ICO issues another fine under the DPA following sensitive data loss by a local authority

The Information Commissioner’s Office (ICO) has announced this morning that it has issued another monetary penalty under the Data Protection Act.

Background
Once again, the recipient is a local authority, and once again the penalty has been imposed following the loss of sensitive personal data (in this case relating to the sexual abuse of children). A social work service manager took home a laptop bag containing printed papers and an encrypted laptop. The manager’s house was burgled and the laptop bag (including the papers) stolen.

In this case, it appears that there was no alternative to the manager taking the papers home and the work could not have been carried out using secure electronic means. Whilst the local authority had an information security policy in place, the policy did not address the risks identified by this breach. In particular, the local authority did not have a paper handling policy in place at the time of the incident. This is despite the local authority having signed an undertaking with the ICO following an incident 10 months earlier.

The ICO issued a fine of £70,000.

Appropriate measures
Whilst the burglary might be “bad luck”, the ICO pointed to the obligations on data controllers to put in place appropriate technical and organisational means to protect personal data.

In determining what is “appropriate” the data controller must ensure a level of security that is appropriate to the harm that might result from unauthorised disclosure and the nature of the data to be protected.

In other words, the more sensitive the data (and the more harm and distress that might arise in the event of its loss or unauthorised disclosure), the more the ICO expects data controllers to do to guard against such loss or unauthorised access.

A data controller might not be able to stop a burglary taking place, but it can take steps to reduce the likelihood of it occurring, and minimise the fallout.

These themes were covered in a recent talk I gave at a conference on data handling in health and social care, and I will be blogging again in the next few days to pull together some key principles that organisations can take from the pattern of fines issued by the ICO to date.

Watch this space.

Techblogger quoted in article on new cookies law

I am quoted in an article on the new cookies regulations in this month’s edition of B2B Marketing magazine.

B2B Marketing is a magazine for business marketers, and the article looks at some of the practical issues around implementing the changes required to comply with the new regulations.

As I note in my comments, even at this late stage there is a lack of clarity on exactly what the Information Commissioner’s Office (ICO) is expecting organisations to do to achieve compliance. Interestingly, the ICO now appears to be briefing against its official guidance in media interviews, commenting that enforcement is not a priority and that things frowned upon under the guidance are unlikely to lead to enforcement action. It’s a shame that this informal briefing hasn’t been reflected in clarifications to the formal guidance.

Email campaign tracking
One last point.

I see that one of the other interviewees in the B2B Marketing article states that the new rules don’t apply to web beacons used for tracking the success of email campaigns. Whilst the ICO may not have focussed on this issue in its guidance, I don’t think that you can definitively conclude this from either the original directive or the UK regulations.

As I have noted previously, whilst the law is often referred to as the “cookies law”, the law makes no specific reference to cookies. Instead, the regulations simply talk about “information stored [on the user's] terminal equipment.”

In practice, this means any software or code on a user’s device that can be used to track or identify that user, regardless of whether that is through a web browser or an email client. This will include mobile apps and could include open tracking in emails, depending on how the tracking is carried out.

The DMA is, understandably, lobbying the ICO to issue guidance that the new regulations do not apply to email tracking. However, the DMA is at the same time also advocating that, as a matter of good practice, marketers are up front with their users about the use of email tracking.

This is consistent with data protection principles generally, and the reasons that the European Commission introduced changes to the previous cookie law. Organisations may therefore wish to think carefully before deciding not to review how they inform users about their use of email tracking.

Beware of the link? English High Court raises possibility of liability for linking to defamatory material

A recent English High Court decision in McGrath and another v Dawkins and others [2012] EWHC B3 (QB) (you can read the decision here) has indicated that a person who links to a webpage containing defamatory material could themselves be liable for defamation. The case is particular to its facts but it serves as a reminder of the need to be cautious when linking to material online and to be aware of what the link actually contains.

The facts

The action was raised by Mr McGrath on behalf of himself and his company MCG.  They sued Professor Richard Dawkins, The Richard Dawkins Foundation, the online retailer Amazon and Mr Jones for comments made by Mr Jones on various online fora, relating to Mr McGrath’s book “The Attempted Murder of God: Hidden Science You Really Need To Know”.   It is fair to say that the ‘religion versus science’ debate got very heated and the exchange of comments became very personal.

The case against Amazon

In respect of the case against Amazon, the judge, HHJ Moloney QC, found that as Mr McGrath had not used Amazon’s standard online complaint system to notify it of the alleged defamatory material, Amazon could not be deemed to have actual knowledge of the comments in terms of Regulation 19 of the E-Commerce Regulations 2002. Therefore the claim against Amazon was struck out.

Liability for linking?

However, what emerged as one of the main issues in the case was whether The Richard Dawkins Foundation was liable for providing a link to the alleged defamatory comments which were posted on the website www.richarddawkins.net.  That website was operated by a separate US company which was not a party to the action.  However, The Richard Dawkins Foundation operated the website www.richarddawkinsfoundation.org in the UK and it provided a link to the comments on the .net website.  HHJ Moloney QC held that “the two websites are very closely associated [and] the link is hidden”.  In addition, he found that when a party clicked on the “Home” button of the .org site, it resolved to the index of the forum on the .net site without the user being given any indication that he was being directed away from the original website.

Ultimately it was a matter of fact whether the .org website could be responsible and liable for content on the .net website.  However, the judge said that he was not prepared at this early stage in proceedings to strike out Mr McGrath’s claim until further evidence is heard. 

Comment 

Whilst this case is very ‘fact specific’ and no decision has yet been made, it is a sobering reminder to be wary of linking to the content of third parties on the internet.  This case is particularly relevant against the background of Attorney General Dominic Grieve’s comments today that social media users should be more aware of how easy it is to break the law by posting comments online.

Mark Cruickshank

Do you know who’s looking at that picture on your wall?

Reblogged from Brodies Employment Blog:


My article in the Times Educational Supplement Scotland warns teachers of the dangers of the “misuse” of social media sites. Increasingly, tribunals are finding that dismissals connected to an employee’s social media “misuse” are fair – even where the individual has set their privacy settings so that only friends can view their posts.

http://www.tes.co.uk/article.aspx?storycode=6220016

Andrew McConnell in Brodies' Employment Law team has an article in this week's Times Educational Supplement Scotland on the dangers of the "misuse" of social media by teachers. Many of the issues he discusses are equally applicable to other employees in positions of responsibility. Follow the link above to find out more.

The Patent Box – what is it and how does it work?

This blog post was published earlier today as an e-update to our email subscribers. To receive e-updates from Brodies’ Technology, Information and Outsourcing Group please register your details or contact your usual TIO Group contact.

GlaxoSmithKline recently announced that it is to invest more than £500m in the UK’s research and development sector, creating 1,000 jobs. The Patent Box, which the Government had been consulting on since November 2010, was cited as a key influence in making this investment in Britain rather than elsewhere.

The Patent Box was formally announced in the recent Budget as an initiative that would encourage innovation and growth. It seems to have done so, making the UK an appealing and dynamic location for organisations that derive income from patents, particularly in the technology, manufacturing and R&D sectors.

What is the Patent Box?
The Patent Box is a form of tax relief that means that organisations will be able to elect to pay UK corporation tax at a reduced rate of 10% on profits attributable to qualifying patents.

The relief will also apply to certain lesser-known intellectual property rights, namely plant variety and data exclusivity rights. The latter is an intellectual property right relied upon in the pharmaceutical industry to protect drugs in their infancy while awaiting regulatory approval.

This reduced rate will be phased in over a five year period from April 2013.

What is a ‘qualifying’ patent?
In essence, a qualifying patent is one that has been granted either by the UK Intellectual Property Office (IPO) or by the European Patent Office. However, it is the Government’s intention to extend the Patent Box regime to patents granted by other EU Member States which have similar examination and patentability criteria as the UK. The list of qualifying jurisdictions is still to be confirmed.

While certain concessions have been made to accommodate group structures, in order for an organisation to claim the relief it must either hold the qualifying patent or have an exclusive licence to use the qualifying patent within a particular territory – sole licences will not qualify. It is worth clarifying here the distinction in the UK between an exclusive licence and a sole licence: if your organisation grants a licence to another party to use one of your patents on an ‘exclusive’ basis, but your organisation retains the right to use that patent itself, then this will actually be a sole licence.

As well as holding qualifying IP (or having an exclusive licence to use it) companies claiming the relief must also meet certain development conditions. The company seeking the relief must either be:

  • creating or making a significant contribution towards the creation of the patented innovation; or
  • further developing the patented invention or developing a product that incorporates the patent.

Which profits are attributable to a patent?
Assessing ‘profits that are attributable to a patent’ involves the application of a formula, which I shall leave accountants and tax advisors to comment on… Side stepping that, the definition of attributable profits is encouragingly wide and will apply to worldwide income generated from the qualifying right in the patent. Of course, the relief is a reduced rate of 10% UK corporation tax on worldwide income, and other taxes in other countries may be applicable.

