General Data Protection Regulations (GDPR) - 12 months on

21 May 2019

Andrea Palmer, Head of HR, reports on the General Data Protection Regulations (GDPR) – 12 months on.

Since the implementation of the GDPR on 25 May 2018, the Information Commissioner's Office (ICO) has been cracking down on data breaches. Here are a few examples which we thought you might find of interest:

A former administrator at Heart of England NHS Foundation Trust (HEFT) has been prosecuted for accessing medical records without authorisation – April 2019

Faye Caughey admitted two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998.

Did you know?? You have a responsibility for ensuring your frontline staff have received appropriate training in GDPR and it is good practice for staff to be provided with all policies and procedures and made fully aware of their responsibilities under GDPR as part of their induction.

Outcome: Fined £1000, ordered to pay costs of £590 and a victim surcharge of £50.

Six-month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution – November 2018

Mr Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system.  The records contained customers’ names, phone numbers, vehicle and accident information.

Did you know??  The ICO usually prosecutes cases like this under the Data Protection Act 1998 or 2018, depending on the individual case.  However, in appropriate cases, it can prosecute under other legislation - in this case s1 of the Computer Misuse Act 1990.

Outcome: Six-month prison sentence!

Noble Design and Build of Telford – July 2018

Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, broke data protection laws by failing to comply with an Information Notice.

The company also failed to register with the ICO, despite it being a criminal offence not to do so.

Did you know??  If your business uses CCTV, you must tell people they may be recorded, which is usually done by displaying signs that are clearly visible and readable. You should control who can see the recordings, and make sure the system is only used for the purpose it was intended for.

You must also notify the ICO why you’re using the CCTV.

Outcome: Convicted at Telford Magistrates Court and fined £2,000

Gloucestershire Police fined for revealing identities of abuse victims in bulk email – June 2018

The force was at the time investigating allegations of abuse relating to multiple victims. On 19 December 2016, an officer sent an update on the case to 56 recipients by email but entered their email addresses in the ‘To’ field and did not activate the ‘BCC’ function, which would have prevented their details from being shared with others.

Did you know?? This case was dealt with under the provisions and maximum penalties of the Data Protection Act 1998, and not the 2018 Act which has replaced it, because of the date of the breach. However, if the breach had taken place after 25 May 2018, a much more significant fine would have been issued.   

The following month (July 2018), the Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 by the ICO after sending a bulk email that identified possible victims of non-recent child sexual abuse.

Outcome: Gloucestershire Police was fined £80,000

Can we help?

Since 25 May 2018, we have had numerous enquiries and assisted businesses with data breaches - some not dissimilar to those mentioned. 

Often, they can be attributed to human error, not always intentional, but more importantly they need to be reported to the ICO.  Interestingly, we have also seen an increase in the number of employees who have also exercised their right to a Subject Access Request. 

A subject access request, or SAR, is a written request to a company or organisation asking for access to the personal information it holds on an employee.

Aspire have extensive experience of managing data breach reporting, handling subject access requests and auditing your own HR documentation, including CCTV and Vehicle Tracking Policies, to ensure GDPR compliance.

However, at Aspire we believe that Prevention is Better than Cure, so whether it’s drafting relevant documents or communicating with and training your workforce in all aspects of GDPR, we can help, so get in touch.

See our other GDPR news articles:

Santa Clause is coming to town, but has he considered the GDPR implications?

Brexit data firm hit with the first formal notice under GDPR

GDPR is still on the agenda

Data Protection Act 2018 comes into force today