UK Information Commissioner advises that TikTok could face a 27 million pound fine for failing to protect children’s privacy

September 28, 2022

The Federal Trade Commission has been taking action against companies for misusing the personal information of children. The UK Information Commissioner’s Office has also taken action on that front, against TikTok. It has issued a notice of intent against TikTok for failing to protect children’s privacy. The statement

Health advisor in the UK fined for unlawfully accessing patient records. And in NSW such conduct resulted in a nurse having her registration cancelled.

August 18, 2022

The UK Information Commissioner has highlighted the case of Christopher O’Brien who was prosecuted for unlawfully accessing patient records of 14 patients of the South Warwickshire NHS Foundation Trust, all of whom were known to him.  The media release provides:

A former Health Advisor has been prosecuted for obtaining the personal data of service users, namely patients of South Warwickshire NHS Foundation Trust.

Mr O’Brien unlawfully accessed patients’ medical records in the course of his employment without any business need to do so. Mr O’Brien had viewed the records of 14 patients, who were known personally to him, between June and December 2019 without the consent of his employer.

Christopher O’Brien appeared before Coventry Magistrates’ Court and pleaded guilty to 6 counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.

and

A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.

Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.

One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.

Mr O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, said:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

This sort of misbehaviour is not confined to the United Kingdom. National Public Radio ran a piece in 2015 on hospital workers snooping on celebrities’ medical records, including those of George Clooney, Kim Kardashian and Michael Jackson, to name a few. It is a chronic problem in Australia within the health sector. Last year the Health Care Complaints Commission prosecuted a complaint against registered nurse Ms Cody Rae Payne at the NSW Civil and Administrative Tribunal (‘the Tribunal’). Between January and August 2019 Payne accessed, without lawful authority, her own medical records as well as those of 34 other persons, including family members involved in family court proceedings. She provided information to her husband that she acquired as a result of that unauthorised access.

The hearing before the NSWCAT occurred after Payne had been criminally prosecuted for

The UK Information Commissioner provides a report to Parliament “Behind the screens” regarding the use of private emails and messaging apps within government & issues of data security and transparency

July 12, 2022

The UK Information Commissioner’s Office has just released a significant and detailed report titled Behind the screens: ICO calls for review into use of private email and messaging apps within government, on the use of messaging apps and technologies within government and the associated issues of privacy, data security and transparency. The flexibility that comes with using messaging apps has unwelcome consequences when they are used for official business. The lack of a record of important exchanges undermines proper transparency. The use of apps and texts has real security issues. Private exchanges for public business can be problematic.

The media release provides:

The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.

UK Information Commissioner’s Office and the National Cyber Security Centre write to the Law Society advising against paying ransomware demands

July 11, 2022

To pay or not to pay ransomware demands, that is a vexed question for organisations. And what advice should their legal representatives give? As far as the Information Commissioner’s Office (“ICO”) is concerned, ransomware demands should not be paid. The ICO and the UK National Cyber Security Centre (the “NCSC”) wrote to the UK Law Society as a reminder that lawyers in the UK should not advise

Information Commissioner’s Office fines facial recognition company Clearview AI 7,552,800 pounds and orders data be deleted

May 24, 2022

The UK Information Commissioner has imposed a significant fine of £7,552,800 on Clearview AI for illegally collecting personal data of UK residents. The facial images of UK residents were scraped from the internet and fed into Clearview’s database where, with the aid of artificial intelligence, it could use that data to identify those people and monitor them.

Clearview AI continues to maintain that it has done nothing wrong, saying that its technology and intentions have been “misinterpreted”, and claims that it is not subject to the ICO’s jurisdiction.

Clearview has already been the subject of action by other regulators. In March 2022 the Italian data protection agency imposed a €20 million penalty on Clearview for breaches of EU law. In December last year France’s data watchdog, CNIL, found that Clearview had committed two breaches of the GDPR. Similarly, in February 2021 Canadian privacy commissioners stated that Clearview had violated Canadian privacy laws. In the United States, Cook County (effectively Chicago) and Clearview entered into an agreement in settlement of a suit whereby Clearview has agreed to stop providing its technology to most private clients and to stop doing business in Illinois.

The use of facial recognition technology by police is belatedly being scrutinised

The UK Information Commissioner’s Office launches its updated Artificial Intelligence data protection risk toolkit.

