Monthly Archives: September 2017

Weekly Roundup: lack of data protection budgeting among UK businesses; international resolution to secure transparency among subcontractors; fine for ex-council worker

1 in 5 UK businesses have no data protection budget – compared to 4 in 5 local authorities

GDPR Budget

A report by international email management company Mimecast states that a fifth of surveyed UK businesses do not have a specific budget dedicated to information security or data protection – a source of great concern ahead of the stringent General Data Protection Regulation (GDPR) in May 2018.

Over 80% of councils were found to have no funding towards meeting mandatory GDPR requirements

This reinforces the concerns over the information provided in response to a FOI request by M-Files Corporation in July, which found that four out of five councils had, at that time, yet to allocate funding towards meeting the new requirements of the GDPR. That research also found that 56% of local authorities contacted had still not appointed a data protection officer despite this being mandated by GDPR.

That such a substantial proportion of businesses have no explicit budgetary or financial commitment to combatting cybercrime and personal data abuse may be particularly unwelcome news to proponents and enforcers of the new GDPR. The Information Commissioner’s Office, the independent data protection authority, has been working hard over the last year to publicise and prepare British organisations for the impending legislation.

The lack of data protection budgeting is compounded by Mimecast’s findings that many UK businesses may not be monitoring their data efficiently. For instance, 15% of the surveyed organisations stated that they did not know whether they had suffered a data loss incident during the last year or not. 27% blamed human error for previous losses, which would indicate that a large number of organisations will need to start taking employee data protection and handling training much more seriously.

44% of the surveyed organisations suspect that their email system contains personal sensitive information as defined under the GDPR, but only 17% of them believed that this information could be retrieved immediately. The average amount of hours it would take British organisations to track down sensitive personal information was calculated as 8.

The report suggests that a significant number of organisations are very underprepared for the increased responsibility and accountability demanded by the GDPR. For help and information on preparing for the GDPR, see the Data Compliant main site.

10^th International Conference of Information Commissioners (ICIC 2017) resolves to tackle difficulties of access to information on outsourced public services

The Information Commissioner’s Office (ICO) has confirmed a resolution on international action for improving access to information frameworks surrounding contracted-out public services, a system which has seen increased use throughout Europe, and rapid growth in the UK since 2010.

Challenges have been arising for a couple of decades concerning the transparency of information about the “new modes of delivery for public services.” This is often because the analysis of the efficacy of subcontracted services can be rendered difficult when, due to the principle of competition in the private sector, certain information – particularly regarding the production process of public services – can escape public scrutiny on the grounds of the protection of commercial confidentiality.

The International Conference, jointly hosted by Information Commissioner Elizabeth Denham and Acting Scottish Information Commissioner Margaret Keyse, was attended by Commissioners of 39 jurisdictions from 30 countries and seven continents. The resolution was passed in Manchester on 21^st September following dialogue with civil society groups.

The resolution highlights the “challenge of scrutinising public expenditure and the performance of services provided by outsourced contractors” and “the impact on important democratic values such as accountability and transparency and the wider pursuit of the public interest.”

The Conference summarised that the first step to be taken would be the promotion of “global open contracting standards,” presumably as a means of garnering consensus on the importance of transparency in this regard for the benefit of the public, researchers and policy-makers. A conference working group is to be formed to “share practice about different initiatives that have been developed to tackle the issue.”

The event lasted two days and ran with the title: ‘Trust, transparency and progressive information rights.’ Contributions were heard from academics, journalists, freedom of information campaigners and regulators.

Access to information on the grounds of individual rights and the safeguarding of public interests will be strengthened by the provisions of the GDPR. This resolution provides a reminder and opportunity for organisations working as subcontractors to review the ways in which they store and handle data. Transparency and accountability, longer considered in any way contradictory, are key watchwords for the clutch of data protection reforms taking place throughout the world. Many organisations would do well to assess whether they are in a position to meet the standards of good governance and best practice regarding data management, which will soon become a benchmark for consumer trust.

