What an interesting couple of months for data protection! See below for updates, particularly relating to how businesses can avoid prosecution.
Failure to register with the Information Commissioner’s Office (ICO)
Businesses that collect personal data are deemed to be data controllers and are required to register as such with the ICO. Failure to do so can result in prosecution and a financial penalty. The ICO has prosecuted several companies, the most recent being this week where a company was fined £400 and ordered to pay court costs of nearly £600. Although a fairly nominal sum, the result of prosecution can have a significantly adverse impact on the business concerned.
Registration takes approximately 15 minutes and for most companies will only cost £35. Businesses can register at https://ico.org.uk/for-organisations/register/
Companies Register – Right to be forgotten?
The European Court of Justice (ECJ) has confirmed that the ‘right to be forgotten’ needs to be balanced against other rights and does not apply under EU law in respect of personal data held in a companies register.
Case Study
Mr Manni, a company director, requested his personal data be removed from the companies register. He claimed that properties within a complex he was contracted to develop were not selling due to the companies register showing that he had been the sole director and liquidator of a company which had been declared insolvent in 1992 and struck off the companies register following liquidation proceedings.
The court found it was not disproportionate to include such personal data even where a company no longer exists, the reasoning given for the decision was that:
- The personal data within a company register is limited
- Individuals who choose to participate in dealings where company assets are the only safeguards for third parties should be required to disclose identifiable information and their functions within the company
Subject Access Requests (SAR) – Update
It has been confirmed that individuals have a right to receive a copy of their personal data regardless of their reason for requesting it. Three points of law were clarified in a recent case:
- Legal professional privilege can only be claimed if recognised by the UK courts, in this particular case, Bahamian trust law on disclosure could not apply
- A SAR is valid even if a collateral purpose of the request is to obtain information for the purposes of litigation (a reversal on previous case law)
- It is not necessary to supply personal data if it will involve disproportionate effort - both in terms of the work needed to find the information and to produce copies (the ICO has previously issued guidance to confirm that only the work to produce copies could be considered)
If you have any concerns as to your data protection compliance, or you would like some advice or assistance in preparation for the new General Data Protection Regulation (GDPR), please do contact me for an initial chat. Additionally I will be talking about GDPR on Tuesday 25 April at Bicester Buisness Lunch, for more details please see the link below.