0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

data protection disaster

8 October 2010

Data protection, or, more accurately a lack of it, has dominated the headlines recently. Law firm ACS:Laws website was attacked by the anonymous masses of infamous web community "4chan" in retaliation for its pursuit of alleged illegal file-sharers. The attack took the site offline and exposed the names and addresses of 5,300 people who are thought by ACS:Law to have been illegally sharing pornographic films. It later surfaced that a further list of 8,000 Sky and 400 PlusNet broadband customers had also appeared online.

The UKs Information Commissioner, Christopher Graham, is now investigating the leak and will be asking questions about how secure the information was and why it could be accessed so easily.

The Data Protection Act 1998 (DPA) requires those who process and store personal information to use appropriate technical and organisational measures, such as encryption and firewalls, to ensure that personal data is not lost or destroyed.

As of 6 April 2010 the Information Commissioners Office (ICO) has been granted extensive powers to assist its role as data protection watchdog. Companies can now be fined up to £500,000 for serious breaches of the DPA. Given the volume and distressing nature of the personal information that was leaked it seems likely that a fine near to the maximum may well be imposed.

ACS:Law obtains personal information from Internet Service Providers (ISP) by the use of Norwich Pharmacal orders. These orders require a respondent to disclose certain documents or information to the applicant. The respondent must be a party who is involved or mixed up in a wrongdoing, whether innocently or not, and is unlikely to be a party to the potential proceedings. Whilst applications for these orders can be opposed, ISPs have generally taken a "dont agree but wont oppose" stance. This approach has led to these orders being widely used (and some may say abused) with increasing regularity in recent years. However, having now seen the dramatic financial and reputational damage that can be caused by a data leak, change is in the air.

BT, owner of ISP PlusNet, which has faced criticism this week after it was found to have sent personal data in an unencrypted document to ACS:Law, is now leading the resistance. Earlier this week BT announced it is seeking a moratorium on all pending Norwich Pharmacal applications until a "test case" can be heard in January next year. Competitors Virgin Media, Talk Talk and Zen have followed suit by saying that they will refuse to disclose any further customer details until the test case has been heard.

The test case involves a Norwich Pharmacal application made by law firm Gallant Macmillan, who are seeking to obtain the names and addresses of a large number of broadband users from PlusNet, BSkyB and Be Internet suspected of illegally downloading and sharing music from the nightclub and record label The Ministry of Sound. The case was set to be heard on the 4 October 2010, however BTs lawyers asked for an adjournment, arguing that the firm needed to see details of the security system that would be used to store its customers data before it could comply with any order.

There is no doubt that public confidence in the current process has been shaken by the ACS:Law data leak. It is likely that broadband subscribers will expect their ISP to ensure more robust protection of their personal information in the future.

The whole debacle has highlighted the vital importance of taking proper data protection precautions, such as:

  • Protecting all computers and mobile devices with strong alpha-numeric passwords;
  • Encrypting any personal information held electronically if it will cause damage or distress if it is lost or stolen;
  • Ensuring all the personal information on old computers has been securely removed (by using technology or destroying the hard disk) before disposing of them;
  • Shredding all confidential paper waste; and
  • Installing firewalls, virus checkers and anti-spyware on all computers.

Browne Jacobson can offer bespoke on-site training and a full data protection audit to ensure you are complying with the terms of the Data Protection Act 1998.

training and events

14Oct

ISBL regional Conference Sheffield

Browne Jacobson’s Associate Sophie Jackson discusses the rise in growth of SEN and the impact of this on schools. Please note that this event was postponed from June 2020.

View event

4Mar

ISBL regional Conference Park Regis Hotel, 160 Broad St, Birmingham, B15 1DT

Browne Jacobson’s Associate Philip Wood discusses the rise in growth of SEN and the impact of this on schools. Please note that this event was postponed from May 2020.

View event

focus on...

Guides

Executive pay setting in school trusts

For many years now the Education and Skills Funding Agency (ESFA) have written to academy Chairs asking for justification and rationale on executive pay. School trusts have reached out to us for advice to help them meet their obligations within the Academies Financial Handbook.

View

150th Anniversary of State Education – Lessons Learned: reflections of 12 former Secretaries of State

Our on-demand video was hosted by the BBC’s Education Correspondent Branwen Jefferys with special guests including Baroness Nicky Morgan, Kenneth Clarke QC, Michael Gove, Justine Greening and Lord David Blunkett discussing past successes of education, the unintended consequences of past policy, and to envision what still remains to be done.

View

150th anniversary of State Education – looking back, moving forward

Watch our on-demand video where we joined the Secretary of State for Education, the Rt Hon Gavin Williamson, Dame Julia Cleverdon, Sir Michael Barber and the recently appointed President of the CBI Lord Karan Bilimoria to launch a year of celebration for those delivering education.

View

Legal updates

What is a higher education course for the purposes of access to the Office of the Independent Adjudicator’s (OIA) complaints process?

The Office of the Independent Adjudicator’s (OIA) has recently published a reminder of its remit in relation to dealing with complaints, which is a timely reminder as the new academic year begins.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up



Select which mailings you would like to receive from us.

Sign up