May 6, 2022

Artificial Intelligence (“AI”) is becoming a significant issue for lawyers generally and regulators in particular. Its impact on the law is apparent in the Full Bench of five justices ruling last month, in Commissioner of Patents v Thaler [2022] FCAFC 62, that an inventor in terms of patent law must be a natural person, not an AI. This was an appeal from the decision of Justice Beach on 30 July 2021 in Thaler v Commissioner of Patents [2021] FCA 879, in which his Honour relevantly ordered:

  • The determination of the Deputy Commissioner that s 15(1) of the Patents Act 1990 (Cth) is inconsistent with an artificial intelligence system or device being treated as an inventor be set aside.
  • The matter as to whether patent application no. 2019363177 satisfies the formalities under the Patents Regulations 1991 (Cth) and its examination be remitted to the Deputy Commissioner to be determined according to law in accordance with these reasons.

In its reasons the Full Court found that identification of the “inventor” was central to the operation of the legislation. Under s 15, only the inventor or someone claiming through the inventor is entitled to a patent.

Thaler will probably make its way to the High Court. 

But the use of AI is more prosaic and ubiquitous than in inventing devices. That is likely to be both a public good and a cause for concern. At the moment the technology and its implementation are far outpacing the law and regulation. That is a concern given the potential foreseeable and unforeseeable consequences. In that regard I thoroughly recommend Machines Behaving Badly: The Morality of AI by Toby Walsh. I attended a presentation by Professor Walsh organised by the Centre for Artificial Intelligence and Digital Ethics (CAIDE) last Wednesday.

Regulators in the United Kingdom and Europe have been much more alive to the need for guidance and consideration of AI and its effect on privacy and data security than in Australia, where the regulator takes a more languid approach and seems to be letting the ACCC take the running on big tech issues. In that vein the Information Commissioner’s Office (‘ICO’) announced, on 4 May 2022, that it had launched its updated AI and data protection risk toolkit. It is an important document for

UK Information Commissioner fines transgender charity Mermaids 25,000 pounds for failing to keep personal data secure

July 19, 2021

The UK Information Commissioner’s Office has fined Mermaids £25,000 for failing to keep personal information secure. The breach involved personal information in emails and documents, created by staff at Mermaids or its clients, being publicly available online. Mermaids was advised of this by a newspaper in June 2019 and contacted the Commissioner that day.

Mermaids is a charity that offers support to young people and their families regarding gender non-conformity. As such, the discussions and personal information involved were very sensitive.

The media release provides:

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.

UK Information Commissioner’s office fines British Airways 20 million pounds for data breach affecting 400,000 customers

October 17, 2020

The UK Information Commissioner’s Office (“ICO”) has fined British Airways (BA) £20 million for a data breach in 2018. I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange. The Commissioner decided to reduce the sum in light of the impact COVID-19 has had on BA’s business and finances.

As often happens, the regulator’s investigation into the cyber attack turned up multiple failings by BA, both in protecting its network and in detecting the attack. And that attack was both wide and deep in its penetration. Through the attack the addresses of 244,000 customers were accessed, along with the credit card details with CVV numbers of 77,000 customers and the credit card numbers

UK Information Commissioner intends to fine Marriott International 99 million pounds and British Airways 183.39 million pounds. The GDPR bites for data breaches

July 16, 2019

With the General Data Protection Regulation in force in the United Kingdom, the Information Commissioner has greatly enhanced powers to fine those who breach data protection laws. And in that vein the Commissioner announced on 8 July 2019 an intention to fine British Airways £183.39 million for a data breach in September 2018 which resulted in the personal information of 500,000 being compromised. As is often the case, investigation after the breach revealed

UK Information Commissioner prosecutes unauthorised access to personal information … part of a growing problem

June 11, 2019

Organisations and agencies that collect and use personal information have a chronic problem of staff accessing that information without authorisation. It is a very significant problem in the health industry, with staff looking into the health records of celebrities: George Clooney in 2007, Britney Spears in 2008, Michael Jackson in 2011 and Kim Kardashian in 2013, to name a few. Last year two staff members at the Ipswich Hospital were reprimanded and one sacked for accessing Ed Sheeran’s health records relating to his treatment for a wrist injury caused by a bicycle accident. These instances are a fraction of the breaches of this nature that occur. The breaches rarely come to light because the organisations seldom notify those whose personal information has been compromised. And they are only occasionally notified to the regulator.

A case of snooping that was reported to the regulator resulted in a successful prosecution. In the United Kingdom unauthorised access to personal information is a criminal offence. The UK Information Commissioner successfully prosecuted a former customer services officer at Stockport Homes who unlawfully accessed personal data, in anti-social behaviour cases, 67 times in 2017. The breaches were