Ex-employee of Leicester City Council fined for stealing vulnerable people’s personal information

The ICO has confirmed the prosecution of an ex-council worker for unlawfully obtaining the personal information of service users of Leicester City Council’s Adult Social Care Department.

Personal data, including medical conditions, care and financial records were “unlawfully” obtained by an ex-council worker

The personal details of vulnerable people were taken without his employer’s consent, and breached the current Data Protection Act 1998. 34 emails containing the personal information of 349 individuals, including sensitive personal data such as medical conditions, care and financial details and records of debt, were sent to a private email address prior to the individual having left the council.

The ICO’s Head of Enforcement Steve Eckersley stated, “Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”

Harry Smithson 29th September 2017

Data Compliant News Blog: Cyberattack threatens over 400,000 British consumers, Data Protection Bill 2017 published and fines levied on councils mishandling data

Leave a reply

Equifax data breach – hackers may have access to hundreds of thousands of British consumers’ personal details

The Information Commissioner’s Office (ICO) is investigating a hack on Equifax, a large credit rating agency based in Atlanta, USA, to find out whether and to what extent the company’s British consumers’ personal details have been obtained by the hackers. The FBI is also said to be monitoring the situation.

The cyberattack, reported earlier this month, occurred in May and July. The company has already admitted that 143 million American customers’ personal details have been obtained by the hackers.

400,000 UK customers may be affected by Equifax breach

The US information that the hackers may have accessed includes names, social security numbers, dates of birth, addresses and driving licence details, as well as over 200,000 credit card numbers.

The ICO told Equifax that the company must warn British residents of the data breach and inform them of any information relating to them which has been obtained by the cyber attackers. The credit agency promptly issued alerts to the affected Britons, stating however that an ‘identity takeover’ was unlikely.

Britons would do well to be mindful that, once a hacker has name, date of birth, email addresses, and telephone numbers, it takes little effort to acquire the missing elements, which is why the ICO has warned members of the public to remain vigilant against unsolicited emails and communications. They should also be particularly wary of unexpected transactions or activity recorded on their financial statements.

Shares in Equifax saw considerable reductions throughout the week, and two of the company’s senior executives, the Chief Information Officer and Chief Security Officer have resigned with immediate effect..

The Data Protection Bill 2017, which includes GPDR, has been published

GDPR is included in its entirety in the UK’s Data Protection Bill 2017, now going through Parliament

On 14^th September, the Department for Digital, Culture, Media and Sport published the Data Protection Bill 2017. The Bill has been anticipated since the Queen’s speech in June, in which the government outlined its plan to implement the European-wide data protection game-changer GDPR into British law.

Culture secretary Karen Bradley explains: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit. In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”

While the Bill inculcates the GDPR, and therefore provides the basis for data-sharing and other adequacy agreements with the EU after Brexit, the government has stated that it managed to negotiate some ‘vital’ and ‘proportionate’ exemptions for the UK.

Some of the exemptions are provided for journalists accessing personal data to expose wrongdoing or for the good of the public; scientific and research organisations such as museums if their work is hindered; anti-doping bodies; financial firms handling personal data on suspicion of terrorist financing; money laundering; and employment where access may be neededs to personal data to fulfil the requirements of employment law.

The second reading of the Bill in Parliament will take place on 10^th October, after which a general debate on Brexit and data protection takes place on the 12^th.

As yet, there have been few critics of the proposed legislation outside certain industries whose use of big data makes them particularly susceptible to possible data protection breaches and massive fines (£17m or 4% annual global turnover). Some industry leaders have called for exemptions, including the private pension giant Scottish Widows, who claimed GDPR-level regulations would make it impossible for them to contact some of their customers without breaking the law. However, according to the government, 80% of Britons do not believe that they have control over their information online, and the Bill enjoys widespread support at this point. The Shadow Cabinet has yet to offer any official response or criticism.

