25th August 2017
The complexities of UK data protection law
Who does data protection law protect and what are the parameters?
The Information Commissioner’s Office (ICO) recently published a blog that caused a few eyebrows to rise among the Switch2IT team. Steve Eckersley, ICO Head of Enforcement, who aims to “take purposeful risk-based regulatory action where obligations are ignored, examples need to be set or issues need to be clarified, based on the ICO’s Regulatory Action Policy”, revealed that the ICO did not find Virgin Trains East Coast at fault for publishing CCTV footage of Labour Party Leader Jeremy Corbyn searching for a seat on a train from London to Newcastle.
Not a data breach!
We feel that, when you remove the politics from Traingate, the ruling is odd as the individual had not provided consent for his image to be used. Surely this makes a mockery of the Data “Protection” Act and the ICO as a regulator.
The ICO’s reasoning is that the Data Protection Act recognises valid reasons for processing personal data under the “legitimate interests” condition and Eckersley made the following statement:
“In this case, the ICO’s view was that Virgin had a legitimate interest, namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests.
“It would not have been possible to achieve Virgin’s legitimate interests without publishing Mr Corbyn’s image. Virgin could only show that there were empty seats on Mr Corbyn’s journey if they showed Mr Corbyn on that journey.”
The ICO believed Corbyn would carry different expectations to other passengers regarding his privacy while on the journey in question because he had allowed for campaign footage showing him making the journey to be filmed and shared with the media. Also, because he had raised issues about his train journey in that video, it would be reasonable to expect Virgin to respond in a similar way.
The first requirement of the “legitimate interests” condition is a “need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.” They provide the following as an example:
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – i.e. to recover the debt.
This is of particular interest to the Switch2IT team who experienced a similar incident, where the boot was on the other foot, and where legitimate interest was clearly not taken into account:
A financial company admits that, despite everything regarding the customer’s account and funds being in order, a “system malfunction” saw a faster payment to HMRC not complete. When, facing a fine, the customer asked the financial company if they could explain the issue to HMRC – giving permission for their data to be discussed so that the solution to a robust, secure and trustworthy banking platform might be found – the answer was a resounding no, as this would breach data protection…
What a data breach!
Virgin Trains East Coast was, however, seen to breach the first principle of the Data Protection Act when they published images showing the faces of other passengers travelling on the same London service. Images of other passengers were not essential to sharing their side of the story in response to Corbyn.
Seen as a one-off incident, and because no complaints were made by those members of the public exposed in the CCTV footage, no formal action has been taken. Instead, Virgin is being watched by the ICO and the train company has vowed to “strengthen its data protection training for everyone from new starters to the top tier executives” and get its CCTV policy into shape.
This leaves us somewhat open-mouthed. Perhaps a redraft of the 1998 Data Protection Act is in the pipeline, to prepare for the post-Brexit GDPR. But, in order to see the UK retain “its world-class regime protecting personal data”, the powers that be need to ask some serious questions about this recent ICO ruling.
Cyber security protection, here to stay
Regardless of the post-Brexit fallout and any changes afoot for data protection and IT security laws, one thing you can rely on is skilled, experienced technical support from Switch2IT.
Whether you need IT support in London, Hampshire or Sussex, we are here to provide everything from interim IT management, to IT networking services for a new or expanding office, to ad-hoc remote IT support at a time to suit you, to ongoing managed IT support contracts that suit your budget. Whatever your business size and sector, give us a call on 0800 083 3416 and we will discuss your needs.