Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

University Assignment: Data Breach and Data Protection Law Report

Verified

Added on 2020/06/06

AI Summary

This report provides a detailed analysis of data breaches within the context of UK data protection law. It begins by defining the concept of a 'data breach' and explores the legal ramifications as outlined in the UK Data Protection Act (DPA), including the powers of the Information Commissioner's Office (ICO) to issue notices, conduct assessments, and impose penalties. The report examines the legal consequences of data breaches, including enforcement notices, information notices, and criminal sanctions. It also discusses the potential for monetary penalties and the various criminal offences associated with non-compliance. Furthermore, the report critically evaluates how regulators, specifically the ICO, have handled data breaches in practice, referencing recent examples. Finally, it considers specific mitigation strategies companies can implement to reduce the risk of a data breach and minimize potential fines, concluding with a comprehensive overview of the subject matter.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Data Breach - Data Protection Law

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Table of Contents
QUESTION 1.............................................................................................................................1
A) Explain the concept of a ‘data breach’..............................................................................1
B) What are the legal ramifications set out in the UK Data Protection Act (DPA) in relation
to the consequences of data breaches?...................................................................................2
C) Discuss critically, with reference to some recent examples produced by the UK
Information Commissioner’s Office, how regulators have handled data breaches in practice
................................................................................................................................................8
D) Consider specific mitigations companies could apply to reduce the risk of a data breach
and reduce the potential fines as a result..............................................................................10
CONCLUSION........................................................................................................................12
REFERENCES.........................................................................................................................13
BIBLIOGRAPHY....................................................................................................................15

QUESTION 1
A) Explain the concept of a ‘data breach’
There is no doubt that in today’s climate one of the key threats that data protection
laws are trying to mitigate is the risk of “data breach”1.
The security concern and the concept of ‘data breach’ has increased with the advent of
new technologies and ever increasing technological threats and bulk data processing,
According to the Information Commissioners’ Office, a personal data breach is:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed in connection with the provision of a public electronic communications service”.2
Recently, there has been major data breaches is large companies in the UK and
globally. One example is Sony who suffered from a number of high profile data breaches. In
this case, the hackers had broken the security of the company's computers and released
thousands of items of personal information in an attempt to derail the release of the North
Korea-themed comedy. Many high-level Sony execs fell victim to fake Apple ID verification
emails which asked individuals to enter the details into a fake form that enabled the hackers
to collect personal passwords, and then rely on the fact that these passwords were also used
for business networks, this way the hackers obtained access to the full Sony Network.
This data breach could have been avoided simply by more robust password policies
with mandatory requirement to usage of unique, strong and frequently rotated passwords.
This is only an example of the numerous data breaches which took place in the world 3.
1 Kuner, Christopher. "Data protection law and international jurisdiction on the
Internet (part 1)." International Journal of Law and Information Technology. 18(2)
(2010): 176-193.
2'Security Breaches' (Ico.org.uk, 2017)
<https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/
security-breaches/> accessed 29 July 2017
3 Ho, Vincent, Ali Dehghantanha, and Kamalanathan Shanmugam. "A guideline to
enforce data protection and privacy digital laws in Malaysia." In Computer Research
and Development, 2010 Second International Conference on. pp. 3-6. IEEE, 2010.
1

Therefore, it would be assumed that the legislative framework on the concept of data
breaches is ‘water tight’.
To many people’s surprise, although data breaches represent one of the most serious
consequences of a privacy breach – and the core focus of most regulatory activities, the
notion of a data breach is not defined under the Data Protection Directive 95/46/EC.
However, the PEC Regulations in the UK4 has implement the definition to some extent
through the amended e-Privacy Directive defining data breach as:
“A breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or
otherwise processed in connection with the provision of a publicly available electronic
communications service in the Community”5.
Although the Data Protection Act has an inclusive definition of what ‘data’ is, the
Data Protection Directive does not have a definition of what ‘data’ is. Therefore, as Carey
explains, the ‘starting point in the UK is to make a determination as to whether the
information being processed amounts to ‘data’.6
Having said this, the concept of data breaches is one that is defined to some extent by
the legislative framework, however, there are no formal framework for data breaches and
each member of the European Community is at their discretion to implement their own
framework and we discuss the implementation by the UK below.
B) What are the legal ramifications set out in the UK Data Protection Act (DPA) in relation
to the consequences of data breaches?
Firstly, in terms of enforcing the law on data beaches, Part V of the Data Protection
Act provides ways by which the Information Commissioner can ensure that data controllers
comply with the law. These include the power to serve notices and could require them to
supply information to them. Section 42 of the DPA allows individuals to apply to the
Commissioner for an ‘assessment’ to see whether their information is being processes
lawfully. There are also safeguards in place within the Act ensuring compliance with the
4 'What Are PECR?' (Ico.org.uk, 2017) <https://ico.org.uk/for-organisations/guide-to-
pecr/introduction/what-are-pecr/> accessed 29 July 2017
5 Protection, Patient, and Affordable Care Act. "Patient protection and affordable care
act." Public law. 111 (148) (2010): 1.
6
2