Islington Council fined £70,000

The Information Commissioner’s Office (ICO) fined Islington Council £70,000 for failing to secure 89,000 peoples’ personal information on an online parking ticket system.

Design faults in the Council’s ‘Ticket Viewer’ system, which keeps CCTV images of parking offences, compromised the security of 89,000 peoples’ personal data. Some of this data is under the category of sensitive personal information, e.g. medical details disclosed for the sake of appealing against a parking fine.

Harry Smithson 23rd September 2017

Data Protection Weekly Roundup: GDPR exemption appeals, gambling industry exploitation scandal, cyber attacks and data breaches

Corporate pensions company Scottish Widows to lobby for specific exemptions from the General Data Protection Regulation ahead of EU initiative’s May 2018 introduction.

Scottish Widows seeks derogations in relation to communicating with its customers in order to “bring people to better outcomes.”

The Lloyds Banking Group subsidiary Scottish Widows, the 202-year old life, pensions and investment company based in Edinburgh, has called for derogations from the GDPR.

A great deal has been written across the Internet about the impending GDPR, and much of the information available is contradictory. In fact many organisations and companies have been at pains to work out what exactly will be expected of them come May 2018. While it is true that the GDPR will substantially increase policy enforcers’ remits for penalising breaches of data protection law, the decontextualized figure of monetary penalties reaching €20 million or 4% of annual global turnover – while accurate in severe cases – has become something of a tub-thump for critics of the regulation.

Nevertheless, the GDPR is the most ambitious and widescale attempt to secure individual privacy rights in a proliferating global information economy to date, and organisations should be preparing for compliance. But the tangible benefits from consumer and investor trust provided by data compliance should always be kept in sight. There is more information about the GDPR on this blog and the Data Compliant main site.

Certain sectors will feel the effects of GDPR – in terms of the scale of work to prepare for compliance – more than others. It is perhaps understandable, therefore, why Scottish Widows, whose pension schemes may often be supplemented by semi-regular advice and contact, would seek derogations from the GDPR’s tightened conditions for proving consent to specific types of communications. Since the manner in which consent to communicate with their customers was acquired by Scottish Widows will not be recognised under the new laws, the company points out that “in future we will not be able to speak to old customers we are currently allowed to speak to.”

Scottish Widows’ head of policy, pensions and investments Peter Glancy’s central claim is that “GDPR means we can’t do a lot of things that you might want to be able to do to bring people to better outcomes.”

Article 23 of the GDPR enables legislators to provide derogations in certain circumstances. The Home Office and Department of Health for instance have specific derogations so as not to interfere with the safeguarding of public health and security. Scottish Widows cite the Treasury’s and DWP’s encouragement of increased pension savings, and so it may well be that the company plans to lobby for specific exemptions on the grounds that, as it stands, the GDPR may put pressure on the safeguarding of the public’s “economic or financial interests.”

Profiling low income workers and vulnerable people for marketing purposes in gambling industry provokes outrage and renewed calls for reform.

The ICO penalised charities for “wealth profiling”. Gambling companies are also “wealth profiling” in reverse – to target people on low incomes who can ill afford to play

If doubts remain that the systematic misuse of personal data demands tougher data protection regulations, these may be dispelled by revelations that the gambling industry has been using third party affiliates to harvest data so that online casinos and bookmakers can target people on low incomes and former betting addicts.

An increase in the cost of gambling ads has prompted the industry to adopt more aggressive marketing and profiling with the use of data analysis. An investigation by the Guardian including interviews with industry and ex-industry insiders describes a system whereby data providers or ‘data houses’ collect information on age, income, debt, credit information and insurance details. This information is then passed on to betting affiliates, who in turn refer customers to online bookmakers for a fee. This helps the affiliates and the gambling firms tailor their marketing to people on low incomes, who, according to a digital marketer, “were among the most successfully targeted segments.”

The data is procured through various prize and raffle sites that prompt participants to divulge personal information after a lengthy terms and conditions that marketers in the industry suspect serves only to obscure to many users how and where the data will be transferred and used.

This practice, which enables ex-addicts to be tempted back into gambling by the offer of free bets, has been described as extremely effective. In November last year, the Information Commissioner’s Office (ICO) targeted more than 400 companies after allegations the betting industry was sending spam texts (a misuse of personal data). But it is not mentioned that any official measures were taken after the investigations, which might have included such actions as a fine of £500,000 under the current regulations. Gambling companies are regulated by the slightly separate Gambling Commission, who seek to ensure responsible marketing and practice. But under the GDPR it may well be that the ICO would have licence to take a much stronger stance against the industry’s entrenched abuse of personal information to encourage problem gambling.

Latest ransomware attack on health institution affects Scottish health board, NHS Lanarkshire.

According to the board, a new variant of the malware Bitpaymer, different to the infamous global WannaCry malware, infected its network and led to some appointment and procedure cancellations. Investigations are ongoing into how the malware managed to infect the system without detection.

Complete defence against ransomware attacks is problematic for the NHS because certain vital life-saving machinery and equipment could be disturbed or rendered dysfunctional if the NHS network is changed too dramatically (i.e. tweaked to improve anti-virus protection).

A spokesman for the board’s IT department told the BBC, “Our security software and systems were up to date with the latest signature files, but as this was a new malware variant the latest security software was unable to detect it. Following analysis of the malware our security providers issued an updated signature so that this variant can now be detected and blocked.”

Catching the hackers in the act

Attacks on newly-set up online servers start within just over one hour, and are then subjected to “constant” assault.

According to an experiment conducted by the BBC, cyber-criminals start attacking newly set-up online servers about an hour after they are switched on.

The BBC asked a security company, Cybereason, to carry out to judge the scale and calibre of cyber-attacks that firms face every day. A “honeypot” was then set up, in which servers were given real, public IP addresses and other identifying information that announced their online presence, each was configured to resemble, superficially at least, a legitimate server. Each server could accept requests for webpages, file transfers and secure networking, and was accessible online for about 170 hours.

They found that that automated attack tools scanned such servers about 71 minutes after they were set up online, trying to find areas they could exploit. Once the machines had been found by the bots, they were subjected to a “constant” assault by the attack tools.

Vulnerable people’s personal information exposed online for five years

Vulnerable customers’ personal data needs significant care to protect the individuals and their homes from harm

Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office for posting genders, addresses, postcodes and care needs of elderly and disabled people in an online directory – without basic security or access restrictions such as a basic login requiring username or password. The data also included details of the individuals’ care needs, the number of home visits per day and whether they were or had been in hospital. Though names were not included on the portal, it would have taken very little effort to identify the individuals from their addresses and genders.

This breach was discovered when a member of the public was able to access and view the data without any need to login, and was concerned that it could enable criminals to target vulnerable people – especially as such criminals would be aware that the home would be empty if the occupant was in hospital.

The ICO’s Head of Enforcement, Steve Eckersley, stated that there was no good reason for the council to have overlooked the need to put robust measures in place to protect the data – the council had financial and staffing resources available. He described the breach as “serious and prolonged” and “totally unacceptable and inexcusable.”

The “Home Care Allocation System” (HCAS) online portal was launched in July 2011, to allow social care providers to confirm that they had capacity to support a particular service user. The breach was reported in June 2016, and by this time the HCAS system contained a directory of 81 service users. It is understood that the data of 3,000 people had been posted in the five years the system was online.

Not surprisingly, the Council offered no mitigation to the ICO. This is a typical example of where a Data Privacy Impact Assessement will be mandated under GDPR.

Harry Smithson, 6th September 2017

	Peebles coupons in s… on GDPR Re-Permissioning needs ca…
	Data Compliant on Queen’s Speech Confirms New Bi…
	Data Compliant’s Wee… on Insider Threats – Charlo…
	Data Compliant’s Wee… on Snoopers’ Charter – What do yo…
	James Middlehurst on Charities and Data Protection…