US firm starts microchipping employees – Science fiction or the future?

Microchip reader Yes, you read that correctly. Microchipping employees. And, no, that’s a real headline. A technology company in the USA has been widely reported as microchipping employees in place of their security and identity cards.

The first thing to get out of the way here is that they aren’t implanting an actual, square computer chip. Rather, they insert a tiny implant (the same size as a grain of rice) between an employee’s thumb and forefinger with a syringe. Apparently, removing it is akin to taking out a splinter (ouch?)

Now, apparently, the ‘younger generation’ are most likely to get onboard with this in the future. Well, I’m in my twenties and I’m not tempted in the slightest. Saying that, I hate needles, so that’s a poor starting point…

Looking at the wider picture, we live in a world of fingerprint ID on phones and being able to unlock the latest phone handsets with your own face. So why is an implant so controversial?

is it any wonder that incompetence thrives?

Employers necessarily gather, store and use personal data about applicants and employees and so must comply with the Data Protection Act 1998. Halliday v Creation Consumer Finance Ltd considers what sort of compensation should be awarded if that information is misused. It arose in the context of consumer credit finance. After Mr Halliday bought a new television on credit, there began something of a saga. The credit company, CCF, was ordered to delete the information they held on Mr Halliday and pay him £1500 compensation and costs for breaches of the Act. Initially they mistakenly paid the sum into the wrong bank account, but then made the payment correctly and attempted to get the money back from the bank. When the bank refused, they started proceedings to try to claw back the double payment from both the bank and Mr Halliday. Next, they made a further mistake and passed information to Equifax, with the result that anyone checking Mr Halliday’s credit rating for a period of four months would have seen a debt of £1500 owed to CCF without a credit agreement governing it.
Mr Halliday successfully counterclaimed for these further breaches of the Data Protection Act but was awarded only nominal damages. On appeal to the Court of Appeal, he argued that nominal damages, or even nominal damages plus damages for distress were not an effective remedy. He also proposed that damages for distress should be assessed in the same way as compensation for injury to feelings in discrimination cases (applying Vento guidelines).
Lady Justice Arden, while confirming that that an individual can be awarded damages for distress arising from a contravention of the Act, pointed out that it was “not the intention of the legislation to produce some kind of substantial award”. She remarked that that the breach complained of was a single episode, had not led to any actual damage to Mr Halliday’s reputation and that there was no evidence of injury to feelings or distress over and above what might normally be expected “from frustration at these prolonged and protracted events”. In the circumstances nominal damages of £1 plus £750 for distress were “appropriate and sufficient”. She went on to reject any analogy with discrimination claims which, she said, are liable to involve distinct and well-known distress to the complainant.
In the meantime the Information Commissioner is doling out swingeing fines for data protection breaches.

how to deal with subject access requests

On 8 August 2013 the Information Commissioner’s Office published a new Subject Access Code of Practice. The 58 page guide offers a great deal of practical information concerning how to deal with requests.

It is comprehensive and commendably straightforward and, as such, it’s essential reading and reference for anyone who has to deal with subject access requests.

Introducing the Code the Information Commissioner, Christopher Graham, said:
We are all being asked to provide organisations with more and more information about ourselves and subject access requests are a useful tool for keeping control of our data. They can be particularly important when checking your credit rating or applying for a loan, but the ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.
Handling subject access requests correctly can also benefit organisations by highlighting errors and helping them to make sure the information they are using is accurate and up-to-date
Our new subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect. This can only be a good thing for organisations and consumers.
The Code attempts to tackle the thorny question of whether there is an obligation to comply with a subject access request when the person making the request is contemplating or has already commenced legal proceedings. My view, based on my experience of the rules concerning disclosure of documents in civil proceedings is that making such a request with the express purpose of securing “back door disclosure” is an obvious and plainly unacceptable abuse of the process. Why have court rules concerning disclosure if they can effectively be disregarded by utilising the subject access procedure?
Unsurprisingly the Information Commissioner disagrees.