News of the World - Lessons to be learned
Updated August 2011
The hacking scandal at the News of the World has dominated headlines in recent weeks. It is clear that there has been widespread disregard for privacy rights and data protection laws, with journalists and private investigators hacking into voicemail accounts, 'blagging' private information and paying for the unlawful disclosure of data by police and other trusted organisations.
These practices are, of course, shocking, but what is perhaps even more surprising is that it has taken so long for them to be exposed and investigated. As long ago as 2006, Richard Thomas (then the Information Commissioner) published a report, 'What Price Privacy?', which highlighted the unlawful trade in personal information (in particular by journalists and private investigators) and called for a custodial sentence for such activities.
Although the power to impose custodial sentences is now on the statute books, the implementing legislation to bring it into force has not yet been forthcoming. This is seemingly due to pressure put on government by the media, who have expressed concerns about restrictions on freedom of expression. In the wake of the current scandal, the Information Commissioner (Christopher Graham) is again calling for the custodial sentencing powers to be brought into force.
What is not yet clear in the News International context is how far up the organisation knowledge of illegal activities went. Rupert Murdoch, James Murdoch, Rebekah Brooks and Andy Coulson have all categorically denied any knowledge of illegal phone hacking activities. From a legal perspective, however, not having knowledge of privacy breaches is no defence for senior managers and directors who are responsible for ensuring that proper procedures and practices are in place.
Both the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA) (the latter being the Act under which illegal voice hacking activities are caught) contain express provisions which make it clear that senior managers remain on the hook if they ought to have known about and prevented illegal activities. Section 61 of the DPA provides as follows:
'Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.'
There are similar provisions in RIPA. Denying all knowledge of illegal activities is not therefore a 'get out of jail free' card. Directors and senior managers are advised to take stock of their internal privacy compliance arrangements and satisfy themselves that these are sufficient to prevent significant data breaches, so that if a breach does occur they will not be personally liable due to their 'neglect'.
The News of the World revelations highlight the need for organisations to ensure that there is real accountability for privacy compliance at all levels. The underlying culture of an organisation is key. If the message from senior management is to 'get the job done' with no questions asked about the means of obtaining results, disregard for the law can very easily become the norm.
So, what lessons can be learned from the News of the World saga? Firstly, responsibility for privacy compliance needs to start at the top and drill down to all parts of an organisation. This requires a holistic approach to compliance, including:
- Ensuring that policies are regularly reviewed and updated;
- Ensuring that appropriate training is provided to all employees who handle personal data;
- Carrying out regular internal compliance reviews;
- Making breaches of privacy policies a disciplinary offence.
Perhaps most importantly, the method of implementing policies and training programmes needs to be tailored to the individual organisation so that key messages are communicated effectively. This will allow staff to understand both their personal obligations and the wider obligations of the organisation as a whole.
Finally, and on a slightly separate note, it appears to have been astonishingly easy for journalists and investigators to obtain personal details by simply telephoning organisations and 'blagging' (i.e. pretending to be the individual in question). This highlights a serious shortfall in security procedures to verify the identity of callers. All organisations that handle personal data should ensure that they have robust identification procedures in place before any personal details are disclosed in telephone calls.
If you would like more information about TLT's privacy compliance review service and compliance implementation packages, please contact Alison Deighton.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016