Category Archives: EU Data News

ICO updates Subject Access Requests (SARs) advice for data controllers following Court of Appeal decisions

Leave a reply

The Information Commissioner’s Office (ICO) has updated its ‘Code of Practice on Subject Access Requests’ chiefly in response to several Court of Appeal decisions made earlier this year related to SARs. Under the Data Protection Act 1998, individuals (‘data subjects’) may request access to their personal information held by a ‘data controller.’

These requests for information are called SARs, and can range from the request for specific or limited information to the request for the entirety of held information including why it is held and to whom it may have been disclosed. The scope of a data controller’s obligations, therefore, will vary from case to case, and will be particularly burdensome for large organisations. Currently, data controllers may charge a fee of up to £10 for processing a SAR, and must provide the requester the relevant information within 40 calendar days. When the GDPR comes into force next year, data controllers will normally not be entitled to charge a fee, irrespective of the inconvenience, and will be expected to provide the information within a shorter timeframe of 30 calendar days.

However, the ICO has revised its guidance in dealing with SARs to prepare controllers for data compliance in light of the Court of Appeal’s judgements on a string of cases in which SARs took place alongside ongoing or threatened litigation – cases which in the opinion of numerous legal commentators, therefore, highlight the potential for widespread abuse of SARs to redress grievances outside the purview of data protection law.

The three key changes to the ICO’s Code

  1. Scope for assessing ‘disproportionate effort’

The DPA includes an exemption from having to respond to SARs if this would involve ‘disproportionate effort’ for the data controller. Whereas the Code previously indicated that a refusal to provide information on the grounds of it being difficult is unacceptable, it now, with greater lenience, states: “there is scope for assessing whether, in the circumstances of a particular case, supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.” The ICO expects controllers to evaluate the benefits to the data subject as a result of the SAR against the difficulties in complying with the request, and assess whether the scope of the request is reasonable.

  1. Dialogue between controller and requester

The ICO now advises controllers to enter into dialogue with data subjects following a SAR. This may allow the requester to specify which information they require, thereby refining the request, and making the process more manageable and less likely to result in disproportionate effort. The Code continues to explain how it will take into account both controller’s and subject’s willingness to participate in this dialogue if they receive a complaint about the handling of a SAR.

  1. Information management systems and redaction of third-party data

 The ICO now expects controllers to have information management systems wherein personal information, including archived or back-up data, can be found expediently in anticipation of a SAR. Moreover, the information management system should allow for the redaction of third-party data. This is important, since certain SARs may be declined if the information requested would result some way in the disclosure of personal information about another living person.

Subject Access Requests: For more information have a look at the 4 Court of Appeal decisions that informed the ICO’s revised guidance:  Dawson-Damer v Taylor Wessing LLP, Ittihadieh v 5-11 Cheyne Gardens, Deer v Oxford University, Holyoake v Candy

Harry Smithson 7th July 2017

Weekly Roundup: Global Cyber-Attack, Google Scan Emails, Political Party Under Investigation, Nuisance Calls Fine

Leave a reply

Malware outbreak in 64 countries, Google scrap email scans, and the Conservative Party face ‘serious allegations’

Global cyber-attack disrupts companies in 64 countries

Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

 

Google to stop scanning Gmail accounts for personalised marketing data

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

  • Paid canvassing on behalf of Conservative election candidates – banned under election law.
  • Political cold calling to prohibited numbers
  • Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

Harry Smithson 28 June 2017

GDPR Re-Permissioning needs careful planning

Leave a reply

Morrisons becomes the latest high-profile company fined for breaking Privacy and Electronic Communications Regulations (PECR)

The ICO, the independent authority responsible for investigating breaches of data protection law, has fined the fourth largest supermarket chain in the UK £10,500 for sending 130,671 of their customers’ unsolicited marketing emails.

These customers had explicitly opted-out of receiving marketing emails related to their Morrisons ‘More’ loyalty card when they signed up to the scheme. In October and November 2016, Morrisons used the email addresses associated with these loyalty cards to promote various deals. This is in contravention of laws defining the misuse of personal information, which stipulate that individuals must give consent to receive personal ‘direct’ marketing via email.

‘Service emails’ versus ‘Marketing emails’

While the emails’ subject heading was ‘Your Account Details,’ the customers were told that by changing the marketing preferences on their loyalty card account, they could receive money off coupons, extra More Points and the company’s latest news.

The subject heading might suggest to the recipient that they are ‘service emails,’ which are defined under the Data Protection Act 1998 (DPA) as any email an organisation has a legal obligation to send, or an email without which an individual would be disadvantaged (for instance, a reminder for a booked train departure). But there is a fine line between a service email and a marketing email: if an email contains any brand promotion or advertising content whatsoever, it is deemed the latter under the DPA. Emails that ask for clarification on marketing preferences are still marketing emails and a misuse of personal contact data.