The UK relief will cover a broad range of income streams. It will apply, as may be expected, to royalties, licence fees and income from infringement proceedings, but it will also encompass income from sales of patented products and, notably, will extend to the sale of products that incorporate patented technologies. This will be a very appealing aspect of the UK Patent Box, particularly to companies within the manufacturing sector.

If you’d like to find out more about how the Patent Box might help your business, then please contact Grant Campbell or Will McIntosh.

Leigh Kirkpatrick

Techblogger seminar on the new cookies law

I’m taking part in a breakfast seminar next week, hosted by Edinburgh-based usability consultants User Vision, on the new cookies law.

I’m sharing a platform with Andrew Hood, managing director of web analytics company Lynchpin Analytics, and our host, Chris Rourke, managing director of User Vision.

The seminar is proving so popular that we’ve decided to run it again the following week on Tuesday 15 May. If you’d like to come along then follow this link to book. The seminar is free, and will look at the legal, technical and usability issues arising out of the new laws.

The first seminar sold out in less than three hours (so quickly that I didn’t even get a chance to plug it on this blog), so if you are interested then you’d better sign up quickly!

Capturing the Pirates! Leading ISPs agree to implement technical measures to block access to The Pirate Bay website

A recent English High Court decision, issued on 30 April 2012, has ordered several major Internet Service Providers (ISPs) to block access to the file sharing website Pirate Bay. The order was made following the decision of Mr Justice Arnold in February this year which held that The Pirate Bay had infringed the copyright of various music recordings (you can read the decision here) following an application by some of the biggest record companies in the UK, including Polydor, Sony and Virgin Records. Although the details of the case and decision have not yet been fully reported (and may not be), it may be that the extent of the infringement which was being committed and facilitated by The Pirate Bay website was so great that the ISPs voluntarily consented to the granting of the Court order rather than opposing it at a contested hearing. A hearing had been provisionally scheduled for June to determine precisely what technical measures would be required to be implemented to give effect to a blocking order. The one exception to this was BT who requested further time to consider its position.

Some surprise has been expressed about the ISPs in this case apparently willingly agreeing to comply with a Court order of this nature and implementing technical restrictions to block access to a website which could in principle be used legitimately to share non-infringing material online (albeit following the earlier February ruling it was decided that significant amounts of infringing material was available on the site). The order is a powerful measure and raises questions about balancing the rights of copyright holders and the freedom of expression of internet users under Article 10 of the European Convention of Human Rights. Such an order also forces ISPs to incur the cost of implementing the measures effectively and a failure to do so properly could put them in breach of the Court order.

Why have the ISPs agreed to implement the Court order?

There could be a number of reasons for the ISPs in question adopting this position. Firstly, Mr Justice Arnold’s decision in The Pirate Bay case echoes the decisions in the recent high profile Newzbin and Newzbin 2 cases (which can be found here and here) in which BT was ordered to implement similar technical restrictions to block access to file sharing websites. In other words, there was a precedent for the Court to follow through on issuing an order requiring an ISP to put the technical restrictions in place, particularly where there is clear evidence of wide scale infringement.

Secondly, the Court issued an unequivocal decision on The Pirate Bay’s activity in February where Mr Justice Arnold stated:

“In my judgment, the operators of [The Pirate Bay] do authorise its users’ infringing acts of copying and communication to the public. They go far beyond merely enabling or assisting. On any view, they “sanction, approve and countenance” the infringements of copyright committed by its users. But in my view they also purport to grant users the right to do the acts complained of.”

Thirdly, Mr Justice Arnold went on to say that in his view, The Pirate Bay case was a stronger case of infringement than the Newzbin decision.

With all that in mind, it seems that the ISPs have taken a pragmatic approach and rather than incur any further costs disputing the Court’s decision, they have accepted it and focussed their resources on complying with the order.

Is this the end of the matter?

The Pirate Bay decision shows that the UK Courts are prepared to tackle the problem of illegal file sharing head on by issuing these types of website blocking orders. However, that is unlikely to be the end to the matter. It is likely that there will always be a ‘work around’ to access the blocked website and it is unlikely that the Court’s decision will by any means dissuade those who are intent on accessing and using The Pirate Bay and infringing material anyway. In addition, the Court order only applies to particular ISPs, and those ISPs that are not named are not required to put the blocking measures in place – albeit those caught by the order are the major UK players.

For the time being at least the copyright holders can claim to have won the battle and ‘captured the pirates’. However, this may not be an end to these types of disputes. Several rulings in Europe have questioned the extent to which such blocking orders can be granted and enforced, particularly when ISPs are required to monitor and prevent infringing activity.

