PWC, a perfect Data Protection Storm
When an organisation that holds itself out as an advisor to many of Ireland’s leading companies on matters of corporate governance, management practice, and compliance finds itself in the eye of the media as a result of staff engaging in inappropriate commentary via email about photographs of female staff members then we have the makings of a Perfect Data Protection Storm.
There are two key areas of Data Protection concern which arise from the coverage.
- The breaches of the Data Protection Acts and the evidence of a disconnect between culture and policy in a leading international consulting firm.
- The question of whether the publication of images of the women involved by newspapers and websites in and of itself raises questions of Data Protection breaches.
The PWC issues.
The old saying goes that “it’s all fun and games until somebody loses an eye”. In the case of PWC, it may be that people should have had a closer eye on their obligations under the Data Protection Acts when they considered sending photos of newly hired staff around in a manner that was not compatible with the purpose for which the images were taken.
Section 2 of the Data Protection Acts 1988 and 2003 requires that personal data be obtained and processed fairly for specified lawful purposes. Any processing which is incompatible with those purposes is unlawful and constitutes a breach of the legislation.
Question: Were the new hires to PWC informed that their images would be used in a “Top 10” competition? If not, then the processing was not compatible with the stated purposes (which were probably for security and to identify them in internal staff directories or on the intranet).
Section 22 of the Acts says that any person who obtains personal data without prior authority and then discloses that data will have committed an offence under the Acts. So, if people took copies of the photos from the HR department in PWC without authority and then disclosed them (i.e. sent them around the office) then they may have committed an offence under the Data Protection Acts.
Reference needs to be made to Section 22(2) though, which says that this section doesn’t apply if the person who obtains and discloses the data without authority is an employee or agent of the Data Controller or Data Processor (thanks to TJ McIntyre for reminding me about this). What this means is that as the people involved were, for the most part it seems, PWC employees then S.22 doesn’t apply to them and the most likely Data Protection breach would be under S.2(1)(c)(ii) – the prohibition on processing for purposes incompatible with the stated purpose.
If, however, there were any recipients on the mailing list who were not PWC employees or agents who then forwarded the mail onwards then they may have obtained the data without authority and could fall foul of S.22. Sharing the information outside of PWC would also raise the issue of failing to keep personal data safe and secure, another requirement on the Data Controller (PWC) under S.2 of the Acts.
So, who is liable under the Acts? This question brings us neatly to S.29. S.29 basically establishes a clear chain of liability for breaches.
29.(1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by its members, subsection (1) of this section shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he was a director or manager of the body corporate.
So, PWC as the Data Controller may have liability, but so too might any identifiable manager or employee who neglected to take action to prevent the breach or engaged in the activities resulting in the breach and who can be shown to bear personal responsibility. While there may be policies and procedures in place, if it is clear on the evidence that there was a lack of congruence between the stated policies in the organisation and the day-to-day practices, arising from neglect on the part of identifiable people in management, then things might get tricky for PWC.
We must bear in mind that just because there has been a breach of the Acts doesn’t mean that an offence has been committed in the absence of any intent to commit an offence. Carelessness and ignorance can lead to “accidents”. Where an “accident” has happened, there is no offence and therefore there is no liability cascading to the management and officers of the body corporate. (This is one of the reasons I’ve suggested a “parking ticket” type penalty system for accidental breaches of the duty of care under the Acts to bring some additional enforcement powers to bear short of criminal prosecutions).
As things stand, the penalties for breaches would be, for the corporate entity, up to €3,000 per instance of offence (so potentially up to €39,000) on summary conviction, or up to €100,000 per instance of offence (potentially €130,000) if convicted on indictment.
It is worth comparing this to the UK where the penalty has recently been raised to £500,000 per instance of offence and the ICO is expected to announce their first conviction under the new regime soon, or to consider my earlier discussions of a new model for penalties in this blog.
Of course, there would first need to be an investigation by the Commissioner. S.10 of the Acts allows for the Commissioner to commence an investigation off his own initiative, but usually there needs to be a complaint from an affected party. It may be that the women involved wouldn’t want to initiate a complaint, preferring to put the matter behind them. In which case it falls to the Commissioner to take action on his own account.
The Media
Of course, PWC aren’t the only villains in this piece. There has been negative comment about the publication of images of the women by the Irish Independent, and the Irish Daily Mail thought it appropriate to include the names of some of the women alongside their photos on its front page today.
The media enjoys certain exemptions from the various duties and obligations that normally are associated with the processing of personal data. This arises out of the roots of the EU Directives in seeking to balance the right to privacy and the right to freedom of expression. S.22A of the Acts is where these exemptions arise from, with only the obligation to keep personal data safe and secure being imposed on journalists at all times.
However, these exemptions only hold where the processing of the personal data in question is “in the Public Interest”. This is a very different concept to “in the interest of the public” and represents the very fine line that journalists must walk when dealing with personal data and matters of privacy. S.22A provides guidance that what is “in the Public Interest” may be determined by reference to a Code of Practice approved by the Commissioner under the Acts.
No such approved code of practice for the media exists in Ireland. There is an Industry Code of Practice for Newspapers and Periodicals. While this code of practice makes reference to the Right to Privacy, and the rights to privacy of individuals, it does so in the context of publication in “the Public Interest”. Similar wording exists in the UK Press Complaints Commission’s Code of Practice for Editors.
The only case study published by the Data Protection Commissioner to date addressing the area of journalistic privilege related to the photographing of the children of well-known individuals. In this case study the DPC held that there was insufficient “Public Interest” to justify the photographing of the children of a well known person, irrespective of the level of “interest of the public” that might sell newspapers.
So… what “Public Interest” was served by publishing those photographs? Unfortunately the answer to that question will likely require one or more of the women to either lodge a formal complaint against the newspapers with the Data Protection Commissioner or take legal action against the newspapers in question to test that point.
++++
As an aside: If anyone reading this post would be interested in learning more about the ins and outs of Data Protection Regulation in Ireland, the ICS Data Practitioner Certificate courses are running in Cork and Dublin in December. If you book before the end of next week you can get a 2-for-1 discount on the course cost (it’s a 3 day course). Email dp@ics.ie for details.