Morrisons explained to the ICO that the recipients of these emails had opted-in to marketing related to online groceries, but opted-out of marketing related to their loyalty cards, so emails had been sent for the ostensible purpose of qualifying marketing preferences which also included promotional content. Morrisons could not provide evidence that these customers had consented to receiving this type of email, however, and they were duly fined – although in cases such as this it is often the losses from reputational damage that businesses fear more.

Fines and reputational damage

This comes just three months after the ICO confirmed fines – for almost identical breaches of PECR – of £13,000 and £70,000 for Honda and Exeter-based airline Flybe respectively. Whereas Honda could not prove that 289,790 customers had given consent to direct e-marketing, Flybe disregarded 3.3 million addressees’ explicit wishes to not receive marketing emails.

Even a fine of £70,000 – which can currently be subject to a 20% early payment discount – for sending out emails to existing customers with some roundabout content in them for the sake of promotion, will seem charitable when the General Data Protection Regulation (GDPR) updates the PECR and DPA in 2018. Under the new regulations, misuse of data including illegal marketing risks a fine of up to €20 million or 4% of annual global turnover.

The ICO has acknowledged Honda’s belief that their emails were a means of helping their firm remain compliant with data protection law, and that the authority “recognises that companies will be reviewing how they obtain customer consent for marketing to comply with stronger data protection legislation coming into force in May 2018.”

These three cases are forewarnings of the imminent rise in stakes for not marketing in compliance with data protection law. The GDPR, an EU regulation that will demand British businesses’ compliance irrespective of Brexit, not only massively increases the monetary penalty for non-compliance, but also demands greater accountability to individuals with regard to the use and storage of their personal data.

The regulators recent actions show that companies will not be able cut legal corners under the assumption of ambiguity between general service and implicit promotional emails. And with the GDPR coming into force next year, adherence to data protection regulations is something marketing departments will need to find the time and resources to prepare for.

Harry Smithson, 22/06/17

Queen’s Speech Confirms New Bill to Replace Data Protection Act 1998

1 Reply

As part of several of measures aimed at “making our country safer and more united,” a new Data Protection Bill has been announced in the Queen’s Speech.

The Bill, which follows up proposals in the Conservative manifesto ahead of the election in June, is designed to make the UK’s data protection framework “suitable for our new digital age, allowing citizens to better control their data.”

The intentions behind the Bill are to:

  • Give people more rights over the use and storage of their personal information. Social media platforms will be required to delete data gathered about people prior to them turning 18. The ‘right to be forgotten’ is enshrined in the Bill’s requirement of organisations to delete an individual’s data on request or when there are “no longer legitimate grounds for retaining it.”
  • Implement the EU’s General Data Protection Regulation, and the new Directive which applies to law enforcement data processing. This meets the UK’s obligations to international law enforcement during its time as an EU member state and provides the UK with a system to share data internationally after Brexit is finalised.
  • To update the powers and sanctions available to the Information Commissioner.
  • Strengthen the UK’s competitive position in technological innovation and digital markets by providing a safe framework for data sharing and a robust personal data protection regime.
  • Ensure that police and judicial authorities can continue to exchange information “with international partners in the fight against terrorism and other serious crimes.”

Ultimately, the Bill seeks to modernise the UK’s data protection regime and to secure British citizens’ ability to control the processing and application of their personal information. The Queen’s Speech expressed the Government’s concern not only over law enforcement, but also the digital economy: over 70% of all trade in services are enabled by data flows, making data protection critical to international trade, and in 2015, the digital sector contributed £118 billion to the economy and employed over 1.4 million people across the UK.

Written by Harry Smithson, 22nd June 2017

Insider Threats – Charlotte’s View

1 Reply

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

EU – US Privacy Shield has been adopted

Leave a reply

Privacy ShieldAt last agreement has been reached on the EU – US Privacy Shield agreement which now replaces the Safe Harbor agreement.  Safe Harbor was ruled invalid in 2015 by the EU Court of Justice, because they said there were not sufficient safeguards for personal data under the voluntary scheme.

The new agreement is intended to protect the privacy of EU citizens when their personal information is processed in the US.

Companies will be able to sign up to the EU – US Privacy Shield from August 1st once they have implemented any necessary changes to comply with the strict compliance obligations.

The EU – US Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles entitled the EU – US  Privacy Shield Framework Principles.

The new framework was unveiled in February and has been under review since then.  Back in June the European Data Protection Supervisor, Giovanni Buttarelli advised that it ‘needed significant improvements’ because it was not ‘robust enough’ and that the Commission should negotiate improvements to the Privacy Shield in three main areas:

  • limiting exemptions to its provisions;
  • improving its redress and oversight mechanisms,
  • integrating all the main EU data protection principles.

For the Privacy Shield to be an effective improvement on Safe Harbour it must provide adequate protection against indiscriminate surveillance as well as obligations on transparency, and data protection rights for people in the EU.

