Category Archives: Weekly Roundup

Data Compliant’s Weekly Round-Up

It’s the weekend before Christmas. Have you done all your Christmas shopping? If you’re shopping online, this is the last weekend you can really do your online shopping and still get everything delivered on time. 

Now you may be bored of hearing it but please be careful, look after your passwords, change them regularly, don’t have devices store your information! Let’s start the year without a stranger stealing money from your credit cards and bank accounts!

Yahoo…Again 

This week brings us the news that Yahoo had announced a hack from 2013 – a separate breach to the 500,000 hacked records announced in September. 

Yahoo was investigating the 2014 breach when it uncovered the earlier hack – this time discovering that a billion accounts had been compromised.

The reputational damage to Yahoo is enormous – a clear pattern of poor security is emerging and if I had an account with Yahoo, I’d be considering changing my provider immediately.  Having said that, though,  how can we be certain that other companies haven’t had similar breaches and we just don’t know about them yet?

The ICO’s deputy commissioner, Simon Entwisle, has released a statement saying that they are talking to Yahoo and will try to find out how many UK users have been affected by the latest hack. Their immediate advice is to recommend strongly that customers change their passwords if they haven’t already.

TalkTalk
An update on the huge TalkTalk hack has been released. One of the hackers, a 17 year old, has admitted to 7 offences relating to the hack and has been given a 12-month rehabilitation order and an £85 fine. He was told his excellent computer skills need to be used for the good. 19-year old Daniel Kelley also pleaded guilty. He has been told that a jail sentence is inevitable, and has been released on bail prior to sentencing in March.

Uber
Uber has come under fire after an ex-worker claimed that staff could track fares of celebrities, politicians and even ex-partners. If that’s true, it’s lucky for me I’ve only ever used it in Australia where no exes live and unfortunately I’m not yet a celeb!

Uber released a statement to the Standard stating that the claims made by Mr Spangenberg are “absolutely not true … we have hundreds of security and privacy experts working round the clock  to protect our data … all potential violations are quickly and thoroughly investigated.” Uber also makes it clear that access to personal data is limited to approved workers who may only access the data they need in order to perform their job function. 

Lionhead Studio just as bad as ‘Trolls’?
It has been released this week at a BAFTA event that a teenager targeted Sam van Tilburgh and his team, back in 2003, when they were creating the game Fable. The teen released a screen shot of the hero stabbing a child in the head – something no one was expecting to see. 

Rather than go through official routes, Tilburgh and team decided to adopt an unconventional approach. They were able to track the boy’s IP address and locate the teenager. They then ‘acquired’ some of his school work and published a part of it, with a demand that he stop or they would publish more and tell his family what he was up to. He did indeed stop.

Tilburgh said Lionhead’s legal team knew nothing of the retaliating hack, and it has taken 13 years for the story to surface! I wonder if there’ll be repercussions.

The National Lottery hit with fine
So it wasn’t so long ago we heard that hackers had attacked The National Lottery (TNL). Today we hear TNL’s operator Camelot has been issued with a fine of £3m because of a fraudulent payout back in 2009. How this happened has not yet been announced but  it sounds as if a ‘deliberately damaged ticket’ was to blame. The prize fund payout is suspected to be around £2.5m but the actual figure has not yet been officially released.

I, for one, will continue to buy my lottery tickets. Although The National Lottery has come under fire recently, it has fuelled a whopping £36 billion into good causes such as sports, community and heritage projects. Also imagine if you won… (legitimately)

Written by Charlotte Seymour, 17th December 2016

Data Compliant’s Weekly Round Up

What a week! We’ve had another hack using log in credentials stolen from another provider (see my Camelot breach blog), hundreds of thousands of pounds worth of fines issued by the ICO for millions of unsolicited calls and texts, an ‘accidental’ Brexit strategy leak and people being exploited by cyber blackmail (now called Sextortion).

