08May

A UK Court of Appeal judgement of March 31 2015 could have far reaching consequences for firms that do not strictly adhere to the provisions of the Data Protection Act 1998 (DPA).
It ruled that three defendants were entitled to pursue further legal proceedings as a result of mis-use of information they provided when browsing the internet.

The claimants: Judith Vidal-Hall, Robert Hann and Marc Bradshaw, alleged that internet search engine giant Google Inc. had collected confidential information via their use of the Apple Safari search engine, without their knowledge or consent.

A crucial point of the ruling was that the claimants were entitled to pursue their case even though they had not suffered any financial loss as a result of Google’s actions. The judgement also decided that browser generated information could meet the definition of personal data, as this data does allow the individual to be clearly identified and distinguished from other individuals. Hence the DPA provisions could be applied to the way firms use information gathered in this way

Now, a specialist lawyer has called on financial advisory firms to review their own Data Protection procedures and practices in the light of the ruling. John Warchus, partner at commercial and technology law firm Moore Blatch, said he believes that an increase in claims alleging ‘emotional distress’ from misuse of data can now be expected.
Mr Warchus commented:
“Brokers, or indeed anyone in control of data, will now have an even stronger incentive to comply with data protection rules.

“Brokers should urgently review their data protection procedures and strengthen where necessary as more compensation claims are likely and the amount of damages awarded is also likely to increase.”

Chris Hannant, director general of the trade association the Association of Professional Financial Advisers, echoed the need for firms to take a look at this issue: “Advisers need to take care with people’s data because it is an increasingly sensitive issue. They have to look after the data but they also have to make sure they get rid of it.”

Personal data is defined as data which relates to a living individual who can be identified either from those data, or from those data and other information which is in the firm’s possession. The individual whom the data concerns is the ‘data subject’.
The eight Data Protection principles require personal data to be:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with the individual’s rights
• Secure
• Not transferred to other countries without adequate protection
Firms should ensure that the Terms of Business document, Client Agreement or similar that a client is given at the start of their contractual relationship with the firm covers the issue of Data Protection. This is to ensure the individual knows exactly what is going to happen to the personal data they provide, how it is going to be used, and if applicable, which other parties it could be passed to.

The Information Commisisoner’s Office, the data protection watchdog, can impose fines of up to £500,000 on firms who breach their Data Protection obligations. It can also require firms to give undertakings to cease certain practices, and can initiate criminal prosecutions in serious cases.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.