Data Protection five months on: an update from Penningtons Manches
1 November 2018

Education and data law specialists Penningtons Manches will be providing a Data Protection helpline for English UK members from Wednesday 7 November 2018.

Members can access advice on all aspects of data protection law, from contractual issues to how to appoint a Data Protection Officer to writing privacy policies .

Daff Richardson, education and employment partner at Penningtons Manches, considers some of the trends that she has noticed; case law on data protection; and what the ICO has been focusing on since the GDPR took effect in May 2018.

Trends under GDPR

The most significant trend we have noticed is a rise in individuals exercising their rights under GDPR, perhaps due to the amount of publicity and information about the new rules.

The ICO noted a doubling of complaints brought by individuals after 25 May in relation to data breaches. Our clients have experienced a noticeable rise in the number of data subject access requests, often brought by employees, students or applicants. Given that there is only one month in which to respond to such requests, organisations should plan how to respond to requests in general, maintain good protocols about data retention, and ensure that their staff can recognise a subject access request so that action can be taken swiftly.

Employee requests can involve huge amounts of data, so establishing sensible search parameters is vital to avoid disproportionate effort: as yet, we do not have any guidance or case law on the circumstances in which requests can be refused or extensions of time permitted, so caution is needed. It is also reasonable to ask the data subject to define the scope of a request, if it is very wide.

Case law

The most important reported case relating to data protection is the group action brought against Morrisons Supermarkets by a number of their staff, whose salary details were leaked to the press by the criminal actions of a rogue employee.

At the end of October 2018, the Court of Appeal confirmed that the employer was vicariously liable for the actions of the employee, even though his motives were to damage his employer. Whilst employers should put in place robust checks and balances to reduce the risk of damaging leaks of information, clearly it might not be possible to stop a determined rogue employee, and employers could face very significant liability where there is this sort of breach.

The Court of Appeal has suggested that employers consider insuring against this risk. The case is likely to be appealed to the Supreme Court, so further developments may follow.

What has the ICO been doing?

The ICO's website contains a wealth of information and is frequently updated with guidance notes and commentary: it includes specific GDPR guidance for the education sector.

In the past few months, the ICO has been dealing with serious, high profile data breaches and has been issuing some notable fines in relation to poor data handling practices: for example in September 2018 BUPA was fined £175,000 in relation to the extraction and sale of customers' data by an employee; and in October, Heathrow Airport Limited was fined £120,000 in connection with data that was found on a lost USB stick.

Most reported fines are under the old legislation but in a number of cases the ICO is considering which regime (pre or post-GDPR) applies: for example there has been a widely reported data breach by Dixons Carphone which may postdate the GDPR and which may therefore attract a much higher potential fine.

The ICO has also been involved in action against individuals who have inappropriately accessed data, including health care professionals: unlawfully accessing data may be a criminal offence and criminal proceedings have been taken against individuals resulting in fines and a criminal record.

Daff Richardson, Education and Employment Partner, Penningtons Manches LLP


previous entry << >> next entry