ICO fines and GSMA
This week Oracle Insurance was reported by consumers to the Global System Mobile Association’s (GSMA) SPAM reporting service, which the ICO accesses. After investigation the ICO found that Oracle had sent 136,369 marketing texts where sufficient consent hadn’t been given.  The ICO levied a fine of £30,000.

Similarly, Silver City Tech has been fined an explosive £100,000! The Dorset-based company denies sending any unsolicited texts, let alone 1,132,149 of them. A third party company sent the texts on behalf of Silver City Tech. However the ICO sees the third party as a postman just delivering the message – it’s the company behind the message (ie the data controller) that is held responsible. Again the company couldn’t provide any evidence of consent. After being approached by the ICO in Dec 2015 a further 1,942,182 texts were sent, resulting in Silver City Tech being fined £100,000. There’s a clear message here – if the ICO investigates and advises you not to do something … it’s as well to stop!

Reporting Spam
It’s worth knowing that if you want to report SPAM, just forward the text message to 7726 (spelling out SPAM).  Then you don’t need to text STOP back to the marketing company – which is always a risk as doing so validates your telephone number, and unscrupulous organisations may well then sell your number to another marketing company.

Brexit Strategy Leak
According to Sky News, the latest victim caught carrying an unguarded document in Downing Street is thought to be Julia Dockerill who works for Conservative Party vice-chairman (international) Mark Field. The lady has been papped on her way to a cabinet meeting carrying a note pad detailing notes on the Brexit strategy. Now, personally I’m conflicted on this story. With all of the papping, data breaches, hacks and data-in-transit news stories that we all hear about on a daily basis, surely the victim must know that she needs to be safer than this? Who doesn’t close their notepad after using it – especially outside Number 10? (Or is that me being fussy?) There are arguments saying that this was planned and wasn’t an accident at all. What do you think?

Sextortion
If you’d asked me what sextortion was on Monday I would have looked at you blankly and thought you were speaking a different language. However on Wednesday the term was everywhere – on the radio, all over the BBC website and all over social media. If you haven’t heard about it, it’s organised criminal gangs enticing individuals (mainly young men) to perform sexual acts on a webcam. The criminals then threaten to release the footage to their friends and family unless they pay them. Police say that the number of cases that the victims have been brave enough to report has more than doubled from last year. There are victims as young as 15 although statistics show that the majority of victims fall into the 18-21 age bracket, and there have been 4 suicides this year. Police are advising not to pay anything to blackmailers and contact the police immediately. The force has arrested 40 men responsible in the Philippines.

TalkTalk and Post Office Hack
Reports are coming in that TalkTalk and Post Office customers’ internet access has been cut after a number of routers were targeted. The Post Office have said that it has affected 100,000 of its customers and the problem started on Sunday. (A lot happened on Sunday, first the National Lottery, now the Post Office – is no one safe on a Sunday!?) Although it has affected a lot of people, we should thank our lucky stars we’re not in Germany where a similar hack affected an unlucky 900,000 customers.

I think we’ll all be thankful when this week ends. It just seems to be getting worse. However on a positive note it’s December now! Only 22 days until Christmas!!! (Not that I’m counting).

Written by Charlotte Seymour, 2nd December 2016

Data Compliant’s Weekly Round Up

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country, now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated, the information that was obtainable included names, telephone numbers, addresses and dates of birth, all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total), which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from its owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again, sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled. If it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3 billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, PayPal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is; if it isn’t the company’s name .com/.co.uk etc, it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the website’s privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

Written by Charlotte Seymour – 25th November 2016.

Data Compliance October Round-up

What’s happening in Europe … and beyond?

Update 28.10.13

The new date for implementation of a proposed new data protection regulation (DPR) has been pushed back to “by 2015”, thanks in part to David Cameron’s efforts to protect the interests of UK business. Germany was also supportive, though Merkel’s reasoning was slightly different: “… to ensure that it can reconcile the existing rights of its citizens.”

