The High Court of Justice in the UK has ruled that solicitorsfromhell.co.uk (“SFH”) has breached the Data Protection Act (DPA). It’s a reminder that the DPA is not just about protecting data. Just because many publicized DPA breaches are a result of not using data protection tools, such as drive encryption software like AlertBoot, doesn’t mean that there aren’t other things to consider.
Name and Shame Site Breaches DPA
SFH provided, according to the owner of the site,
[a] ‘blacklist’ of firms and solicitors contained on the site helped people choose legal services and encouraged members of the public to “expose wrongdoing” in the legal profession. [theregister.co.uk]
Of course, seeing how he was essentially challenging solicitors (lawyers in the US), it was a matter of time before the case ended up in court. The Law Society, which represents solicitors in England and Wales, successfully argued that SFH contained “malicious and defamatory” allegations.
The High Court agreed. In its decision it noted, among other things,
because solicitorsfromhell.co.uk had contained false statements about lawyers, Kordowski, as the data controller, had breached basic principles of UK data protection laws that require personal data to be accurately stored and processed fairly and lawfully.
Because Kordowski had not processed lawyers’ personal data in accordance with their rights – another principle of UK data protection laws – the judge ordered Kordowski to “block, erase and destroy the data which is the subject of this action”. [theregister.co.uk]
Data Protection Act Governs More Than Data Protection
The DPA and the Information Commissioner’s Office, which is charged with upholding the DPA, have become “famous” over the last year due to 2011 being an explosive year when it comes to data privacy issues.
Many people understand that there are UK laws requiring personal data to be protected; that organizations that collect such data have a legal duty to protect it; that failing to do so can incur penalties and fines, and even prison sentences depending on the situation. Indeed, it’s one of the reasons why AlertBoot has seen an uptick in interest for its encryption software for securing computer hard drives.
However, there is more to the Data Protection Act than protecting data. You also have to ensure, as pointed out above, that the collected data is accurate.
If the information is not accurate, you must correct it if someone requests it. Of course, this also implies that people are allowed to see what data you hold on them, which the DPA covers as well. Furthermore, if a person requests that a company delete the data that is being held on them, the company must comply under most circumstances.
One exception is organizations that deal with journalism, since it would have a tremendous impact on free speech rights.