Politician in hot water after data leak – a lesson for businesses
Sensational headlines hit the news in 2021 following leaked CCTV footage of a senior politician caught in a compromising position in his office with one of his aides. Ed Jaffa, an expert in data protection, considers the extent of the data leak and what businesses can learn from this story. You’ll remember the press last year, but what might not be so well known are the criminal and data protection ramifications resulting from the incident.
The ICO (Information Commissioner’s Office) opened a criminal investigation into the leak, but has recently closed its inquiry, saying that there was a lack of sufficient evidence to bring a prosecution.
The incident is not just in the political public interest as a breach of the politician’s own Covid-19 rules (or even just as parliamentary gossip).
It also shows the potentially huge practical ramifications which can result from a data leak or breach of data protection laws: ramifications which could cost businesses quite a lot in terms of time, money and reputation if they found themselves in a similar position.
Data Protection and the ICO
Let’s take a step back for a moment and briefly remind ourselves of the UK’s data protection landscape.
- We know that the ICO is the UK regulator, watchdog and general enforcer of the UK’s data protection regime. The ICO has the power to investigate companies and to issue substantial fines for serious data protection breaches.
- GDPR says that ‘personal data’ is any information relating to an ‘identified or identifiable’ person, and that a person can be identifiable if (among other things) his or her physical features are included within the relevant data.
- The CCTV footage of the politician and his aide is therefore personal data, because:
  - the CCTV footage consists of data (obviously), and
  - this data satisfied the definition of ‘personal data’ because the identities of the MP and his aide could clearly be seen from the footage. In layman’s terms – anyone who watched the footage would know, or would be able to find out, the identity of the MP and his aide, and so it constitutes personal data.
- The leaking of the CCTV footage was a personal data breach because such leaking was not GDPR-compliant. Under data protection law, there was no legal reason for allowing the footage to be passed to the media (the newspapers would likely argue that there is a strong public interest argument for the footage being leaked and published, but that’s a separate issue which we’re not considering today).
A quick reflection on this particular CCTV leak
The CCTV in the government office where the incident took place was apparently operated by a private company, which quite properly notified the ICO of the data breach after it became aware of the footage having been leaked to the press.
Due to the seriousness of the data breach and the clear wide-ranging public interest implications, the ICO launched a criminal investigation.
The ICO stated that, as a result of forensic analysis, the leaked footage was most likely obtained by someone recording the CCTV monitor-screen on a mobile phone. It therefore obtained warrants and carried out raids, retrieving six mobile phones in the process.
However, the ICO has recently decided that there is insufficient evidence to charge anyone with criminal offences under UK data protection laws, and so has closed its investigation, meaning that the people who had those mobile phones in their possession are off the hook (at least with regard to the data protection breach).
Here’s why this is of interest to businesses…
That’s all very intriguing, but why is this of interest to business?
Well, aside from the political ramifications, the saga shows:
- the need to have proper data security procedures in place. Whilst there are technological measures which could be taken to (for example) stop staff or contractors illegally taking footage or personal data out of the office on memory sticks, is there anything which could be done to stop people taking pictures of sensitive data on their own mobile phones?
- the need to ensure that any data breaches are considered immediately and, if serious, that a report is submitted to the ICO. Serious data breaches must be notified to the ICO within 72 hours of becoming aware of the incident, which poses a particular challenge if a breach comes to light during a public holiday such as Christmas or Easter.
- the risk of a criminal investigation being opened. In the most serious cases, the ICO has the power to open criminal investigations where it believes that there has been intentional wrongdoing.
- the risk of being raided and for computers, phones and other equipment to be seized by the ICO. If it all goes very wrong, your business could face the disruption and reputational issues of being raided, and potentially having vitally important equipment seized.
- the risk of being fined. Businesses should be alive to the risk of incurring substantial fines from the ICO if there are serious data breaches.
So, all in all, there are various risks of being caught out on data protection, and in ways which aren’t immediately obvious.
How we can help
GL Law offers strategic data protection advice and support to businesses, from taking proactive steps to reduce data protection risks to advising in the event of a data breach. To contact Ed Jaffa please call 0117 906 9253 or email email@example.com. Alternatively, please complete our contact form.