Category Archives: Uncategorized

GDPR Re-Permissioning needs careful planning

Morrisons becomes the latest high-profile company fined for breaking Privacy and Electronic Communications Regulations (PECR)

The ICO, the independent authority responsible for investigating breaches of data protection law, has fined the fourth largest supermarket chain in the UK £10,500 for sending 130,671 of their customers’ unsolicited marketing emails.

These customers had explicitly opted-out of receiving marketing emails related to their Morrisons ‘More’ loyalty card when they signed up to the scheme. In October and November 2016, Morrisons used the email addresses associated with these loyalty cards to promote various deals. This is in contravention of laws defining the misuse of personal information, which stipulate that individuals must give consent to receive personal ‘direct’ marketing via email.

‘Service emails’ versus ‘Marketing emails’

While the emails’ subject heading was ‘Your Account Details,’ the customers were told that by changing the marketing preferences on their loyalty card account, they could receive money off coupons, extra More Points and the company’s latest news.

The subject heading might suggest to the recipient that they are ‘service emails,’ which are defined under the Data Protection Act 1998 (DPA) as any email an organisation has a legal obligation to send, or an email without which an individual would be disadvantaged (for instance, a reminder for a booked train departure). But there is a fine line between a service email and a marketing email: if an email contains any brand promotion or advertising content whatsoever, it is deemed the latter under the DPA. Emails that ask for clarification on marketing preferences are still marketing emails and a misuse of personal contact data.

Morrisons explained to the ICO that the recipients of these emails had opted-in to marketing related to online groceries, but opted-out of marketing related to their loyalty cards, so emails had been sent for the ostensible purpose of qualifying marketing preferences which also included promotional content. Morrisons could not provide evidence that these customers had consented to receiving this type of email, however, and they were duly fined – although in cases such as this it is often the losses from reputational damage that businesses fear more.

Fines and reputational damage

This comes just three months after the ICO confirmed fines – for almost identical breaches of PECR – of £13,000 and £70,000 for Honda and Exeter-based airline Flybe respectively. Whereas Honda could not prove that 289,790 customers had given consent to direct e-marketing, Flybe disregarded 3.3 million addressees’ explicit wishes to not receive marketing emails.

Even a fine of £70,000 – which can currently be subject to a 20% early payment discount – for sending out emails to existing customers with some roundabout content in them for the sake of promotion, will seem charitable when the General Data Protection Regulation (GDPR) updates the PECR and DPA in 2018. Under the new regulations, misuse of data including illegal marketing risks a fine of up to €20 million or 4% of annual global turnover.

The ICO has acknowledged Honda’s belief that their emails were a means of helping their firm remain compliant with data protection law, and that the authority “recognises that companies will be reviewing how they obtain customer consent for marketing to comply with stronger data protection legislation coming into force in May 2018.”

These three cases are forewarnings of the imminent rise in stakes for not marketing in compliance with data protection law. The GDPR, an EU regulation that will demand British businesses’ compliance irrespective of Brexit, not only massively increases the monetary penalty for non-compliance, but also demands greater accountability to individuals with regard to the use and storage of their personal data.

The regulators recent actions show that companies will not be able cut legal corners under the assumption of ambiguity between general service and implicit promotional emails. And with the GDPR coming into force next year, adherence to data protection regulations is something marketing departments will need to find the time and resources to prepare for.

Harry Smithson, 22/06/17

Data Compliant’s Weekly Round Up

data-protection-type-writer

What a week!  We’ve had another hack using log in credentials stolen from another provider (see my Camelot breach blog), hundreds of thousands of pounds worth of fines issued by the ICO for millions of unsolicited calls and text, an ‘accidental’ Brexit strategy leak and people being exploited by cyber blackmail (now called Sextortion).

ICO fines and GSMA
This week Oracle Insurance was reported by consumers to the Global System Mobile Association’s (GSMA) SPAM reporting service, which the ICO accesses. After investigation the ICO found that Oracle had sent 136,369 marketing texts where sufficient consent hadn’t been given.  The ICO levied a fine of £30,000.

Similar to this Silver City Tech have been fined an explosive £100,000! The Dorset-based company denies sending any unsolicited texts, let alone 1,132,149 of them. A third party company sent the texts on behalf of Silver City Tech. However the ICO sees the third party as a postman just delivering the message – it’s the company behind the message (ie the data controller) that is held responsible. Again the company couldn’t provide any evidence of consent. After being approached by the ICO in Dec 2015 a further 1,942,182 texts were sent, resulting in Silvery City Tech being being fined £100,000.  There’s a clear message here -if the ICO investigates and advises you not to do something …. it’s as well to stop!

Reporting Spam
It’s worth knowing that if you want to report SPAM, just forward the text message to 7726 (spelling out SPAM).  Then you don’t need to text STOP back to the marketing company – which is always a risk as doing so validates your telephone number, and unscrupulous organisations may well then sell your number to another marketing company.

