Kelsey Farish

Silent Witness: silent on data protection officers

January 22, 2018 | October 22, 2020 | Kelsey Farish | 1 comment
Silent Witness is a BBC crime drama about a team of forensic pathology experts and their investigations into various crimes – it’s a bit like American hit shows Bones and Law & Order. In a recent episode, a cyber hacker steals the files of 30,000 patients from a hospital, and then extorts the hospital for payment. As medical secrets are leaked, several murders are tied to the data breach.

In addition to the criminal investigations, boardroom drama ensues when the hospital chief is questioned about the (apparently awful) cyber security firm he selected. It was at this point that I turned to my husband in disbelief and said, “where on Earth is the hospital’s data protection officer!?”

Of course, television dramas are entitled to their artistic licence. I’m not sure data protection officers make for enthralling plot devices, if I’m honest. But shows like this demonstrate just how mainstream data breaches, cyber security and hacking personal data have become. In fact, many non-lawyers are now familiar with at least some concept of data protection legislation.

With just four months to go until the new General Data Protection Regulation (“GDPR”) comes into effect and replaces the Data Protection Act 1998, here is a reminder as to when a private organisation is required by law to have a data protection officer (“DPO”).

[Image caption: not pictured: the data protection officer]

Firstly, the GDPR applies to all organisations within the European Union which collect, handle, process or store personal data. Under Article 37, DPOs are mandatory for private organisations – to include private hospitals and the Lyell Centre of forensic pathology on Silent Witness, presumably – whose core activities include either of the following on a large scale:

  1. regular and systematic monitoring of data subjects; or
  2. processing special categories of data, or data relating to criminal offences.

Unhelpfully, the GDPR provides little explanation as to what this actually means, and several of the terms used above are not defined by the law itself. It is important to remember that it’s not only businesses confused about compliance: uncertainty and ambiguity are key complaints from lawyers, too. The Article 29 Working Party (“WP29”), a European Union advisory body, does however provide guidance on practical interpretation of the GDPR:

  • “Regular and systematic monitoring” means all forms of tracking and profiling on the internet, as well as credit scoring and location tracking. This includes using behavioural advertising practices and website cookies.
  • “Special categories of personal data” includes racial or ethnic origins, political opinions, religious or philosophical beliefs, and “data relating to criminal offences” is rather self-explanatory. Due to the sensitivity of this information, the GDPR requires additional protections for processing such data.
  • “Core activities” are the key operations necessary to achieve the organisation’s goals or primary objectives, usually within a commercial context. For example, processing data for payroll and employment purposes is considered “ancillary” activity, rather than a core activity. Conversely, a hospital needs to process patient health data to provide healthcare services safely and effectively. This is a key objective for the hospital, so processing should therefore be considered a core activity.
  • “Large scale” processing operations are those which involve a considerable amount of personal data at regional, national or supranational level, or those which concern a large number of data subjects. Again, “large scale” is a term not defined by the GDPR, but an organisation should consider the number of data subjects, the volume or range of data items, and the geographical extent.

From a practical perspective, failure to manage data security policies under proper care and supervision may leave an organisation vulnerable to certain operational risks. In addition to financial penalties and regulatory sanctions (up to €10 million or 4% of annual turnover), a company should consider the non-financial harm a data breach can cause. These often include reputational damage, loss of customer good will, and the costs of litigation associated with a company’s failure to protect personal data.

To be fair, the Silent Witness episode in question aired only last week, well in advance of the GDPR implementation date of May 25th. But after the regulations come into effect this spring, perhaps BBC scriptwriters will entertain the idea of writing the role of a DPO into some of their shows. Who knows – doing so might even inspire a young viewer to consider data protection careers…

Tags: cyber crime, data protection, data protection officers, DPOs, GDPR, Silent Witness

One comment

  1. practicejack says:
    January 24, 2018 at 2:58 pm

    I thought the same thing
