It seems that it has, suggest Rachel Waller and Michael Kashis, two of our specialist Data Protection law experts. The Secretary of State for Health, Matt Hancock said last week that it will now be compulsory for pubs and restaurants to take customers’ details for the Test and Trace programme.
He told BBC Radio 4’s Today programme last week: “We’re also going to enforce more strictly the rules around hospitality, including for instance you need to give your contact details when you go to hospitality, which has so far been voluntary”.
“Large swathes of the hospitality industry have followed it. Some have chosen not to, so we’re going to make that compulsory as well.”
All well and good. But how is the information being stored?
Millions of names, addresses and contact phone numbers have now been recorded as a consequence of the track and trace efforts of the government. Now the government wants the recording of names to be mandatory.
Lawyers working on behalf of privacy and free speech organisation Open Rights Group (ORG) have issued health secretary Matt Hancock and the Department of Health and Social Care (DHSC) with a pre-action legal letter that says they have breached requirements of the Data Protection Act 2018 and GDPR by failing to properly conduct a Data Protection Impact Assessment (DPIA) for the whole Test and Trace system.
As reported here, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), says it is reviewing a DPIA for parts of the Test and Trace system and is looking at the risks. “The ICO recognises the urgency in rolling out the Test and Trace service during a health emergency, but for the public to have trust and confidence to hand over their data and that of their friends and families, there is also work needed to ensure the risks to that personal data are properly and transparently mitigated,” a spokesperson says.
Alongside the benefits brought by advanced technology, businesses now often find themselves holding and dealing with vast amounts of data.
The law sets out strict regulations in terms of how data should be stored and managed by businesses, and also the rights that individuals have in relation to their own data. Given that technology continues to advance rapidly, this is a swiftly developing area of law, and it is imperative that businesses are aware of their obligations and rights and equipped to deal with any matters that might arise.
General Data Protection Regulation (GDPR) came into effect across the EU on 25 May 2018, and significantly revised the regulatory system relating to data protection and privacy. The changes have sought to align general data protection legislation more closely with the technological advances that have been seen over the last 20 years since the UK’s Data Protection Act 1998 came into force.
Individuals are now able to access and share their own and others’ personal information in ways which were previously unimaginable. It is also possible to collect and share personal data on an unprecedented scale and, while this can be for legitimate business purposes or to streamline daily living, the potential for misuse is huge. GDPR seeks to protect and regulate personal privacy rights across the EU and, alongside the general Data Protection Act 2018 (DPA), forms the central core of the data protection regime in the UK.
Essentially, the new regime means that everyone responsible for using personal data has to follow 7 “data protection principles”. The first is that “data controllers” (those that exercise overall control over the purposes and means of the processing of personal data) must comply with Article 5(1) of the GDPR, which itself requires that personal data shall be:
- processed lawfully, fairly and transparently;
- used for specified, explicit and legitimate purposes;
- processed in a way that is adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary;
- “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing… loss, destruction or damage”.
There is stronger legal protection for more sensitive information, such as race, ethnic background, religious and political beliefs, trade union membership, biometrics, genetics, sex life or orientation, and health, and additional regulations concerning personal data relating to criminal convictions and offences.
The regime also provides individuals with more power to demand that organisations reveal or delete the personal data they hold. This includes the right to access personal data, have data corrected or erased, halt or restrict the processing of data, obtain information about how their data is being processed and, in some circumstances, object to that processing.
As businesses handle their customers’ data, they are legally classified as data controllers, which means that they are responsible for handling their customers’ personal information in an appropriate and lawful manner and are obliged to comply with the general data protection principles. It is quite possible that, in the course of their work, landlords and managing agents could have obtained sensitive personal data, and they should therefore be mindful of their enhanced obligations in that regard.
Nevertheless, despite best efforts, breaches can happen. Penalties under GDPR are significant, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of a company’s global turnover. And if that is not enough, in English law the penalties for breach of privacy are not limited to those covered by the general data protection regime. Depending on the nature of the breach, the legal arsenal can extend to claims for Defamation, Misuse of Private Information, Breach of Confidence and Harassment. In addition, a wronged party may not wish for the ICO alone to resolve data protection breaches, and might choose to bring an action for injunctive relief for breaches of the legislation to force a Defendant’s immediate compliance. As hinted above, this might not be simple to do at short notice, and could result in costly restorative work as well as legal costs.
Finally, it should be remembered that the right to privacy is encompassed within the right to private and family life ensured by Article 8 of the European Convention on Human Rights, brought into UK law by the Human Rights Act 1998 (HRA). The HRA applies to all government organisations, and so ensures that any government organisation that handles data must be mindful of the right to privacy when doing so. However, it also obliges the Courts to keep this right in mind when considering cases brought before them and determining any breaches. This means that, if in doubt, the Courts should weigh in favour of the aggrieved party with respect to privacy breaches.
If you feel that your privacy rights have been breached, if someone has alleged that you have breached their rights, or if you are otherwise struggling to comply with your obligations, please contact Rachel Waller (with respect to general breaches) or Michael Kashis (with respect to reviewing commercial contracts to ensure compliance of Data Processor and Data Controller obligations under GDPR).
For more general property dispute matters, please contact our expert Litigation and Dispute Resolution team on email@example.com or call them on 020 7631 4141.
The above is accurate as at 15 September 2020. The information above may be subject to change during these ever-changing times.
The content of this note should not be considered legal advice and each matter should be considered on a case by case basis.