Data blunders can breach human rights, rules ECHR

[lickthewallfatboy]

Data blunders can breach human rights, rules ECHR

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen's personal data. One data protection expert said that the case creates a vital link between data security and human rights.

 

The Court made its ruling based on Article 8 of the European Convention on Human Rights, which guarantees every citizen the right to a private life. It said that it was uncontested that the confidentiality of medical records is a vital component of a private life.

 

The Court ruled that public bodies and governments will fall foul of that Convention if they fail to keep data private that should be kept private.

 

The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention.

 

A Finnish woman worked in an eye clinic where she also received treatment, having been diagnosed as having AIDS.

 

The woman began to suspect that news of her disease had spread to other employees and asked to be shown who had accessed her medical records and when. The health authorities only kept a note of the last five people to have accessed a record.

 

The woman, known in the case as I, sued the District Health Authority for failing to keep her medical records confidential.

 

She lost that case because the court found that there was no firm evidence that her record had been accessed unlawfully. She also lost her appeal, and was refused permission to take her case to Finland's Supreme Court.

 

The Court of Human Rights found that there were privacy laws in place in Finland when the incidents occurred that required medical data to be properly protected. Had these been strictly followed, it found, I's records would have had enough protection.

 

The Court recognised that the Finnish courts did not find in I's favour because she could not prove that her record had been misused, but said that "to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time."

 

"It is plain that had the hospital provided a greater control over access to health records … the applicant would have been placed in a less disadvantaged position before the domestic courts," the Court said. "For [this] Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements."

 

The Court said that the existence of the right to sue if information is disclosed is not the same as protecting privacy in the first place. "What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here," it ruled. "The Court cannot but conclude that at the relevant time the State failed in its positive obligation under Article 8 (1) of the Convention to ensure respect for the applicant’s private life."

 

Data protection law expert Dr Chris Pounder of law firm Pinsent Masons said that the case establishes a vital link between the protection of personal information and a person's entitlement to privacy under human rights law. The European Convention on Human Rights is made into UK law by the Human Rights Act.

 

"The judgment is important because it links security of personal data to the human rights framework," said Pounder. "Organisations have to be proactive in their security practices and procedures. It is not sufficient to say that 'we will do something' security-wise – it will be important to show that that something has been done."

 

The Court awarded I €13,771 in damages and €20,000 in costs.

 

 

 

 

could this also apply to CRA's publicising invalid defaults,if in fact they're permitted to publicise defaults in the first place?

[Undercover-Elsa]

Good point Lickthewallfatboy

And how about getting an address wrong (after 12 years with same bank) sending a SAR bundle TWICE to a neighbours address as my bank did?

Elsa x

[lickthewallfatboy]

perhaps the ECHR is a better option than the poodle regulatory bodies here?

 

that was disgraceful abuse of your data U-E

[Undercover-Elsa]

Ohhh it's all going down in the book of doom, ready for the biggy to the ICO/OFT and everyone else I can think of, including Santa

[Undercover-Elsa]

On the ECHR, I quite agree, in fact if we really looked into it I bet there's a whole bundle of other transgressions that would apply. Worthy of research, methinks.

[lickthewallfatboy]

I agree....research is required

 

get beavering Caggers!!

[Undercover-Elsa]

One area that springs to mind is irresponsible lending, particularly in relation to mental illness/disability or people on benefits. I'll look into that.

[lickthewallfatboy]

good stuff Elsa

[spark1]

You could use in letters etc, Ive used it in a couple of letters, once to Experian to remove information, this is what I included:

 

We further support this notice and exercise my/our rights given to you under Article 8 of the European Convention on Human Rights which is embedded in the UK Human Rights Act (the right to privacy to home life and personal correspondence). With regard to personal data which states “all individuals have the right to have incorrect data about them corrected”.

Spark

[cerberusalert]

From April 2010 the ico have been given powers to fine companies that breach the Data protection Act.

[noomill060]

Unless the level of the fines are very very big with the possibillity of jail time, firms are likely to view such fines just as fees.

[cerberusalert]

There was an interview with one of the ico hierarchy a couple of days ago & on radio 4 this morning & they have been lobbying the government to introduce legislation which includes imprisonment;

ICO consults on privacy protection - Public Service

Linex Legal > Out-Law.com > Information Commissioner enjoys new powers to fine from April 2010

[noomill060]

Good news.

[cerberusalert]

Here is the business case for investing in proactive privacy protection;

Business case for investing in proactive privacy protection

[cerberusalert]

Laws should be tightened to give judges the option to jail people found guilty of serious abuses of personal data, the UK's Information Commissioner has said.

 

BBC NEWS | UK | Calls to tighten data abuse laws

[lickthewallfatboy]

it's about time,too......

[angry cat]

We do not have any Human Rights here in the UK!

 

I hope that Christopher Graham does a better job than Richard Thomas did

[lickthewallfatboy]

zanuliebour would like you to think you have no human rights

 

I don't like the EU one bit,but that doesn't mean I wouldn't use them to slap it right up the goons

[lickthewallfatboy]

bump for any more ideas

[jimdev1976]

How many times have people applied to the CRA's for their credit score and low and behold 2-3 weeks later start receiving letters from DCA's? I believe this issue is a serious case of passing personal data to other institutions so they can then harass the very people who came to them originally for information.

[lickthewallfatboy]

they are hand in glove with each other

[Undercover-Elsa]

...and how many of us start receiving offers from debt consolidation companies after going into dispute with banks?

The address of one that contacted me (by phone..and I'm ex directory, using my full name) was right across the road from the OC, in a business park