
Morrisons Supermarkets have been confirmed as being responsible for the wrongful actions of employees who are authorised to hold and use personal data as part of their employment, even if they then use it wrongfully. What all employers need to do is look at what they have authorised employees to do with personal data, check whether it can be made safer, and implement appropriate technical and organisational measures. This is not startling news, as vicarious liability of employers for the acts of their employees is a long-standing legal concept. It can be insured against, but taking simple actions to protect personal data is the strongest protection a business can implement.

There is a view that once an individual demands that a business remove all its records on that individual (the “right to be forgotten”), the business must then comply with the request. That is clearly incorrect, or it would mean an individual could take out a loan for £50,000 today, then tomorrow demand the bank forget all about it. There are risks, however, for those businesses that have not paid attention to the content of their Privacy Notices, because if it is not clear why the business has data, or the notice does not set out what the business uses it for, then the individual can demand the data is removed. This will cause difficulties for many businesses, not just large ones. It is now critical for every business to understand what personal data it collects, what it is used for, why, and where it is shared. Businesses can no longer ignore this critical issue of personal data (and don’t forget, business people are people too). Privacy Notices are a crucial protection for business. Spend time getting them right.

In January 2017 the Information Commissioner fined two businesses for electronic marketing they carried out after accessing lists provided by data brokers. Although the buying companies had made sure the data broker had warranted that the contacts were clean and fit for use, it turned out that they weren’t. One company was fined £40,000 and the other was fined £50,000. Could you pay those fines?

The Federal Trade Commission of the USA has reacted to reports that various routers, baby monitors and other IoT (Internet of Things) devices manufactured by D-Link Systems Inc are unsafe as they do not take appropriate measures to protect these devices against hacking activity. This is a major issue for all of us in business, as evidenced by the recent DDoS attack against Dyn. Not securing the billions of these IoT devices, which will cover everything from your fridge to your TV, your home heating to your smart TV, means there will soon be massive attack networks capable of bringing down even the largest business.