13 December 2017
When is a data controller liable for the criminal acts of a rogue employee?
The acquisition from organisations of large databases of personal data by external parties (usually hackers) is an increasingly modern phenomenon – think Ashley Madison, PlayStation, TalkTalk. Less common, and perhaps of greater concern for employers, is the ‘inside job’ where a trusted employee is responsible for a major breach of data security. The High Court case of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) has shown that a data controller can be held vicariously liable for the misuse of date by one of its employees even where it has done everything it reasonably can do to prevent such a breach.
28 November 2017
The real impact of the GDPR… new notification obligations
To date, GDPR headlines have mainly focused on the threat of heavy fines. However, the Information Commissioner’s Office (the ‘ICO’) has made it clear that issuing fines has always been, and will continue to be under the GDPR, a last resort. Rather, the most immediate impact of the GDPR following a data breach is the new obligation under Article 29 to notify both the ICO and those individual data subjects affected by data breaches. These individuals are most likely to be the clients, customers, suppliers and other contacts upon which your organisation relies and, following any significant data breach, notification may lead to that breach becoming public.
28 November 2017
Coroners to investigate still born deaths
Today, the Health Secretary announced “a new maternity strategy to reduce the number of stillbirths. This strategy centres on the investigation of still birth deaths by the new Healthcare Safety Investigations Branch but it also included a planned change in the law to allow coroners to investigate full term still birth deaths. Currently there is no requirement for a doctor to refer a still birth death to the local coroner.
21 November 2017
An introduction to Data Protection Officers under the GDPR: Should you appoint one?
There is currently no legal requirement for companies to appoint a dedicated officer responsible for data protection; the Information Commissioner’s Office merely encourages this as good practice. However, this will change when the General Data Protection Regulation (“GDPR”) comes into force in May 2018 and introduces a requirement for certain organisations to appoint a Data Protection Officer (“DPO”).
20 November 2017
Legal update: When an inquest is still necessary after criminal proceedings in order to comply with Article 2
In the recently reported case of R (Silvera) v HM Senior Coroner for Oxfordshire [2017] EWHC 2499 (Admin), the Divisional Court looked at the investigative duties placed on the state by Article 2 of the European Convention on Human Rights and the importance of the coronial process in ensuring that those duties have been met.