EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

Transcription

1 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com

2 Janine Regan Associate Janine Regan, a solicitor in the data protection team, advises on global data protection compliance and outsourcing projects for multinationals in sectors such as financial services pharmaceutical, construction and marketing and advertising. Janine is also a Certified Information Privacy Professional for Europe. Very impressive data privacy knowledge Client Tel: +44 (0) Janine.regan@crsblaw.com 2

3 George Willis Associate George Willis, a solicitor in the team, has particular experience in data protection issues relating to the financial services sector, having recently completed a six month secondment at a global investment bank. George balances technical ability with a commercial approach Client Tel: +44 (0) George.willis@crsblaw.com 3

4 EU Data Protection and Information Security for Banking & Financial Service sectors Topics 1. Data Protection in Ts&Cs 2. Disclosing personal data to a foreign regulator / the police / HMRC 3. Principles for the Reporting of Arrears, Arrangement and Defaults at Credit Reference Agencies 4. SARs (incl. Elliott v Lloyds TSB) 5. FS under proposed GDPR 6. Consequences for non-compliance 4

5 1. Data Protection in Ts&Cs

6 Data Protection in Ts&Cs Customer Ts&Cs Consent ICO Guidance: Direct marketing: organisations will need to be able to demonstrate that consent was knowingly given, clear and specific, and should keep clear records of consent Data analytics : the complexity of big data analytics is not an excuse for failing to obtain consent where it is required 09 December

7 Data Protection in Ts&Cs Customer Ts&Cs GDPR Consent to be explicit and opt-in Pre-ticked boxes or continued use of a service not sufficient 09 December

8 Data Protection in Ts&Cs Vendor contracts Don t compromise on data protection provisions Target data breach - millions of customers' credit and debit card information accessed via third party systems 09 December

9 2. Disclosing personal data to a foreign regulator / the police / HMRC

10 Disclosing personal data to a foreign regulator / the police / HMRC You are only required to disclose personal data to a regulator if you are under a legal obligation to do so Example An employer is legally required to disclose details of its employees pay to HMRC in the usual course of administering its PAYE arrangements. The employer may disclose this information irrespective of any objection which an employee may raise. 09 December

11 Disclosing personal data to a foreign regulator / the police / HMRC but they say that the request is to prevent crime / fraud and that under section 29 of the DPA we are required to disclose it Data protection law does not compel the disclosure of personal data 09 December

12 Disclosing personal data to a foreign regulator / the police / HMRC but they say that the request is for regulatory purposes 09 December

13 Disclosing personal data to a foreign regulator / the police / HMRC Under the EU Parliament s version of the proposed general DP Regulation Article 43a(1): No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State Article 43a(2): Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller s representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer of disclosure by the supervisory authority 09 December

14 3. Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies

15 Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies Keith Smearton v Equifax [2013] EWCA Civ 108. The judge held that: 1. Equifax had breached the DPA, in particular the fourth principle (accuracy of data), the first principle (fair processing) and the fifth principle (retention of personal data) on the basis that Equifax had failed to take reasonable steps to ensure the accuracy of its data 2. Equifax owed Smearton a duty of care in tort, which was co-extensive with its duties under the DPA 3. Equifax s breaches of duty caused Smearton loss, in that they prevented Smearton s record company from obtaining a loan in and after mid December

16 Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies Published by the Information Commissioner s Office on 1 Jan 2014 in collaboration with the credit industry, including CRAs and trade associations Purpose is to set out the principles under which information about arrears, arrangements and defaults are filed with the CRAs Addressed to Consumers but will be of interest to regulators, lenders and consumers and their representatives 09 December

17 Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies 1. Data that is reported on a credit file must be fair, accurate, consistent, complete and up to date 2. Should a payment not be made as expected, information to reflect this should be reflected on the credit file 3. If an individual offers or makes a reduced payment, how it is reported will depend on whether it is agreed with the lender 4. If an individual falls in to arrears or does not keep to the revised terms of an arrangement, a default may be recorded to show that the relationship has broken down 5. When an account is closed, the record should properly reflect the closing payment status of the account and any agreement between the parties. 09 December

18 Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies Published September December

19 Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies 09 December

20 4. Subject Access Requests

21 SARs (incl. Elliott v Lloyds TSB) SAR Framework Rights (s7-9a DPA) Personal data (Act vs Durant) Search parameters reasonable and proportionate (Ezsias v Welsh Ministers [2007]), or extensive efforts, leave no stone unturned (ICO)? 09 December

22 SARs (incl. Elliott v Lloyds TSB) Elliott v Lloyds Two key issues Improper purpose? Proportionate search? 09 December

23 5. Financial Services under the proposed general data protection Regulation

24 FS under proposed GDPR GDPR 10 Oct 2014 Council of EU agreed partial general approach on Chap IV GDPR (obligations on controllers and processors) Could be in force by December

25 FS under proposed GDPR Breach Notification Reminder on current position (UK, Germany, Russia, Italy) Articles 31 and 32 GDPR will impose data breach reporting requirements on all data controllers. Data breaches must be notified to the DPA within 72 hours DPA will keep public register Breaches may also need to be notified to the affected individuals 09 December

26 FS under proposed GDPR Obligations on processors Processors required to comply with the GDPR. More of a level playing field with controllers. 09 December

27 FS under proposed GDPR Appointment of DPO Articles 35-37: Mandatory for certain businesses (5000 subjects in consecutive 12-months?) Minimum terms (4 years for internally appointed, 2 for externally) expert knowledge of data protection law 09 December

28 FS under proposed GDPR Fines Up to 5% of annual worldwide turnover or EUR 100m (whichever is greater) DPAs will have the power to investigate organisations without prior notice. 09 December

29 6. The Cost of Non- Compliance

30 Consequences for non-compliance 09 December

31 Consequences for non-compliance 09 December

32 Consequences for non-compliance 09 December

33 Consequences for non-compliance 09 December

34 Consequences for non-compliance 09 December

35 Consequences for non-compliance 09 December

36 Consequences for non-compliance 09 December

37 Consequences for non-compliance 09 December

38 Janine Regan George Willis charlesrussellspeechlys.com