Brexit Strategy Leak
According to Sky News, the latest victim caught carrying an unguarded document in Downing Street is thought to be Julia Dockerill who works for Conservative Party vice-chairman (international) Mark Field.lady has been papped on her way to a cabinet meeting carrying a note pad detailing notes on the Brexit strategy. Now, personally I’m conflicted on this story. With all of the papping, data breaches, hacks and data-in-transit news stories that we all hear about on a daily basis, surely the victim must know that she needs to be safer than this?  Who doesn’t close their notepad after using it – especially outside Number 10? (Or is that me being fussy?)  There are arguments saying that this was planned and wasn’t an accident at all. What do you think?

Sextortion
If you’d asked me what sextortion was on Monday I would have looked at you blankly and thought you were speaking a different language. However on Wednesday the term was everywhere – on the radio, all over the BBC website and all over social media. If you haven’t heard about it, it’s organised criminal gangs enticing individuals (mainly young men) to perform sexual acts on a webcam.  The criminals then threaten to release the footage to their friends and family unless they pay them. Police say that the number of cases that the victims have been brave enough to report has over doubled from last year.. There are victims as young as 15 although statistics show that the majority of victims fall into the 18-21 age bracket, and there have been 4 suicides this year. Police are advising not to pay anything to blackmailers and contact the police immediately. The force has arrested 40 men responsible in the Philippines.

TalkTalk and Post Office Hack
Reports are coming in that TalkTalk and Post Office customer’s internet access has been cut after a number of routers were targeted. The Post Office have said that it has affected 100,000 of it’s customers and the problem started on Sunday. (A lot happened on Sunday, first the National Lottery, now the Post Office – is no one safe on a Sunday!?) Although it has affected a lot of people, we should thank our lucky stars we’re not in Germany where a similar hack affected an unlucky 900,000 customers.

I think we’ll all be thankful when this week ends. It just seems to be getting worse. However on a positive note it’s December now! Only 22 days until Christmas!!! (Not that I’m counting).

charlotte-seymour-2016

 

Written by Charlotte Seymour, 2nd December 2016

Data Transfer Security – Not so safe

data-transferA Historical Society (the ICO haven’t released the name of which one) has been fined after a laptop was stolen,  holding sensitive personal data on those who had donated or loaned artefacts. The laptop was unencrypted and the ICO found that there were no policies in place when it came to encryption or homeworking. The organisation was fined just £500 to be reduced to £400 if paid early.  Not much of a punishment if you ask me – who doesn’t encrypt sensitive personal data now-a-days??

This announcement was released less than a week after Essex, Suffolk and Norfolk had fallen into a debacle where thousands of highly sensitive medical records were lost in transit between GP surgeries. It seems extraordinary that, even in this age of drones and virtual reality, doctors’ surgeries are still using hard copy of our medical records which, if you change practices,  have to be physically picked up from your old doctor’s surgery and transferred to your new GP.

Just imagine moving house – it’s very exciting, and stressful and can be overwhelming. Whether you are just moving down the road or across counties, you have the worry of unpacking, making your new house a home, changing your address on things like your driver’s license, bank account etc. You also have to think about changing your dentist and of course your doctor.

Capita, an outsourced company, took on the national £400 million, 7 year NHS contract in September last year to do a number of things, including transferring patient notes from one GP practice to another. It has just been reported that over 9,000 patient records have gone missing in the last couple of months across East Anglia alone. The GPC (the General Practitioners Committee) ran a survey of 281 practices and found that just under a third had received the wrong patient notes, over a quarter of practices failed to have records collected from them on the agreed date with Capita and over 80% of urgent requests for records were not processed within 3 weeks.

The NHS is always under scrutiny for something but when they don’t have the correct information for their patients, it makes you feel a little sorry for them.

The main question on my mind is why are there still physical records for such sensitive information like your medical history? The target to reach the utopia of paperless patient records is currently 2020, so for another 4 years our physical records will still need to be transferred physically if we move to another practice. Given the ransomware attacks, breaches and hacks already prevalent within not only the NHS but across all organisations and business sectors, you have to hope that greater care will be taken with our digital records than we are currently seeing with our physical records.

What I find interesting is that Capita, according to a report from the BBC, has refused to recognise these claims. If that is the case, you have to ask why, only last week, Health minister Nicola Blackwood told MPs that she expects Capita to consider “compensation as an option” and stated that Capita had been ‘inadequately prepared’ to take over the primary care support services contract earlier this year. She also made it plain that there should have been greater scrutiny of Capita’s competence in delivering the contract.

A Capita spokeswoman said: ‘NHS England contracted Capita to both streamline delivery of GP support services and make significant cost savings across what was a highly localised service with unstandardised, generally unmeasured and in some cases, uncompliant processes.

