U.K. December Update: Six Enforcement Actions, Draft Code, Smart Meter Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim  

LONDON--The U.K. Information Commissioner's Office announced six enforcement actions in December, including monetary penalties on three local government authorities, undertakings with two councils, and a court judgment against a bank employee for unlawfully accessing an individual's bank details.

In non-enforcement-related action, the ICO sought public comment on a new draft code that will help organizations handle subject access requests, while the U.K. Department of Energy and Climate Change published its plans on how it will safeguard customer data obtained from smart electricity and gas meters.

Three Fines on Local Government Entities.

The ICO Nov. 16 slapped a £95,000 ($153,145) fine on Leeds City Council after it sent a letter containing a child's personal details to the wrong address after reusing an envelope. The letter contained details about the child's criminal offense, school attendance, and maternal relationship.

The data protection authority Dec. 10 handed a penalty of £90,000 ($145,085) to Devon County Council after a social worker sent an old copy of an adoption panel report instead of a new one, revealing the personal data of 22 people, including details of alleged criminal offenses and mental and physical health.

The ICO Dec. 12 issued its third fine of £70,000 ($112,849) to the London Borough of Lewisham after a social worker left sensitive documents in a plastic shopping bag on a train. The files, which were recovered, included medical and police reports.

'Underlying Problem’ in Local Government.

These latest penalties mean that the ICO has fined almost 20 local government authorities a total of £1.88 million ($3.03 million) since it gained its fining powers in April 2010, the ICO said in a Dec. 17 statement.

“It would be far too easy to consider these breaches as simple human error,” Information Commissioner Christopher Graham said in a statement. “The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence.”

Stating “there is clearly an underlying problem with data protection in local government,” Graham said the ICO will be meeting in 2013 with stakeholders from across the sector to discuss how the ICO can support them in addressing these problems.

In addition, the ICO is pressing the Ministry of Justice for stronger powers to audit local councils' data protection compliance, if necessary without consent, the ICO said.

Court Fines Bank Employee for Unlawful Access.

The ICO Dec. 6 announced that Derby Crown Court fined bank employee Lara Davies a total of £1,925.80 ($3,104.64) for serious breaches of the Data Protection Act (1998) (DPA) for unlawfully obtaining the personal details of her partner's ex-wife during a divorce settlement (In re Davies, Derby Crown Ct., docket number unavailable, sentencing 6/12/12).

The court ordered Davies to pay £500 ($806), prosecution costs of £1,410.80 ($2,274.39), and a £15 ($24.10) victim surcharge after she pleaded guilty to 11 offenses under Section 55 of the DPA, which covers the unlawful obtaining or accessing of personal data, the ICO said.

In a statement, Graham said that the “only surprise here is that--in an age where our personal information is being stored and accessed by more organizations than ever--the penalties for abusing the system are so inadequate.”

ICO Signs Two Undertakings with Councils.

The ICO announced in December two undertakings, which are signed agreements committing an organization to make certain improvements to its data security measures by a certain date or face further enforcement action. These included undertakings with:

• Leeds City Council, after a private area on the council's “Leeds Initiative” website became accessible to members of the public and compromised personal data in 7 spreadsheets, including name, address, date of birth, and disability details; and

• Isle of Anglesey County Council, following reports that: the entity had inappropriately disclosed or disposed of personal data; its data protection policy was outdated and did not provide sufficiently detailed guidance; and the only mandatory training in data protection matters was a basic overview provided at induction.

ICO Seeks Input on Draft Code.

The ICO Dec. 13 announced the launch of a consultation--a call for public comment--on a new draft code aimed at helping organizations handle subject access requests.

Explaining the need for a code, the ICO said that during the last financial year, the highest category of complaints (6,000) came from individuals unhappy that organizations were not complying with the law by allowing them to view their files under the so-called “subject access request” (SAR).

The ICO said that the final version of the code will clear up any confusion by clearly and simply explaining an organization's legal responsibilities and individuals' rights under the DPA.

SARs can also benefit organizations by highlighting inaccuracies in their records and giving them the opportunity to update the information they keep about individuals, the ICO's Deputy Commissioner David Smith said in a statement.

The consultation closes Feb. 21, 2013, and the ICO aims to publish a final version of the code in the spring of 2013, the ICO said.

Government Unveils Plans for Smart Meters.

The U.K. Department of Energy and Climate Change (DECC) Dec. 17 announced how it plans to protect customer data when it rolls out smart electricity and gas meters in 2014. Smart meters allow energy suppliers to periodically use customer data to monitor the overall levels of energy consumption.

The government's response follows a period of public input on these proposals, which began in April 2012 (72 PRA, 4/16/12).

The safeguards for data include ensuring that suppliers will:

• only be able to use energy consumption data for marketing purposes where the consumer has given his or her explicit consent;

• have to give consumers the chance to object if they wish to access energy consumption data relating to a period of less than one month;

• only be able to access the most detailed level of data (up to a half-hour's worth) if the customer has given his or her explicit consent; and

• be required to explain clearly to their customers which energy consumption data they will be accessing, for which purposes, and what choices consumers have.

According to the DECC's response, the next step is gaining approval from the U.K. Parliament. “The licence conditions on network operators would come into force following successful completion of the Parliamentary process, with the licence conditions on suppliers coming into force from the end of June 2013 … ,” DECC said.

Regarding the sharing of energy consumption data with third parties, DECC will put in place arrangements through the Smart Energy Code to protect consumers, such as steps to verify that the request for third-party services has come from the individual in question, according to DECC's response.

By Ali Qassim  

The ICO's Monetary Penalty Notice to Leeds City Council is available athttp://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/leeds_city_council_monetary_penalty_notice.ashx.

The ICO's Monetary Penalty Notice to Devon County Council is available athttp://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/devon_county_council_monetary_penalty_notice.ashx.

The ICO's Monetary Penalty Notice to the Borough of Lewisham is available athttp://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/lewisham_monetary_penalty_notice.ashx.

The ICO's unsigned undertaking with Leeds City Council is available athttp://www.ico.gov.uk/enforcement/~/media/documents/library/Data_Protection/Notices/leeds_city_council_undertaking.ashx.

The ICO's unsigned undertaking with Isle of Anglesey County Council is available athttp://www.ico.gov.uk/enforcement/~/media/documents/library/Data_Protection/Notices/anglesey_cc_undertaking.ashx.

The ICO's “Draft subject access code of practice” is available athttp://www.ico.gov.uk/about_us/consultations/~/media/documents/library/Corporate/Research_and_reports/draft_subject_access_cop_for_consultation.ashx.

The U.K. Department of Energy and Climate Change's response to “Smart Metering Implementation Programme: Data access and privacy” is available athttp://www.decc.gov.uk/assets/decc/11/consultation/smart-metering-imp-prog/7225-gov-resp-sm-data-access-privacy.pdf.

Request Bloomberg Law: Privacy & Data Security