Like any busy solicitor, I receive a number of emails from all manner of people
on a daily basis. Some of them are from clients who need help, while others are
from the other side’s lawyers in a claim we’re handling. Still others fall in
the networking category; some are even from old friends.
Fortunately, very few emails invite my firm to break the law. That, though,
seems to be the effect of one particular email which a colleague received. I do
not propose to identify the sender, and so I won’t even give an extract, but
let’s just focus on one thing, for starters: the spelling! I am more forgiving
than most of poor spelling. I have mild dyslexia, but in this instance it is
indicative of a much deeper problem..
In fact this particular email – a round robin that many other law firms in the
personal injury sector will have received – has more spelling mistakes than
Fernando Torres has goals for Chelsea. In truth, the latter upsets me more.
Torres is a great player but his inability to find the back of the net is a
growing problem for my beloved Chelsea (although the less said about how the
team threw away a 3-0 lead over Manchester United last weekend, the better).
Moving swiftly on... Perhaps its errant spelling is symbolic of how not all is
right with this particular email. Certainly, if it were to be assessed for its
linguistic elegance alone, it would come up wanting. But such things are small
beer compared to what is really wrong with this email, which was sent by a
large claims management company (CMC).
The email seeks to acquire personal injury claims which have stalled, for
whatever reason, so that they can be placed with one of the CMC’s panel of
solicitors. The incentive is a referral fee which, on the face of it, is far
from insubstantial. In fact, it’s some £400 to £500 per case referred.
The problem with this is simple, and it’s to be found in the Data Protection
Act 1998 (the DPA). The DPA contains eight data protection principles, which
apply to anyone who processes personal data. Law firms and CMCs are governed by the Act, which, among other things, stipulates that data must be
processed fairly and lawfully, in accordance with the data subject’s rights and
for limited purposes. ‘Data controllers’ – again, for present purposes, law
firms and CMCs – must be open and honest about how data is used, ensure that
nothing unlawful happens with it, and handle it only in ways that are
reasonably expected.
My question is this. Is it reasonable for a client of any law firm to expect
that his or her data will be passed on to a CMC, in return for a referral fee?
Bear in mind that ‘sensitive personal data’ has an additional level of
protection under the Act; it would include matters of health, which, by
definition, is what is in issue in a personal injury claim.
It seems to me that what this particular CMC is doing is soliciting a breach of
the DPA. Of course, properly conducted law firms will baulk at the suggestion
and refuse to play ball, but there are bad apples in every walk of life and
some may be tempted. As such, this initiative goes to the heart of the malaise
presently afflicting the personal injury sector.
Interestingly, however, harsher penalties are expected for data protection
breaches following a review and new proposals by the European Commission. It is
proposed that fines are to be linked to annual worldwide turnover of up to 2%
(this could be a huge sum, depending on the size of the organisation), or may
be as high as one million Euros for serious breaches. It is also proposed that
the new law will apply to non-EU companies who market to or collect data about
individual citizens based in the EU. Moreover, compulsory notification of
data breaches is to be required: the Information Commissioner’s Office must be
told of data breaches within 24 hours and the individuals affected without
undue delay.
These and other proposed changes mean that data protection law may yet bite
those who refuse to take it seriously.
No comments:
Post a Comment