Privacy & Information Security Law Blog

Background

On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA").  This Consultation follows the Information Commissioners' publication of draft guidance this week, explaining the circumstances in which a fine will be imposed.  The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.

The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.

The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”).  The Regulations are expected to come into force as of October 1, 2009.

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

The Information Commissioner’s Office (the “ICO”) has conducted a dawn raid on a business which operated a covert database containing details of 3,213 workers in the construction industry (the “Database”). Subscribers included over 40 construction companies, publicly named by the ICO, who used the database to vet prospective employees, without their knowledge or consent.