DATA PROTECTION/PRIVACY

When Facebook founder Mark Zuckerberg declared in ­January 2010 that privacy was no longer a social norm he was articulating a profound shift in attitude over information.

This, along with the Freedom of Information (FOI) Act 2000 which requires public bodies to be more transparent, makes it clear that lawyers are operating in a changed environment.

Harrow Council legal chief Hugh Peart is proposing a radical rethink of his organisation’s attitude to FOI, while The Guardian’s legal counsel Gill Phillips had to balance the newspaper’s ­commitment to publish information from WikiLeaks with ­protecting some of the individuals involved.

Legislative moves

Elsewhere, there has been much legislative movement on data ­protection. The use of online behavioural advertising has been a hot topic in the advertising and publishing industries in the wake of ­revisions to what is usually referred to as the EU e-privacy directive (properly known as Directive 2002/58 on Privacy and Electronic Communications) in December 2009. Those amendments could mean an opt-in regime for targeted content. This is a marked change from the present industry practice of allowing users and ­consumers to opt out through browser settings. We speak to Melanie Hatton, legal head of digital marketing company Latitude, and hear what her response is.

Data transfer is another hugely important issue for in-house lawyers, particularly in multinational companies. The regulations have affected ­corporate attempts to deal with transborder dataflows. We interview Heinz general counsel Janice More about her ­experience in transferring employee data outside of the EU.

Since April last year the Information Commissioner’s Office (ICO) has been able to impose financial penalties on companies and ­bodies that breach the Data Protection Act (DPA) 1998. This has significantly upped the power and reach of the ICO, and moved effective data ­protection policies up the agenda for many general counsel. Until 6 April the ICO was only able to issue enforcement notices. The power to fine companies is now included in Sections 55A to 55E of the act, and was inserted via Section 144 of the Criminal Justice and ­Immigration Act 2008.

Fine time

Back in 2008, when the move was announced, deputy information ­commissioner David Smith said in a statement that the change in law would send “a very clear signal that data protection must be a ­priority and that it is ­completely unacceptable to be cavalier with people’s ­personal information”.
He continued: “The prospect of substantial fines for deliberate or reckless breaches of the DPA will act as a strong deterrent and help ensure that organisations take their obligations more seriously.”

The ICO, perhaps not surprisingly, has wasted little time in using its new powers. At the time of writing, four bodies had been fined: public sector ­contractor A4e, Hertfordshire County Council, Ealing Council and Hounslow Council. The four were fined £60,000, £100,000, £80,000 and £70,000 respectively. We speak to one of the four – A4e – about how it fell foul of the DPA, how it reacted when it discovered the breach and the steps it has taken to ensure it never has to pay the ICO again.

We also speak to the head of legal at food processor Moy Park. When ­Debbie Bloomfield joined the company she was faced with a series of outdated and poorly understood data protection policies. With a background in financial services Bloomfield knew only too well the importance of compliance, and was also very conscious of the ICO’s new powers. She talks us through the way she overhauled the company’s policies and then set about ensuring the 8,000 or so UK staff understood what the new procedures were and how they ­affected them and the company – with only a chicken to help her.