In the case, the Claimant had brought an action against the Defendant as they had a camera on their shed and a doorbell system from a well-established company which links to their smart phone.

It was revealed that the doorbell system showed not only the defendant’s own driveway but also the Claimant’s house and garden whilst the camera placed on the Defendant’s shed was capable of displaying images of the Claimant moving around their property.

It was decided by the Judge that the audio data collected by the devices had been processed unlawfully (although it was not possible to turn off the audio recording facility of the camera until an update for the software became available later).

The Judge stated that “Personal Data may have been captured from people who are not even aware that the device is there, or that it records and processes audio and personal data” and therefore it was a breach of UK data laws.

Although measures may have been taken to try to ensure privacy, the court stated that “If an activation zone is disabled so that the camera does not activate to film by movement in that area, activation by movement in one of the other non-disabled activation zones will cause the camera to film across the whole field of view”.

This decision has made the position very clear, if you are using CCTV then you must take into account and respect the privacy wishes regarding your neighbours and take measures to minimise any surveillance that might affect them.

If you have any concerns or are involved in a dispute with a neighbour over their use of cameras and other recording devices, do not hesitate to contact BTTJ today, our Litigation Team will be happy to help.

The post Development in Data protection law: Is your Neighbour’s doorbell and camera compliant? appeared first on Brindley Twist Tafft & James.

In October British Airways was fined £20 million by the UK’s data protection authority after a hacker accessed personal and payment card information relating to more than 400,000 of its customers.

The case highlights the dangers of failing to take your company’s data responsibilities seriously. It is far better – and cheaper – to invest in putting your data responsibilities in order before a breach.

Despite the risks, a number of businesses still don’t have GDPR policies and are not registered with the ICO (more on that later). The COVID-19 pandemic has seen many companies grow their online activity and increase the data they hold on their customers, and therefore increase their exposure to falling foul of the legislation.

While managers should always seek out tailored advice from a legal expert, here is a basic overview of the main issues from Samantha Wright:

What is personal data?

Put simply, personal data is data owned by the individual (who is known as the data subject). They effectively control who can have it and what is done with it purely by their consent

It is any data that can be used to identify a living person directly or in conjunction with other information. It doesn’t need to be ‘private’ information – even information that is public knowledge or is about someone’s professional life can be personal data.

What are the GDPR and ICO?

The General Data Protection Regulation 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. It has the power to issue fines to companies for breaching data protection laws.

You need to comply if you collect or hold information about individuals for any reason.

What data responsibilities do you have?

All businesses must have an assigned data protection officer to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.

The role can be filled as a full-time position or by an existing employee. Data issues will barely affect many businesses, but those with large databases of customer information should have preparations in place to more easily resolve a data breach by a hacker, for example.

In addition to the above, businesses must also register with the ICO and pay a data protection fee which is renewable annually.

Companies such as those selling online for the first time are likely to be vulnerable as they may have launched an online arm during COVID just to survive and have not put all their policies in place.

As soon as it is no longer necessary to hold the data or the individual withdraws their consent the data must be irreversibly deleted/destroyed.

What are the risks?

If a business is in breach of data protection laws, there is a potential fine which is a percentage of turnover, but the level of management time violations can take to resolve can be crippling.

Each company and sector is different so the risks and responsibilities of each must be approached on a case-by-case basis. However, here are some common issues:

Don’t assume that the only risks businesses face are from cybercriminals trying to break into their systems. Data is also vulnerable to accidental or unlawful destruction, loss, or disclosure.

The transfer of data to third parties in other countries is tightly regulated – some huge fines have been issued – and the issue has become particularly thorny because of Brexit. There is a UK GDPR policy and an EU one, and the UK transfer rules broadly mirror the EU GDPR rules. However, this situation may change and BTTJ has seen instances where the UK is starting to be looked at as a third-party country by companies dealing with data transfers from the EU to the UK.

Another factor to be borne in mind is that a lot of servers where people hold data are not always in the UK, so businesses could be inadvertently transferring data to other countries without proper measures in place.

What should you do?

Pay attention to your terms and conditions – they are critical to making sure you are fully compliant. Ensuring you have the active consent of customers and staff to use their data is always the best way to avoid any confusion. 

Companies need to assess whether they hold data on behalf of customers and employees. As soon as you handle any personal data, you should be registered with the ICO.

Anonymise the data you collect where possible and don’t hold on to data for any longer than is necessary.  

Have a policy setting out how what data is used for and how long it is held.

Review your data security measures and other procedures regularly to ensure your data is secured. And training is key to ensure staff are aware of the issues.

Assess whether you send data out of the country, there are requirements for the level of protection to be supplied for such data transfers.

And finally, if you are in any doubt about the issues above, consult a solicitor with extensive GDPR experience.

The post PRIVACY PERIL: Is your business compliant with data law? appeared first on Brindley Twist Tafft & James.