26 September, 2019
After a well-earned summer break, schools and establishments will no doubt face a myriad of issues requiring attention, data protection compliance among them. Returning from any break brings its own data protection challenges: after a long period of reduced staffing, there will inevitably have been a change in how the school normally operates.
Some of the chief concerns regarding data protection during these periods are how schools respond to time-critical compliance requirements, namely responding to subject access requests (SARs) and data breaches. With this in mind, there have been developments in how subject access requests are dealt with, as well as some key developments in post-GDPR data breach fines announced by the Information Commissioner's Office (ICO).
Change to Subject Access Request timescales
Following a ruling by the Court of Justice of the European Union (CJEU), there has been a change in how the timescales for responding to a subject access request (SAR), as well as to other individual rights requests, are interpreted.
The GDPR states that requests by individuals (such as a SAR) must be dealt with within one month. The timescale has now been clarified so that the day of receipt of the SAR is treated as 'day one', rather than the day after receipt. For example, a request received on 23rd August should be responded to by 23rd September, not 24th September as was calculated prior to this ruling.
This is a good reminder to schools of the importance the GDPR places on timelines, an importance which does not abate during a holiday. It is therefore imperative to have procedures in place to respond to a request in time even when school is out.
Data breach trends
Over the summer break we have seen the ICO give notice of its intention to implement the first major fines under the new higher limits provided for under GDPR.
Firstly, on 8th July British Airways (BA) was issued a notice by the ICO regarding its intention to fine the airline £183.39 million for violation of the GDPR.
The violation in question relates to a cyber-attack suffered by BA starting in June 2018. By September 2018, the airline informed the ICO that it had become aware that customer and user traffic from its own website had been fraudulently diverted to a fake site set up by the attackers. Through this method, around 500,000 customer details were breached, including payment information, names, addresses and travel details.
After a significant investigation, the ICO reported in its findings that BA's poor security procedures directly allowed the breach to occur. BA has stated that it cooperated with the ICO investigation and has implemented numerous changes and improvements to its security systems in response to the attack.
The total fine of £183,390,000 equates to 1.5% of BA's global turnover for the year ending 31 December 2017. This falls short of the maximum fine the ICO could have issued, 4% of global turnover; however, the scale of the fine should be seen as reflecting not only the size of BA itself but the magnitude of the failings found by the ICO.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
In response to the ICO notice, the chief executive of BA's parent organisation, the International Airlines Group (IAG), Willie Walsh, stated that the airline would discuss the decision with the ICO and potentially lodge an appeal. The ICO itself has confirmed that it will carefully consider BA's representations, as well as representations from other concerned data protection authorities, before it takes its final decision.
There remains the possibility that a class action may be pursued against BA by the victims of the attack themselves; however, the airline is adamant that no fraudulent activity has been linked to the affected accounts as a result of the breach.
Marriott International, Inc
Immediately after the announcement of its intention to fine BA, on 9th July the ICO announced that it intended to fine Marriott International, Inc more than £99 million for breaches of the GDPR.
The ICO confirmed that it had conducted an investigation into Marriott International following a cyber security incident. It is understood that around 30 million guest records were compromised, including credit card details, passport numbers and dates of birth. The guest records contained details of guests in 31 different countries in the European Economic Area (EEA), and around 7 million of those related to residents of the UK. The ICO has stated that the cyber security incident appears to have begun when the systems of the Starwood hotels group were compromised in 2014.
Marriott International acquired the Starwood hotels group in 2016, but the compromise of guest records was not discovered until 2018. The announcement from the ICO stated that Marriott International had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.
Marriott International will now have the opportunity to make representations to the ICO on the findings of the investigation and the proposed level of fine. The ICO conducted the investigation alongside other European supervisory authorities whose residents were affected by the breach, and they will also have the opportunity to make representations to the ICO about its findings.
Once the ICO has considered the representations made by Marriott International and the other EU supervisory authorities, it will publish a notice of the fine along with an explanation of how that figure was reached. The level of fine will take into account how Marriott International responded to the breach when it was notified and its cooperation with the ICO.
The proposed fines set out above are clear evidence of the ICO flexing its new powers under the GDPR, which allow it to levy fines far higher (up to 4% of global turnover) than the previous £500,000 cap. With that in mind, it is important to remember that the majority of organisations handling personal data would face far lower fines for breaching data protection regulations.
As stated above, fines are relative to the size of the organisation and the scale of the breach (the number of individuals involved, the types of data breached, etc.). This news should therefore not cause undue distress for those looking to ensure their GDPR compliance, although it does reiterate the need for ongoing GDPR vigilance in any organisation, including schools.
Department for Education GDPR Update: On 21 August 2019, the Department for Education published updated suggested privacy notice templates for schools and local authorities about the collection of data. The changes reflect the need for parental consent if a parent objects to the sharing of additional pupil information with local authorities and youth support services.
More information can be found at www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices