HIPSSA Project
Support for Harmonization of the ICT Policies
in Sub-Sahara Africa,
TRAINING /DATA PROTECTION LAW
Case Studies on Data Protection Violations
Zambia, August 2013
Gertrude Mukuwa
National Expert on Data Protection
International
Telecommunication
Union
Summary of the Content
•
International case studies on data protection law
violations
•
Reveals the approach of the Data Protection
Commissioner/ Authority
•
Reveals how the Data Protection Act and the
principles are interpreted
Allianz requesting excessive personal
information at quotation stage
(Ireland)
 The insurance agent asked the potential provide her date of
birth and her mother's maiden name for a quote for pet
insurance.
 The data protection law in Ireland provide that personal data
shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are collected or are further
processed
 Following intervention, Allianz confirmed its intention to cease
using its ID verification screen and request for mothers maiden
name at quotation stage.
Unlawful use of CCTV to remotely
monitor an employee (Ireland)
 Complaint to Commissioner - personal privacy was affected in
workplace - inappropriate use of CCTV.
 Phone calls from the employer allegedly described to him what
he had been doing at a particular time.
 Employee said that the CCTV system was installed without
prior staff notification as to the reason for its installation or its
purpose.
 Commissioner noted rule that CCTV be proportionate response
to risk taking into account of the legitimate privacy and other
interests of workers. Furthermore requirement of meeting
transparency staff must be informed – Employer ordered to
cease use of CCTV.
Credit card transaction – use of details from
previous transaction without consent
(Ireland)
 A customer of a car rental company alleged that the company
had used his credit card data – obtained in a previous
transaction – to process a disputed charge without his consent,
and in spite of his objections to the charge
 The specific data protection issue in this case was whether the
rental firm obtained and processed the complainant's credit
card details fairly, with the appropriate level of consent from
the individual.
 Commissioner “credit card data obtained for a particular
transaction cannot be used subsequently for other transactions
without express consent, without violating the ‘fair obtaining’
rule. The principle of transparency and fairness, which are key
tenets of data protection law and practice, apply in this area
just as in any other”
Bank of Scotland – appropriate and
effective security measures (UK)
 5 August 2013
 A monetary penalty notice has been served to the
Bank of Scotland after customers’ account details
were repeatedly faxed to the wrong recipients. The
information included payslips, bank statements,
account details and mortgage applications, along
with customers’ names, addresses and contact
details.
 75 000 pounds monetary penalty
http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/ban
k-of-scotland-monetary-penalty-notice.pdf
NHS Surrey - appropriate and
effective security measures (UK)
 12 July 2013
 A monetary penalty notice has been served on NHS Surrey
following the discovery of sensitive personal data belonging to
thousands of patients on hard drives sold on an online auction
site. Whilst NHS Surrey has now been dissolved outstanding
issues are now being dealt with by the Department of Health.
 A member of the public informed the data controller that he had
purchased a PC with confidential medical information from a
third party company (the “third party company”) via an online
auction site. Files contained confidential sensitive personal data
and HR records including patient records relating to
approximately 900 adults and 2000 children
 200 000 pounds monetary penalty
http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/nhssurrey-monetary-penalty-notice.pdf
Glasgow City Council - appropriate
and effective security measures –
encryption of laptops (UK)
 7 June 2013
A monetary penalty notice has been
served to Glasgow City Council, following the loss of
two unencrypted laptops, one of which contained
the personal information of 20,143 people.
 150 000 pounds penalty
http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/Gla
sgow-city-council-monetary-penalty-notice.ashx
Concluding Thoughts
•
Case studies reveal the approach of the Data Protection
Commissioner/ Authority
•
Reveals how the Data Protection Act and the principles are
interpreted
•
Private and public sector, as data controllers, must assess their
practices against the requirements of the Act
•
A transition period must be applied in the Bill for organisations
to conform their practices
•
Ultimately, it is important that an Authority is established to
enforce the Bill and realise data protection safeguards in
Zambia
Thank You
Questions?
Gertrude M. Imbwae
National Legal Expert on Data Protection