Page 38 - Sheppard Mullin Eye on Privacy 2018 Year in Review
Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action
Posted on November 13, 2018
UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrisons internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details). The employee was found criminally liable in 2015 and jailed for eight years. A class action of 5,500 employees filed claims against Morrisons alleging breaches of the Data Protection Act 1998 (DPA). Although Morrisons acted swiftly and responsibly after the leak, and was found not to be primarily liable, the Court of Appeal has nonetheless now affirmed the lower court ruling that Morrisons is vicariously liable for the unlawful acts of its employee carried out in the course of his employment.
PUTTING IT INTO PRACTICE: Though sound policies and practices can reduce companies’ risk, choosing the right employees and carefully restricting access to sensitive data are also important.
UK Issues Fine for Unsolicited Funeral Marketing Emails
Posted on October 26, 2018
The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator) said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent.
The recipients of the messages were subscribers of websites operated by Boost’s affiliates. While the individuals had, according to Boost, consented with its affiliate sites to receive generic “third party marketing,” the ICO noted that the request for consent did not specifically mention either Boost or findmeafuneralplan.com. The ICO did acknowledge that in one case the subject matter (funeral plans) was mentioned, but neither Boost nor findmeafuneralplan.com was mentioned by name. One site did mention Boost, but it was “embedded in a very lengthy list of organizations.” The sites also did not give individuals the ability to opt out of marketing from third parties. The ICO concluded that the consents were inadequate, generic, vague and misleading, and as such insufficient to meet the requirements of the law.
PUTTING IT INTO PRACTICE: This enforcement demonstrates the type of consent, informed and specific, that the ICO expects companies to obtain before sending marketing emails.
France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks
Posted on October 15, 2018
French data protection authority CNIL has issued a fine against the company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is only granted in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and lacked adequate workstation security. While the company has since ceased the use of fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had failed to properly inform telephone call participants about call recording, and that workstations remained insecure. The fine was set at €10,000, which was based upon the partial