All blog posts from Amanda Doyle Law Services
In separate cases the Information Commissioner’s Office (ICO) has fined a GP surgery £40,000 and a nursing home £15,000 for breach of the Data Protection Act.
In the case of the GP surgery, details sent to an estranged ex-partner regarding the medical records of the couple’s son included the woman’s contact details, those of her parents and information about an older child who was not related to the man. As far as the nursing home was concerned, the breach related to the theft of a laptop which held unencrypted patient information. For details see:
Whilst the fines are relatively small, this reflects the nature of the businesses, and they no doubt represent significant sums to them. Nevertheless, they add to our overall impression that the ICO is putting increasing efforts into enforcement.
Almost a year ago the European Court of Justice ruled that the EU-US Safe Harbour process that had long been in place to authorise personal data transfers from the EU to the US was inadequate to protect the rights of European citizens. Whilst most small businesses may not actively transfer data to the US, they may find that their email provider does, or that they inadvertently do so through use of cloud-based file sharing systems like Dropbox.
After much debate, discussion and no doubt political wrangling, a new process has finally been agreed and implemented. Called the EU-US Privacy Shield, this places stronger privacy requirements on US companies. The Information Commissioner’s Office (ICO) has recently published a blog post summarising the new position on what steps organisations that transfer personal data to the US should take. For more details see:
To check whether your provider is signed up to the new EU-US Privacy Shield see the US Department of Commerce Privacy Shield website:
In a decision that is being seen as a precedent for protecting the privacy of information stored in the cloud, a US court has said that the US government cannot force Microsoft to grant access to its servers based in Ireland. It seems likely that the Department of Justice will appeal, though.
For more details see:
The Small Business, Enterprise and Employment Act 2015 takes effect this June (2016) and changes a number of requirements for filing information at Companies House. That said, the changes do not appear to be overly dramatic.
Annual returns now become “confirmation statements” but generally the information required is the same.
There is, however, a new requirement to file details of persons with significant control as part of the confirmation statement. Persons with significant control:
- own more than 25% of the company’s shares
- hold more than 25% of the company’s voting rights
- hold the right to appoint or remove the majority of directors
- have the right to exercise, or actually exercise, significant influence or control over the company
It has been a requirement since April 2016 for companies to keep a register of this information as part of their statutory books.
The Act also now provides an option for private limited companies to keep their formal registers (members’ details, directors, secretaries, directors’ residential addresses) on a central register at Companies House rather than as part of their own statutory books.
Our suspicion is that many small companies do not actually maintain proper registers currently and may, therefore, be tempted to provide this information to Companies House as part of the new confirmation statement process. Whilst this will no doubt improve overall compliance it is worth bearing in mind that it does put information like dates of birth and private addresses into the public domain.
For a more detailed look at this subject see:
Businesses that use direct marketing should note that from the 16th May 2016 all direct marketers are required to display their telephone numbers when making (or instigating) automated or live direct marketing telephone calls. This applies to all UK registered companies even if their call centres are based abroad. Businesses risk large fines for failing to comply, as the Information Commissioner’s Office can levy a monetary penalty of up to £500,000 and Ofcom (which considers “abandoned” or “silent calls” created by automated dialling systems to constitute persistent misuse of an electronic communications network or service) can issue a monetary penalty of up to £2 million.
For an overview of the rules relating to marketing and data protection see http://doylelaw.co.uk/useful-resource/
The Information Commissioner’s Office (ICO) has prosecuted a former employee who transferred information about company clients before moving to his new job.
The employee was working at a waste management company in Shropshire when he sent an email containing the details of 957 clients to his personal email address. He was leaving to start a new role at a rival company. The email contained personal data such as contact details and purchase history of customers and other commercially sensitive information.
The employee was prosecuted under section 55 of the Data Protection Act 1998 (DPA). He appeared at Telford Magistrates’ Court where he pleaded guilty to unlawfully obtaining personal data and was fined £300 and ordered to pay a victim surcharge of £30 and £405.98 in costs.
The Information Commissioner’s Office (ICO) has fined Brighton and Sussex University Hospitals NHS Trust £325,000 following a serious breach of the Data Protection Act 1998…
The High Court recently held that the Advertising Standards Authority (ASA) was entitled to find that a company had breached the British Code of Advertising for misleading advertising…
Munir Patel, a former magistrates’ court clerk, has become the first person to be prosecuted and convicted under the Bribery Act 2010…
Recent months have seen another couple of IR35 victories for IT contractors. Given it is such a commonplace way of working, independent IT consultants should take heart…