UK Data Protection E-news - June 2011



  1. Court imposes fine of £73,700 on former T-Mobile employees
  2. ICO fines council £120,000
  3. ICO website complies with cookie rules but provides no answers
  4. Justice Secretary, Kenneth Clarke, says no to Directive revision
  5. Bribery Act in force 1 July

1. Court imposes fine of £73,700 on former T-Mobile employees

The Chester Crown Court on 10th June ordered two former employees of T-Mobile, who illegally stole and sold select customer data from the company in 2008, to pay a total of £73,700 in fines and confiscation costs. This decision was given after two individuals pleaded guilty to having unlawfully passed personal data of T-Mobile customers on to third parties.

The Information Commissioner, Christopher Graham, said: “Those who have regular access to thousands of customer details may think that attempts to use it for personal gain will go undetected. But this case shows that there is always an audit trail and my office will do everything in its power to uncover it. The lifestyle the pair gained from their criminal activities has been short lived and I hope this case serves as a strong deterrent to others. I am particularly grateful to T-Mobile for their help in this investigation.

2. ICO fines council £120,000

The Information Commissioner’s Office has fined Surrey County Council £120,000 for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions. The misdirected file contained information relating to 241 individuals’ physical and mental health.

3. ICO website complies with cookie rules but provides no answers

In a hurry to comply with the new cookie-consent rules as per the amended European Union’s e-Privacy Directive, the Information Commissioner (ICO) has posted a banner on its website saying: ‘On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.’

The ICO has admitted that this is not the best example of achieving compliance. The privacy notice lists all cookies that the site sends and advises that ‘you may delete and block all cookies from this site, but parts of the site will not work.’

The Information Commissioner Christopher Graham said:

"We’ve decided to place a header bar on our website giving users information about the cookies we use and choices about how to manage them. I am not saying that other websites should necessarily do the same. Every website is different and prescriptive and universal ‘to do’ lists would only hinder rather than help businesses to find a solution that works best for them and their customers."

As UK companies have been given a year to find compliance solutions, the ICO is expected to amend its interim guidance from 9 May in due course. In the meantime, The Department for Culture, Media and Sport issued an open letter on 26 May in response to criticism over the UK’s transposition of the amendments to the e-Privacy Directive. While default browser settings cannot be considered to meet the requirements of the Directive, the department says that there is no rationale for the government to specify the technical measures needed to obtain consent. It continues to work with browser manufacturers to see if browsers can be enhanced to meet the requirements.

See the ICO interim guidance.

4. Justice Secretary, Kenneth Clarke, says no to Directive revision

Justice Secretary Kenneth Clarke warned in a speech in Brussels 26 May that 'Imposing an inflexible, detailed data protection regime on the whole of the EU, regardless of the peculiarities of different cultures and legal systems, carries with it serious risks.’ Speaking at the British Chamber of Commerce in Belgium, Clarke indicated that the UK disagrees with many of the proposed changes to the DP Directive: ‘..let us keep the broad principles of the existing Directive and better understand the 27 laws we all in our nation states have, rather than setting out to create in detail an additional 28th radically different, and artificial new set of laws. More broadly, let’s learn to understand each other’s legal systems better, not rewrite our respective statutes and codes from scratch.‘

Read more about this in the next PL&B UK Report, to be published at the end of July. Also, PL&B’s 24th Annual International Conference includes an update by European Data Protection Supervisor, Peter Hustinx, on the Directive revision.  

5. Bribery Act in force 1 July

The Bribery Act, which enters into force on 1 July also has data protection implications. The Act creates new offences of offering or receiving a bribe, bribery of foreign public officials and of a failure to prevent a bribe being paid on an organisation’s behalf. The data protection aspects arise in terms of due diligence checks on third parties, subject access requests and training of staff on the new rules, as this may involve recording training results and attendance.

See PL&B’s UK Report , November 2010, p. 1. An update will be published in the July issue.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2011