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

principles as set out in the DPA, for examples Section 4(4) states “it shall be the duty of the
data controller to comply with the data protection principles in relation to all personal data in
respect of which he is the data controller” and the data protection principles are set out in
Schedule 1 DPA7. Having said this, what are the ‘legal ramifications’ and consequences of a
data breach?
As said above, Part V of the DPA provides methods or tools for the ICO to ensure
compliance of the Act.
ICO Powers to Issue Notices
Firstly, under section 40 the ICO can issue an ‘Enforcement Notice’ provided the
following:
“40 (1) If the Commissioner is satisfied that a data controller has contravened or is
contravening any of the data protection principles, the Commissioner may serve him with a
notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with
the principle or principles in question, to do either or both of the following—
1) To take within such time as may be specified in the notice, or to refrain from taking after
such time as may be so specified, such steps as are so specified, or
2) To refrain from processing any personal data, or any personal data of a description
specified in the notice, or to refrain from processing them for a purpose so specified or in
a manner so specified, after such time as may be so specified.”
This is usually done where a contravention is seen to be causing a person or
individual damage or distress. It is a criminal offence to fail to comply with an Enforcement
Notice under section 47(1). Moreover, the Act under section 42 allows the Commissioner to
serve a data controller an ‘assessment notice’ with the purpose being that it allows the
Commissioner to determine whether the data controller has complied or is complying with
the data protection principles8. This is a form filled in by all individuals or company applying
7 Kuner, Christopher. "Data protection law and international jurisdiction on the
Internet (Part 2)." International Journal of Law and Information Technology. 18(3).
(2010): 227-247.
8 Natanzon, Assaf, Evgeny Drukh, and Shlomo Ahal. "Method and apparatus to
recover data in a continuous data protection environment using a journal." U.S.
3

to the Commissioners to ‘check’ whether their private data is being processed correctly in
accordance with the Data Principles Act9. These requests may also have civil or criminal
consequences, there is an initial assessment done by the Commissioner’s office whether the
breach has a criminal element to it. If it does have a criminal element to it, the investigation
will be carried out in accordance with the Police and Criminal Evidence Act 1984, at which
point this turns into an ‘investigation’ from an ‘assessment’.
Following the assessment, if it is concluded that the assessment has yielded adverse
results, the ICO has discretion on how to proceed, it could obtain an undertaking of no future
breaches or it could issue and Enforcement notice.
Further, under section 43 the Commissioner has the power to issue Information notices as
follows:
“Information notices.
1) If the Commissioner—
2) Has received a request under section 42 in respect of any processing of personal data, or
3) Reasonably requires any information for the purpose of determining whether the data
controller has complied or is complying with the data protection principles10,
He may serve the data controller with a notice (in this Act referred to as “an
information notice”) requiring the data controller, [F1to furnish the Commissioner with
specified information relating to the request or to compliance with the principles.]”
These ‘Information notices’ must inform the data controller that this is following an
assessment and in particular must state why the ICO regards the information requested as
being relevant for the purpose of determining whether that particular data controller has
complied with the principles of the DPA11. The notice must also include the Appeal rights as
set out under section 48. Further, it is worth mentioning the ‘Special Information Notice’ as
Patent 7,860,836, issued December 28, 2010.
9 Svantesson, Dan Jerker B. "Data protection in cloud computing–The Swedish
perspective." Computer Law & Security Review. 28(4). (2012): 476-480.
10 Reding, Viviane. "The European data protection framework for the twenty-first
century." International Data Privacy Law 2(3). (2012): 119-129.
4

