Data Protection Update

There’s a growing awareness of the impact on individuals when personal information is used in a way that people wouldn’t reasonably expect and It’s been clear for some time that individuals don’t trust organisations with their personal information. The General Data Protection Regulation (GDPR) applied from May 2018 and brought into focus the ways in which personal information is handled not only in Europe, but across the world.

Recently, a University of Oxford based researcher successfully requested the personal information of his fiancee from various companies in the UK and USA with surprising ease via Subject Access Requests (SARs) submitted in her name. 24% of organisations responded to the requests without any form of ID required and a further 16% of organisations accepted ID which was deemed to be weak.

The research successfully showed that many organisations are yet to implement stringent SAR procedures which protect individuals from fraud and allow legitimate access for data subjects. The identity of a requester should always be verified by the organisation to ensure that the request comes from a legitimate source such as the data subject themselves or an authorised representative.

As expected, we’re witnessing the shoots of a burgeoning compensation industry. Expect to see “no win, no fee” style advertisements from firms who are willing to take on compensation claims where an individual’s data protection rights have been infringed. We suspect that the sector’s growth may have more than a little to do with the winding down of PPI claims as the deadline for claims passed (29th August). We wouldn’t want our PPI friends to hang up the telephone!

Data sharing is an area that has been a feature in many of the regulators enforcement actions in recent months. Of course personal information can be shared but this must be in a transparent way and only where there is a genuine requirement and legal basis.

We strongly recommend that schools review their policies and procedures to ensure that they are able to respond to individuals who exercise their data protection rights. It is also worth checking that existing complaint handling procedures are robust
enough to withstand scrutiny.

The true value of data is only just being realised by the masses. Of course, there are those whose who have known of the value of data for many years. Were Tesco handing out clubcard vouchers as a manifestation of the love pouring out of their corporate heart? Perhaps, although the introduction of the clubcard in the 1995 coincides very neatly with Tesco’s rise to become the UK’s
leading supermarket.

Coffee shops springing up all over the world which appear to provide free coffee! Who could resist? Well, no cash is exchanged and card payments are not accepted. Customers ‘pay’ for their coffee with their personal information.

It’s important to recognise that your personal information has a real life monetary value to commercial organisations, fraudsters, governments and anyone else who would like to know whether you prefer holidays abroad, if you have a pet or a penchant for a particular brand of baked beans. Effectively, personal information has become a form of currency in its own right and it should be treated with equal or even more care than that which is given to physical cash.

As the vast majority of personal information is held electronically, cyber security is high on the agenda when it comes to the public’s concerns. It is imperative that organisations take measures to safeguard personal information which has been entrusted to them by data subjects. Recently we’ve seen international companies hit the headlines with regard to their mishandling of personal information.

British Airways suffered a security breach which resulted in thousands of credit and debit cards being harvested by criminals. The Information Commissioner’s Office (ICO) have issued their intention to fine BA a record £183 million for infringements of The GDPR.

In addition to the massive fine, the impact upon the firm’s reputation cannot be underestimated. Whilst an enforcement fine would be unlikely for a school, it is the risk of reputational damage that schools cannot afford to sustain, particuarly as it may affect roll numbers and funding.

Our view at The Education Space is that data protection will increasingly come into focus as public awareness grows. The ICO have (and quite rightly so) been tirelessly campaigning over the last year to promote the rights of individuals to the general public.

This ‘power shift’ to individuals has resulted in what can be a heavy burden on schools and other data controllers as the majority of SARs should be responded to within 1 month - irrespective of holidays or weekends.

ndividuals are now more aware than ever before of their data protection rights and they demand to know how
their personal information is being used. When data is handled correctly, this can improve trust and confidence in organisations. Conversely, when data is mishandled, the results can be devastating for both individuals and organisations.

Let us know if you have any queries relating to SARs or any other data compliance issues and we’ll be happy to help.


Using Privacy Laws to Steal Identities

BA Fine