Contract Flooring Journal (CFJ) the latest news for flooring contractors


The problem with data

The flooring industry isn’t immune to data protection issues. And as the attack on Royal Mail in January illustrated, not only are they embarrassing, they can be commercially disastrous for a targeted business and its customers. Adam Bernstein elaborates.

Businesses use data for several reasons – to market themselves, to comply with obligations or to monitor staff. However, the law places restrictions on each of these activities.

The current position
As James Davies, an employment law solicitor at Cater Leydon Millard, comments, UK law is based on several different sources – the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which grant specific privacy rights concerning electronic communications.

He notes that a data subject under the DPA and the GDPR is defined as ‘an identified or identifiable living individual to whom personal data relates’.

Jessica Padget, an associate in the regulatory and compliance team at Walker Morris, says different obligations apply depending on whether a business is a data controller or a data processor – the former shouldering the highest level of compliance responsibility. Expanding, she says ‘a data controller is the natural or legal person which determines the purposes and means of the processing of personal data. Processors handle personal data on behalf of, and on the instructions of, controllers.

‘Organisations are controllers of the personal data relating to their employees, and any customers or clients that they service.’ Notably, third parties such as payroll providers may act as processors on behalf of a controller who is their client.

Padget says the law sets out basic principles which underpin the rights and obligations set out in the GDPR. They are lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

This, she says, means data cannot be processed with abandon. Rather, personal data may only be processed if at least one lawful basis applies: the individual’s consent; contractual necessity; a legal obligation; the protection of vital interests; the performance of a public task; or the legitimate interests of the organisation or of a third party.

But there’s another category to consider and it’s one that’s mentioned by Davies – special category personal data. This covers any personal data which reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning an individual’s health, sex life or sexual orientation, or genetic or biometric data. In a healthcare setting this is an important category to acknowledge.

As he says, here a firm ‘must justify why the processing of this specific data is “necessary”, and it must be a proportionate way of achieving one of those purposes. This must be recorded before any processing is undertaken’.

A key point for Padget is that individuals have rights. On this she says that where a firm processes an individual’s personal data, the individual has the right to be informed; to have access to it; to have errors rectified; to have data erased; to have processing limited; to have a copy of their data and be able to reuse it; to object to data being collected; and rights in relation to automated decision-making and profiling.

Of course, for any regime to work it needs compliance. It’s interesting that, as Padget comments, ‘the GDPR doesn’t prescribe how such compliance should be achieved or demonstrated, so it’s advisable to put in place an appropriate internal compliance programme that is tailored to the business’.

And if there is a breach of data protection legislation, firms need to remember individuals have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which oversees data protection law. They can also seek a judicial remedy against a controller or processor, as well as compensation from the relevant controller or processor for damage resulting from infringement of the GDPR.

Just as there’s a need for compliance so there’s a need for enforcement. Davies explains that the ICO can issue enforcement notices to organisations ‘requiring them to take – or refrain from taking – action under the regime’.

He details that ‘the ICO determines whether an infringement has occurred and the severity of the penalty: the maximum amount of the penalty that the ICO may impose is the higher of the amount of £17.5m or 4% of the undertaking’s total annual worldwide turnover’.

Padget clarifies that the penalties mentioned by Davies are generally applied to breaches of the basic principles for processing personal data and infringements of data subjects’ rights. However, she says that there is a lower tier of penalties with maximum amounts of £8.7m or 2% of total annual worldwide turnover, whichever is higher, for other infringements such as breaches of administrative requirements.

And in relation to direct marketing breaches, under PECR, the ICO can issue a fine of up to £500,000. In fact, the most frequent ICO fines relate to breaches of direct marketing rules. But the most recent large fine handed out was the £4.4m penalty given to construction firm Interserve in October 2022.

Here a phishing email led to an employee downloading content that installed malware on their workstation.

In all, 283 systems were compromised, including four HR databases containing the personal data of up to 113,000 employees, which the attacker encrypted and made unavailable. The compromised employee personal data included contact details, national insurance numbers, bank details, salary information, sexual orientation and health information. Notably, the penalty was imposed for the firm’s failure to have appropriate technical and organisational security measures in place, not simply for having been attacked.

Direct marketing
PECR has drawn red lines over what can be done when it comes to direct marketing. On this Padget says that ‘strict rules apply to communicating direct marketing by text or email to an individual, in that firms must have the individual’s consent before they can market to them unless the soft opt-in applies’.

She says a soft opt-in may apply where a business has ‘sold a product or service to an individual or has collected personal data in negotiations for a sale and subsequently messages similar products or services – and the individual is provided with the opportunity to opt out of the marketing at any point’.

Chris Else, managing partner of Else Solicitors LLP, emphasises the role consent plays in the marketing process. He thinks businesses should protect themselves by reviewing the information they collect and store while also having their terms and conditions of business correctly incorporated into each transaction. Doing this, he says, ‘will give customers an option to consent to GDPR policies’.

Interestingly, Padget says ‘consent isn’t required for postal marketing – either to a corporate entity or individual, or marketing by email or text to corporate subscribers’. Regardless, she says that any associated personal data must be processed in line with data protection legislation.

Else points out that compliance with the GDPR also means ‘making available, to each customer, the name and contact details of the organisation’s data protection officer, or the same for any representatives that also deal with individuals contracting with the business… highlighting to individuals any transfer of their personal data to third parties or other organisations’.

Also, Else says firms need to understand the law as it concerns retention periods and the deletion of information that is no longer needed. He explains that ‘individuals have the right to rescind consent; it follows that businesses correctly observing the law make sure they regularly check with individuals that they’re still happy to have their information retained’.

Monitoring staff
We’ve seen that individuals have rights. Employees have the same, says Davies, noting ‘processing must be lawful and fair’ and ‘an employer must identify a lawful basis for the processing under the UK GDPR’. In practice, he thinks this is most likely to be the legitimate interests pursued by the employer or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

However, while legitimate interests will generally cover processing that a data subject would reasonably expect, he warns ‘an employer cannot rely on an employee’s consent when processing personal data, as such consent is considered not to be freely given in an employment relationship’.

Apart from the legal basis, employers must also have regard to general employment law principles and, says Davies, ‘make sure the monitoring is transparent and fair’.

Last, he highlights one more area of concern for employers (and other data holders too) – subject access requests where individuals seek the data held about them. ‘Subject access requests,’ he says, ‘have been increasingly weaponised.’

He says: ‘Subject access requests must be dealt with without undue delay and, at the latest, within one month of receiving the request.’

In summary
The UK has a patchwork of legislation to protect an individual’s rights and their data. Businesses can choose to ignore the law, but, as has been illustrated, the authorities have powers and aren’t afraid to use them.

Adam Bernstein is an independent columnist