this applies in terms of ensuring that the exemptions under the DPA are only used in
appropriate circumstances. The DPA allows exemptions for the processing for ‘special
purposes’ for example journalistic purposes and the ICO may issue this special notice to
ensure that the exemptions were correctly applied in accordance with the DPA principles, as
set out in section 44 of the DPA.
The compliance with this notice is serious and it is an offence under section 47(1) to
fail to comply with a Special Information Notice. Moreover, it is also an offence to make a
false statement (either knowingly or recklessly) in response to information request under the
Special Information Notice (section 47(2)
Further, in terms of checking and auditing, under section 51(7) of the Act there is a
possibility of a consensual audit essentially an assessment made with the agreement of an
organisation, as to whether the organisation’s processing of personal data follows good
practice12. In the similar vein, section 41A of the Act has ‘compulsory auditing’ which is
made following the issuing of an assessment notice, as to whether an organisation has
complied or is complying with the data protection principles 13.
Additional Powers of Entry and Inspection the ICO has a considerable amount of
backing from the DPA in terms of accessing and investigating through powers of entry,
inspection and seizure on application to a judge based on ‘reasonable grounds for suspecting
an offence under the Act. These powers are set out in Section 50, Schedule 9 of the Act.
As if the above was not enough, the Act provides that a sanction is available where
there has been a ‘criminal’ breach of the Act under Section 60, and a Monetary Penalty notice
which must not exceed £500,000 (Section 55A-E DPA) is available to be issued provided a
notice of intent has been issued under section 55B.Criminal Sanctions and Powers for breach
of the Data Protection Act. The Data Protection Created a number of criminal offences and
11 Yılmaz, İlay. "Turkey: Long-Awaited Data Protection Act Adopted." Computer
Law Review International. 17(3). (2016): 91-93.
12 Svantesson, Dan Jerker B. "Data protection in cloud computing–The Swedish perspective."
Computer Law & Security Review. 28(4). (2012): 476-480
13 Yılmaz, İlay. "Turkey: Long-Awaited Data Protection Act Adopted." Computer
Law Review International. 17(3). (2016): 91-93.
5

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

some of these are there to ensure compliance, retribution and to stop future risk. Firstly, as
mentioned above, section 17 of the Act provides that ‘personal data must not be processed
unless an entry in respect of the data controller is included in the register maintained by the
Commissioner’. The Act under section 21 makes processing of data without entry in the
register a criminal offence. This section sets the tone of the offenses under it14.
The criminal offence in regards to this occurs when the data controller is unable to
show that he carried out ‘due diligence’ to comply with the duty of notification under the Act,
and the maximum penalty under this provision is £5000 in the magistrate’s court or unlimited
fine in the Crown Court.
Additionally, under section 20 of the Act the requires the data controller to notify the
commissioner of any change in their operations, failure to notify such changes is a criminal
offence by virtue of section 21(2). In terms of ‘processing of data, under section 22(5) and
(6) it is a criminal offence to carry on assessable processing after a notification of such to the
ICO.
As there is a duty of disclosure under the Act, failure to comply with a duty to
disclose under section 24 is therefore a criminal offence under section 24 (4). With most of
these offences mentioned above, it has been a defence where the data processor can show that
due diligence has been applied. Considering the climate today and the phone hacking scandal
which led to the UK’s most notorious civil litigation, the Parliament has done well to enact
the DPA in order to take precautions and dealt with the issue of ‘blagging’ under section 55
of the Act, i.e. obtaining information by deception15.
An example of a case on how this may occur was seen in the case of R v Rooney
[2006] EWCA Crim 1841, where ‘Jacqueline Mary Rooney on the 20th day of July 2004,
knowingly or recklessly, without the consent of the data controller, disclosed personal data or
14 Natanzon, Assaf, Evgeny Drukh, and Shlomo Ahal. "Method and apparatus to
recover data in a continuous data protection environment using a journal." U.S.
Patent 7,860,836, issued December 28, 2010.
15 Svantesson, Dan Jerker B. "Data protection in cloud computing–The Swedish
perspective." Computer Law & Security Review. 28(4). (2012): 476-480.
6