23.10.13

On 21st October, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation.  Still a long way from being complete, but the latest from Europe is:

1. Pseudonymous data now has its own definition – currently “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.

2. Data Protection Officers: a data controller or processor must appoint a Data Protection Officer when processing personal data relating to over 5,000 data subjects in any consecutive 12-month period. Also where the core processing activities relate to processing location data, children’s data, sensitive personal data, or employees in large scale filing systems.

3. A new concept has been introduced – a European Data Protection Seal – a certification process which allows international data transfers outside the EEA to recipients that also hold a Seal.

4.  Right to erasure:  the right of data subjects to have their personal data erased if requested is still in the draft (originally “right to be forgotten”).  And it’s been strengthened – if the data subject asks a controller to erase his data, the company should also forward the request to others where the data is replicated.

Pulling NSA’s teeth …

The Compromise text had some other changes, including new data protection rules designed to curb America’s spying activities. The intention is to make US secret court orders powerless, and to force companies based outside the EU, like Google and Facebook, to comply with European data protection laws if they operate in Europe. Powers to levy fines running into billions of Euros are being made available to discourage violation of the new rules.

For example, if a third country’s court, tribunal or other administrative authority requests a company (such as a social network or cloud provider) to disclose personal data processed in the EU, that company must notify the data protection authority and obtain their authorisation before any such data transfer can be made.

This step is largely due to Edward Snowden’s information about the American companies, platforms and social networking sites which have been forced to share substantial volumes of EU citizens’ personal online data (from emails and phone calls to video chats and web searches) with the National Security Agency (the US intelligence organisation which collects, monitors, decodes, translates and analyses foreign intelligence and counterintelligence information and data).

The third country issue has been ongoing since January 2012, when the proposed reform to the law was dropped after intense US lobbying.  It now seems clear that the EU has had enough, particularly since the revelations that the NSA systems collected – in the single month from February 8th to March 8th – 24.8 billion telephone data and 97.1 billion computer data from across the globe – including UK, Germany and France.

In addition the French are aggrieved that, from December 2012 to January 2013, the NSA were reported to have made 70.3 million recordings of French individuals’ telephone data.

While the NSA is known to collect and store all phone records of all American citizens, their profligate global approach to privacy is clearly unacceptable, and Europe has taken steps to limit their – and other agencies and countries’ – powers.

So now it’s just the simple matter of balancing the need to combat terrorism versus people’s protection of the rights to privacy.  Which makes it hardly surprising that this legislation is taking so long with a record-breaking 4,000 amendments so far.  It is thought that there is a less than 50% chance of the new regulations going through in the time-frame, though final legislation is still anticipated before the European elections in May 2014.

India’s Draft Privacy Protection Bill

The issue of data protection in India has been raised for a number of reasons – not least, Europe’s concerns given the sheer volume of personal data that is transferred to India. Also, within India itself, there is concern among Indian citizens in relation to the combination of the use of personal identifiers (including biometric data) and extensive individual profiles.

India has been holding a set of roundtable talks since April 2013, with the goal of generating recommendations for a privacy regulatory framework.  The last of those talks was held on October 19th between the Center for Internet and Society, the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. Christopher Graham, the UK Information Commissioner, was among the speakers.

We’ll send more updates as they come through – in the meantime, if you have any concerns over how these or the existing DPA and PECR regulations might affect your business, don’t hesitate to contact us.

Victoria Tuffill
01787 277742
victoria@tuffillverner.co.uk
Michelle Evans
01206 392909
michelle@tuffillverner.co.uk

Data Compliance October Round-up UK

Meanwhile, back in the UK …

Telemarketing – Caller identification spoofing …

Earlier this week, Canada, the United States and the United Kingdom issued a joint statement making it clear that they intend to combine their resources to tackle the problem of caller ID spoofing.

Spoofing is a practice conducted by telemarketers who want to conceal their true identity rather than fulfil their legal obligation to identify themselves.  Spoofers provide their caller ID with false information which may be a string of digits, or a random or stolen number belonging to a real person or organisation.   It is on the increase, and makes it particularly difficult for the authorities to track down those responsible for non-compliant or illegal calls.

