Data Protection Update

There’s a growing awareness of the impact on individuals when personal information is used in a way that people wouldn’t reasonably expect and It’s been clear for some time that individuals don’t trust organisations with their personal information. The General Data Protection Regulation (GDPR) applied from May 2018 and brought into focus the ways in which personal information is handled not only in Europe, but across the world.

Recently, a University of Oxford based researcher successfully requested the personal information of his fiancee from various companies in the UK and USA with surprising ease via Subject Access Requests (SARs) submitted in her name. 24% of organisations responded to the requests without any form of ID required and a further 16% of organisations accepted ID which was deemed to be weak.

The research successfully showed that many organisations are yet to implement stringent SAR procedures which protect individuals from fraud and allow legitimate access for data subjects. The identity of a requester should always be verified by the organisation to ensure that the request comes from a legitimate source such as the data subject themselves or an authorised representative.

As expected, we’re witnessing the shoots of a burgeoning compensation industry. Expect to see “no win, no fee” style advertisements from firms who are willing to take on compensation claims where an individual’s data protection rights have been infringed. We suspect that the sector’s growth may have more than a little to do with the winding down of PPI claims as the deadline for claims passed (29th August). We wouldn’t want our PPI friends to hang up the telephone!

Data sharing is an area that has been a feature in many of the regulators enforcement actions in recent months. Of course personal information can be shared but this must be in a transparent way and only where there is a genuine requirement and legal basis.

We strongly recommend that schools review their policies and procedures to ensure that they are able to respond to individuals who exercise their data protection rights. It is also worth checking that existing complaint handling procedures are robust
enough to withstand scrutiny.

The true value of data is only just being realised by the masses. Of course, there are those whose who have known of the value of data for many years. Were Tesco handing out clubcard vouchers as a manifestation of the love pouring out of their corporate heart? Perhaps, although the introduction of the clubcard in the 1995 coincides very neatly with Tesco’s rise to become the UK’s
leading supermarket.

Coffee shops springing up all over the world which appear to provide free coffee! Who could resist? Well, no cash is exchanged and card payments are not accepted. Customers ‘pay’ for their coffee with their personal information.

It’s important to recognise that your personal information has a real life monetary value to commercial organisations, fraudsters, governments and anyone else who would like to know whether you prefer holidays abroad, if you have a pet or a penchant for a particular brand of baked beans. Effectively, personal information has become a form of currency in its own right and it should be treated with equal or even more care than that which is given to physical cash.

As the vast majority of personal information is held electronically, cyber security is high on the agenda when it comes to the public’s concerns. It is imperative that organisations take measures to safeguard personal information which has been entrusted to them by data subjects. Recently we’ve seen international companies hit the headlines with regard to their mishandling of personal information.

British Airways suffered a security breach which resulted in thousands of credit and debit cards being harvested by criminals. The Information Commissioner’s Office (ICO) have issued their intention to fine BA a record £183 million for infringements of The GDPR.

In addition to the massive fine, the impact upon the firm’s reputation cannot be underestimated. Whilst an enforcement fine would be unlikely for a school, it is the risk of reputational damage that schools cannot afford to sustain, particuarly as it may affect roll numbers and funding.

Our view at The Education Space is that data protection will increasingly come into focus as public awareness grows. The ICO have (and quite rightly so) been tirelessly campaigning over the last year to promote the rights of individuals to the general public.

This ‘power shift’ to individuals has resulted in what can be a heavy burden on schools and other data controllers as the majority of SARs should be responded to within 1 month - irrespective of holidays or weekends.

ndividuals are now more aware than ever before of their data protection rights and they demand to know how
their personal information is being used. When data is handled correctly, this can improve trust and confidence in organisations. Conversely, when data is mishandled, the results can be devastating for both individuals and organisations.

Let us know if you have any queries relating to SARs or any other data compliance issues and we’ll be happy to help. DPO@theeducationspace.co.uk

References:

Using Privacy Laws to Steal Identities
https://www.bbc.co.uk/news/technology-49252501

BA Fine
https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways

Cookie	Duration	Description
ARRAffinity		This cookie is set by websites that run on Windows Azure cloud platform. The cookie is used to affinitize a client to an instance of an Azure Web App.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_129094303_2	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
ARRAffinitySameSite	session	No description available.
WFESessionId	session	No description available.

Journal

Journal

Data Protection Update

You might also like

JOIN OUR COMMUNITY

Our Partnerships

Our Partnerships

Airthings

NPW-LGfL recognised support

Citation