- RIPA consultation launched
- PL&B survey addresses likelihood of data breach legislation across Europe
- RIPA allows bugging of lawyers’ communications
- Data Retention Regulations on Internet data now in force
- New self-regulatory guidelines for online behavioural advertising
- ICO issues data security undertakings signed by three NHS trusts
1. RIPA consultation launched
The Government wants to review the Regulation of Investigatory Powers Act (RIPA) in order to make sure that public authorities do not use their powers under RIPA inappropriately or excessively. The Government wants stricter rules on when surveillance should be used.
The consultation, available at http://www.homeoffice.gov.uk/documents/cons-2009-ripa, runs until 10 July 2009.
Responses can be sent by email to RIPACONSULTATION@homeoffice.gsi.gov.uk, or by post to Tony Cooper, Home Office, 5th Floor Peel Building, 2 Marsham Street, London SW1P 4DF.
2. PL&B survey addresses likelihood of data breach legislation across Europe
European Data Protection Authorities consider that a specific law on data breach is not always necessary because amending an existing law or introducing new regulations, guidelines or codes would be sufficient in most of the 21 countries surveyed.
There should be a balance between preventing data losses and imposing fines or other sanctions on public or private sector organisations which fail to protect the personal data in their care.
The survey, which includes detailed country reports, was launched last week at a PL&B Conference in Edinburgh. It is available to order at
3. RIPA allows bugging of lawyers’ communications
The House of Lords has ruled that the Regulation of Investigatory Powers Act (RIPA) can override legal professional privilege.
The appeal case heard in March raised two important points:
- What impact, if any, does RIPA have on the common law right of legal professional privilege ("LPP")?
- What impact, if any, does RIPA have on the right accorded by a number of statutory provisions of a person detained in a police station or in prison to consult a lawyer privately?
Normally, LPP provides special protection to communications between a lawyer and his client. This appeal case concerned solicitor Manmohan Sandhu, who was charged at Antrim Magistrates' Court with incitement to murder and intending to pervert the course of justice. The case against Sandhu was based on covert electronic surveillance carried out by the police of conversations between himself and clients at Antrim Police Station. Sandhu based his appeal on breach of LPP by the police.
However, the Lords ruled that RIPA does allow for the surveillance of privileged communications, as LPP cannot be absolute.
Lord Carswell said: "If it were not possible to exercise covert surveillance of legal consultations where it is suspected on sufficiently strong grounds that the privilege was being abused, the law would confer an unjustified immunity on dishonest lawyers."
"There may be other situations where it would be lawful to monitor privileged consultations, for example, if it is necessary to obtain information of an impending terrorist attack or to prevent the threatened killing of a child. The limits of such possible exceptions have not been defined and I shall not attempt to do so, but they could not exist if the rule against surveillance of privileged consultations were absolute."
“Parliament intended that the covert surveillance provisions of RIPA should extend to the type of lawyer/client and doctor/patient consultations which are ordinarily protected by legal professional privilege.”
See the ruling of 11 March at http://www.bailii.org/uk/cases/UKHL/2009/15.html
4. Data Retention Regulations on Internet data now in force
The Data Retention Regulations 2009, which oblige Internet service providers and telephone companies to retain traffic and location data for 12 months, entered into force on 6 April. While the content of the emails will not be monitored, the regulations allow the monitoring of log-in times, duration of communications, and the IP address of the sender and receiver of the communication.
These Regulations implement the Data Retention Directive 2006/24/EC. The UK had postponed implementation with regard to communications data on Internet access, Internet telephony and e-mail until now. These new regulations implement the Data Retention Directive with respect to these forms of data, and revoke the Data Retention Regulations 2007 which applied to fixed network and mobile phone communications data.
The regulations can be seen at http://www.opsi.gov.uk/si/si2009/pdf/uksi_20090859_en.pdf
5. New self-regulatory guidelines for online behavioural advertising
The Internet Advertising Bureau (IAB) has issued self-regulatory guidelines to help companies respect individuals’ privacy when collecting and using data for online behavioural advertising purposes. As behavioural advertising is based on people's browsing activity, it is highly targeted.
The IAB’s ‘Good Practice Principles for online behavioural advertising’ comes into force on 4th September 2009. The principles stress giving individuals notice about data collection, providing choice as to whether to participate, and education about behavioural advertising and its benefits.
Signatories of the Good Practice Principles include:
Read more about DP concerns regarding online behavioural advertising in the next issue of PL&B UK Newsletter.
6. ICO issues data security undertakings signed by three NHS trusts
The ICO is continuing to push its stronger enforcement message - three NHS trusts were asked to sign formal undertakings in March following their breaches of the DP Act.
St Georges Healthcare NHS Trust, based in South West London, signed a formal undertaking on 27 March agreeing to comply with the seventh data protection principle (data security). This follows the theft of laptop computers containing the personal data of approximately 22,000 of the Trust’s patients.
Stockport NHS Foundation Trust’s undertaking from 25 March obliges it to comply with the seventh data protection principle. This follows the theft of a laptop computer containing the personal data of 1,588 of the Trust’s patients.
A further undertaking has been signed by 2gether NHS Foundation Trust, based in Gloucester, on 24 March, again to comply with the seventh data protection principle. This follows the theft of a laptop computer and a memory stick containing the personal data of 56 of the Trust’s patients.
Copyright Privacy Laws & Business 2009