The various agencies responsible for enforcing telemarketing and privacy laws announced that they will coordinate their efforts through the international law enforcement network of the London Action Plan and the International Do Not Call Network. If they need the telecoms industry to provide help, they will ask those organisations within their respective countries.

Next steps are exploratory discussions, to be held later this month, to identify options focusing on enforcement, industry compliance and consumer education, technology and regulatory issues with the goal of considering solutions available to stop spoofing and to take action against those responsible.

DATA BREACHES AND FINES

What a monumental blunder …

We heard yesterday that The Ministry of Justice was on the receiving end of the ICO’s judgement, when it received a fine of £140,000 – after details of ALL the prisoners serving time at HMP Cardiff were emailed to three of the inmates’ families.

The fine goes back to 2011 – when, on 2nd August, the recipients received an email from a prison clerk which included a file containing details of the 1,182 inmates – including names, ethnicity, addresses, length of sentence, release dates, and the offence codes.  Worse yet – this wasn’t the first time such a breach had occurred.  Within the previous four weeks, the same error occurred twice – with details sent to different inmates’ families.

The ICO’s investigation found:

  • Clear lack of management and supervision at the prison, where the clerk concerned was found to have received limited training and experience, though he was left to work unsupervised.
  • Audit trails were lacking and the only reason the breach was identified was because one of the recipients reported receipt of the information to the prison.
  • Problems with the methods used to handle the prisoners’ records, such as the use of unencrypted floppy discs to transfer large volumes of data between networks.

The importance of being registered …

If organisations process personal data, with a very few exceptions, they must register with the ICO and spell out the type of information they process. Not doing so is a criminal offence – as Hamed Shabani, sole director of payday loan company First Financial, discovered.

After failing to register, he and his company were prosecuted by the ICO and convicted in the Magistrate’s Court. As Director of the company, he was fined a modest £150 and ordered to pay £1,010.66 towards the costs of prosecution and a £20 victims’ surcharge.  In addition, the company itself was fined £500, and also made to pay £1,010.66 towards costs plus a £50 victims’ surcharge.

The total bill of £2,741.32 compares rather unfavourably against the annual £35 notification fee he should have paid.  It is also interesting to note that Hamed Shabani tried to remove his name from the company’s registration at Companies House in an attempt to avoid prosecution.

To quote Stephen Eckersley, ICO Head of Enforcement:

“Pay day loans companies hold important information about some of the most financially vulnerable people in the UK. This makes this company and its director’s decision not to face up to their legal responsibilities all the more concerning.

“Businesses must commit to looking after the information of their customers and this begins with making sure that they are registered. We will continue to use our enforcement powers to safeguard people’s information.”

The importance of a strong BYOD policy …

BYOD (Bring your own device) continues to be high on the ICO’s priority list – earlier this month, the Royal Veterinary College breached the DPA when a member of staff lost their camera whose memory card held 6 job applicant passport pictures. Unfortunately, the RVC had not briefed staff on how personal information stored for work should be looked after on personal devices.

Nearly half of all UK employees now use their smartphones, tablets, PCs for work purposes, and the number is growing.  As a result, organisations must update their data protection policies to take this into account.

Stephen Eckersley said:

“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use.”

The importance of encryption …

If you are unlucky enough to have a portable device containing personal data stolen, it could cost you much more than simply replacing the device, as the owner of loans company Jala Transport discovered to his cost. He stopped his car at a set of traffic lights, only to have his car boot broken into. A hard drive – containing financial details of his 250 customers – was stolen, along with £3,600 cash.

Though the hard drive was password protected, the data within was not encrypted, and it included customers’ names, dates of birth, the payments made, and the identity documents provided to support the loan application.  Because the hard drive had not been encrypted, all those customers were left  wide open to the threat of identity theft.

