Public bodies will be pleased to hear that another significant court decision (Ali v Luton Borough Council [2022] EWHC 132 (QB)) has been made that is favourable to data controllers.
Further to the welcome relief that followed the Supreme Court’s judgment in Lloyd v Google LLC [2021] UKSC 50 and the decisions of the High Court in both Warren v DSG Retail Ltd [2021] EWHC 2168 and Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) (see our update here for a discussion of how these decisions will help to stem the tide of data breach claims), public bodies will be pleased to hear that another significant court decision has been made that is favourable to data controllers.
In Ali v Luton Borough Council [2022] EWHC 132 (QB) (“Ali”), a claim was brought against a local authority on the basis that one of its social workers had accessed a social care database to obtain sensitive information about the claimant which was then disclosed to the claimant's estranged husband with whom the social worker had been in a relationship. The High Court, applying Various Claimants v Wm Morrison Supermarkets plc [2020] AC 989, held that whilst the social worker had gained the opportunity to access the data on an unrestricted basis during the course of her employment, it should not be held liable when the employee went off on a “frolic of her own” by accessing these records for reasons that were unconnected with her role.
The scenario dealt with in Ali is unfortunately not uncommon. Public bodies often have to deal with security breaches that arise as a result of employees accessing records without the proper authority or business reason to do so. The good news is that if the actions of the employee were in no way part of the work in the ordinary course of their employment or to further the interests of the employer and adequate security measures are in place (such as appropriate data protection policies and training for staff, and any restrictions to access that information are necessary), then the employer should be able to avoid liability (either directly or vicariously) for a breach of the data protection legislation.
Robust employment policies and procedures should also be in place to ensure that the unacceptable nature of such conduct is clear and that appropriate consequences will follow. Data protection training for staff and security measures should be kept under regular review.
If this is all done then it will be very difficult for a claimant to obtain damages from a public body for a data breach that occurs as a result of the actions of a rogue employee. Public bodies should therefore thoroughly investigate the cause of any such breach before deciding whether to settle a claim.
Senior Associate
matthew.alderton@brownejacobson.com
+44 (0)330 045 2747
Law firm Browne Jacobson has collaborated with Wiltshire Council and Christ Church Business School on the launch event of The Council Company Best Practice and Innovation Network, a platform which brings together academic experts and senior local authority leaders, allowing them to share best practice in relation to council companies.
In the Autumn Statement delivered on 17 November, rises to the National Living Wage and National Minimum Wage rates were announced, to take effect from 1 April 2023.
Announced in September but scrapped on 17 November the investment zone proposals were very short lived. The proposal has now morphed into the proposal for a smaller number of clustered zones earmarked for investment.
Settlement agreements are commonplace in an employment context and are ordinarily used to provide the parties to the agreement with certainty following the conclusion of an employment relationship.
On 2 November 2022, the Supreme Court handed down its judgment in the much awaiting case of Hillside Parks Ltd v Snowdonia National Park Authority [2022] UKSC 30. The Court’s judgment suggests that the long established practice of using drop-in applications is in fact much more restricted than previously thought. This judgment therefore has significant implications for both the developers and local planning authorities.
In ‘failure to remove’ claims, the claimant alleges abuse in the family home and asserts that the local authority should have known about the abuse and/or that they should have removed the claimant from the family home and into care earlier.
Across the UK, homelessness is an urgent crisis, and one that is set to grow amid the rising cost of living. Local authorities are at the forefront of responding to this crisis, but with a lack of properties that are suitable for social housing across the UK, vulnerable individuals and families are often housed in temporary accommodation.
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
Updates include UK Shared Prosperity Fund, contracts, Subsidy Control Bill, data controller liability, Government Covid-19 procurement and Highway Code revisions.
The complex and rather nebulous transitional subsidy control regime set out in the UK-EU Trade and Co-operation Agreement and the UK’s wider international commitments has made it difficult for public authorities and those working with them to proceed with certainty where subsidies are involved.
Investment zones have been introduced by the Conservative party to get the United Kingdom (UK) ‘working, building and growing’. They are to be designated sites which provide time-limited tax incentives, streamlined planning rules and wider support for local growth to encourage investment and accelerate the development of housing and infrastructure that the UK needs to drive economic growth. Processes and requirements that slow down development will be stripped back with the intention of attracting new investment.
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Three months on from the commencement of the new statutory Integrated Care Systems (ICS) Anja Beriro and Gerrard Hanratty reflect on the main themes and issues that have come from the new relationship between local government and health.