What are your rights if you are ‘named and shamed’?
A restaurant in Cardiff recently hit the news after its owner took to Twitter when a customer missed her reservation. The screenshot of the booking, posted on Twitter, revealed the customer's name, telephone number and email address. Not only did the post disclose her personal details, but it also triggered a torrent of abuse from other users of the social media site.
When that prospective diner made her reservation, she likely didn't bank on her personal information being shared all over the Internet. And, while diners who don't show up are undoubtedly a genuine problem for restaurants, the owner's decision to 'name and shame' the customer wasn't just poor etiquette, it was a serious violation of her privacy.
We live in a world in which we've grown accustomed to sharing our personal information with relative ease - be it on social media sites, through online shopping, or even making a reservation at a restaurant. Unfortunately, this means we are sometimes at risk of that information being shared or used in ways that are inappropriate, or even illegal. So what happens when you become the victim of a data breach?
The use of personal data is currently governed by the Data Protection Act 1980. This Act is designed to protect the storage of personal data, and its rules apply to any organisation, public or private, that has access to third-party data. While data seems like a very technical term, it actually covers all manner of personal information - from things such as name, address, or ethnicity, to more sensitive material such as religious beliefs, expressions of opinion, and sexual orientation.
The Data Protection Bill is currently making its way through Parliament in order to better protect people who share their data. It is intended to update British law, paralleling the EU's incoming General Data Protection Regulation. This modernisation is a response to the ever-increasing amount of data that is processed, and according to Government, it will strengthen regulations, with tougher sanctions for breaches.
Those sanctions are implemented by the Information Commissioner's Office (the ICO). The ICO is an independent body that investigates breaches - any individual can report a concern to the ICO, and it will be looked into. The ICO has a range of tools open to it - it can serve enforcement notices, conduct audits, and most notably, it has the power to impose fines of up to £500,000.
Further, when a breach is so serious as to constitute a criminal offence, the ICO can take the matter to court. Recent examples of those prosecuted include a nurse who inappropriately accessed patient files, and a counsellor who sent details of vulnerable clients to his personal email address - data breaches can occur in many different ways, and the consequences can be severe.
However, the ICO does not have the power to award compensation to those who have been directly affected by a data breach. In a case like that of the restaurant reservation, where the violation was not only intentional but also arguably malicious, a victim may want to take further action. If the ICO has found an organisation guilty of a data breach, lawyers can work with the evidence that it provides to take private legal action. It isn't strictly necessary to go to the ICO first, but its findings can strengthen any claim made.
When you supply your information to an organisation, you trust that that information will be used and stored appropriately. This isn't just a social nicety - it can constitute a legal relationship. The organisation has a duty to you. If that duty is breached, and that breach causes you to suffer a loss, you may be entitled to compensation.
This suffering can be both financial and emotional. In 2015, a group of people brought a successful claim against Google after learning that the company had used their personal information to create targeted advertisements. This was deemed to be misuse of private information. The claimants suffered no financial loss - their claim was based purely on the fact that knowledge of third party access to private information caused them to feel distress and anxiety.
While the customer whose information was shared on Twitter might not necessarily have incurred a financial loss, she was subject to abusive comments from other people online. If this caused her distress, or anxiety, she could be entitled to damages to cover that loss.
In this case, the abuse may well be considered as an aggravating element of the data breach, but online abuse can constitute a separate criminal offence. "Trolling" - the abuse of individuals online - can be prosecuted under the Malicious Communications Act 2003. The threshold for prosecution is high, but with cybercrime on the increase, more measures are being taken to protect victims of online abuse. Another recent cybercrime phenomenon is "doxxing" - the publication of personal information that encourages harassment or criticism of the individual to whom it relates. Perpetrators can be charged under the Serious Crime Act 2007 - naming and shaming can in effect be a criminal offence.
Violations of your right to privacy are extremely serious, and the consequences can be too. If you think you've been the victim of a data breach, you can contact the ICO, or get in touch with a lawyer. It's easy to become desensitised to the importance of protecting your information, but if something as simple as making a dinner reservation can lead to a stream of online abuse, it shows that when it comes to data protection, it's important to know your rights.