
Data protection in practice

Legal Business

Data protection issues are rarely far from the news. As the recent attack on Royal Mail in January this year illustrated, they are not only publicly embarrassing but can be commercially disastrous, both for the attacked organisation and for its customers.

For the optical profession, the matter has not all been plain sailing.

In December 2015, the General Optical Council (GOC) had to issue a public apology to registrants after it made a mistake when processing their personal data. In essence, the GOC had allowed third parties to purchase electronic copies of registrant information that contained home addresses rather than practice addresses. Registrants were subsequently contacted at home by third-party firms. The GOC was lucky not to be fined.

Of course, practices use data for a number of reasons: to market themselves, to hold patient records, to comply with legal obligations or to monitor staff. However, the law places restrictions on each of these activities.


The current position

As James Davies, an employment law solicitor at Cater Leydon Millard, comments, UK law is based on several different sources: the UK’s General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which grants specific privacy rights concerning electronic communications.

He notes that a data subject under the DPA and the GDPR is defined as ‘an identified or identifiable living individual to whom personal data relates.’

Jessica Padget, an associate in the Regulatory and Compliance Team at Walker Morris, says different obligations apply to a data controller or a data processor; the former shouldering the highest level of compliance responsibility. She says: ‘A data controller is the natural or legal person who determines the purposes and means of the processing of personal data. Processors handle personal data on behalf of, and on the instructions of, controllers. All organisations are controllers of the personal data relating to their employees, and any customers or clients that they service.’

Notably, third parties, such as patient platform or payroll providers may act as processors on behalf of a controller who is their client.

Padget says the law sets out basic principles that underpin the rights and obligations in the GDPR. They are: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

This, she says, means that data cannot be processed with abandon. Rather, personal data may only be processed where one of a set of conditions is met: the individual has consented; the processing is a contractual necessity; it is required by a legal obligation; it protects vital interests; it is a public task; or it furthers a legitimate interest.

But there is another category to consider, Davies says: special category personal data. This covers any personal data that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning their health, sex life or sexual orientation; or genetic or biometric data. In a healthcare setting, this is an important category to acknowledge.

He details that a practice ‘must justify why the processing of this specific data is necessary, and it must be a proportionate way of achieving one of those purposes. This must be recorded before any processing is undertaken.’

A key point for Padget is that individuals have rights. In particular, where a practice processes an individual’s personal data they have the right to be informed; have access to it; have errors rectified; have data erased; have processing limited; have a copy of their data and be able to reuse it; object to data being collected; and have rights in relation to automated decision-making and profiling.


Compliance

Of course, for any regime to work, it needs compliance. It is interesting that, as Padget comments: ‘The GDPR does not prescribe how such compliance should be achieved or demonstrated, so it is advisable to put in place an appropriate internal compliance programme that is tailored to the business.’

If there is a breach of data protection legislation, practices need to remember that individuals have the right to lodge a complaint with the Information Commissioner’s Office (ICO). They can also seek a judicial remedy against a controller or processor, as well as compensation from a relevant controller or processor for damage resulting from infringement of the GDPR.


Enforcement

Just as there is a need for compliance, so there is a need for enforcement. Davies explains that the ICO can issue enforcement notices to organisations ‘requiring them to take, or refrain from taking, action under the regime’.

He says: ‘The ICO determines whether an infringement has occurred and the severity of the penalty: the maximum amount of the penalty that the ICO may impose is more than the amount of £17.5m or 4% of the undertaking’s total annual worldwide turnover.’

Padget clarifies that the penalties mentioned by Davies are generally applied to breaches of the basic principles for processing personal data and infringements of data subjects’ rights. However, she says that there is a lower tier of penalties with maximum amounts of £8.7m or 2% of total annual worldwide turnover, whichever is higher, for other infringements, such as breaches of administrative requirements.

In relation to direct marketing breaches under PECR, the ICO can issue a fine of up to £500,000. In fact, most fines relate to breaches of direct marketing rules.

The most recent large fine handed out was the £4.4m penalty given to construction firm Interserve in October 2022.

Here, a phishing email led to a colleague downloading content that resulted in malware being installed onto an employee’s workstation. A total of 283 systems were compromised, including four HR databases containing the personal data of up to 113,000 employees, which the attacker encrypted and made unavailable. Compromised employee personal data included contact details, national insurance numbers, bank details, salary information, sexual orientation and health information.


Direct marketing

As noted earlier, PECR has drawn red lines over what can be done when it comes to direct marketing. Padget says: ‘Strict rules apply to communicating direct marketing by text or email to an individual, in that firms must have the individual’s consent before they can market to them, unless the soft opt-in applies.’

She says a soft opt-in may apply where a practice has ‘sold a product or service to an individual or has collected personal data in negotiations for a sale and subsequently messages similar products or services’, and the individual is provided with the opportunity to opt out of the marketing at any point.

Chris Else, managing partner of Else Solicitors LLP, emphasises the role consent plays in the marketing process. He thinks practices could protect themselves by reviewing the information they collect and store, while also having their terms and conditions of business correctly incorporated into each transaction. Doing this, he says, ‘will give customers an option to consent to GDPR policies.’

Interestingly, Padget says: ‘Consent is not required for postal marketing, either to a corporate entity or individual, or marketing by email or text to corporate subscribers.’ Regardless, she says any associated personal data must be processed in line with data protection legislation.

Else points out that compliance with the GDPR also means ‘making available, to each customer, the name and contact details of the organisation’s data protection officer, or the same for any representatives that also deal with individuals contracting with the business… highlighting to individuals any transfer of their personal data to third parties or other organisations.’

Also, Else says firms need to understand the law as it concerns retention periods and the deletion of information that is no longer needed.

He explains that ‘individuals have the right to rescind consent; it follows that businesses correctly observing the law make sure they regularly check with individuals that they are still happy to have their information retained.’


Monitoring staff

We have seen that individuals have rights. Employees have the same, says Davies. However, he warns: ‘An employer cannot rely on an employee’s consent when processing personal data, as such consent is considered not to be freely given in an employment relationship.’

Apart from the legal basis, employers must also have regard to general employment law principles and ‘make sure the monitoring is transparent and fair,’ says Davies.

Lastly, he highlights one more area of concern for employers (and other data subjects too): subject access requests where individuals seek the data held about them. ‘Subject access requests,’ he says, ‘have been increasingly weaponised. They must be dealt with without undue delay and, at the latest, within the month of receiving the request.’


The vultures circle

The optical profession needs to be aware that a number of firms offer to help patients who feel that their data rights have been breached. Firms such as legalhelpline.co.uk and accidentclaims.co.uk offer individuals a free consultation with a view to establishing whether there is a claim to be made against an optician. Both feature data breach compensation calculators with figures that would encourage any would-be litigant to consider making a claim on a no-win, no-fee basis.


In summary

The UK has a patchwork of legislation to protect an individual’s rights and their data. Practices can choose to ignore the law but authorities have powers and are not afraid to use them.

As for the future, the government recently introduced new data protection legislation to cut down on paperwork for businesses and reduce cookie pop-ups. Only time will tell how that plays out. 
