So, what recent legal updates have occurred which could impact our data protection practices?
After Brexit, the UK GDPR was put in place, which mirrors the provisions in the EU GDPR. Of course, the UK can now take its own path and reform the legislation if it wishes to.
At the end of 2021, the government introduced a “Privacy Reform”. The reform includes proposals for UK businesses, aimed at reducing some of the compliance hurdles including the additional costs and time that businesses incur to comply with GDPR.
Some of the preliminary proposals are:
- the introduction of whitelisted grounds for processing on the basis of legitimate interests;
- changes to cookie consent requirements, to make it easier to use analytical cookies; and
- raising data breach reporting thresholds, such that only breaches resulting in a material risk to individuals need to be reported to the ICO.
Other proposals include the requirement for a “privacy management programme” and the replacement of UK DPOs with a “suitable individual responsible for the privacy management programme” position within organisations, but these suggestions have been criticised as confusing and not actually helping with the administrative burden that the current legislation causes.
We will keep you updated on which of these proposals make it through the consultation process.
There have also been suggestions that the Privacy and Electronic Communications Regulations (PECR) need to be reformed so that fines are increased in line with the UK GDPR. This suggestion follows on from big companies like American Express and Sports Direct being issued fines for continuing to send unsolicited marketing communications.
Don’t forget about your cookies banner!
On a separate note, a reform to PECR and its approach to cookies may be considered in the next year. There have been concerns raised about ‘cookie fatigue’ from pop-ups and users not actually considering the content in relation to cookies and just clicking “I Agree” in order to access the website – most of us are guilty of this I suspect!
Managing Data Protection Requirements in Employment
It has been suggested that the ICO reviews its current employer guidance in 2022 and updates this to reflect how working life and technology have changed (quite significantly!) since the last review. It will include guidance on how to handle personal data in relation to recruitment and selection, employment records, monitoring of workers and information about workers’ health.
As staff continue to return to the office or to hybrid working, employers will continue to face issues such as monitoring of employee productivity at home, and collection of vaccination status and data on work patterns. All of these raise potential compliance issues which employers need to carefully consider.
Case update – minor data breach for sending email to the wrong recipient
It is no surprise that the ICO has reported that data emailed to the wrong recipient continues to be the most common incident type reported and that the health sector reported the largest number of breaches during the pandemic.
The case of Rolfe and others v Veale Wasbrough Vizards LLP will provide some comfort where such a situation arises: a claim for damages for misuse of confidential information and under data protection legislation was summarily dismissed (meaning it did not proceed to trial) as there was no real prospect of success.
In this case, a school instructed the defendant to send a letter to parents who had missed school fee payments. It included the claimants’ names and home addresses, but no other personal data. When the letter was sent via email, it was sent to the wrong email address. The defendant took immediate steps to rectify the issue and, as soon as it realised that the email address was incorrect, the recipient was asked to delete the email.
The claimants brought a claim for damages and contended that the data breach had caused them significant distress and worry.
In the summary, the judgment stated that it was understood that damages can be recovered for misuse of private information, including for the distress caused even when a specific financial loss is absent, and that loss of control of personal data can constitute damage (see Vidal-Hall v Google and Lloyd v Google, which was recently heard in the Supreme Court). However, as held in Lloyd v Google, a claim cannot succeed where the loss or distress is not made out or is considered trivial/minor. It seems unlikely that a claim arising from an accidental one-off data breach that has been quickly remedied (like the one in this case) would pass the threshold of seriousness needed to result in an award of damages.