Jayana Morgan Davis forwarded several emails containing personal information from her work account at V12 Sports and Classics Ltd to her personal email account. The information related to customers and employees of V12 Sports and Classics Ltd.
She was fined under the Data Protection Act 1998 for unlawfully obtaining personal data, and ordered to pay costs of £590 and a victim surcharge of £30.
“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”
The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.
If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.
Personal Information is any information that can identify an individual, such as employee names, customer IDs or CCTV footage.
If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.
Faye Caughey, a former Heart of England NHS Foundation Trust administrator, has been prosecuted for accessing the medical records of patients without authorisation and without any need to do so. The records related to family members and children known to her, and came from the HEFT iCare and CareFirst systems.
She was fined £1000 under the Data Protection Act 1998, and ordered to pay costs of £590 and a victim surcharge of £50.
Regulation (EU) 2016/679, known as the GDPR and implemented in the UK through the Data Protection Act 2018, governs the use of individuals' personally identifiable information.
What is Personally Identifiable Information?
Any information that can be used to identify an individual, directly or indirectly, is personally identifiable information and is therefore covered by the GDPR.
Common types of Personally Identifiable Information are:
Names
Email Addresses (personal ones, and business ones if they identify the individual, such as joe.blogs@company.com)
Address
Unique Reference Numbers
Registration Plates
Photos
Phone Numbers
Some types of Personally Identifiable Information have special category status; these include:
Health Information
Biometric Information
Sexual information
Religious Information
If you handle any special category information, you need to apply additional levels of security and have explicit consent from the data subject to process it.
Do I handle Personally Identifiable Information?
If you hold any of the following, it’s likely that you are handling Personally Identifiable Information:
Employee Information
Customer Information
Prospect Information
Supplier Information
What do I have to do to be compliant?
You need to make sure you are registered with the ICO to handle Personally Identifiable Information.
You need to know how your organisation is processing information under the GDPR: where it comes from, how it is used, who has access to it, where it goes and how long you hold it for.
You need a Privacy Policy that documents how you are managing the security of the information you hold. In it you need to identify the lawful basis for processing the information, and keep records of how you arrived at that lawful basis, how you have processed the information, and how you have ensured its security.
You need a Privacy Notice to tell the individuals whose information you hold how you obtained that information, how you’re going to use it, your lawful basis for using it, how you’re going to protect it, and how they can submit requests to update it or prevent processing of it.
You also need a means of monitoring your information store, whether paper-based or digital, that can identify when a breach happens. A breach could be as simple as accidentally deleting information or as serious as an unauthorised person gaining access to it.
Responding to individual requests
Individuals have various rights over their data depending on your lawful basis for processing. You are required to respond to these requests within 30 days and without charging a fee. You must provide any information in an easy-to-access format and explain any technical terms used.
Responding to individual requests is something you should have a documented process for; this will save you time and trouble if and when you receive requests, and will help keep you compliant with the GDPR.
#WeCanHelp
There’s a lot of work involved in getting your organisation GDPR compliant; we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.
We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.