
Data Protection: what’s new?

Posted by Anna Aldred on 28th February 2022

So, what recent legal updates have occurred which could impact our data protection practices?

Privacy Reform

After Brexit, the UK GDPR was put in place, which mirrors the provisions in the EU GDPR. Of course, the UK can now take its own path and reform the legislation if it wishes to.

At the end of 2021, the government introduced a “Privacy Reform”. The reform includes proposals for UK businesses aimed at reducing some of the compliance hurdles, including the additional costs and time that businesses incur to comply with GDPR.

Some of the preliminary proposals are:

  • the introduction of whitelisted grounds for processing on the basis of legitimate interests;
  • changes to cookie consent requirements, to make it easier to use analytical cookies; and
  • raising data breach reporting thresholds, such that only breaches resulting in a material risk to individuals need to be reported to the ICO.

Other proposals include the requirement for a “privacy management programme” and the replacement of UK DPOs with a “suitable individual responsible for the privacy management programme” position within organisations, but these suggestions have been criticised as confusing and not actually helping with the administrative burden that the current legislation causes.

We will keep you updated on which of these proposals make it through the consultation process.

PECR Reform

There have also been suggestions that the Privacy and Electronic Communications Regulations (PECR) need to be reformed so that fines are increased in line with the UK GDPR. This suggestion follows on from big companies like American Express and Sports Direct being issued fines for continuing to send unsolicited marketing communications.

Don’t forget about your cookies banner!

Ecolog (a third-party company commissioned by the European Parliament) was instructed to set up a Covid-19 test booking website and, in doing so, engaged in unlawful data transfers and cookie consent practices. In short, the complaints concerned third-party trackers and cookie consent banners. On investigation, it was found that health data was not processed through the European Parliament’s website, but that cookies associated with Google Analytics and Stripe were being used to capture “online identifiers” of the website’s visitors, and this data was then transferred to the US. This is a useful reminder to businesses to use a cookies banner and to work with website designers to ensure that all information on cookies is detailed in a website privacy policy or cookies policy.

On a separate note, a reform to PECR and its approach to cookies may be considered in the next year. There have been concerns raised about ‘cookie fatigue’ from pop-ups and users not actually considering the content in relation to cookies and just clicking “I Agree” in order to access the website – most of us are guilty of this I suspect!

Managing Data Protection Requirements in Employment

It has been suggested that the ICO reviews its current employer guidance in 2022 and updates this to reflect how working life and technology have changed (quite significantly!) since the last review. It will include guidance on how to handle personal data in relation to recruitment and selection, employment records, monitoring of workers and information about workers’ health.

As staff continue to return to the office or to hybrid working, employers will continue to face issues such as monitoring of employee productivity at home, and collection of vaccination status and data on work patterns. All of these raise potential compliance issues which employers need to carefully consider.

Case update – minor data breach for sending email to the wrong recipient

It is no surprise that the ICO has reported that data emailed to the wrong recipient continues to be the most common incident type reported and that the health sector reported the largest number of breaches during the pandemic.

The case of Rolfe and others v Veale Wasbrough Vizards LLP [2021] will provide some comfort where such a situation arises: a claim for damages for misuse of confidential information and under data protection legislation was summarily dismissed (meaning it did not proceed to trial) as there was no real prospect of success.

In this case, a school instructed the defendant to send a letter to parents who had missed school fee payments. It included the claimants’ names and home addresses, but no other personal data. When the letter was sent via email, it was sent to the wrong email address. The defendant took immediate steps to rectify the issue and, as soon as it realised that the email address was incorrect, the recipient was asked to delete the email.

The claimants brought a claim for damages and alleged that the data breach caused significant distress and worry.

In the summary, the judgment stated that it was understood that damages can be recovered for misuse of private information, including for the distress caused even when a specific financial loss is absent, and that loss of control of personal data can constitute damage (see Vidal-Hall v Google and Lloyd v Google, which was recently heard in the Supreme Court). However, as held in Lloyd v Google, a claim cannot succeed where the loss or distress is not made out or is considered trivial/minor. It seems unlikely that a claim arising from an accidental one-off data breach that has been quickly remedied (like the one in this case) would pass the threshold of seriousness to result in an award of damages.


Please keep an eye out for further updates in this area, as we will update you if any of the proposals will impact the data protection policies and practices that you currently follow.

