UK

Data ProtectionOver the past few years, there has been an increasing number of claims against businesses and public bodies for distress caused by data breaches. The pattern is, by now, a familiar one. A claimant will make a claim for breach of data protection legislation, seeking damages at a relatively low value for the distress and anxiety they say has been caused by the data breach. This claim will be accompanied by claims for one or more of: misuse of private information, breach of confidence and negligence. Added on to the damages claimed will be the legal costs of the claimant’s lawyers, together with the after-the-event (“ATE”) insurance premium for the policy the claimant will have procured to bring a privacy claim. As a result, the defendant is faced with a difficult decision – pay over the odds for a claim where the claimant has suffered no financial loss, or fight litigation with the risk of mounting costs on both sides if the decision goes against them.

Following a cyber-attack in 2017 and 2018, this is the situation that faced DSG Retail Limited (“DSG”), and which has led to an important judgment for these data breach claims, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB).
Continue Reading Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd

Laptop Data TransferOn 24th December 2020, the UK and the EU finally agreed on the terms of a Brexit deal, including an interim solution to the issue of personal data transfers from the EU to the UK.  This interim arrangement gives some much-needed breathing space to European organizations with UK affiliates or that use UK service providers, and renewed hope for an eventual adequacy decision from the European Commission covering transfers of personal data to the UK.

The interim solution agreed allows companies and organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to approve an adequacy decision in favour of the UK (under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679).


Continue Reading Brexit Updated: Interim Deal Reached on EU-UK Data Transfers

Brexit and EU keys on KeyboardWith the end of the Brexit transition period fast approaching, we have examined the potential impact on data privacy compliance in the UK and the EU/EEA and prepared a guide which provides practical advice on how to prepare to ensure that your organization is in the best position possible to deal with the outcome of the current UK/EU negotiations on 31 December 2020.

Organisations are advised to identify personal data flows between the EEA and the UK and to devise a plan to ensure that these data transfers will be able to lawfully continue from 1 January 2021, in the event that the UK does not obtain an adequacy decision from the European Commission (and no alternative agreement is reached) in advance of that date. Priority should be given to business-critical data flows and transfers of large volumes of personal data, special category data or criminal data.
Continue Reading The Brexit Transition Period: Are You Ready?

Digital Facial RecognitionLast week (9th July), the ICO announced that it would join forces with the Office of the Australian Information Commissioner (OAIC) to investigate the use of personal information, including biometric data, by Clearview AI, Inc. (Clearview). Limited information is available so far, but given the focus of the investigation, this is an important step in determining data protection rights and obligations, where information is ‘scraped’ from ‘publicly available’ sources, for the purposes of tackling crime.
Continue Reading ICO and Australian Information Commissioner Team-up to Investigate Clearview AI, Inc. Facial Recognition Tool and Data Scraping

As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace.  This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted.
Continue Reading The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses

Consulting helpAs businesses in the UK begin to re-open, as the lockdown lifts, they must ensure that they have effective measures in place to combat the spread of the virus within their workplace. This may include physical measures, such as the use of personal protective equipment and restructuring the office or site to enable social distancing. It may also include measures such as the use of temperature testing or thermal imaging cameras, rolling out a ‘track and trace’ app to employees or testing employees for the virus, all of which raise data privacy issues, as they involve the processing of ‘personal data’, which is governed by strict data protection laws.
Continue Reading COVID-19: Key Privacy Concerns Raised by the UK’s “Back-to-Work” COVID-19 Safety Measures

The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible.
Continue Reading Data Privacy & COVID-19 in the UK: Q&A on Key Privacy Issues

On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms.
Continue Reading UK Government Rolls Out New Essential Worker Online Testing Portal

Computer securityThe ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.

Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.
Continue Reading A Timely Reminder: Maintain Data Security in the Face of the Pandemic

Photo_of_woman_holding_phoneRecently, the ICO published a statement about the use of mobile phone tracking during the COVID-19 crisis. The statement provided that generalised location data, where properly anonymised and aggregated, does not fall under the remit of data protection laws. In addition to this statement, the government has now set out further information on how it intends to use data during the pandemic.
Continue Reading The UK Government Sets Out How it Will Use Data During the Pandemic