The Information Commissioner’s Office (the ICO) has fined the Independent Inquiry into Childhood Sexual Abuse (IICSA) £200,000 following a data leak on 27 February 2018. The leak occurred when a member of staff sent a ‘round-robin’ email, but mistakenly used the ‘to’ field instead of the ‘bcc’ field, inadvertently disclosing the email addresses of 90 individuals (known as ‘Participants’) who had anonymously submitted evidence to the inquiry about their childhood sexual abuse. The security breach was exacerbated because 39 ‘reply to all’ emails were sent by 22 of the recipients.
The Information Commissioner’s Office (‘the ICO’) has published a progress report on its investigation into the “invisible processing” of individuals’ personal data and the “micro-targeting” of political adverts during the EU referendum campaign. The investigation is principally concerned with the Facebook-Cambridge Analytica scandal, in which third-party developers used apps (for example, a personality test) to “scrape” users’ personal data and that of their [Facebook] friends. This was ostensibly done under the guise of academic research, but the demographic information gathered is said to have been used in political campaigns in the UK and overseas. Up to 87 million Facebook users are believed to have been affected, including one million in the UK.
In Sabados v Facebook Ireland Ltd (2018; unreported) His Honour Judge Parkes QC (sitting as a Judge of the High Court) ordered Facebook Ireland to disclose information pertaining to a request which it had received (and acted upon) to delete the account of a deceased person.
In The Secretary of State for the Home Department & Anor v TLU & Anor  EWCA Civ 2217 the Court of Appeal was asked to review one aspect of Mr Justice Mitting’s decision in TLT & Ors v The Secretary of State for the Home Department & Anor  EWHC 2217 (QB). The first instance decision (discussed at our blog here) considered a number of important issues relating largely to the assessment of quantum in “data leak” cases, including whether damages for accidental leaks should be assessed in the same way as deliberate privacy breaches (no), whether there was a de minimis principle in such cases (yes) and whether regard had to be paid to the objective “rationality” of the level of distress pleaded (yes). However, the appeal (brought by the Defendant Home Office) was restricted to the issue of any liability owed to individuals affected by a data leak, but not specifically named in a leaked electronic document.
It was reported last month in various newspapers that Max Mosley, the former Formula One boss, has threatened to issue legal proceedings against The Daily Mail, The Times, The Sun and The Daily Mirror in respect of articles that he claims breach the Data Protection Act 1998 (“DPA”). He also apparently seeks the destruction of specified personal data retained by the papers.
In January 2014, Andrew Skelton, an apparently disgruntled employee of Morrisons Supermarket, posted a file containing the personal data (including salaries, bank details, and National Insurance numbers) of 99,998 Morrisons’ employees on a file-sharing website. It seems his intention was to cause mass-scale damage to the supermarket. In March 2014, a CD containing the data was sent to three UK newspapers, one of whom alerted Morrisons. Chief among the company’s concerns was the possibility of the data being used to aid theft or identity theft from the staff concerned. They acted quickly to get the file removed from the Internet within a few hours.
Miles Savory, the director of Accident Claims Handlers Ltd, has been convicted of breaching the Data Protection Act 1998 following a prosecution brought by the Information Commissioner’s Office (‘ICO’) for unlawfully obtaining the name and address of the owner of personalised number plates that he was seeking to purchase.