We are all familiar with these headlines: 'Laptop left behind on
train' or 'Mobile phone forgotten in a pub', where the device
involved contained personal and confidential information. The
latest news to rock the public's trust in businesses is the phone
hacking scandal involving the News of the World newspaper. The
term 'confidential information' is by now familiar to everyone, as
is the fact that handling confidential information has become a
risky business. What a lot of people may
not yet know is that recent legislative changes mean that the
Information Commissioner's Office (ICO) may now fine a business up
to £500,000 for breaches of the regulations when dealing with
confidential/private information.
Handling personal information can be a risky business. Predictive
advertising, and whether leaving a laptop containing personal
information on a train should be a sackable offence, are regular
topics. The use, protection and exploitation of personal
information has become a dangerous business - just ask News
of the World.
Most people who run websites are familiar with basic data
protection regulations. What a lot of people may not yet know is
that recent legislative changes came into force on 26 May 2011,
which amend the Privacy and Electronic Communications Regulations
(PECR).
In brief, the changes are as follows:
Increased Powers: The Information Commissioner has the following
enhanced powers:
- to serve a monetary penalty of £500,000 for the most
serious breaches of the PECR. This covers organisations
sending unwanted marketing emails and texts, or making
marketing phone calls;
- to require telecommunications companies and Internet
Service Providers (ISPs) to provide the Information Commissioner's
Office (ICO) with cooperation and information in relation to
breaches of the PECR;
- to be notified by telecommunications providers and ISPs if
certain data breaches occur, and impose a £1000 penalty for failure
to do so; and
- to audit telcos and ISPs in relation to the measures taken
for safeguarding personal information and compliance with new
personal data breach notification and reporting requirements.
Changes to Cookie laws: Previously a business operating a
website had to tell customers that cookies were being used, and
that customers could 'opt out' if they objected. Under the new
PECR, it will now be necessary to gain the user's consent before
cookies are used, and the exceptions are very narrow.
In practice, this could mean that users have to constantly
accept new cookies as they browse through a site, or,
alternatively, the business may be liable for breach of the PECR.
To make this issue more complicated, there will be a phased
approach to implementation, and the steps individual businesses
need to take will depend on the types of cookies they use. More
guidance on cookies in particular is provided by the Information
Commissioner on
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf.
The issues thrown up by these changes are varied, and the
practical effects are not yet fully understood. Businesses are
advised to consult the ICO website for more guidance
(http://www.ico.gov.uk/).