£3m pay out for “Crazy Miss Bonkers”

By Philip Brining

Data, like everything in life eventually reaches the end of its usefulness – it becomes un-necessary to fulfil or support the purpose for which it was collected. It’s a natural part of the data lifecycle. Unavoidable. And at that point it should be destroyed – properly. Within the Data Protection Act 1998 the 5th and 7th data protection principles cover this point: the 5th principle states that data should be kept for no longer than is necessary to fulfil the purpose for which it was collected, and the 7th principle obliges data controllers to utilise appropriate technical and organisational measures to keep data secure. An organisational measure might be to log, clearly mark-up, segregate and keep secure all hard disks awaiting destruction, and a technical measure might be to smash redundant hard disks into oblivion! I’ve witnessed such a process and it is immensely satisfying. There are several companies offering such a service and will bring a mobile unit to your site and totally destroy hard disk media by smashing it to bits with a compressed air-powered machine. Be sure that you don’t destroy any data accidentally in the process otherwise that too would be a breach of the Data Protection Act!

In the news last week was a £3m pay out for a former banker who was successful in a sexual discrimination case against her employer. Her argument was pretty well supported by information obtained via a Subject Access Request (SAR) – one of the rights a data subject has in accordance with the 6th Data Protection Principle. Svetlana Lokhova was supplied with a range of documents in which she was described by her male colleagues as “Crazy Miss Cokehead” and “Miss Bonkers”. The comments were generally contained in emails many of which were from Ms Lokhova’s line manager to others in the bank and even to clients. In one email, her boss told a client, “We are all quaking here awaiting arrival of Ms Cokehead in a puff of sulphurous smoke”.

Once comments of this nature are contained within a data system they are very difficult indeed to find and destroy. Most email systems helpfully retain deleted emails in a “deleted emails” folder and of course an email will at least be in one “sent items” folder and one “Inbox”. It is an offence to deliberately delete information relevant to a SAR once a SAR has been received – but not only is it good practice but it is an obligation under the DPA to destroy once it is past its useful life.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021