Category Archives: Data protection

Right to be forgotten does not apply to company registry

The right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, the European Court of Justice (ECJ) has decided that the right does not apply to personal data in a companies register.

An Italian company director believed that various properties in a tourist complex failed to sell because the companies’ register disclosed that his previous company had been declared insolvent and struck off the register. He applied to the Chamber of Commerce requiring it to anonymise or block data linking him to his previous liquidation and to pay damages. The ECJ was asked to consider whether member states may allow individuals to request that access to their personal data on the companies register is limited to a specified period of time following dissolution of a company.

The ECJ decided that the public disclosure requirements took precedence over the protection of personal data in the interests of promoting legal certainty and protecting third parties in relation to limited liability companies.

Health care firm fined £200,000 after patients’ confidential conversations were revealed online

An English private health company has been fined £200,000 after its Indian subcontractor failed to keep fertility patients’ personal information secure.

An investigation was commenced in April 2015 when a patient found that transcripts including details from interviews with hospital patients could be freely accessed by searching online.

The investigation revealed the hospital had been routinely sending unencrypted audio records of the interviews by email to the Indian subcontractor. Details of private conversations between a doctor and various hospital patients wishing to undertake fertility treatment were transcribed in India and then sent back to the hospital. It was found that the Indian company could not restrict access to the personal information because it stored audio files and transcripts using an unsecure server.

The English company was fined because it had breached the Data Protection Act 1998 by failing to ensure that its subcontractor acted responsibly and in compliance with the Act.

This case shows the importance of ensuring that appropriate subcontracts are in place and enforced. If you feel your subcontracts might need checking, I would be happy to help.

Please drop me an email or give me a call.

Karen Mason

Custodial penalties for data protection offences?

The Information Commissioner said twice in January that the court should have a broader range of penalties at its disposal when sentencing offences under the Data Protection Act 1998, including custodial and suspended sentences and community service. The current maximum penalty is an unlimited fine.

The Criminal Justice and Immigration Act 2008 makes unlawfully obtaining personal data punishable by up to two years in prison, but the relevant section is yet to be enacted.

First fine under new powers for unsolicited marketing texts

The Information Commissioner’s Office (ICO) has fined Help Direct UK Ltd £200,000 for sending thousands of unsolicited marketing texts. This is the first time that the ICO has used its new enforcement powers under section 55A of the Data Protection Act 1998.

The lead generation company ran a marketing campaign in April 2015 which prompted 6,758 complaints in one month alone. People complained about a variety of messages offering services including the reclaim of PPI payments, bank refunds and loans.

As the ICO considers unsolicited text marketing “a matter of significant public concern” and as it is now easier for it to issue fines for failing to comply with regulations 19 to 24 (relating to unsolicited direct marketing calls, texts and emails, automated calls, fax messages, identification of sender (when concealed) for email, and the information regulations), companies should ensure that their direct marketing activities comply fully with the Privacy Regulations 2003.

Cybersecurity and protection of personal data online

The Culture, Media and Sport Committee has launched an inquiry into cybersecurity and the protection of personal data online, following a cyberattack on TalkTalk’s website.

The Committee would like to receive views on matters including the following:

  • measures that telecoms and internet service providers are putting in place to maintain the security of their customers’ personal data and the level of investment being made to ensure systems remain secure and anticipate future threats;
  • adequacy of compensation for consumers affected by security breaches;
  • adequacy of current supervisory, regulatory and enforcement regimes; and
  • likely future trends in hacking, technology and security.

The deadline for written submissions is 23 November 2015.