In April 2014, social work case files were discovered in a cabinet purchased by a member of the public from a second hand shop. The cabinet had been used by the children’s social work team at Norfolk County Council and the case files included information relating to seven children.
The Information Commissioner’s Office found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur and in particular did not have an adequate written procedure governing how office furniture disposal should be managed.
The Council was issued with a monetary penalty under the Data Protection Act for a serious contravention of the seventh data protection principle, and was fined £60,000.
The right to be forgotten enables an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing. However, the European Court of Justice (ECJ) has decided that the right does not apply to personal data in a companies register.
An Italian company director believed that various properties in a tourist complex failed to sell because the companies’ register disclosed that his previous company had been declared insolvent and struck off the register. He applied to the Chamber of Commerce requiring it to anonymise or block data linking him to his previous liquidation and to pay damages. The ECJ was asked to consider whether member states may allow individuals to request that access to their personal data on the companies register is limited to a specified period of time following dissolution of a company.
The ECJ decided that the public disclosure requirements took precedence over the protection of personal data in the interests of promoting legal certainty and protecting third parties in relation to limited liability companies.
The High Court has found two ex-employees of a claimant (C) liable for breaching their duties of confidence, but has rejected C’s claim for substantial damages. Instead, C was awarded the nominal sum of £2.
C had sought damages of £15 million, based on breaches of duty in copying and retaining confidential files. Crucially, the case was not brought on the basis that the defendants’ misuse of confidential information had caused C to suffer any loss or resulted in the defendants making any financial gain.
In the case of one of the defendants, the copied files were never subsequently accessed or used. The other defendant had made limited use of a few files, but C had not sought a remedy for the use actually made.
This case provides a useful illustration of the court’s approach to damages in cases where liability and breach of duty can be swiftly established, but establishing a loss to the claimant or gain to the defendant is less clear-cut. The judgment highlights the importance of focusing a claim for damages on the realities of the situation, rather than hypothetical outcomes. It also demonstrates that, even in cases of clear wrongdoing, the court’s role is not to punish but to recognise loss suffered, or gains illegitimately made.
An English private health company has been fined £200,000 after its Indian subcontractor failed to keep fertility patients’ personal information secure.
An investigation was commenced in April 2015 when a patient found that transcripts including details from interviews with hospital patients could be freely accessed by searching online.
The investigation revealed the hospital had been routinely sending unencrypted audio records of the interviews by email to the Indian subcontractor. Details of private conversations between a doctor and various hospital patients wishing to undertake fertility treatment were transcribed in India and then sent back to the hospital. It was found that the Indian company could not restrict access to the personal information because it stored audio files and transcripts using an unsecure server.
The English company was fined as it had breached the Data Protection Act 1998 by failing to ensure that its sub-contractor acted responsibly in compliance with the Data Protection Act.
This case shows the importance of ensuring that appropriate subcontracts are in place and enforced. If you feel your subcontracts might need checking, I would be happy to help.
Please drop me an email or give me a call.
The IP Enterprise Court has decided that certain sales of clothing branded with the registered trade mark “VEUVE CLICQUOT” were not covered by the scope of consents from the trade mark owners to the use of the marks.
The sales by the defendants therefore amounted to trade mark infringement and passing off. There were a number of defendants and the court said they were all liable.
The court awarded the trade mark owners £125,000 in damages and granted an injunction to prevent further infringement and passing off.
This case demonstrates the importance of ensuring that your licences to use intellectual property are wide enough for the needs of your business, and the necessity to stay within the remits of those licences.
If you need any advice on such issues, please email Karen.Mason@Novalex.co.uk