Archive for November, 2010

First Fines under new Data Protection Regime

The Information Commissioner, Chris Graham, has today announced that he has served monetary penalty notices on two organisations for serious data security breaches. It is the first time that the Commissioner has exercised the new powers to serve monetary penalty notices, which came into force in April this year, and the Commissioner hopes that they will send a “strong message” to organisations handling personal data that they risk being fined if they fail to take the necessary care to protect the information that they hold about individuals.

Hertfordshire County Council was issued with a fine of £100,000 for two serious incidents in which the Council’s childcare litigation unit sent two faxes to the wrong recipients. The first fax contained sensitive information about a child abuse case; the second contained information relating to the care proceedings of three children as well as details of previous convictions and domestic violence records of other individuals. Clearly, the fact that the second incident happened at all was seen as an aggravating factor since it suggested that the measures adopted by the Council to prevent a recurrence of the first incident were inadequate.

In the Commissioner’s view, the sensitive nature of the information involved was such that if that information was to be faxed, the Council should have ensured that it had a ‘phone ahead’ and ‘confirmation of receipt of fax’ process in place at the very least.

In the second case, A4e Limited was fined £60,000. The company operated Community Legal Advice Centres in Hull and Leicester for the Legal Services Commission. It issued one of its employees with a laptop for home working. The laptop was stolen from the employee’s home. It contained personal data and sensitive personal data relating to 24,000 legal advice centre clients – including the case type (for example, debt, welfare or employment), the name, postcode, date of birth and gender of the data subject together with whether or not the client was a lone parent, care leaver, carer, a victim of violence, ex-offender, young offender or gypsy traveller. While the laptop had password protection, it was unencrypted and the Commissioner also noted that the company had not provided the employee with a cable lock or other security device to secure the laptop. Furthermore, the fact that the company had policies in place which required data secured on laptops to be encrypted suggested that it was aware of the risks of a data security breach, but had not actually ensured they had been addressed.

The most striking feature of both cases is simply the routine nature of the security incidents. Neither involved high-tech data security theft. In each case, simple technical and organisational measures could have prevented either of these incidents (or at least mitigated the effects of them).

Reading the monetary penalty notices themselves, it is evident that the Commissioner has chosen to clearly document the reasoning he has adopted in determining that a fine is appropriate and within the scope of his powers. The Commissioner is also likely to have one eye on the potential for an aggrieved organisation to apply for a judicial review of his decision – although that appears unlikely in either of these cases. Both of the organisations themselves seem to have accepted the Commissioner’s findings and the fines they have been given.

The Commissioner has the power to levy fines of up to £500,000 and these fines are well below that maximum level. Not only will he want to give himself plenty of headroom to increase the level of fines for cases that he deems to be more serious than this, but he will also want to see if the message sinks in that he will use his powers. Only time will tell – but both of these organisations will today be facing up to the reputational damage that the publicity generated by these fines has caused, which may ultimately be more costly than the fines themselves.

The wisdom of Clouds?

If, like me, you’re suffering from Cloud-fatigue, you may not be keen to read another post about it.   However, like it or not, the Cloud hype of recent years is turning into Cloud reality as the mist clears.

Is The Cloud maturing?

Yesterday there was an announcement that the Cloud Industry Forum has released it’s code of practice for cloud computing services.  The wild frontier of “Cloud” is being tamed it seems as the industry grows up.  Amazon, Google, Microsoft and other cloud platform and services providers have been upping their game, publishing extensive security white papers to give comfort to larger corporate and public sector organisations.  Toes that have been dipped into using Cloud services have been followed by ankles and knees and in some cases have gone right up to the neck – or maybe they’ve got their head in the clouds (sorry).

Just another decision

So where have we got to with the Cloud?  Well, hopefully there’s more pragmatism and sense being applied now in that people realise it’s not so much a revolution as just another way of delivering technology.  As I saw a commentator recently put it, “Going into the cloud is nothing more than a make vs. buy decision” in an article called, provocatively, “Why ‘the cloud’ doesn’t matter“.  The point being, it’s just another purchasing/procurement/planning exercise – i.e. where are we going to put this new system, on site or in the cloud?  The difference is that you’re buying a service rather than a software licence, so you need to take the appropriate approach.

Due diligence

This chimed with a great presentation from our very own Grant Campbell a few weeks back, entitled “Navigating through the Cloud…a guide to the legal issues”.  To paraphrase Grant, “going into the Cloud” is basically outsourcing, so you should treat it as such, approach it carefully, do your due diligence and consider the implications: where is our data going to be, who controls it, what are the risks, what will the service level be, what happens if it all goes wrong, how do we exit/get our data back, and so on.

Ever increasing circles

I’ll be speaking at The Cloud Circle Forum tomorrow on a similar topic – sharing a platform with Mimecast – and providing a customer’s perspective on Cloud.  I’ll be talking about what we’ve done when considering moving services to the cloud, and borrowing liberally from taking inspiration from Grant’s presentation regarding the legal questions to consider.  Will it live up to the Cloud hype?  Probably not, but then the delivery is always more difficult and more mundane than a sales pitch and we’re really looking at bringing the Cloud back down to earth.

Potential changes to Scottish defamation laws

It is often said that you shouldn’t speak ill of the dead. From a lawyer’s point of view, this is an odd saying, as you can’t defame a dead person. Accordingly, all bets are off once a person has died.

It looks like that could soon change in Scotland though. The Scottish Government is considering changing the law so that an action for defamation can be brought after death.

This potential change in the law raises a couple of interesting issues.

  • Firstly, any proceedings could be frought with difficulties. Often, the person alleging the defamation is a key witness in any defamation proceedings, but if that person is dead then he will not be available to the court. As the onus is on the person who made the statement to show that the statement was justified, this may make it particularly difficult for the person making the statement to defend an action if the basis of the statement is a matter personal to the two parties.
  • Secondly, under Scots law, in order for a defamation action to succeed, it is also necessary to show that harm has been caused. In many instances, it is difficult to see what harm can be suffered after death and how that harm can be quantified in damages. Whilst it is possible that the estate of a well–known individual could suffer financial loss through a drop in sales, in many instances the noterietary of arising out of the accusation may actually contribute to the estate through an increased interest in that individual’s works.
  • Thirdly, it may lead to increased forum shopping, as such actions are not currently permitted in other countries that are traditionally popular for bringing defamation actions (for example, England or the USA). This may lead to an influx of cases (and business) for the Scottish courts where the statement is also published or made available in Scotland.
  • The Scottish Government plans to issue a consultation on the proposed changes by the end of this year.

Twitter: @BrodiesTechBlog feed

November 2010
« Oct   Dec »

%d bloggers like this: