Data access and privacy templates toolkit

Data access and privacy refer to the principles and practices that govern how data is accessed, used, and protected within an organisation.

Data access involves the ability to retrieve, view, or use data stored in a system. Key aspects of data access include:

• Permissions: Determining who can access specific data.

• Authentication: Verifying the identity of individuals accessing the data.

• Authorisation: Granting access rights based on user roles and responsibilities.

• Accessibility: Ensuring data is available and retrievable when needed.

Data privacy, also known as information privacy, focuses on the handling and protection of personal and sensitive information. Key aspects of data privacy include:

• Confidentiality: Ensuring that personal information is not disclosed to unauthorised individuals or systems.

• Data Protection: Implementing measures to safeguard personal data from breaches, leaks, or unauthorised access.

• Compliance: Adhering to laws and regulations (such as GDPR, CCPA) that govern data protection and privacy.

• Consent: Obtaining permission from individuals before collecting, using, or sharing their personal data.

• Transparency: Being clear with individuals about how their data is collected, used, and shared.

Here are key UK employment legislations and best practices that may govern or be relevant to data access and privacy templates:

• Data Protection Act 2018 (incorporating GDPR): Establishes the legal framework for handling personal data, including individuals' rights to access their data and requirements for data privacy and security.

• Privacy and Electronic Communications Regulations (PECR) 2003: Regulates electronic communications and the handling of data, ensuring privacy in digital communications.

• Equality Act 2010: Ensures that data handling practices do not discriminate against individuals based on protected characteristics, promoting fairness and equality.

• Freedom of Information Act 2000: Grants individuals the right to access information held by public authorities, complementing data access rights under GDPR.

• Best Practice: Transparency and Clarity: Ensure data access and privacy templates clearly inform individuals about their data rights, the purposes of data processing, and how their data will be protected.

Navigating Data access and privacy processes correctly is crucial.

Recent UK case law has highlighted key aspects of good Data access and privacy management. Knowing how courts have handled claims can help you assess whether your proposed actions are likely to be seen as reasonable.

Here are some notable rulings and their implications:

• Lloyd v. Google LLC (2021):

  Facts: Mr. Lloyd brought a representative action on behalf of approximately four million iPhone users, claiming that Google had unlawfully collected their personal data without consent through the Safari Workaround, a technique that bypassed privacy settings in Apple's Safari browser.

  Outcome: The Supreme Court ruled in favour of Google, stating that claimants must show material damage or distress caused by the data breach to claim compensation. The court emphaszed that mere loss of control over personal data, without proving actual damage, is not sufficient for a claim.

• Key takeaway: This case underscores the importance of demonstrating actual harm when seeking damages for data breaches.

  WM Morrison Supermarkets plc v. Various Claimants (2020):

  Facts: This case involved a rogue employee of Morrison’s who leaked payroll data of around 100,000 employees. The employees claimed that Morrison’s was vicariously liable for the data breach.

  Outcome: The Supreme Court ruled in favour of Morrison’s, stating that the company was not vicariously liable for the actions of the rogue employee. The court found that the employee was acting outside the scope of his employment when he committed the data breach.

  Key takeaway: This case clarified the limits of vicarious liability for employers in data breach incidents.

• Barclays Bank plc v. Various Claimants (2020):

  Facts: The case concerned a doctor hired by Barclays Bank to conduct medical examinations of employees and prospective employees. The doctor was accused of sexually assaulting individuals during the examinations. The claimants argued that Barclays should be held vicariously liable.

  Outcome: The Supreme Court ruled that Barclays was not vicariously liable because the doctor was an independent contractor rather than an employee.

  Key takeaway: This decision highlighted the distinction between employees and independent contractors in cases of vicarious liability, impacting how companies handle data privacy and access issues involving third-party contractors.

• R v. Mucavele (2020):

  Facts: Mr. Mucavele was convicted under the Computer Misuse Act 1990 for unauthorised access to personal data stored on his employer’s systems. He accessed and shared personal data of clients and colleagues without permission.

  Outcome: The court upheld his conviction, reinforcing that unauthorised access to personal data is a serious offense under the Computer Misuse Act.

  Key takeaway: This case illustrates the criminal consequences of unauthorised data access and the importance of maintaining strict data access controls.

• Driver v. Crown Prosecution Service (2020):

  Facts: Mr. Driver requested access to personal data held by the Crown Prosecution Service (CPS) under the Data Protection Act 2018. The CPS failed to provide the data within the statutory time limit, leading to Mr. Driver filing a complaint.

  Outcome: The court ruled that the CPS had breached its obligations under the Data Protection Act 2018 by failing to provide the requested data within the required time frame.

  Key takeaway: This case underscores the importance of timely compliance with data access requests under data protection laws.

• R (on the application of Bridges) v. Chief Constable of South Wales Police (2020):

  Facts: Mr. Bridges challenged the use of Automated Facial Recognition (AFR) technology by South Wales Police, arguing that it violated his privacy rights under the European Convention on Human Rights (ECHR) and data protection laws.

  Outcome: The Court of Appeal found in favour of Mr. Bridges, ruling that the use of AFR technology was unlawful because the police had not adequately assessed its impact on privacy rights and had not complied with data protection laws.

  Key takeaway: This case highlighted the need for rigorous privacy assessments and compliance with data protection laws when deploying new surveillance technologies.

Here are some conplex but common Data access and privacy-related workplace scenarios that need careful planning and execution to resolve.

We show you the steps to take to manage the specific case, along with what you should consider doing to minimise and mitigate any repeat.

🔒 To access the answers to the following questions you will need to make a purchase.