Included in this issue of Data & Privacy News: Mock Data Breach and GDPR Investigation Event; ICO publish consultation on access to information strategy; Advocate general gives opinion that 'right to be forgotten' could threaten global free speech and more

Mock Data Breach and GDPR Investigation Event 

Would your business be prepared for a data breach? 

Come along to our Mock Data Breach event at our Edinburgh office on Thursday 31st January to hear from experts about the impact it could have on your business, and how to prepare yourself post GDPR.

ICO publish consultation on access to information strategy

The ICO have published a consultation on their proposed strategy for the next three years with the aim of launching the final version later in 2019.

The ICO have identified 5 high-level priorities in their draft strategy, including raising awareness of access to information rights, and working in partnership to improve standards of openness, transparency and participation amongst public authorities.

Public authorities, private contractors who provide public services, journalists, campaigners, MPs, councillors and members of the public are all invited to comment by Friday 8 March 2019.

Advocate general gives opinion that 'right to be forgotten' could threaten global free speech

In a preliminary hearing, the European Court of Justice has found that the "right to be forgotten", which allows claimants to request removal of online links to irrelevant or out of date information about them, should not be globally enforced as it could threaten free speech.

Advocate general, Maciej Szpunar, said that there needs to be a balance against other "fundamental rights" such as the right to data protection and privacy when accessing the information. 

The case, which relates to a dispute between Google and France's National Commission for Information and Civil Liberties (CNIL), arose after the CNLI fined Google €100,000 for failing to remove an individual’s name from all of its domains across the internet. 

Google has received millions of requests for removal of material from online searches since the "right to be forgotten" was established in a landmark ruling in 2014.

Unauthorised access of Alex Ferguson's medical records by Salford Royal hospital could result in fines

Currently, some medical staff at Salford Royal Hospital are under investigation for allegedly reviewing Alex Ferguson's medical records without reason or consent when he was admitted with a brain haemorrhage last year.

The hospital made a public apology and the ICO were informed, however consequences could still lie ahead for the individuals involved, as well as for the hospital.

Under s170 of the Data Protection Act 2018, it is an offence to obtain personal data without consent. The ICO could impose fines on the specific individuals who accessed the records without consent. In September 2018, a nurse who accessed records without consent received a fine of £400 from the ICO. 

The hospital, as a data controller, may face a harsher fine than under a standard data breach since health data is classed as a "special category". Data controllers also have to ensure their systems are adequate for observing and managing the viewing of patient records. The maximum fine for a statutory breach is the higher of either €20 million euros or 4% of global turnover.