
Queen’s Speech – Data Reform Bill

In the Queen’s Speech on 10th May 2022, delivered by the Prince of Wales, the Government announced that a Data Reform Bill will be introduced. This follows its September 2021 consultation paper on reforms to the UK’s data protection regime. There is no timetable yet for the bill, but the announcement is encouraging for businesses that want to see less red tape around data protection.

However, there are concerns that following this course may lead the EU to withdraw the UK’s adequacy status. Adequacy status is what allows personal data to flow between the UK and the EEA without additional safeguards, so its loss would increase both the administration and the cost of such transfers.

More details of the Data Reform Bill will be provided over time.  In summary:

Purpose

  • Create a new pro-growth, trusted UK data protection framework 
  • Focus on privacy outcomes rather than box-ticking
  • Protect UK citizens’ personal data to a gold standard
  • Modernise the Information Commissioner’s Office (‘ICO’)
  • Ensure the ICO has the powers it needs to take stronger action against organisations that breach data rules
  • Increase industry participation in Smart Data Schemes (where customer data is shared with authorised third-party providers on the customer’s request).

Benefits

The Data Reform Bill promises benefits both to business and consumers:

  • increase the competitiveness and efficiency of UK businesses
  • enable public services to share data to improve delivery of services
  • enable data to be used to empower citizens and improve their lives, through more effective delivery of public healthcare, security and government services
  • create a clearer regulatory environment
  • enable personal data to fuel responsible innovation and drive scientific progress
  • provide citizens with greater clarity on their rights

More on Data Protection in Queen’s Speech

There are two other noteworthy bills mentioned in the Queen’s Speech:

  • Product Security and Telecommunications Infrastructure Bill, whose purpose is to improve cyber resilience and digital connectivity for individuals and businesses; and make sure that smart consumer products (for example smartphones and televisions) are more secure against cyber attacks.
  • Draft Digital Markets, Competition and Consumer Bill, whose purpose is to “promote competition, strengthen consumer rights and protect households and businesses. Measures will also be published to create new competition rules for digital markets and the largest digital firms.”


Victoria Tuffill

16th May 2022

If you need help with your data protection, or have concerns over current issues, just get in touch.  Have a look at our services.  Or call us on 01787 277742.

Trans-Atlantic Data Privacy Framework

What’s next for data transfers between US and EU?

Agreement in principle

U.S. President Biden and European Commission President Ursula von der Leyen have reached agreement in principle on a new Trans-Atlantic Data Privacy Framework. While this is encouraging, drawing up the detail of the agreement is still likely to take several months.

The White House’s statement set out how the two core issues that led to the previous arrangements (Safe Harbour and Privacy Shield) being struck down by the Court of Justice of the EU have been addressed:

  • intelligence surveillance of EU personal data: the U.S. commits to limit its intelligence gathering to what is necessary “to advance legitimate national security objectives”.
  • an effective remedy for complaints about US authorities’ access to EU citizens’ data: the U.S. proposes an independent Data Protection Review Court, which will include individuals from outside the US government.

Whether these measures will be enough to satisfy the EU is unclear, and will depend on the detail of how these issues will be handled in practice.

What does this mean for the UK?

One ongoing consideration for the UK government is “adequacy decisions”. A UK adequacy decision allows personal data to be transferred from the UK to a country whose data protection standards are judged equivalent to the UK’s, without further safeguards. The government has been considering a number of new adequacy decisions, including one for the U.S.

However, there is a tricky balance between the UK issuing its own adequacy decisions and the effect that may have on the EU’s adequacy decision for the UK: if the UK recognises a country the EU does not, the EU may question whether the UK still offers equivalent protection.

So from a UK perspective, an EU-US data transfer agreement should make it more straightforward for the UK and US to reach their own separate agreement covering UK-US transfers. Alternatively, the UK may adopt an arrangement mirroring the EU-US framework to retain parity with EU law. Watch this space…


Victoria Tuffill

8th April 2022


If you need help with your data protection, or have concerns over data transfers, just get in touch.  Have a look at our services.  Or call us on 01787 277742.


Data Protection and Fingerprints

Under the EU General Data Protection Regulation (GDPR), biometric data is considered special category data, which requires more stringent conditions for processing.  Fingerprints are an example of biometric data, and employers need to consider carefully how and where they use such data.

When processing any personal data, an organisation needs a lawful basis under Article 6 for doing so. For special category data such as fingerprints, one of the additional Article 9 conditions must also be met.

A company in the Netherlands that used fingerprints to monitor its employees’ attendance and time registration was recently fined €750,000.

The company had obtained consent from its employees, but under the GDPR consent must be freely given, which means the individuals must be genuinely able to refuse it. Because of the significant imbalance of power between an employer and an employee, it is difficult for employers to demonstrate that employees had a genuine opportunity to refuse consent.

In this case, some employees had felt obliged to consent, so the Dutch DPA found that the company had no valid legal basis to process the data for this purpose.

Though there may be an appeal, this illustrates the seriousness of processing special category data in a way that is unnecessary or disproportionate.

If you have any questions about biometric data or data protection in general, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Victoria Tuffill, 25th May, 2020


Cybercriminals are increasingly impersonating WHO and the UN

Research by the British security software and hardware company Sophos found that coronavirus email scams tripled in the last week of March, and the volume can be expected to keep rising. Over 3% of global spam is now related to coronavirus, with many of these fraudulent emails impersonating the World Health Organisation or even the United Nations.

Chester Wisniewski, Principal Research Scientist at Sophos, said:

“Cybercriminals are wasting no time in shifting their dirty, tried-and-true attack campaigns towards advantageous lures that prey on mounting virus fears. Criminals often dip a toe in the water when there is a new or sensational topic in the news.”

He described a case in which Sophos tracked an email purporting to come from a WHO address and offering health advice in an attachment. On inspection, the text matched a previous spam campaign from “a familiar criminal”.

While most of these spam operations aim to harvest personal or financial information, some criminals go further.

Extortion campaigns are also being run. Messages sent over social media or email threaten to infect the victim or the victim’s family with coronavirus unless they pay. Because so much personal information is available online and can be assembled into a detailed profile, an attacker who quotes a few accurate details can appear to know everything about the victim. That makes the threat seem credible, and some victims pay.

Other, more sophisticated scammers use HMRC or departmental logos and graphics to extract information from consumers, offering spurious sums of money under the guise of lockdown or furlough relief. In the United States there has been evidence of insurance scams, such as fake COVID-19 health insurance offered at competitive rates.

Scammers and con-artists are sensitive to the news cycle, trends and the current political or economic climate. They often seem persuasive because what they claim appears topical, even though the content has most likely been recycled from an earlier scam built around a different news item.
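The impersonation signals described above (a display name that claims to be the WHO, the UN or HMRC while the message is sent from an unrelated or lookalike domain, and a Reply-To that points somewhere else) can be checked mechanically from the message headers. The following Python script is an added example, not code from the original post or from Sophos; the brand keyword list, the list of genuine sending domains and the three sample messages are all constructed assumptions for illustration.

```python
"""Flag e-mails whose headers impersonate a trusted organisation.

Three header-level signals are checked: a display name that claims a
protected brand while the sending domain is not that brand's, a sending
domain within two edits of the genuine one (e.g. wh0.int for who.int),
and a Reply-To whose domain differs from the sender's.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the scams discussed above impersonate, with the phrases a display
# name might use and the domains they genuinely send from. Both lists are
# assumptions for this example, not an authoritative allow-list.
BRANDS = {
    "WHO": {
        "phrases": ("world health organisation", "world health organization", "who"),
        "domains": ("who.int",),
    },
    "UN": {
        "phrases": ("united nations", "un"),
        "domains": ("un.org",),
    },
    "HMRC": {
        "phrases": ("hmrc", "hm revenue"),
        "domains": ("hmrc.gov.uk", "gov.uk"),
    },
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_genuine(domain: str, genuine: tuple) -> bool:
    """True if domain is one of the genuine domains or a subdomain of one."""
    return any(domain == g or domain.endswith("." + g) for g in genuine)


def assess(raw_message: str) -> list:
    """Return the impersonation indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    name_lower = name.lower()
    flags = []

    for brand, spec in BRANDS.items():
        claims_brand = any(
            re.search(r"\b" + re.escape(p) + r"\b", name_lower) for p in spec["phrases"]
        )
        genuine = _is_genuine(from_domain, spec["domains"])
        if claims_brand and not genuine:
            flags.append(f"display name claims {brand} but sender domain is {from_domain}")
        if not genuine:
            # Lookalike check runs whether or not the display name matches.
            for g in spec["domains"]:
                if 0 < levenshtein(from_domain, g) <= 2:
                    flags.append(f"sender domain {from_domain} is a lookalike of {g}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    return flags


# Constructed sample messages (not real captures).
SPOOFED_DISPLAY_NAME = """\
From: World Health Organization <advice@who-int-alerts.com>
Reply-To: collect@mail-drop.example
Subject: Coronavirus safety measures

See attached health advice.
"""

LOOKALIKE_DOMAIN = """\
From: WHO <alerts@wh0.int>
Subject: Updated guidance

Please read the attached document.
"""

GENUINE = """\
From: WHO Newsletter <noreply@who.int>
Subject: Situation report

Daily situation report attached.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_DISPLAY_NAME),
                          ("lookalike", LOOKALIKE_DOMAIN),
                          ("genuine", GENUINE)):
        print(label, assess(sample))
```

These checks complement, rather than replace, the SPF, DKIM and DMARC results your mail gateway already records in Authentication-Results; a spoofed display name on a fully authenticated throwaway domain is exactly the case DMARC cannot catch. The edit-distance threshold of two is generous for short domains such as un.org and will produce false positives, so in production you would apply it to the registrable domain only and review hits rather than block on them.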

Do not let criminals make you take rash decisions over fear of current market turmoil.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 10th April 2020

Fighting fake science: the Counter Disinformation Cell’s crackdown on coronavirus lies

Claims that gargling water for 15 seconds can cure COVID-19 symptoms, or that holding your breath for a certain amount of time is a valid test for the virus, have made the rounds on social media – with some organisations emailing their employees or clients statements along these lines. As Paymaster General Penny Mordaunt explained, “this is the kind of false advice we have seen coming from sources claiming to be medical experts.”

Following advice from the National Cyber Security Centre, which reported a spike in cyber attacks exploiting the coronavirus in March, the government has stepped up its measures against disinformation, with the Rapid Response Unit operating around the clock from No.10 and the Cabinet Office.

This unit is part of DCMS’s wider Counter Disinformation Cell. So far, the Cell has been working with social media platforms to remove misinformation and, in some cases, to challenge misleading or false statements with direct rebuttals.

Accuracy is one of the data protection principles at the heart of the General Data Protection Regulation (GDPR) (Article 5(1)(d)). While that regulation applies only to personal data, ensuring that your organisation has a robust data policy with accuracy at its core matters not just for data protection compliance, but for the fight against disinformation.

The government is asking the public to help stop the spread of potentially highly dangerous misinformation by following official guidance – the ‘SHARE’ checklist, which entails assessing these things before posting on social media:

  • Source: make sure information comes from a trusted source
  • Headline: always read beyond the headline
  • Analyse: check the facts
  • Retouched: does the image or video look as though it has been doctored?
  • Error: look out for bad grammar or spelling

Harry Smithson, 2nd April 2020

Be wary: the pandemic offers fraudsters a golden opportunity

For responsible citizens like most of us, washing our hands regularly and observing the lockdown measures will be our primary acts of vigilance against the pandemic. But some people will always find ways to exploit exceptional circumstances, and there is a further complication we should be vigilant against, too: fraud.

Coronavirus makes fraud much easier to perpetrate. Panic caused by the pandemic can make us think less clearly, and therefore make us more susceptible to pressure over the phone and to misinterpreting legitimate vs. illegitimate agents.

Here’s an example. You receive a call from someone claiming to be from your mobile network operator. They tell you that your account has been suspended for non-payment because your debit card has expired, and they explain that the operator’s debt collection department is working from home because of coronavirus.

Such a call is not necessarily suspect, but the context makes fraud easy to pull off. The caller does not need to work for the operator to guess that its debt collection department is working from home; that would be external fraud. But there is also scope for internal fraud, in which someone who does work for the operator exploits the weaker controls of a home-working environment to phish for card details.

If something like this happens to you, remember:

  • Don’t be fooled when people apply pressure on you, regardless of context;
  • If someone calls you and it sounds credible, go to their website and make your payment online, or call a number provided yourself;
  • Check whether someone is calling from home or not;
  • Even if the call is legitimate, you may prefer to avoid giving them your card details since they are in an uncontrolled environment;
  • Continue to be alert to emails with links to fraudulent website addresses.

Keep well and stay safe.

Harry Smithson, 26th March 2020

Google’s British service users’ data to get US oversight

Amid perceived (or professed) uncertainty around the UK’s future GDPR adequacy status, Google has opted to move responsibility for its UK users’ data from its EU subsidiary, Google Ireland Limited, to its US parent, Google LLC.

Quoted by outlets such as Reuters and The Guardian, Lea Kissner, Google’s former lead for global privacy technology, said:

“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy. […] Never discount the desire of tech companies not be caught in between two different governments.”

It is important to remember that the UK does not yet hold GDPR adequacy status; whether it gets one is bound up with the current Brexit negotiations. Officially, the Government is seeking adequacy status, and data protection regulation is not expected to be an obstacle to any UK-EU deal.

Harry Smithson, 28th February 2020

European Commission publishes “White Paper on Artificial Intelligence”

19th February saw the release of the European Commission’s white paper on AI, which remains open to public consultation until May. While extolling the virtues of AI, such as its much anticipated roles in fine-tuning medical diagnostics and mitigating climate breakdown, the white paper ranks intrusion and privacy risks among the four main issues facing policy-making on AI; the others it names include opaque and/or discriminatory decision-making and criminal application.

The expected impact of AI uptake on governance, and the resulting contrast with governance systems that lack cutting-edge AI capacity, leads the Commission to argue that a common European framework for AI policy is necessary to avoid “the fragmentation of the single market.”

The paper outlines a largely theoretical “European approach to excellence and trust,” emphasising the requirement for global competitiveness in AI innovation. It states however that “trustworthiness is a prerequisite for [AI] uptake.” For instance, safeguards on law enforcement’s expanded capacities due to AI technology are recommended, though currently not detailed. Much of this trust is purportedly to be garnered by taking the “human-centric approach” to AI application. This approach was explicated in a paper called “Communication on Building Trust in Human-Centric Artificial Intelligence” released by the Commission last year, in which privacy and data governance was among seven “key requirements that AI applications should respect.”

Concrete, technical policies for regulation are more elusive. Both papers reiterate the accuracy requirement for any datasets that feed AI systems, i.e. the need for data integrity, but the requirement for stored personal data to be accurate is already enforced by the General Data Protection Regulation (GDPR), a framework that will remain in UK law after Brexit via the Data Protection Act 2018 and is being emulated around the world. Quite how the Commission’s value system of human-centric ethics will manifest in AI development remains unclear.

Where the white paper on AI is most outspoken is the perceived limitations of current EU legislation to regulate or even conceptualise AI. Changes to the legal concept of ‘safety’ invoked by AI risk and predictive analysis are anticipated; ambiguity concerning responsibility between economic agents in the supply chain may pose judicial quandaries; and there is even a chapter dedicated to the problem of AI indecipherability: if human officials cannot ascertain how an AI programme reached a decision, how can they know whether such a decision was skewed by bias in a dataset? Human oversight of AI development is therefore recommended at each stage of the industrial chain.

Harry Smithson, 21st February 2020

Government expands Ofcom’s role to combat ‘Online Harms’

Online harms can take a variety of forms, privacy violations being among the most notorious. Regardless of how we categorise negative internet user experiences, we know from a recent Ofcom study that 61% of adults and 79% of 12-15 year olds have reported at least one potentially harmful online experience in the last 12 months.

As part of the government’s response to the public consultation on the Online Harms White Paper, DCMS announced on 12th February that Ofcom, the UK’s telecoms and broadcasting regulator, will also be the new online harms regulator. The Home Office and DCMS have been working with the children’s charity Barnardo’s to provide greater protection for vulnerable internet users, particularly children, building on the growing institutional and regulatory oversight of digital services.

Unlike the General Data Protection Regulation (GDPR), whose reach is far wider, the new regime will probably apply to fewer than 5% of UK businesses, as Ofcom will only be responsible for organisations that host user-generated content (comments, forums etc.).

But from a data protection perspective, it’s interesting to see how GDPR terminology and values have shaped this initiative – consider, for instance, former secretary of state Nicky Morgan’s statement on the government’s response to the white paper:

“We will give the regulator the powers it needs to lead the fight for an internet that remains vibrant and open but with the protections, accountability and transparency people deserve.”

We can expect the formal appointment of Ofcom to its new role to come under Nicky Morgan’s recent successor, Oliver Dowden.

In the meantime, the Information Commissioner Elizabeth Denham, head of the UK’s enforcer for GDPR, has welcomed this expanded Ofcom as “an important step forward in addressing people’s growing mistrust of social media and online services.”

She continues, in an ICO press release on the heels of the DCMS announcement, “the scales are falling from our eyes as we begin to question who has control over what we see and how our personal data is used.”

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 14th February 2020

What does the law say about protecting your health and other sensitive data?

Health data, identity theft and fraud are among the most significant concerns in data protection, especially where sensitive personal data is involved. The Information Commissioner’s Office has now published detailed guidance on how data controllers should protect and handle this ‘special category’ data.

Special category data

Special category data is the most sensitive category of personal data. It concerns information on a person’s:

  • health
  • sex life or sexual orientation
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • membership of a trade union
  • genetic data
  • biometric data for uniquely identifying a person such as a fingerprint, or facial recognition

Special care must be taken when processing such data. Because of its sensitive nature, there is a high risk to individuals if it falls into the wrong hands, and the GDPR prohibits processing any of the above categories unless a specific condition applies.

So, in addition to an Article 6 lawful basis, data controllers MUST identify one of the following Article 9 conditions before processing:

  • explicit consent
  • obligations in employment
  • social security and social protection law
  • to protect vital interests
  • processing by not-for-profit bodies
  • manifestly made public
  • establish, exercise or defend legal claims
  • substantial public interest
  • preventative or occupational medicine
  • public health
  • research purposes.

‘Special category’ data must also be given extra levels of security. For example, limiting the number of individuals who may access such data, minimising the amount collected, and applying stronger access controls all help protect the privacy of the individual and maintain the integrity and confidentiality of the data.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742

Gareth Evans, 15th November 2019