The penalty could have been £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

Stephen Eckersley said of this case:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…

“The penalty will have a real impact on this business and should act as a warning to all business owners that they must take adequate steps to keep customers’ information secure.”

Rates of identity fraud continue to rise

Identity fraud is the most significant threat facing the UK, making security a key issue not only for businesses but also for individuals.  Not taking steps to protect personal data just gives fraudsters a license to steal.   This is clearly illustrated by the stats – identity fraud now accounts for over half of all committed fraud and is still growing.  CIFAS confirmed 114,000 frauds in the first half of 201, of which 52% involved impersonation or fake identity details.  An additional 14% of frauds involved account takeover.

All the stories above reflect the importance of being and remaining data compliant and illustrate the penalties that can be imposed by the ICO.  If you would like any advice on how to become and remain compliant, just call us for a no-obligation chat.

Data Compliance – Monthly Round-Up

September 2013 Round-up

Information Commissioner toughens up Direct Marketing Guidelines

This month the ICO has published new guidelines for direct marketers, with a particular emphasis on consent. Those companies who make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid. Essentially the ICO is looking to tighten up current consent policies by, for example, putting tighter time limits on the period covered by consent and ensuring that the customer is not forced into consenting as part of any service policy. Users of personal data are going to need to get used to a greater transparency and trust between themselves and their customers. It is likely that a more creative approach to obtaining consent will be required – such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user for evidence that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

The Information Commissioner’s Office (ICO) is clamping down on businesses who make unsolicited direct marketing calls. The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before issuing a penalty to the perpetrator. The ICO is now asking the government to reduce the degree of harm that needs to be proven – the aim is that an investigation would have to simply prove annoyance or nuisance before acting.

The ICO routinely collects data from complaints both to their own office and to TPS, which helps identify organisations who may cause concern.

As a result of that activity, in the first quarter of 2013, the ICO issued their first fine for making unsolicited live marketing calls. DM Design was fined £90,000. In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls – against Nationwide Energy Services (£125,000 penalty) and We Claim you Gain (£100,000 penalty) – not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims.  These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps to be taken against those companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

They select a number of companies for monitoring based on the complaints they – and TPS – receive. They then review the complaints levels – and it’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area. For example, Talk Talk saw a massive 75% reduction in complaints in the nine months of monitoring; British Gas a 59% reduction in complaints over the same period; while Scottish Power complaints were reduced by 30%.

If you have any concerns over how to ensure your telemarketing is compliant, please contact Victoria – victoria@tuffillverner.co.uk

Encryption: do you understand the options available and how you can use them?

The Data Protection Act requires organisations that are storing personal information electronically to have appropriate measures in place to keep the information secure. If the loss of this information would cause damage and distress to those affected then the Information Commissioner’s Office (ICO) expects the information to be encrypted.

If it isn’t, then an organisation is not keeping the information secure and leaving themselves open to possible enforcement action. Penalties totalling £700,000 have so far been issued to organisations who have failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation.  If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Following the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important. After a complaint from a member of the public, action has been taken against Cardiff City Council over systemic failures that left the council unable to respond to individuals’ subject access requests within the 40 day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

If you are unclear of your obligations and would like advice on the matter, do contact michelle@tuffillverner.co.uk

Do your employees work from home?  Or use a smartphone?

It is well worth reviewing the measures you have in place to make sure personal information being accessed and used by home workers is being kept secure. It is now becoming increasingly popular for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by their home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office.  If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information.  Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry provided a number of recommendations relating to the conduct and ethics of the press. The most high-profile recommendation for the ICO office was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholders’ views on a potential code of practice to explain the law as it stands. Responses were received from several media companies, individuals, regulators and representative bodies. The responses have raised concerns that any new code of practice would cause confusion with the existing editor’s code!

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.

victoria@tuffillverner.co.uk   01787 277742 / 07967 148398

michelle@tuffillverner.co.uk   01206 392909 / 07760 257427