Morrisons vindicated: A landmark judgment in data protection and vicarious liability
DWF acted for Wm Morrison Supermarkets in their successful defence of a group action for vicarious liability arising out of a mass employee data theft perpetrated by a rogue employee. It is the first mass data breach claim of its kind before the Courts.
The claim for direct fault-based liability was successfully defended at the original trial. Morrisons was found to have met all the relevant statutory data protection standards and did not foresee, nor could they reasonably have foreseen, the covert criminal enterprise their rogue employee had embarked upon.
However, Morrisons was found liable for no-fault vicarious liability as employer. In Morrisons' successful appeal, the Supreme Court has clarified how the law of vicarious liability should be applied and in so doing reversed the High Court and Court of Appeal decisions against Morrisons.
Click here to read more about this landmark judgment or click here to watch the team who worked on the case discuss what the outcome means for businesses.
If you would like to be introduced to our data protection litigation team, please feel free to contact your usual contact, and we will connect you.
Atkinson v Equifax: representative action withdrawn
In another large-scale privacy case, this time relating to the 2017 cyber attack on Equifax, the claimant has withdrawn the action. He had brought the claim on the basis of loss of control over personal data, on behalf of himself and a class of over 15 million people. In the Lloyd v Google case, where Mr Lloyd is taking action against Google on behalf of a large class of unnamed claimants on an "opt-out" basis, the Court of Appeal gave Lloyd permission to serve proceedings on Google, but the Supreme Court has given Google leave to appeal.
These cases are both interesting to see how the law and procedure for large-scale privacy cases develops. We will continue to monitor developments and report any news in future editions of DWF DP insights.
Brexit Preparation
Between 20 and 24 April, the second round of negotiations on the future UK-EU relationship was held by videoconference. On 24 April the European Commission published a statement setting out 4 areas where progress was disappointing. These include law enforcement and internal security and police and judicial co-operation in criminal matters, where the Commission states that the UK refuses to provide firm guarantees on fundamental rights and individual freedoms, and insists on lowering current standards and deviating from agreed mechanisms of data protection. This creates serious limitations for the future UK-EU security partnership.
COVID-19
Click here if you would like to read about how our data protection specialists can support you with critical Data Protection and Cyber Security issues.
Click here to read our data protection specialists' legal insight on the data protection issues which arise with working from home.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ The European Union Agency for Cybersecurity (ENISA)
ICO data protection and coronavirus information hub
The ICO has set up an information hub for its guidance on processing personal data during the pandemic. This includes:
• A guidance note on the ICO’s regulatory approach during the coronavirus public health emergency. This emphasises that the ICO will take a flexible approach at this time, but will take firm action against those looking to exploit the public health emergency through nuisance calls or by misusing personal information.
• Working from home guidance. This includes a security checklist, guidance on BYOD (allowing your employees to use their own phones, computers, etc. for work purposes), tips on working from home securely and a blog about how to use video conferencing safely.
• A blogpost on the ICO's approach to combatting COVID-19 through data. This sets out 6 questions that organisations must consider if they are planning to process personal data to combat the pandemic
• Have you demonstrated how privacy is built in to the technology?
• Is the planned collection and use of personal data necessary and proportionate?
• What control do users have over their data?
• How much data needs to be gathered and processed centrally?
• When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective, and to ensure that the safeguards in place are still suitable?
• What happens when the processing is no longer necessary?
• A statement published on 24 April that the ICO has been working with NHSX on the development of their digital tracing app to help them ensure a high level of transparency and governance. The ICO will continue to offer that support during the life of the app as it is developed, rolled out and when it is no longer needed.
Biometrics Commissioner statement on the use of symptom tracking applications
The UK Biometrics Commissioner has issued a statement on the use of symptom tracking applications, digital contact tracing applications and digital immunity certificates. This states that use of biometric data for these purposes needs a new framework of governance backed by legislation, and this legislation should be limited to the duration of the pandemic.
If you are contemplating using personal data to combat the spread of coronavirus, whether within your organisation or more widely, please contact one of our data protection specialists, who can support you to ensure that your use of the personal data is lawful.
EDPB Guidelines
On 21 April the EDPB adopted 2 sets of COVID-19-related guidelines:
• Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak
These address the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.
The guidelines state that the GDPR contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the relevant national legislation. The GDPR envisages the processing of certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.
In addition, the guidelines address legal questions concerning international data transfers involving health data for research purposes related to the fight against COVID-19, in particular in the absence of an adequacy decision or other appropriate safeguards.
• Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak
These aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes
- using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
- using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.
The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.
The EDPB states that it stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users. This letter emphasised the importance of accountability, including the need to conduct and document a DPIA (data protection impact assessment). On 24 April the EDPB published three further letters which reinforce elements from its previous guidance.
Please contact one of our data protection specialists if you would like our support in conducting a DPIA.
Please also scroll down if you would like to read about the National Cyber Security Centre (NCSC) blogpost on cloud backup options for mitigating the threat of ransomware.
European eHealth Network Toolbox
On 16 April the European eHealth Network (a voluntary network connecting national authorities responsible for eHealth designated by EU Member States) published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic.
As you can see from the wealth of guidance and tools available at UK and EU level, the regulatory framework surrounding the use of contact tracing apps is very complex. Please contact one of our data protection specialists if you need assistance navigating this framework.
Enforcement action
The ICO has not reported any enforcement action during April, demonstrating its stated prioritisation of providing guidance rather than taking action which could cause a detrimental effect.
The ICO has stated that it will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the pandemic, so we will continue to monitor any such enforcement action and report it in future editions of DWF data protection insights.
Industry News
ENISA tips for buying and selling online
The European Union Agency for Cybersecurity (ENISA) has published 10 tips for SMEs and citizens to stay secure when buying and selling online. ENISA states that many SMEs have set up new online shops in response to the closure of their physical shops due to the COVID-19 pandemic. Its tips for SMEs selling online are:
- Secure your website for customers: use appropriate security, test its effectiveness and provide adequate support for your customers.
- Protect your assets: Ensure that a security policy is in place, together with all necessary technical and organisation security measures.
- Store passwords securely: If customers need to create accounts to buy from your website, ensure that all passwords are stored securely. Make sure your client data is protected according to data protection law and industry rules. Where possible, encode sensitive data.
- Ensure compliance with data protection requirements: When processing personal data of customers, make sure that you comply with data protection laws on processing.
- Monitor and prevent incidents – Have a security incident response policy in place and take appropriate measures to prevent, monitor and respond to security incidents, including personal data breaches.
National Cyber Security Centre (NCSC) blogpost on cloud backup options for mitigating the threat of ransomware
The NCSC has published a blogpost urging organisations to back up their data securely following an increase in coronavirus (COVID-19) related cyber-attacks. The NCSC sets out what factors to consider when checking your data backup regime is fit for purpose, which is particularly vital given the rapid increase in the numbers of people working from home.
The NCSC states that the most important points to consider are:
- Could ransomware overwrite your backup, preventing your recovery? Look for a service that keeps multiple versions of backed up data, or which allows you to undo changes to backups.
- Does the cloud service provider you have chosen have multi-factor authentication (MFA) available to protect the backup? If it does, then ensure you have implemented it.
- Do you carefully manage the ability to modify or delete backups ? Make sure you limit the number of accounts with the ability to access backups.
- Will your cloud service provider ship data back to you to aid recovery from an incident?
- If you have client software on-premise, check the schedule of incremental cloud backups.
