to make reporting of breaches mandatory—to both the ICO and the individuals affected.

One way or another, the ICO and the individuals affected by a breach are increasingly likely to learn of a breach. The ICO may investigate it and individuals may now claim compensation for distress. The chance of the ICO investigation leading to a fine is relatively low (only serious breaches likely to cause ‘substantial distress’ will trigger a fine). The chance of being named and shamed is greater (there have been over 225 since 2009). The chance of an individual making a claim is greater still, because the individual only has to show that the breach caused ‘distress’ and that a breach occurred. And as the following hypothetical examples show, a high number of small compensation claims for ‘distress only breaches’ can soon mount up.

Hypothetical examples (from the paper’s infographic):

Loss of one memory stick | 1,000 records | £100 per person | £100,000
Loss of two case files | sensitive history of 20 friends and family | £1,000 per person | £20,000
Misdirected email with spreadsheet | 20,000 records | £10 per person | £100,000

Infographic labels (image not reproduced): increased likelihood that a breach causes a financial impact; increased legal costs.


Section 13 provides a defence to any claim for compensation; as with fines for serious breaches, the key will be your ability to:

Explain the measures you decided were appropriate to try and achieve compliance with the requirements of the DPA;

Prove you implemented them, and

Prove you monitored them on an ongoing basis.

Bottom line: can you defend your position? Can you prove you took ‘reasonable steps’ to prevent the breach? Can you prove you took ‘such care as in all the circumstances was reasonably required’ to comply with the DPA?

Next steps

1. Recognise what is likely to cause distress to individuals and/or lead to significant claims

The following factors may affect the level of distress that an individual would feel in the event of a breach:

a. Nature of the personal information: e.g. is it basic demographic data; information provided in confidence; medical information? Is the data held in a sensitive context (e.g. basic data, but related to a sensitive clause or subject)? Is the data about employees, volunteers, donors or service users? Is it current or historic?

b. Type of breach: e.g. theft and misuse of data by a criminal; accidental disclosure: to a colleague; another professional; a family friend; loss of data leading to access by the public.

c. Volume of data: this means both volume of records (100; 1,000; 10,000 etc.) as well as volume of information on an individual and/or family (e.g. their entire history / interaction with you).

d. Mitigating factor: whether technical and organisational measures were being deployed according to the sensitivity and volume of personal information and the likely impact of any breach on individuals.

2. Review your current data protection policy, any related policies, and training content to ensure they address the technological changes of recent years—e.g. home and remote working; Bring Your Own Device; the use of cloud-based services; the use of external third party suppliers.

3. Ensure you document compliance

For example: signed terms and conditions of employment / confidentiality statements / Acceptable Use Policy; records of attendance and understanding of training; documented policies and procedures; an action plan to audit the level of compliance, with reports escalated to senior management and discussed at minuted meetings.


April 2015

Copyright Protecture Limited

40 High Street, St Martins, Stamford, Lincolnshire, PE9 2LP