the information contained in personal data16, namely the address of Tracey Booth and Adam
Syred.’ She was charged under and convicted under section 55 of the Act, there are of course
Defences to the offences and the main one used would be that the information either
obtaining, disclosing or procuring was necessary for the purpose of detecting crime or was
required or authorized by or under any enactment. However, it should be noted here that
these Act is strict on these points and the defences often fail.Similarly, it is illegal to sell or
offer to sell personal data under section 55(4) and 55(5) and this is strictly enforced
accordingly, and under section 56(1) a person must not require another person to supply him
with records or a subject access record in regards to recruiting or any contracting or services
with that person.
Disclosure has always been a hot topic in terms of Data Protection Laws and under
the Act Section 59(1) contains a prohibition on disclosing certain information which has been
provided to the office of the Commissioner. As mentioned above, the ICO has the power to
obtain warrants and search property and seize it, any obstruction of the enforcement of such
procedure is a criminal offence under Schedule 9 of the Offence17. As notifications by the
ICO are serious and the purpose of issuing such notifications is to ensure compliance with the
data protection principles, section 47(1) makes it an offence if one fails to comply with one of
the notices mentioned above, Enforcement notice, Information Notice or Special Information
notice. Other offences include the ICO’s power to inspect any personal data on Overseas
Information systems; this will be particularly interesting to how this is shaped following
Brexit as the ICO currently has access to the Europol information system18.
16 Rumbold, John Mark Michael, and Barbara Pierscionek. "The effect of the General
Data Protection Regulation on medical research." Journal of medical Internet
research 19(2). (2017).
17 Barnard-Wills, David. "The technology foresight activities of European Union data
protection authorities." Technological Forecasting and Social Change 116 (2017):
142-150.
18 Natanzon, Assaf. "Leveraging array snapshots for immediate continuous data
protection." U.S. Patent 8,521,694, issued August 27, 2013.
7

As with Corporation Law and the Companies Act 2006, the DPA also creates liability
for corporate officers under section 61(1) who many punished for their actions such as
involvement in committing an offence by the corporate body. It is interested to see how the
ICO actually operates and exercise directions, and what kind of offences they in particular try
pursue and stop. The ICO website has available some of the cases it has done, under the
‘Action we’ve taken’ tab which is accessible to the public. For example, recently, the ICO
ruled that the Royal Free London NHS Foundation Trust failed to comply with the Data
Protection Act when it provided patient details to Google Deep Mind.It shows that the ICO is
actively pursuing data breaches, however with the increase of data breaches in large
corporation such as TalkTalk they have a busy time ahead.
C) Discuss critically, with reference to some recent examples produced by the UK
Information Commissioner’s Office, how regulators have handled data breaches in practice
The recent example of a data breach which the ICO handles is the cyber-attack on
TalkTalk. Between 15-21 October 2015’s cyber-attack exploited vulnerabilities in three
webpages which were operated by TalkTalk following its 2009 acquisition of the UK
operations of Tiscali. The exploitation of this vulnerability allows access to an underlying
database holding customers’ personal data including names, addresses, dates of birth, phone
numbers, email addresses and financial information’, thus a serious breach of the DPA19.
On or around 22 October 2015, TalkTalk informs the ICO of a potential data breach.
The ICO acts quickly and commences a preliminary investigation to look into the details of
the incident. The ICO writes to TalkTalk and asks them to provide more information about
the incident. Following which, the company starts notifying the public about the attack. On
23 October 2015 ICO issues a public statement and gives tips about the protection of data.
The House of Commons committee, Culture Media and Sports steps in and carries out their
inquiry. A report is issued following the ICO giving their evidence as well20.
19 Wachter, Sandra, Brent Mittelstadt, and Luciano Floridi. "Why a right to
explanation of automated decision-making does not exist in the general data
protection regulation." International Data Privacy Law. 7(2). (2017): 76-99.
20 Chua, Hui Na, Siew Fan Wong, Younghoon Chang, and Christian Fernando
Libaque-Saenz. "Unveiling the coverage patterns of newspapers on the personal data
protection act." Government Information Quarterly (2017).
8

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Following the report, the ICO’s investigation concluded TalkTalk failed to take
appropriate measures against the unauthorised or unlawful processing of personal data, in
contravention of the Data Protection Act. The ICO report said: “For no good reason,
TalkTalk appears to have overlooked the need to ensure it had robust measures in place
despite having the financial and staffing resources available." It has been held that
"Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or damage
to, personal data."in the Principle 7 of the Data Protection Act.
The ICO fined TalkTalk £400,000 and as soon as this is paid the case is settled21.
When looking at the whole process followed by the ICO, what strikes most is that there is no
mention of ever being an audit of this company before, despite the cyber-attacks on Tiscali
which TalkTalk took over.
Surely, there should have been regular checks and audits of company following take
over by the ICO, as TalkTalk is one of the largest providers of telecommunications in the
UK. Moreover, one other point which is of interest is that there is no mentioned of what
safeguards or what has been done following the breach to ensure that future breaches will not
take place, instead a fine of £400,000 was stamped and it was said by the ICO that22:
"Today’s record fine acts as a warning to others that cyber security is not an IT issue,
it is a boardroom issue. Companies must be diligent and vigilant. They must do this because
they have a duty under law, but they must also do this because they have a duty to their
customers."
Therefore,this approach by the ICO is one of retribution and one where it is making
an example out of a company, which might only be a temporary deterrent to the problem
21 'Talktalk Hit By Record £400,000 Fine Over Data Breach' (ComputerWeekly, 2017)
<http://www.computerweekly.com/news/450400451/TalkTalk-hit-by-record-400000-
fine-over-data-breach> accessed 27 July 2017
22 'Talktalk Gets Record £400,000 Fine For Failing To Prevent October 2015 Attack'
(Ico.org.uk, 2017) <https://ico.org.uk/about-the-ico/news-and-events/news-and-
blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-
attack> accessed 27 July 2017
9

