Computer Law & Artificial Intelligence
DataLoss have a permanent VPN connection to the computer in his Practice and monitor the CCTV images, climate control and lighting on his behalf. Their data systems also manage customer files, finance, client record keeping, eye scans and some basic medical information.
For a long time, Samuel did not ask for consent from his members for processing their data. He takes his members’ personal contact details, glasses prescription information, financial data and some medical information on a paper form. He has always relied on the pen and paper approach and accordingly did not feel that data protection applied. DataLoss provides a consent window, which Samuel uses to input his members’ data into DataLoss’ system, consenting on their behalf without input from them. This data is stored and managed on DataLoss’s servers on their site in Oxford.
Samuel originally signed an agreement that allowed DataLoss total authority over how they handled his data and was committed to a 12-month period. Two weeks ago, DataLoss changed their terms of service and now give him the authority to demand that they delete his members’ data without notice. DataLoss goes on to state “we are now encrypting your clients’ data for their security”. Samuel is concerned that this may not have been done previously.
On advice from an employee of DataLoss, Samuel now asks his members to tick a box on the form that says “I consent to Samuel’s Opticians processing my personal data”. The same employee alerts Samuel that DataLoss also offer an optional ‘AutoHire’ package, which allows their system to autonomously recruit, book and dismiss employees. Samuel is considering purchasing this package.
DataLoss themselves have also had a number of issues they have not disclosed to Samuel or anyone else at this stage.
Edward, the System Administrator, is additionally and unofficially tasked with maintaining DataLoss’ system security. Although he is unpaid for this role, he takes it very seriously, as he believes that DataLoss employs people who are not diligent with cybersecurity. Although he has been informally tasked with this role, Edward has on several occasions been instructed by the Managing Director not to test the company’s security, and has been told that it is absolutely forbidden to take data home or to access work computers from home.
DataLoss suffered a ransomware attack 3 weeks ago at the hands of a notorious UK-based cybercriminal group, ‘Reptile Squad’, causing them to become locked out of their own hard drives and rendering them inaccessible. Edward raised this as an emergency and said that it needed to be reported and dealt with immediately, “as the attackers most likely have access to our clients’ data”. Senior management ignored him, instructed him to remain silent, and paid the attackers to recover their clients’ data quietly. Once access was restored, DataLoss instructed Edward to develop a new system of encryption to ensure it does not happen again.
In an attempt to educate his fellow employees, Edward developed and deployed an invasive and sophisticated piece of spyware to the computers of the Company’s Board of Directors from his home. This allowed him absolute access to the entire network that DataLoss uses, including all their client information and the information held on the computers used by the Board of Directors. Outraged and embarrassed, the Managing Director summarily dismissed him and wants him charged with computer crime offences. In a parting shot to the company, Edward used a trojan horse that he installed prior to leaving his employment (as a contingency plan) to gain entry to and shut down DataLoss’s system for several days.
Advise Samuel and Edward on issues surrounding data protection and computer misuse. Please also consider issues surrounding DataLoss and whether its conduct could impact Samuel’s business.