Financial firms: protecting customer personal data

A recent case provides a rare example of the criminal prosecution of an individual (in this case the former employee of an insurer) for breach of the Data Protection Act 1988 (DPA).

David Barlow Lewis was a former employee of the insurer LV. He offered an ex-colleague £3,000 a month to send him the details of customers involved in road accidents. She refused to do so, and Lewis was subsequently prosecuted at Bournemouth Magistrates’ Court for attempting to commit an offence under section 55 of the Data Protection Act 1998 . He had knowingly or recklessly attempted to obtain personal data without the data controller’s consent.

Penalty

The Information Commissioner's office reports that Barlow was convicted in April 2016, fined £300 and ordered to pay £614 costs and a £30 victim surcharge.

Penalties for section 55 breaches are limited. The possibility of making them a "recordable offence" has been discussed but is not supported by the Government. If they were a recordable offence they could give rise to a criminal record. The Government has pointed out, however, that in serious cases a section 55 breach would also give rise to an offence under a statutory provision carrying a custodial penalty, such as bribery, or unlawful access to computer material.

Prosecutions rare

Prosecutions under section 55 seem rare. Perhaps they are seen as requiring more trouble than they are worth. The last one, in 2014, involved a pharmacist who unlawfully accessed the medical records of family members, work colleagues and local health professionals. He was fined £1,000 and ordered to pay a £100 victim surcharge and £608 prosecution costs.

FSMA breaches

In the Lewis case, LV handled the situation as it should have done. When such issues arise firms regulated under the Financial Services and Markets Act 2000 (FSMA) need to make sure that their actions do not make them complicit in the section 55 breach. In that event the firm and any controlled persons knowingly concerned might be the subject of FCA enforcement action for poor governance, systems and controls. In other cases the individual committing the primary section 55 breach might be an existing employee of a regulated firm.

The GDPR

The EU General Data Protection Regulation has now been agreed. It is expected to come into force in the European Economic Area in 2018. The GDPR does not contain an equivalent provision to section 55, although there is a basic requirement for personal data to be processed lawfully. So anyone who processes personal data that has been unlawfully obtained would be in breach of one of the basic data protection principles in the GDPR.

Whilst breach of the GDPR carries no criminal sanctions, the GDPR does allow supervisory authorities to apply administrative (i.e. non-criminal) sanctions for breaches. Fines of up to €20,000,000 or 4% of annual worldwide turnover are envisaged for breaches of the basic principles for processing.

Suppose a situation similar to the one in the Lewis case were to occur in the post-GDPR world. In other words someone was able to obtain unauthorised access to personal data held by a FSMA regulated firm. The firm would itself be subject to a requirement to notify the Information Commissioner of the data breach within 72 hours of becoming aware of it. This is a new requirement under the GDPR. Failure to provide such a notification could lead to a fine for the data controller organisation of up to €10,000,000 or 2% of annual worldwide turnover, whichever is greater. Moreover, the FCA might well take the view, now and in the post GDPR world, that it too should be notified of a serious data breach under its Principle 11 or under SUP15.

Financial Ombudsman cases

Complaints are sometimes made to the Financial Ombudsman Service about firms giving third parties unlawful access to the personal data of complainants. Many of these complaints are rejected on the grounds that the firm was justified in acting as it did.

When they are upheld, the amounts awarded as compensation are very modest, e.g. £50-200. Section 13 of the DPA limits the circumstances in which an individual can claim damages for distress for a breach of the DPA. Those limitations will, however, go when the GDPR comes into force. Even then, however, compensation for distress is likely in most cases to be a modest sum.

By Karen Anderson, partner, Jonathan Goodliffe, professional support lawyer and Miriam Everett, professional support consultant, Herbert Smith Freehills LLP