rather than a long-term deterrent. In fact, following such a breach of data from
telecommunication companies there should be a framework or guidelines specific to all
telecommunications companies on technical and organisational measures to take so that there
is a uniform approach to such issues. That is not to say that every company should have the
same security system, but similar companies will face similar issues and the potential for data
breaches can be based on common factors.
D) Consider specific mitigations companies could apply to reduce the risk of a data breach
and reduce the potential fines as a result
There are number of risk mitigation strategies that firms might use to maintain data
security of their clients, discussed here as under:
 Companies must ensure full adherence and compliance with the Data Protection Act
(DPA) legislation and necessary provisions, standard norms and rules mentioned in
the act23. Data controller must ensure that all the legal requirements of the DPA have
beenmet out perfectly through regular compliance.
 Data protection Policy must be designed and conveyed properly to all the workers in
the employee handbook and manuals. Full disclosure to every worker along with the
necessary guidelines needs to be provided to the workers, so that, they will be familiar
with the privacy and confidentiality aspect and follow with the framed regulations to
ensure its proper adherence24.
 Strict policies and actions needs to be taken by the telecommunication organizations
against those persons who are found responsible for the non-compliance with the data
protection policy. It must be communicated to every member in the workforce so that
they will be aware about it and take proper care to comply with the privacy
requirements. Immediate and prompt actions required to be made by the firm to
combat the damages caused as a result of breach of confidentiality. For instance,
companies can conduct audit to investigate the complaints made by the audiences
23 What Is U.K. Data Protection Act 1998 (DPA 1998)? - Definition From Whatis.Com'
(WhatIs.com, 2017) <http://whatis.techtarget.com/definition/UK-Data-Protection-
Act-1998-DPA-1998> accessed 27 July 2017
24 Terry, Nicolas P. "Regulatory Disruption and Arbitrage in Health-Care Data
Protection." Yale J. Health Pol'y L. & Ethics 17 (2017): 143.
10

regarding breach of confidentiality and responsible person can be charged with the
penalty and fines and also can be terminated from the course of employment. It will
create a fear among staff member to not to violate the privacy requirement and assure
its full adherence.
 Encryption is also considered as a better way to minimize the possibility of data
breach and non-compliance25. In order to consider data safety & security concerns,
telecom companies can convert the useful and confidential client information into a
code so as to minimize the risk of its unauthorized and illegal use. Encrypted data are
of no use for the thieves and thereby prevent the business itself from the possible
consequences.
By taking into account the following things, firms will be able to consider the data
safety and security concerns of their clients and minimize the risk of its violation.
CONCLUSION
From the carried investigation, it becomes clear that each and every organization need
to give value to the safety and security concerns of their consumers otherwise, they can be
legally charged with the penalties and fines. In this regard, it is the legal liability of the
organization to follow the standard norms and legal provisions mentioned in UK Data
Protection Act and other legislative requirements. Lastly, firms have been suggested to make
data protection policy,to ensure its proper disclosure and communication to the workforce
and take strict actions against liable person so as to safeguard itself against possible risk of
breach.
25 The Impact Of A Data Breach Can Be Minimized Through Encryption' (Security
Intelligence, 2017) <https://securityintelligence.com/the-impact-of-a-data-breach-can-
be-minimized-through-encryption/.> accessed 27 July 2017
11

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

REFERENCES
Books and Journals
13

Online
14

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

BIBLIOGRAPHY
https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/
security-breaches/
http://www.bbc.co.uk/news/business-34589710
http://whatis.techtarget.com/definition/UK-Data-Protection-Act-1998-DPA-1998
http://www.computerweekly.com/news/450400451/TalkTalk-hit-by-record-400000-fine-
over-data-breach
15