We have taken on this challenging initiative and we have openly apologised for the varied level of service experienced by some service users as these services were transitioned and are being transformed.’ She said the company did not recognise ‘whatsoever’ claims that thousands of patient records were missing.

Regardless of the above, what is absolutely clear is that whether you are transferring data either physically, like in this case, or electronically it is highly important to have appropriate security procedures in place. Keep records of the data you are transferring. Know that it has – or has not arrived. And, if you’re using digital transfers, the ICO has recommended encrypting not only your files but also the connection you are using to transfer them.

Now if you excuse me I’m just off to call my doctor’s surgery and see if they still are in possession of my medical notes!

charlotte

 

Written by Charlotte Seymour – November 2016

 

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

EU – US Privacy Shield has been adopted

Privacy ShieldAt last agreement has been reached on the EU – US Privacy Shield agreement which now replaces the Safe Harbor agreement.  Safe Harbor was ruled invalid in 2015 by the EU Court of Justice, because they said there were not sufficient safeguards for personal data under the voluntary scheme.

The new agreement is intended to protect the privacy of EU citizens when their personal information is processed in the US.

Companies will be able to sign up to the EU – US Privacy Shield from August 1st once they have implemented any necessary changes to comply with the strict compliance obligations.

The EU – US Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles entitled the EU – US  Privacy Shield Framework Principles.

The new framework was unveiled in February and has been under review since then.  Back in June the European Data Protection Supervisor, Giovanni Buttarelli advised that it ‘needed significant improvements’ because it was not ‘robust enough’ and that the Commission should negotiate improvements to the Privacy Shield in three main areas:

  • limiting exemptions to its provisions;
  • improving its redress and oversight mechanisms,
  • integrating all the main EU data protection principles.

For the Privacy Shield to be an effective improvement on Safe Harbour it must provide adequate protection against indiscriminate surveillance as well as obligations on transparency, and data protection rights for people in the EU.

In Brussels on July 12th Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The EU – US  Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints”

In summary the EU-US Privacy Shield is based on the following principles:

  • Strong obligations on Companies handling data and robust enforcement
  • Clear safeguards and transparency obligations on US government access
  • Effective protection of individual rights
  • Annual joint review mechanism
  • Easier and cheaper redress possibilities in case of complaints —directly or with the help of the local Data Protection Authority

The Privacy Shield agreement applies to both data controllers and processors (agents), and specifies that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

Whilst the UK remains a member of the EU (which it will be for least the next 2 years) UK based companies that process data in the US will be able to use the Privacy Shield where appropriate.

Michelle Evans, Data Compliance Director

14th July 2016

GDPR and Data Processors – a New World

data processors

Now that GDPR has been approved, companies need to start work on preparing their governance, employees and technology for the new legislation.

Among those organisations most affected by GDPR are Data Processors.    Data processors process data on behalf of, and under the instruction of their data controller.  Now data processors must comply with the statutory requirements of GDPR and, for the first time, can be held accountable.

Failure to meet the requirements of GDPR carries significant sanctions, up to 4% of global turnover OR 20 million euros – whichever is the greater.   In addition, processors still run the risk that, in the event of non-compliance or breach, their data controller can sue for breach of contract – all eye-wateringly expensive to the point of breaking the business.

So it’s a new world for data processors, who need to take steps immediately to protect themselves against compliance and security risk. For example:

  • They must have appropriate technical and organisational measures to ensure security of the data they are processing.
  • They must maintain written records relating to all personal data processing carried out for each of its data controllers
  • They may no longer appoint new or alternate sub-processors without the authorisation of the data controller
  • They must cooperate with the relevant supervisory authority
  • They must notify the data controller without undue delay in the event of a data breach
  • They must comply with GDPR in relation to cross-border data transfers

So what kind of organisation does this affect? Data processors include a multitude of businesses from call centres, to data providers, to data service providers – cleansing, hygiene, analysis – to cloud providers and technology vendors.

Mandated contract clauses have been specified in detail under GDPR, so all existing and future contracts will need review and are likely to need revision as negotiations between controllers and processors become ever tougher as each party tries to tie down the areas of liability and responsibility.

There is an argument that the costs of processing may increase, which will have a negative impact for data controllers.  But there’s no doubt – data processors are now firmly in a new world of liability and penalty.

Safe Harbour out .. EU-US Privacy Shield in

eu us privacy seal

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

On Tuesday 2nd February an agreement was reached after several months of negotiations between Europe and the USA. This has come about following the Schrems case and the European Court of Justice ruling on 6th of October 2015 which declared the old so called ‘Safe Harbour’ framework invalid.  The Safe Harbour expiry deadline was 31st January.

The EU-US Privacy Shield

Some of the key elements of the new framework are listed below:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU individuals’ rights with several redress possibilities: Any individual who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

EU-US Privacy Shield Next Steps

 Vice-President Ansip and Commissioner Jourová   have been mandated to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the EU Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsperson.