a

Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019 - GOV.UK

Brexit: HM Government has issued updated guidance as the prospect of a withdrawal with no deal appears increasingly likely.

Article 29 Working Party Opinion 1/2006

On the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (WP 117). Note: this predates GDPR but may still provide some useful guidance.

c

Campbell v Secretary of State (Information rights - Data protection) [2018] UKUT 372 (AAC)

Appeal relating to data subject access rights did not survive death of the data subject.

Consent

Article 29 Working Party’s final Guidance on Consent

ICO Guidance on consent

Controller-Processor Agreements

Bar Council guidance: Signing Controller-Processor Agreements with Solicitors’ Firms

d

Data Protection Bill

Introduction to the Data Protection Bill (Please note that the Data Protection Act 2018 has received Royal Assent – see link above – and that some changes were made after this note was produced. Nonetheless it may still be a source of useful background information to assist the understanding of the Act.)

Data Protection Officer

Law Society guidance on appointing a Data Protection Officer

Data transfers between EU and non-EU countries

Standard contractual clauses for data transfers between EU and non-EU countries. Note: these predate GDPR.

Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch)

High Court decision (following Court of Appeal decision) determining (1) whether paper files formed part of a relevant filing system, (2) application of legal professional privilege and waiver of privilege, (3) whether solicitors had carried out reasonable and proportionate searches for the claimants’ personal data under section 7 of the Data Protection Act 1998 and (4) whether the solicitors had breached their obligations under section 7 by redacting or withholding non-exempt data. (Lawtel subscriber link.)

e

Equifax – ICO Monetary Penalty Notice

The ICO decision notice fining Equifax £500,000 for data breaches contains some important points not only on the technical aspects which gave rise to the breaches but also on the compliance requirements when using standard contractual clauses.

EU-US Privacy Shield | European Commission

The European Commission has published its second review of the EU-US Privacy Shield. The Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States, though some steps have only recently been implemented and developments need to be monitored.

f

Finjan, Inc. v. Zscaler, Inc.

Californian District Court decision ordering disclosure of emails despite objection based on GDPR.

g

GDPR

Corrigendum to GDPR

GDPR | ICO

Brexit: The ICO has issued updated guidance as the prospect of a withdrawal with no deal appears increasingly likely.

Green v Group Ltd & Others [2019] EWHC 954 (Ch)

Claim arising from the processing of data by Cambridge Analytica. Joint Administrators were not data controllers and were therefore not personally responsible for compliance with the provisions of the Data Protection Act 1998 in respect of the data processed by the company, including but not limited to Subject Access Requests.

h

Higinbotham (formerly BWK) v Teekhungam & Anor [2018] EWHC 1880 (QB)

Dismissal of claim for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 as an abuse of process.

i

ICO Data Protection Audit Report on the Legal Ombudsman (June 2019)

The report contains some potentially useful pointers for law firms and others.

ICO Data sharing code of practice

Note: this predates GDPR and the Data Protection Act 2018. The ICO is working on updating the code.

ICO guidance on Data Controllers and Data Processors (Data Protection Act 1998)

Data controllers and data processors: what the difference is and what the governance implications are. Note: this guidance relates to the law pre-GDPR.

ICO guidance on Data Controllers and Data Processors (GDPR)

See ICO guidance: Contracts and liabilities between controllers and processors
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/

ICO Guide to Data Protection

This covers the Data Protection Act 2018 and the GDPR as it applies in the UK. The guide combines the existing ICO guides to the GDPR and Law Enforcement Processing.

Impact Assessments

ICO guidance on Data Protection Impact Assessments (DPIAs)

Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors [2017] EWCA Civ 121

Pre-GDPR appeal. Information is not disqualified from being “personal data” merely because it has been supplied to the data controller by the data subject. A person who processed data as agent for a data controller was not himself a data controller. Proportionality applied and there was no obligation to search for material covered by legal professional privilege. Whether it is reasonable to disclose information about another individual is an evaluative judgement.

l

Law Society

Preparing for the GDPR: A guide for law firms - The Law Society

Legitimate Interests

ICO Guidance on Legitimate Interests

Lloyd v Google LLC [2018] EWHC 2599 (QB)

Class action against Google dismissed.

Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB)

Disclosure of a Suspicious Activity Report ordered under CPR 31.14 in an action for defamation and breach of contract. Suspicious Activity Reports are subject to qualified, not absolute, privilege. Discussion as to entitlement to receive copies following a Subject Access Request under the Data Protection Act 1998 (pre-GDPR).

m

M, R (on the application of) v The Chief Constable of Sussex Police & Anor [2019] EWHC 975 (Admin) (15 April 2019)

Judgment on lawfulness of sharing of sensitive personal data relating to a 16 year old child, including bail conditions, under an information-sharing agreement between the police and a local business crime reduction partnership. The decision also determined that the parties to the agreement were joint controllers of the data, rather than controller and processor respectively, and held that the defendant had implemented ‘appropriate technical and organisational measures’ by using a secure intranet, which was encrypted and password protected.

Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339

Morrisons’ unsuccessful appeal against a finding of vicarious liability for a data breach by a rogue employee, despite the adequacy of its data security measures.

Morrisons Supermarket Plc v Various Claimants (Rev 1) [2017] EWHC 3113 (QB)

See Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)

Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.

n

National Cyber Security Centre (NCSC)

GDPR Security Outcomes – joint guidance from the ICO and National Cyber Security Centre describing a set of technical security outcomes that are considered to represent appropriate measures under the GDPR.

p

Privacy Shield and the UK FAQs | Privacy Shield

Brexit: The US Department of Commerce has published guidance on its Frequently Asked Questions page on the application of the Privacy Shield to data transfers from the UK post-Brexit. It addresses both the deal and no-deal positions, and outlines steps which, in the case of no deal, must be taken by 29 March 2019.

r

Record keeping

ICO template Excel spreadsheets for record keeping (one for data controllers, one for data processors) in accordance with Article 30

Right to be informed

ICO guidance on the right to be informed

Rudd v Bridle & Anor [2019] EWHC 893 (QB) (10 April 2019)

Consideration of various issues in relation to a Subject Access Request under the Data Protection Act 1998, including an unsuccessful claim of legal professional privilege and what constitutes ‘personal data’.

s

Security Outcomes

GDPR Security Outcomes – joint guidance from the ICO and National Cyber Security Centre describing a set of technical security outcomes that are considered to represent appropriate measures under the GDPR.

u

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein (Facebook Ireland Ltd and Vertreter des Bundesinteresses beim Bundesverwaltungsgericht intervening) Case C-210/16

The administrator of a fan page hosted on Facebook was held to be a joint controller with Facebook. By creating such a page, it gave Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person had a Facebook account. (Preliminary ruling in relation to Directive 95/46/EC, so pre-GDPR.)

v

Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)

Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.

x

Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018)

Consent: Successful appeal against monetary penalty notice imposed by the Information Commissioner relating to direct marketing by electronic communications contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Note: The facts predate the changes to the definition of ‘consent’ introduced by GDPR.
