What IT contractors can take from October's array of data breaches
October was a busy month for data protection, including a major ruling from the EU Court of Justice affecting the lawfulness of transferring personal data out of the EU; £330,000 worth of monetary penalties imposed on UK companies for misusing customer data, and a multitude of high-profile data security breaches.
For IT contractors, these developments highlight the importance of being aware of data protection risks, so that they can help their clients to address these risks when designing and managing technology systems and processes which use customer and staff data, writes Olivia Whitcroft, principal at information and technology law firm OBEP.
Not so Safe Harbour
On 6 October 2015, the Court of Justice of the European Union ruled that the EU Commission's Safe Harbour Decision (2000/520/EC) is invalid. This means that EU organisations that transfer customer or employee data to the US can no longer rely on the fact that the recipient is listed on the US Safe Harbour register to guarantee that they have overcome legal restrictions on such transfers. This includes sending data to group companies, business partners or service providers located in the US or maintaining data storage facilities in the US.
The ruling also has wider implications, as the court confirmed that any measures taken to overcome restrictions on transfers of data outside the EU are open to examination by national data protection authorities on a case-by-case basis. In addition, a key risk of data transfers to the US (whether or not the Safe Harbour scheme applies) is the potentially unfettered access to data by US public authorities.
Misuse of customer data
On 14 October, the UK Information Commissioner's Office (ICO) imposed a monetary penalty of £130,000 on Pharmacy2U Ltd (a large online pharmacy) for unlawful sale of customer details. Using a third party list manager, it advertised customer lists for rental on its website, together with information about the types of ailments treated and age ranges. These were purchased for use by a health supplement company, to market a lottery and to seek donations to charity. The ICO found that Pharmacy2U did not provide sufficient information to customers about its data sharing nor obtain clear informed consents.
On 21 October, Help Direct UK Ltd was issued with a penalty of £200,000 by the ICO for sending thousands of marketing text messages without the recipients' consent. Marketing texts sent during April 2015 related to PPI payments, bank refunds and loans, and prompted 6,758 complaints in one month.
High profile data breaches
TalkTalk, M&S, Vodafone and British Gas all suffered significant data security breaches during October. TalkTalk's systems were hacked and thousands of customers' financial details, dates of birth, email addresses, names and phone numbers were accessed. Criminals obtained Vodafone customer email addresses and passwords from an unknown source and were using them to try to gain access to customer accounts. M&S and British Gas both had breaches which enabled customer details to be viewed online; British Gas customer email addresses and account passwords were posted online, and M&S customers could see each other's names, date of birth, contacts and previous orders.
These breaches are currently under investigation and the full extent and impacts are not yet known. In addition to reputational damage, if it is found that the companies did not implement adequate security measures to protect the data or if they have not taken appropriate action to address the breaches, they could face penalties from the ICO and legal action may be taken by affected individuals. For example, it was also reported in October that Morrisons is facing group legal action from the supermarket’s customers following a data breach last year.
What can IT contractors do?
IT contractors can assist their clients to address data protection obligations and risks. As well as following a client's existing data protection and information security policies and procedures, IT contractors can help to integrate data protection into the design, development and management of technology systems and processes. In other words, data protection and privacy should be considered and addressed alongside matters such as functionality, coding and user experience.
Key to this is ensuring there is a full understanding of the information flows: how is information collected and used and where does it go within the relevant data systems? Taking into account October's developments, IT contractors will want to be particularly alert to the following.
- Systems hosted or accessed in other countries, or other transfers of data to organisations in other countries. There needs to be a formal legal and risk assessment prior to the transfer of personal data outside the EU; in particular the US, given the new uncertainty over the protection provided by the Safe Harbour regime and the risks of US government access. Contractors working at US (or other non-EU) organisations should consider how to facilitate data transfers out of the EU by ensuring standards of protection similar to those required by EU laws are applied to the relevant data systems and activities.
- Sharing customer data with other organisations, which may include the sale of databases, or allowing access to systems by group companies or business partners (within or outside of the EU). In addition to the data transfer restrictions discussed in the first point above, data protection law requires data to be used "fairly and lawfully". This includes informing customers how data may be shared or sold, and it will usually be necessary to give them a clear choice whether or not to do so. Mechanisms for providing information and obtaining consent need to be built into the design of the system which collects the data in the first place.
- Marketing activities. Customer consent is required before sending unsolicited marketing messages by SMS, email or automated calling systems. Marketing systems and databases need to obtain, capture and manage marketing contact details and consents appropriately.
- Data security measures. Data protection law requires organisations to implement appropriate measures to protect customer and employee data from loss or misuse. Risk assessments are needed to determine what is "appropriate", both at the time of system design and on an ongoing basis. Clear procedures on what to do if things go wrong should also be established. As highlighted above, security breaches do happen as a result of hacks, staff errors or otherwise, and how an organisation reacts can limit the negative impact. This should include containing and remediating the breach, and managing the relationship with customers, staff, the media and regulators.
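One way to build the consent capture and gating described in the data-sharing and marketing points above into a system, as an added illustration that is not code from the article or from any of the organisations it names (Python; the record fields, purpose labels and "latest choice wins" rule are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ConsentRecord:
    customer_id: str
    purpose: str          # assumed labels: "marketing" or "share_third_party"
    channel: str          # "sms", "email", "auto_call", or "any" for non-channel purposes
    granted: bool         # True = opted in, False = refused or withdrawn
    recorded_at: datetime
    source: str           # where the choice was captured, e.g. "signup_form"

class ConsentLedger:
    """Keeps the most recent choice per (customer, purpose, channel); absence means no consent."""
    def __init__(self):
        self._latest = {}

    def record(self, rec):
        key = (rec.customer_id, rec.purpose, rec.channel)
        current = self._latest.get(key)
        # A later record (e.g. a withdrawal) overrides an earlier opt-in.
        if current is None or rec.recorded_at >= current.recorded_at:
            self._latest[key] = rec

    def has_consent(self, customer_id, purpose, channel):
        rec = self._latest.get((customer_id, purpose, channel))
        return rec is not None and rec.granted

def partition_by_consent(ledger, customer_ids, purpose, channel):
    """Split a target list into (allowed, suppressed); suppressed ids are kept for audit, never contacted."""
    allowed, suppressed = [], []
    for cid in customer_ids:
        (allowed if ledger.has_consent(cid, purpose, channel) else suppressed).append(cid)
    return allowed, suppressed

def demo_ledger():
    # Constructed sample data: alice opted in to SMS marketing, bob opted in then withdrew,
    # carol was never asked, and alice refused third-party sharing.
    ledger = ConsentLedger()
    t = datetime(2015, 10, 1)
    ledger.record(ConsentRecord("alice", "marketing", "sms", True, t, "signup_form"))
    ledger.record(ConsentRecord("bob", "marketing", "sms", True, t, "signup_form"))
    ledger.record(ConsentRecord("bob", "marketing", "sms", False, datetime(2015, 10, 20), "stop_reply"))
    ledger.record(ConsentRecord("alice", "share_third_party", "any", False, t, "signup_form"))
    return ledger

if __name__ == "__main__":
    ledger = demo_ledger()
    print(partition_by_consent(ledger, ["alice", "bob", "carol"], "marketing", "sms"))
```

Only customers with a positive, current record for that purpose and channel are ever handed to the sending or sharing step; everyone else lands in the suppressed list for the audit trail.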
Final thought
October was a busy month, but November doesn’t look set to be quieter. At the time of writing, we have already had a draft new law affecting access to and use of communications data; continuing debates on international data transfers, and more ICO monetary penalties for breaches. There is no pause to the flow of play – the time for you and your clients to take action is now.