25th August 2017
The complexities of UK data protection law
Who does data protection law protect and what are the parameters?
The Information Commissioner’s Office (ICO) recently published a blog post that raised a few eyebrows among the Switch2IT team. Steve Eckersley, ICO Head of Enforcement, who aims to “take purposeful risk-based regulatory action where obligations are ignored, examples need to be set or issues need to be clarified, based on the ICO’s Regulatory Action Policy”, revealed that the ICO did not find Virgin Trains East Coast at fault for publishing CCTV footage of Labour Party Leader Jeremy Corbyn searching for a seat on a train from London to Newcastle.
Not a data breach!
We feel that, when you remove the politics from Traingate, the ruling is odd as the individual had not provided consent for his image to be used. Surely this makes a mockery of the Data “Protection” Act and the ICO as a regulator.
The ICO’s reasoning is that the Data Protection Act recognises valid reasons for processing personal data under the “legitimate interests” condition and Eckersley made the following statement:
“In this case, the ICO’s view was that Virgin had a legitimate interest, namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests.
“It would not have been possible to achieve Virgin’s legitimate interests without publishing Mr Corbyn’s image. Virgin could only show that there were empty seats on Mr Corbyn’s journey if they showed Mr Corbyn on that journey.”
The ICO believed Corbyn would carry different expectations to other passengers regarding his privacy while on the journey in question because he had allowed for campaign footage showing him making the journey to be filmed and shared with the media. Also, because he had raised issues about his train journey in that video, it would be reasonable to expect Virgin to respond in a similar way.
The first requirement of the “legitimate interests” condition is a “need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.” The ICO provides the following as an example:
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – i.e. to recover the debt.
This is of particular interest to the Switch2IT team, who experienced a similar incident where the boot was on the other foot and where legitimate interest was clearly not taken into account:
A financial company admits that, despite everything regarding the customer’s account and funds being in order, a “system malfunction” saw a faster payment to HMRC not complete. When, facing a fine, the customer asked the financial company if they could explain the issue to HMRC – giving permission for their data to be discussed so that the solution to a robust, secure and trustworthy banking platform might be found – the answer was a resounding no, as this would breach data protection…
What a data breach!
Virgin Trains East Coast was, however, seen to breach the first principle of the Data Protection Act when they published images showing the faces of other passengers travelling on the same London service. Images of other passengers were not essential to sharing their side of the story in response to Corbyn.
Seen as a one-off incident, and because no complaints were made by those members of the public exposed in the CCTV footage, no formal action has been taken. Instead, Virgin is being watched by the ICO and the train company has vowed to “strengthen its data protection training for everyone from new starters to the top tier executives” and get its CCTV policy into shape.
This leaves us somewhat open-mouthed. Perhaps a redraft of the 1998 Data Protection Act is in the pipeline, to prepare for the post-Brexit GDPR. But, in order to see the UK retain “its world-class regime protecting personal data”, the powers that be need to ask some serious questions about this recent ICO ruling.
Cyber security protection, here to stay
Regardless of the post-Brexit fallout and any changes afoot for data protection and IT security laws, one thing you can rely on is skilled, experienced technical support from Switch2IT.
Whether you need IT support in London, Hampshire or Sussex, we are here to provide everything from interim IT management and IT networking services for a new or expanding office to ad-hoc remote IT support at a time to suit you and ongoing managed IT support contracts that suit your budget. Whatever your business size and sector, give us a call on 0800 083 3416 and we will discuss your needs.