Mark Cruickshank

 

Law Society of Scotland World IP Day Conference 2012

This year’s Law Society of Scotland World IP Day Conference was held at the Faculty of Advocates on 27 April 2012. The conference boasted two top notch speakers, Pete Wishart MP and Aileen Alexander, who will be active players in the field of IP over the next few years.

Mr Wishart is the MP for Perth and North Perthshire (and former member of Scottish band Runrig!). He spoke about the importance of creative industries in Scotland and the UK and the value that they bring to the economy. He stressed the importance of adequate robust legal protection for the creative industries to ensure new content continues to be generated. He spoke in support of the Hargreaves Report (Digital Opportunity – A Review of Intellectual Property and Growth), which is aimed at modernising the UK’s IP laws to stimulate innovation and to allow it to be adequately protected and rewarded in the digital age. One of the main themes of Mr Wishart’s talk was the creation and development of the Digital Copyright Exchange (DCE). The DCE was proposed by Hargreaves to offer a quick and efficient licensing network of copyright works which had ‘opted in’ to the scheme. It would, for example, allow someone wishing to use a piece of music in a film to quickly and efficiently find out who the owner is and the terms/cost on which they can use the track. Mr Wishart could provide an inside track view and advised that Richard Hooper will report on his recommendations to introduce the DCE in the summer of this year with a view to having the DCE up and running within the year. Given the various legal challenges which the Digital Economy Act and previous Intellectual Property Reviews like the Gowers Review have faced, the progress and possible enactment of such a key plank of the Hargreaves’ report will be very interesting and could create a world first DCE.

The second speaker, Aileen Alexander, is a senior legal manager of Glasgow 2014 Limited, the Organising Committee of the Glasgow 2014 Commonwealth Games. She provided an interesting insight into the variety of steps which have been and will be taken to protect the intellectual property associated with the Commonwealth Games (a link to the act can be found here). This included the registration of the Glasgow Games’ trade marks and logos both in the UK and in other Commonwealth Countries, and the measures they will take to monitor and prevent ‘ambush marketing’ (when unauthorised companies try to promote themselves at the games to the detriment of the official sponsors).

Many thanks to the organisers of this excellent and thought provoking event!

 

Mark Cruickshank

ASA decision on misleading website prices

The Advertising Standards Agency (ASA) has published another decision on misleading pricing information contained on an organisation’s website.

Background
In this case, an internet service provider, Heart Internet, omitted a £10 set-up fee from its price comparison table, and displayed prices that excluded VAT. A small white on grey footer at the bottom of the page stated that the prices were VAT exclusive.

Following the complaint, Heart agreed to update the product table so that customers were aware of the charge before commencing the ordering process. However, Heart argued that its footer complied with the ASA’s requirements.

The ASA’s decision
The ASA held that this breached the ASA’s CAP Code. Rule 3.18 of the Code states that:

…VAT-exclusive prices may be given only if all consumers to whom the price claim is addressed pay no VAT or can recover VAT; marketing communications that quote VAT-exclusive prices must prominently state the amount or rate of VAT payable

As a number of the packages were likely to be seen as packages for consumers (in particular those called Starter Pro and Home Pro), the ASA held that the prices should have been displayed as VAT inclusive prices.

Whilst the ASA agreed that the Business Pro package was aimed at businesses and a VAT exclusive price could be displayed, the ASA noted that the Code requires that the rate of VAT needs to be prominently stated. The ASA held that the footer at the bottom of the page was not sufficient, and therefore that the price claim in relation to the Business Pro package also breached the Code.

The ASA’s decision follows on from previous decisions about unclear pricing on websites, and serves as a timely reminder that businesses need to ensure that the pricing they display is clear and complies with the requirements of the Code.

Defining "personal data" - like nailing jelly to a wall

Reblogged from Brodies PublicLawBlog:


Here’s a phrase you won’t hear very often: the Information Tribunal has recently issued an interesting decision. (I of course use the word “interesting” the way all lawyers use it, which is to say quite wrongly. I also use the term “Information Tribunal” quite wrongly, as it is of course now the First-Tier Tribunal (Information Rights).)

The decision, involving the Financial Services Authority, concerns personal data – that most vexing of subjects – and in particular the interaction between Freedom of Information and the Data Protection Act.


Our colleagues over on Brodies PublicLawBlog have blogged on a recent decision of the Information Tribunal in relation to the definition of personal data. The Tribunal's decision places a strong emphasis on the Court of Appeal's 2003 decision in Durant v the FSA, a widely criticised decision which applied a particularly narrow interpretation to the term, and led many to think that the European Commission may commence infraction proceedings against the UK for a failure to properly implement the Data Protection Directive.
