The law on data protection, despite some thinking that it’s as recent as the General Data Protection Regulation (GDPR) that was introduced in 2018, actually stretches back to the 1970s. Several attempts to introduce legislation in the 1960s were unsuccessful, but the 1970s saw the publication of the Younger Report on Privacy in 1972 and the Lindop Report on Data Protection in 1978.
The first UK legislation on the subject came in 1984 following government action to comply with a Council of Europe Convention. This provided for the free movement of personal data between countries that had ratified the Convention with restrictions potentially being placed on the movement of data outside that group. The government of the day was concerned more about the convention’s impact on business than it was privacy.
Firms use data for a number of reasons – to market themselves, to comply with obligations or monitor staff. However, the law places restrictions on corporate activities.
The current position
As James Davies, an employment law solicitor at Cater Leydon Millard, comments, UK law is based on several different sources: the UK’s GPDR, which retains the EU General Data Protection Regulation, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which gives people specific privacy rights concerning electronic communications.
He notes that a data subject under the DPA and the GDPR is defined as “an identified or identifiable living individual to whom personal data relates”.
Of course, just as data is held by someone, so Jessica Padget, an associate in the Regulatory and Compliance Team at Walker Morris, says that different obligations apply to a data controller or a data processor – the former shouldering the highest level of compliance responsibility. Expanding, she says, “a data controller is the natural or legal person which determines the purposes and means of the processing of personal data. Processors handle personal data on behalf of, and on the instructions of, controllers. All organisations will be controllers of the personal data relating to their employees, and any customers or clients that they service”.
Notably, third parties such as payroll providers may act as processors on behalf of a controller who is their client.
Padget says that the law sets out basic principles which underpin all of the rights and obligations set out in the GDPR. They are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
She adds that organisations “must consider and comply with the principles in all decisions and actions relating to personal data.
This, she says, means that data cannot be processed with abandon. Rather, personal data may only be processed if certain conditions are true: if there’s an individual’s consent; a contractual necessity; a legal obligation; it protects vital interests; is a public task; or furthers a legitimate interest such as that of an organisation or that of a third party.
But there is another category to bear in mind and it’s one that’s mentioned by Davies: special category personal data. This covers any personal data which reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning an individuals’ health, sex life or sexual orientation, or genetic or biometric data.
As he says, here a firm “must justify why the processing of this specific data is ‘necessary’, and it must be a proportionate way of achieving one of those purposes. This must be recorded before any processing is undertaken”. He recommends that “policies and procedures must be clear, that the firm must not collect more health data than it needs and that there are appropriate technical or organisational measures to ensure the data’s security”.
A key point for Padget is that individuals have rights. On this she says that where a firm processes an individual’s personal data they have the right to be informed; have access to it; have errors rectified; have data erased; have processing limited; have a copy of their data and be able to reuse it; object to data being collected; and have rights in relation to automated decision-making and profiling.
She adds that “not all of these rights are absolute, and the parameters and application are set out in articles 12 to 22 of GDPR”.
Compliance
Of course, for any regime to work it needs compliance from those subject to it. And this needs to be demonstrable. It’s interesting that, as Padget comments, “GDPR does not prescribe how such compliance should be achieved or demonstrated, so it is advisable to put in place an appropriate internal compliance programme that is tailored to the business.”
She thinks that such a programme would consist of six points, the first of which is oversight that covers clear responsibilities and lines of authority for staff in relation to data-protection activities. Next comes policies and procedures, and staff training – this “provides clarity and consistency by communicating what individuals in the business must do and why they must do it”.
Third on her list is transparency. Here Padget says that “compliance with the requirement under GDPR necessitates providing certain information to individuals about how firms process their personal data; the standard form for this is in a privacy notice”.
After transparency is the need to have records of processing which cover the type of personal data processed and the legal basis relied on in each case.
Contracts and data sharing is Padget’s fifth element. Of this she says that “where controllers share personal data with any third-party processor, parties must have a contract in place which includes all of the requirements under article 28 of the GDPR”. This may be within a contract or put as an addendum to an existing agreement.
Lastly, there’s the need for a data protection impact assessment (DPIA). This is particularly important to Padget where data protection processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA effectively involves an analysis of the risks and steps to neutralise them.
If there is a breach of data protection legislation, organisations need to remember that individuals have the right to lodge a complaint with the Information Commissioner’s Office (ICO). They can also seek an effective judicial remedy against a controller or processor as well as compensation from a relevant controller or processor for damage resulting from infringement of GDPR.
In practice, however, Padget says that individual claims brought by data subjects against a controller or processor are rare “but may increase based on the use of collective action.”
Enforcement
Just as there’s a need for compliance so there a need for enforcement. Data protection law is overseen by the ICO, the UK’s independent body set up to uphold information rights through the courts. Davies explains that the ICO can issue enforcement notices to employers “requiring them to take – or refrain from taking – action under the regime.”
He details that “the ICO determines whether an infringement has occurred and the severity of the penalty: the maximum amount of the penalty that the ICO may impose is the higher of the amount of £17.5m or 4% of the undertaking’s total annual worldwide turnover”. To this he adds that “the reputational damage caused by data infringements and breaches, should highlight for all employers the importance of taking data protection compliance seriously”.
Padget clarifies that the penalties mentioned by Davies are generally applied to breaches of the basic principles for processing personal data and infringements of data subjects’ rights. However, she says that there is a lower tier of penalties with maximum amounts of £8.7m or 2% of total annual worldwide turnover, whichever is higher, for other infringements such as breaches of administrative requirements.
And in relation to direct marketing breaches, under PECR, the ICO can issue a fine of up to £500,000.
The biggest fines issued by the ICO relate to security breaches leading to loss or unauthorised access to individuals’ personal data (such as the £20m fine issued to British Airways in 2020, and the £18.4m fine issued to Marriott Hotels). The most frequent fines relate to breaches of the direct marketing rules in PECR.
The most recent large fine handed out was the £4.4m penalty given to construction firm Interserve in October 2022. Laura Steel, an associate at Wright Hassall, thinks it pertinent to the story.
Although the case involved a firm in a different sector, a phishing attack – typified by scam emails, text messages or phone calls that seek to trick their victims into allowing data breaches or fraud to be committed – was forwarded internally. That led to a colleague downloading its content that resulted in malware being installed onto the employee’s workstation. This gave a cyber attacker remote access to the workstation and other corporate systems.
Steel comments that this in turn “led to 283 systems being compromised, including four HR databases containing the personal data of up to 113,000 employees which the attacker encrypted and made unavailable. The compromised employee personal data included contact details, National Insurance numbers, bank details, salary information, sexual orientation, and health information”.
Apart from the breach, Steel says that the ICO was unhappy with multiple aspects of Interserve’s response, namely, a failure to implement appropriate end-point protection and undertake adequate vulnerability scanning and penetration testing; that personal data was being processed on unsupported and outdated operating systems, including the HR systems which processed significant volumes of special category data; that appropriate security training was not implemented for all employees; that a proper investigation was not undertaken following the initial attack; and that there was a failure to implement appropriate technical and organisational measures to promptly restore the availability and access to personal data.
She comments that “the ICO said that many of the failures were due to Interserve contravening its own information security protocols, as well as industry standards and best practice guidance”. A salutary lesson for the board.
Direct marketing
Direct marketing is, by definition, important to print. However, as noted earlier, PECR has drawn red lines over what can be done. Here Padget says that “strict rules apply to communicating direct marketing by text or email to an individual, in that firms must have the individual’s consent before they can market to them unless the soft opt-in applies”.
She says that a soft opt-in may apply to allow communications. This might apply where a business has sold a product or service to an individual or has collected personal data in negotiations for a sale and subsequently messages similar products or services – and the individual is provided with the opportunity to opt out of the marketing at any point.
Chris Else, managing partner of Else Solicitors LLP, emphasises the role that consent plays in the marketing process. He thinks that firms could protect themselves by reviewing the information they collect and store while also having their terms and conditions of business correctly incorporated into each transaction. Doing this, he says, “will give customers an option to consent to GDPR policies – either directly or by implication because they are contained in terms of business”.
As for the legal basis for processing, Else considers this to be a contractual obligation upon the business to do so. The example he gives is where a customer shops around for a quotation – the business needs to process data to ensure that the best quote is given.
Alternatively, it could be an employer who processes personal data on employees to deal properly with taxation obligations, or if a court order obliges the disclosure of personal information.
Padget points out that “consent is not required for postal marketing – either to a corporate entity or individual, or marketing by email or text to corporate subscribers”. Regardless, she says that any associated personal data must be processed in line with the obligations under data protection legislation.
Back to Else. He reminds that compliance with the GDPR means “making available, to each customer, the name and contact details of the organisation’s data protection officer, or the same for any representatives that also deal with individuals contracting with the business... highlighting to individuals any transfer of their personal data to third parties or other organisations”.
Also, Else says that firms need to understand the law as it concerns retention periods and the deletion of information that is no longer needed. Here he explains that “individuals have the right to rescind consent; it follows that businesses correctly observing the law make sure that they regularly check with individuals that they are still happy to have their information retained”.
Monitoring staff
We’ve seen that individuals have rights. Employees have the same says Davies, noting that “processing must be lawful and fair” and “an employer must identify a lawful basis for the processing under the UK GDPR”. In practice, he thinks that this is most likely to be the legitimate interests pursued by the employer or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
However, while this would apply when an employer processes personal data in ways in which a data subject would expect, he warns that “an employer cannot rely on an employee’s consent when processing personal data, as such consent is considered not to be freely given in an employment relationship”. He also reminds employers to be mindful of special category personal data.
With a growing number of employees working remotely employers may wish to implement some form of monitoring. Where this is desired Davies points out that employers must “identify a lawful basis for processing and be aware that some forms of monitoring are, by their nature, more intrusive than others.” He reckons that the most likely basis to monitor employees is the legitimate interests pursued by the employer.
Apart from the legal basis, employers must also have regard to general employment law principles and, says Davies, “make sure that the monitoring is transparent and fair”. This is why he says that “in certain situations, in addition to informing employees of the monitoring in its employment privacy notice and an employee monitoring policy, it may also be appropriate to consult with them about the monitoring before it is introduced”.
Lastly, Davies highlights one more area of concern for employers (and other data holders too): subject access requests where individuals seek the data held about them. “Subject access requests,” he says, “have been increasingly weaponised and often used as a first step in litigating against a current or former employer.” He adds that “this is a perfectly good use of a data subject’s rights absent something exceptional about the request which would make it manifestly unfounded. An employer must comply with the request and provide copies of the employee’s personal data”.
He says that “subject access requests must be dealt with without undue delay and, at the latest, within a month of receiving the request”. His advice to employers is to run an employee data audit so that before a subject access request is received it is known where personal data is located and how it can be retrieved.
In summary
The UK has a patchwork of legislation to protect an individual’s rights and their data. Organisations can choose to ignore the law but as has been illustrated, the authorities have powers and are not afraid to use them.
As for the future, the government has indicated that the UK data protection regime will be subject to proposals for legislative reform following Brexit. What will be retained from the current regime is unknown. But as the 1984 legislation proved, in order to permit data flows into and out of the EU, some form of equivalence between the two regimes will be required.