In 2015 a Council breached the Data Protection Act (DPA) when it published personal information contained in planning application documents that it made publicly available online.
The Council was fined £150,000 by the Information Commissioner’s Office (ICO).
The ICO is an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO's investigation found that on the 16th July 2015 the Council received a written statement in support of a householder's planning application for proposed works in a green belt.
The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years. In particular, it referred to the family’s disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home.
The Council published the statement in full on its online planning portal later that day.
The ICO investigation found that this was due to failings in data protection procedures and training. An inexperienced Council officer did not notice the personal information in the statement, and there was no procedure in place for a second person to check the document before it was published, so the personal data was inadvertently published online.
The information was only removed on the 4th September 2015 when the concerns came to light.
The General Data Protection Regulation (GDPR)
If the same data breach were to happen after the 25th May of this year, the Council could face a fine of £17,000,000!
There is a new data protection law coming into force, and anyone who handles data about people has to be compliant.
Currently, the maximum fine the ICO can issue is £0.5m. After this May, larger fines of up to £17m (€20m) or 4% of global turnover will be allowed, enabling the ICO to respond in a proportionate manner to the most serious data breaches.
The GDPR is based on a set of common-sense principles:
- A "right to be forgotten": When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
- Easier access to your data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
- The right to know when your data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk, and must communicate all high-risk breaches to the affected data subjects as soon as possible so that they can take appropriate measures.
- Data protection by design and by default: 'Data protection by design' and 'data protection by default' are now essential elements of EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- Stronger enforcement of the rules: Data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover or £17,000,000 – whichever is higher.
If you are an organization that handles data about people, you should note the following…
Identify where you or your company are storing data, for example:
- Your website
- Telesales – do you store names and numbers for your agents to call?
- Direct mail – do you have completed order forms stored away with contact details?
- Customer service departments – calls taken from potential customers and the details recorded from those calls
- Personal contact with people – the exchange of business cards from a tradeshow or exhibition
Prepare yourself and your staff, and make them well aware of the changes that are coming.
- Make sure that they understand the principles of good data protection. Details of people should not be written down on a piece of paper that could go astray or end up in the bin, nor taken home on computers or memory sticks from which the information could be stolen
- Evaluate your environment and how you document personal data – where did it come from, who have you shared it with?
- Decide how you will audit the data. Review current policy notices and put a plan in place, with procedures and timescales
- Be compliant, review your practices and make sure that, to the best of your ability, you look after the data as if it were your own
- Decide how you will be able to prove that your data is secured safely and how to seek consent moving forwards.
Do you need a Data Officer?
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. A DPO would be recommended for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. Seek advice as to whether your company should employ a DPO.
The GDPR is a very hot topic at the moment and we will be keeping you up to date with any developments.
Read more about the ICO and the GDPR