In defending personal injury claims, the ability of compensating insurers and their representatives to seek access to the claimant's medical records is often important in enabling claims to be scrutinised and medical evidence to be obtained. However, the implementation of the General Data Protection Regulation and the Data Protection Act 2018 has affected the ability of compensators to obtain access to those records.
It is well publicised that there has been an upward trend in data protection and privacy claims in recent years. There has been a particular increase in claims against small and medium-sized enterprises and unincorporated associations, as reflected by a recent study that suggests that 61% of data breaches affect organisations with fewer than 1,000 employees. As duties on how businesses process data become more onerous, it is vital that they are aware of their obligations and have adequate procedures in place.
The Crown Commercial Service (CCS) has issued a guide to CCS suppliers about the actions which they must take in light of the implementation of the General Data Protection Regulation (GDPR). Under the GDPR, data processors will face direct legal obligations and can be fined by the Information Commissioner's Office for non-compliance. In addition, data processors will face claims for compensation if they fail to comply with their obligations.
The EU General Data Protection Regulation and the incoming Data Protection Bill (UK) will introduce a range of new liabilities into the data protection landscape. Data controllers have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The Crown Commercial Service has published a procurement policy note (PPN) in relation to the new data protection legislation that will be implemented shortly. The PPN highlights the fact that the EU General Data Protection Regulation now strikes a more even balance between data processors and data controllers and requires organisations to act immediately to ensure compliance. As the new legislation will apply to the wider public sector, other public bodies may wish to apply the principles of the PPN.