In Brussels on July 12th Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The EU – US  Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints”

In summary the EU-US Privacy Shield is based on the following principles:

  • Strong obligations on Companies handling data and robust enforcement
  • Clear safeguards and transparency obligations on US government access
  • Effective protection of individual rights
  • Annual joint review mechanism
  • Easier and cheaper redress possibilities in case of complaints —directly or with the help of the local Data Protection Authority

The Privacy Shield agreement applies to both data controllers and processors (agents), and specifies that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

Whilst the UK remains a member of the EU (which it will be for least the next 2 years) UK based companies that process data in the US will be able to use the Privacy Shield where appropriate.

Michelle Evans, Data Compliance Director

14th July 2016

What does Brexit Mean for GDPR?

Leave a reply

brexit eggBritain has voted to leave the EU, and at this stage it seems that Parliament is going to honour the results and take us out of the EU. So what does this mean for data protection?

I don’t think there has ever been such uncertainty, confusion, difficulty and high risk over data compliance.  So I thought this might help clarify what Brexit is likely to mean in relation to the UK’s data protection legislation.

  1. If Article 50 is invoked in or after October 2016 (as suggested by David Cameron this morning) it will take at least two years and four months for the UK to leave the EU. And, given the complexities of the exit negotiations involved, it may well take longer than that.
  2. EU law will continue to apply until the moment the UK actually leaves the EU, which means that, for a minimum of 5 months, UK organisations – even those which do not process data in Europe – will be required to comply with GDPR. 
  3. If Britain leaves the EU and remains a part of the EEA (like countries such as Switzerland, Norway, Iceland and Lichtenstein), it will be required to comply with GDPR.     
  4. If Britain does not want to be part of the EEA, once it has left the EU it will NOT be required to comply with GDPR.
  5. However, if the UK wants to trade equally with the EU (to quote the Information Commissioner’s Office)UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”  To achieve this end, the ICO has already stated its intention to speak to the UK government to explain that reform of the UK law remains necessary Having clear laws with safeguards in place is more important than ever given the growing digital economy”

Although it’s too early to know exactly what will happen to UK Data Protection law, what is quite clear is that all UK businesses need to continue making preparations for GDPR compliance.  An excellent starting place is to ensure that you understand and comply with current legislation right now.  I’d suggest the following process:

brexit compliance process

If you have any questions about data protection governance, compliance or security and would like a no-strings chat, please don’t hesitate to call on 0203 815 8003 or email dc@datacompliant.co.uk.

GDPR is here – Data Protection is Changing

Leave a reply

shutterstock_128215814The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Altzheimers Society and VTech. Under GDPR, these, and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

shutterstock_14154718The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction,  then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.

 

It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant
Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

GDPR and Data Processors – a New World

Leave a reply

data processors

Now that GDPR has been approved, companies need to start work on preparing their governance, employees and technology for the new legislation.

Among those organisations most affected by GDPR are Data Processors.    Data processors process data on behalf of, and under the instruction of their data controller.  Now data processors must comply with the statutory requirements of GDPR and, for the first time, can be held accountable.

Failure to meet the requirements of GDPR carries significant sanctions, up to 4% of global turnover OR 20 million euros – whichever is the greater.   In addition, processors still run the risk that, in the event of non-compliance or breach, their data controller can sue for breach of contract – all eye-wateringly expensive to the point of breaking the business.

So it’s a new world for data processors, who need to take steps immediately to protect themselves against compliance and security risk. For example:

  • They must have appropriate technical and organisational measures to ensure security of the data they are processing.
  • They must maintain written records relating to all personal data processing carried out for each of its data controllers
  • They may no longer appoint new or alternate sub-processors without the authorisation of the data controller
  • They must cooperate with the relevant supervisory authority
  • They must notify the data controller without undue delay in the event of a data breach
  • They must comply with GDPR in relation to cross-border data transfers

So what kind of organisation does this affect? Data processors include a multitude of businesses from call centres, to data providers, to data service providers – cleansing, hygiene, analysis – to cloud providers and technology vendors.

Mandated contract clauses have been specified in detail under GDPR, so all existing and future contracts will need review and are likely to need revision as negotiations between controllers and processors become ever tougher as each party tries to tie down the areas of liability and responsibility.

There is an argument that the costs of processing may increase, which will have a negative impact for data controllers.  But there’s no doubt – data processors are now firmly in a new world of liability and penalty.

Safe Harbour out .. EU-US Privacy Shield in

Leave a reply

eu us privacy seal

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

On Tuesday 2nd February an agreement was reached after several months of negotiations between Europe and the USA. This has come about following the Schrems case and the European Court of Justice ruling on 6th of October 2015 which declared the old so called ‘Safe Harbour’ framework invalid.  The Safe Harbour expiry deadline was 31st January.

The EU-US Privacy Shield

Some of the key elements of the new framework are listed below:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU individuals’ rights with several redress possibilities: Any individual who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

EU-US Privacy Shield Next Steps

 Vice-President Ansip and Commissioner Jourová   have been mandated to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the EU Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsperson.