Phishing, e-commerce and retail

Leave a reply

phishing

Britain is targeted by up to 10,000 cyber attacks per hour, making it a business imperative for organisations to strengthen their data security systems and processes.

Retail and financial services websites are at the highest risk from attack, and Christmas – with a projected online spend of £17.4bn** – is the most popular time of year for cyber criminals.

A Google study from a couple of weeks ago made an astonishing statement:

Phishing stats 45%

This is a particularly worrying statistic given that data security breaches carry a huge cost – both to reputation and financially.

phishing stats Nov 2014

The costs of a breach increase every year, and will inevitably continue to rise as new legislation comes in with greater powers to the ICO.

So it’s time for retailers to make sure their staff don’t fall into the 45% of successful phishing attacks, and understand how to minimise security risks to the business.

Christmas Offer

25% Christmas Discount

Data Compliant  provides data security training workshops for companies who want their employees to understand how to keep their data secure.

2-hour security workshops for up to 10 attendees per session are available from January 5th 2015.  The usual cost is £1,100*.  Within the workshop, we’ll demonstrate how to recognise and avoid phishing attacks.

Any organisation making a firm booking for a data security workshop before 23rd December will receive their 25% discount – ie a reduction in cost from £1,100 to just £825.*

For more information or to book your workshop, call 01787 277742 or email victoria@datacompliant.co.uk

* Stats taken from UK 2014 Information Security Breaches Survey – Department for Business Innovation and Skills

**stats from internetretailing.net

* Costs exclude VAT and expenses.

 

EU Data Protection Regulation – Getting closer?

Leave a reply

EU dpaThe EU Regulation is designed to replace the current multiplicity of EU data protection laws with a single set of rules to be applied throughout all Member States.  Time is moving on so it’s important to keep on top of the discussions and updates being published.

Last month’s proposed revisions to Chapter IV (which deals with data controller and data processor obligations) are summarised below.  However, it is worth remembering that “nothing is agreed until everything is agreed” in relation to the Regulation.

Greater discretion for data controllers – risk-based compliance

Businesses will be relieved to see greater discretion for data controllers in complying with the legislation as recent Chapter IV discussions in Europe have moved towards a risk-based approach to compliance.

A balance between privacy and entrepreneurship

EU balanceThe proposed amendments to Chapter IV suggest that data compliance obligations should be proportional to the organisation’s specific data processing activity and associated risks.

Once these activities and risks have been assessed, appropriate privacy and data protection tools should be instigated by the organisation.

Different activities, even where the same data is involved, may quite often have different consequences, requiring different levels of protection. The risk-based approach allows data controllers a more flexible approach in assessing their data compliance responsibilities within the context of their own particular business.

It appears that most countries welcome the risk-based approach, which they view as providing a good balance between protecting personal data and safeguarding businesses and entrepreneurship.

Chapter IV Proposed Revisions 

Below are some examples of the revisions proposed by the EU Council:

  • Data protection impact assessments are only required where “high” risk (for example identity theft, fraud or financial loss) to the rights and freedoms of individuals is involved
  • The appointment of Data Protection Officers is voluntary (unless individual Member State legislation states otherwise)
  • Only data breaches that are likely to result in “high risk for rights and freedoms of individuals” need be reported
  • If stolen or breached data is encrypted or protected in such a way that the data remains indecipherable, there is no requirement to report the breach.
  • Required levels of security measures will be established by considering multiple factors, including the nature, scope, context and purpose of the data processing to be undertaken, in combination with the cost of implementation and the technology available.
  • Only where a data privacy impact assessment indicates that data processing would result in “high risk” to the rights and freedoms of individuals, the supervisory data protection authority should be consulted prior to the start of such processing

There is also a suggestion that data controllers may use “adherence of the processor to an approved code of conduct or an approved certification mechanism” to demonstrate compliance with the obligations of a controller.  So organisations may find it well worth considering selecting only those data processors who have appropriate data security certification such as ISO 27001 or DMA DataSeal.

If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

CCTV Data Protection Guidelines from ICO

1 Reply

drone delivering parcelClearly surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest, to keep detailed records of people’s activities both for social (eg schooling, benefits eligibility) and political (eg terrorist) reasons.

There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.

The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.

There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:

  • Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
  • Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative says of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
  • Privacy by design – for example, the ability to turn the recording device (audio and / or sound) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; the use of devices with vision restricted purely to achieve the purpose

The new technology specifically covered in the guide includes:

Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);

Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);

Unmanned Aerial Systems drones are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are privacy intrusions where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; the whole system of data collection, storage, accessibility, retention periods and disposal requires compliance.

Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.

If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Surveillance Camera Code of Practice – 12 Principles

2 Replies

security cameraDo you use a surveillance camera system within your organisation?  If so, it’s worth noting that the Surveillance Camera Code of Practice must not only comply with the Data Protection Act and its 8 Principles, but also provides its own 12 guiding principles:

  1. Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need
  1. Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
  1. Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  1. Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  1. Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
  1. Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
  1. Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes
  1. Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards
  1. Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  2. Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice.  Regular reports to be published.
  3. Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  4. Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Smartphone Security

1 Reply

SmartphoneSmartphones are becoming cleverer by the day. I use mine as an address book … to read books … listen to music … search the internet … look at emails … find my husband … use social media … keep track of the news … take pictures … and so much more. I even use it to make and receive calls and texts.

But from a security point of view, smartphones can be leaky, and increasingly it’s down to the user rather than the provider to take responsibility for their own protection. Here is some simple guidance and some references for those who’d like more information:

Smartphones – as important as your wallet and credit / debit cards

Ofcom advises that you treat your smartphone as carefully as your wallet or a bank card, and that’s excellent advice. Losing your smartphone is inconvenient at best and a disaster at worst. There’s the potential expense of any charges that a thief might run up before you report it as lost. And, unless it’s insured, the cost of replacing a smartphone can be horribly expensive.

Not only that, but any confidential information is at risk – your contacts, your emails, even your bank account. And it’s no longer just your own data at risk. If you use your smartphone for business, losing it may have potentially serious implications for you and your company in the event of a data breach.

What to do before you lose your smartphone

  • Set and use a pin or password both on your phone and your SIM for secure access
  • Make sure you know your IMEI number – if you haven’t already done so, just type *#06# into your handset and it should flash up. If not, look behind your phone battery and you’ll find it there. Make a note of it and keep it somewhere safe.
  • Have a look at Immobilisewhere you can register your phone and may then stand some chance of being reunited with it in the event of loss or theft. All UK police forces and various other lost property offices and agencies use it as an online database to trace owners of lost and stolen property.
  • If you are registered with Immobilise, mark your phone as being registered – it just may help deter opportunistic theft
  • Download an app such as findmyiphone or findmyphone. Not only will this help you trace your phone if it is lost or stolen, but it will also allow you to wipe details from it remotely to allow you at least to minimise theft of your data.

How to keep your data safe

  • In the same way that you’d keep your computer data backed up, you should do the same for your smartphone – keep it backed up, either in the cloud or on some other device. That way you stand to lose the minimum amount of data.
  • Keep up-to-date with your operating system – accept updates as they become available as they will include any fixes to security vulnerabilities within the previous software.
  • Use antivirus software to protect your phone from attack by virus or spyware. I use Lookout, but there are various other excellent options.
  • Make sure your apps are only downloaded from trusted sources. Check them out before you download them – read the reviews and check their privacy policies.
  • Keep you apps updated when updates are offered.
  • Bear in mind that a rogue app may allow access and control rights to a hacker who can then make calls, download content, send or intercept messages using your phone without your knowledge. You also run the risk that your smartphone becomes the entry point to other devices to which it may be connected.
  • Check the permissions you grant when you download an app – for example, it may request to use your current location, or to access your photos etc. Make sure that you only provide the data that you require the apps to have, and ideally only provide the information the app needs in order to work.

What to do if you lose your smartphone

  • If you lose your phone, contact your provider and (if you are insured) your insurer immediately.
  • Get your phone blocked – to do this you’ll need to give your provider your phone’s IMEI number, make and model number.

What to do when you get rid of your phone

Before disposing of your smartphone, make sure that you:

  • Erase any apps
  • Erase any data held on it, including media cards
  • Then go into your Settings menu and reset to Factory settings

Above all, smartphones should be treated as the valuable assets they really are, and kept safe to protect both personal and company assets data and assets.

If you have any concerns about your data security in general or your smartphone security specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Data Privacy and the Internet of Things

Leave a reply

iStock_000044457776Small (1) Earlier this month (August 2014) Offcom announced that UK adults spend an average of eight hours and 41 minutes a day on media devices – which compares with an average night’s sleep of eight hours and 21 minutes …

I have to admit to being something of a science fiction fan and it seems to me that our own world has some interesting parallels with that created by E M Forster in his short novel, The Machine Stops.

The setting is a world where humans live in isolation in underground cells, and where everything is provided by the global “Machine” – music, art, literature, conversation, education, knowledge, interaction with other humans, food, religion, medicine – truly everything that humankind allegedly requires. In Forster’s world, travel is available, but unpopular and treated with suspicion. The physically strong are culled at birth. The weak survive.  When the Machine breaks down, the humans – its subjects – perish, leaving the only hope for the human race with those who had previously escaped the underground world and made their way to the surface to live outside the Machine’s jurisdiction.

In our own world, we have the internet, social media, online music, art, and the ability to educate, work and communicate, both personally and in business, from a distance.

And, of course, we have the Internet of Things, which is currently generating a great deal of interest and discussion, and which brings us ever closer to Forster’s world.

What is the Internet of Things?

The answer lies in the name, though it’s worth mentioning that “Things” include people.

??????????????????????????????????????????????????????In a nutshell, we are living in a world where broadband is an ubiquitous fact of life, technology is moving faster and faster – and becoming increasingly less expensive, and more and more devices are being created with wifi capability and sensors – from smartphones to fridges,  remote household heating systems to tumble-dryers, razors to kettles, and TVs to wearable devices.

According to Gartner (a Connecticut-based IT research and advisory company) by 2020 there will be over 26 billion connected devices.  With an assumed 8 billion people on the planet in the same year, that’s an average of over 3 ¼ ‘smart’ devices per man, woman and child!

For example, LG has developed a fridge that has a camera which allows owners to see what food is inside.  It scans items as they’re added, tracks expiry dates and recommends recipes based on the food available. The owner can also programme Body Mass Index (BMI) and weight loss targets.  Using smart TV and voice recognition technology, the fridge can see who is opening the door, recommend a recipe … and even in future turn on the oven to the right temperature if you choose that recipe!

It’s intended that this fridge will link with online food shopping services so that it can restock itself when supplies run low.  The fridge’s data will all be accessible to the owner vie smartphone, tablet or PCF so the owner can stay in control. (If you like the idea, the fridge is scheduled to be on sale in the UK later this year for around £2,000.)

RFID Tags and Security Issues

There is no doubt that the opportunity for automated household management may be appealing and is possibly unavoidable in the future.   And there are many other potential uses too, including tracking wildlife, chipping pets (and even humans), providing access to a person’s medical records, and monitoring our medical conditions to notify us of drugs and dosages to be taken.  We already have RFID technology in our passports, our travel passes, even our clothes (though primarily for stock control reasons rather than intended tracking).

But privacy is a real concern.  Given the sensitivity of some of the data to be collected, it is alarming to read that the default security settings on these devices are often very weak, making it straightforward for hackers to break into devices.  This has been amply demonstrated already:

‘Smart’ Devices Send out Spam emails …

Between December 23rd 2013 and January 6th 2014, about 750,000 spam messages were sent out by smart gadgets.  The malware involved was able to instal itself on a range of kitchen appliances, home media systems and web-connected televisions.  It was able to do so because the gadgets had not been set up securely, used default passwords, and the owners were unaware of the potential for security issues – if they even knew the devices carried RFID tags.

Privacy and Security

Data Compliant Cloud considerationsBusinesses must be mindful of the consumer’s privacy and security when they develop products that can gather and share data about what they, their owners, and other, linked “smart” products do.  This new technology will be collecting private, and sometimes deeply personal and sensitive data about the owners who may be wearing the technology or installing it in their homes.

Currently it seems that companies are storing data from these smart devices onto the cloud, without necessarily informing the consumer or giving them a choice.  Even with the antiquated Data Protection legislation currently in place, if such data would allow individuals associated with that data to be personally identified, that must be a breach of the DPA.

There’s no doubt that becoming compliant and secure in the RFID environment will be much simpler for businesses if they start the process at the very beginning of the technological developments.  They would also be well advised to make their compliance and security solutions scalable to avoid significant problems in the future.

The EU Directive on the Protection of Personal Data states that a person must freely give specific consent and be informed before their personal information is processed.  EU Member States are required to ensure confidentiality of communications by prohibiting unlawful interception and surveillance of personal information unless consent has been provided.

This suggests that using RFID chips unleashes serious privacy implications.  To remain compliant with EU data protection legislation, organisations should make it absolutely clear that:

  • The merchandise includes RFID tags
  • Whether the user’s data will be will be collected and stored by the organisation
  • What data will be collected
  • How the data will be used

 

EU RFID Technical Standards

RFD-Blue-1bAt the end of July, the European Commission has put out a series of recommendations to protect consumers from privacy risks associated with RFID chips.  Viviane Reding, former EU Commissioner said: “While smart chips working with RFID technology can make businesses more efficient and better organised, I am convinced they will only be welcomed in Europe if they are used by the consumers and not on the consumers. No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice of removing or switching it off at any time. The ‘Internet of Things’ will only work if it is accepted by the people.”

Privacy Impact Assessments

While the sentiment is admirable, it has, until now, been difficult to see quite how it is enforceable.  A good starting point, however, is that an RFID Privacy Impact Assessment has been agreed, which should ensure data protection within current EU privacy regulations.

rfid logo

RFID Logo

In the meantime, the European Commission’s new RFID logo has been developed for items that include RFID tags so that individuals will know that they are carrying items that can be tracked – eg Oyster cards, fashion items, wearable technology and so on.   Unfortunately the scheme is voluntary, which means that businesses are not obliged to use the logos.

The Future

RFID items are increasingly widespread and popular – the technology is cheap and efficient, retailers find it enormously helpful from a stock control perspective, consumers find it useful.  It will be fascinating to see how the development of RFID products impacts on our lives, our privacy and our security.  Perhaps we’re not so very far away from the world envisioned by EM Forster back in 1909 – long before the internet and all its trimmings were in place.

As Shakespeare so tellingly put it:  “O brave new world that has such people in’t”

Big Data and the Data Protection Act

1 Reply

big data privacyBig data is a big issue for organisations across the world.  Businesses, governments, health organisations, analysts and scientists are all looking at the opportunities to be gained from using big data.

Another big issue is the matter of individuals’ privacy and data protection. The EU data protection principles are already established throughout the member states, and in the UK we have the Data Protection Act, which is regulated and enforced by the ICO.

So what is big data?

I first wrote about big data in 2012.  Analyst Doug Laney described it as being three-dimensional – a combination of volume, velocity and variety.

It probably began when customers started shopping over the internet.  Businesses started to save and analyse data from clicks, searches, registrations, purchases and so on. Then came social networks where individuals post personal and business information about themselves, hold conversations with their friends, family and colleagues, post updates and opinions, store their photographs and music and films and videos in the cloud…

This technology is continuing to develop at speed, while big data analysis and algorithms are becomng ever more sophisticated.  As a result, big data’s relationship with data protection and privacy regulations is becoming a serious and significant issue.

Big Data and the Data Protection Act

Of course, not all big data actually uses personal information.  For example, researchers analysing data from particle physics experiments at CERN’s Large Hadron Collier sift through approximately 16 million gigabytes of data every year.  This is hardly a serious threat to individuals’ privacy.

On the other hand, businesses using data from social media, in combination with sales transactions and loyalty cards does indeed use personal data, and in this case the Data Protection Act (DPA) comes into force to protect the individual.

Regardless of whether or not we think the DPA is adequate to protect individuals against organisations working with data, it is the only legislation we have.  And the ICO has just produced a report suggesting a number of areas where organisations must be mindful of their big data regulatory responsibilities:

  1. Fair processing: Where big data is used to make decisions affecting individuals, a key requirement is that such processing – including the initial collection of that individual’s data – is fair and transparent.  A clear explanation of why the data is being collected (the Purpose) and, where necessary, consent of the individual to that purpose is a key element in the compliant use of such data.
  2. Consent: any consent must be ‘freely given, specific and informed’.  People must be able to understand how their data is to be used, and there must be a clear indication that they have consented to such use. If an organisation is relying on consent as a condition for processing big data, it is important that the data subjects have a clear choice and are able to withdraw their consent if they wish. Otherwise, the consent does not meet the requirements of the DPA.
  3. Repurposing: where data has been collected for one reason, and is now being used for a completely different purpose, then the organisation needs to make its users or customers aware of this – most particularly if the data is being used for a purpose that the individual could not reasonably have expected at the time the data was initially collected.  In this case, where consent is relied on, consent is required.
  4. Excessive, relevant data: using all the available data for analysis might be expected to contravene Principle 3 of the data protection act which states that data must be adequate, relevant and not excessive.  An organisation must be clear from the outset what they expect to learn or do by processing all the data.  They must also be in a position, if necessary, to demonstrate how they have satisfied themselves that the data they are using from perhaps a multiplicity of sources is relevant and not excessive.
  5. Security: organisations using personal data should always be mindful of security and the potential for data security breaches.  The use of big data is no different in this respect – but the number of new datasets that may be acquired in combination with the existing data used may make the security issues a little more widespread, and will require robust risk assessment and risk management policies and procedures.
  6. Anonymisation: if data is correctly anonymised it will no longer be considered personal data and will therefore not be subject to the DPA.  However, when using the multiple data sources associated with big data analytics, achieving genuine anonymisation can be difficult to achieve and the ICO advises organisations to carry out a robust risk assessment of the risk of re-identification, and provide solutions proportionate to the risk.
  7. Privacy Impact Assessment (PIA): a PIA is an important part of being compliant as it helps gain an understanding of how the processing will affect the individuals concerned.  For example, there is a difference between using personal data to identify general trends, and using it to make decisions that affect those individuals.
  8. Long-term use: using big data for analytics does not waive the requirement that data should be kept only for the period required for the stated business purposes.  If a business wants to hold the data for long-term use, the reasons must be articulated and justified.
  9. Subject access: don’t forget that people can request to see the data you are processing about them.  When using big data, systems can become complex and unwieldy making such requests difficult, time-consuming or expensive to fulfil.  Keeping the system simple will obviously benefit the organisation.
  10. Third parties: if data has been purchased from a third party in order to run its big data analytics, the purchaser becomes the data controller for the purchased data.  It is now responsible for ensuring it has met the DPA’s conditions for further use of that data, and, if it is relying on the original consent obtained by the supplier, then the purchaser must ensure that this is adequate to cover its further processing requirements.

In summary

When using big data, always make sure you comply with the DPA.

Don’t be secretive, deceptive or misleading.  Make sure you obtain appropriate consents as required.  Explain clearly what you’re doing with big data to your users, your customers and those from whom you’re collecting data.  And make sure the information is utterly transparent.  It’s also worth being creative about how you tell them what you’re doing, by finding, describing and providing visible benefits that they will appreciate.

If you have any compliance or security questions on your own use of big data, please contact victoria@datacompliant.co.uk or call 01787 277742. Data Compliant offers the following services:

Services

Data Protection and the ICO

Leave a reply

Data privacy

Data Protection Complaints 2013 – 2014

Yesterday I read that the Information Commissioner’s Office handled 259,903 calls to its helpline and has resolved 15,492 data protection complaints last year. This is an increase of 10% over the previous year.  And here’s another staggering figure – the ICO received 161,720 reports from people about spam texts and nuisance calls.

Half the total complaints received related to “subject access”, with a range of organisations about whom complaints were made, including lenders, local government, educational providers and local health providers.

The importance of data protection in business

Organisations and businesses can no longer ignore the importance of data protection governance, compliance and security – they now have no choice but to understand and meet their regulatory requirements to avoid the penalties of non-compliance.  Last year’s attitude to and handling of ‘subject access requests’ is a perfect illustration of the current complacency seen among some data users.

The sheer volume of personal data being collected physically and digitally every day is multiplying at an extraordinary rate and organisations are continuing to find ever more complicated ways of using data.  Use of big data continues to develop with organisations trying to navigate their way through woefully outdated legislation.

The importance of the ICO

As a result, the data protection challenges to business, the consumer and the ICO are spiralling. It’s increasingly important for the data subject to know that a strong, independent body – which means the ICO – can be trusted to keep watch and offer protection.

With this increase in volume and demand, it’s hardly surprising that the ICO is calling for greater powers, greater independence, and additional funding.

Funding is a particularly difficult area as the EU data protection reforms currently propose the removal of the notification requirement and accompanying fees that fund the ICO’s DPA work. Lack of funding will inevitably give rise to cuts in the services provided by the ICO – for example, it has no legal obligation to provide a helpline, and reduced funding makes it unlikely to be able to continue to handle its current – let alone future – volumes of calls a year.

So it’s absolutely vital not only to individuals but also to businesses, organisations, government and the ICO itself that necessary resource, funding, independence and evolving powers are provided to allow the Information Commissioner to continue to protect, update and enforce data protection legislation.

ICO’s internal data security breach

However, it is somewhat unfortunate that at the time the ICO is asking for greater funding, independence and stronger powers, they are also admitting to their own “non-trivial” data breach. The incident was treated as a self-reported breach and was apparently investigated and treated no differently from similar incidents reported to the ICO by others. After an internal investigation the ICO concluded that the likelihood of damage or distress to any affected data subjects was low, and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.

However, later information suggests that this breach is now linked to a criminal investigation. So the breach investigation has not, seemingly, been closed.

Data Compliant

Services

If you have any concerns over data protection compliance or security, don’t hesitate to get in touch – call 01787 277742 or email victoria@datacompliant.co.uk

 

 

Data Compliance and Cloud Computing

Leave a reply

It’s clear that the innovative and accessible technical services provided by cloud computing are increasingly being selected and used by businesses.  And there are good reasons for doing so – not least accessibility, cost, reliability, resilience, and innovative products.  However, there are also risks to data protection which data controllers need to consider and be sure that such their cloud processing activity complies with the Data Protection Act.

What is cloud computing?

Cloud computing covers a broad range of services and technology, but the Information Commissioner’s Office (ICO) defines it as:

“access to computing resources, on demand, via a network”

To explain:

Resources include storage, processing, software

On Demand simply means that the resources are available to the customer or user on a scalable, elastic basis, typically through virtualised resources

Via a Network refers to the transit of data to and from the cloud provider, which may be over a local or private network, or across the internet.

The Data Protection Act (DPA) and Cloud Computing

All operations involving personal data that take place in the cloud – including storage – must comply with the DPA, and it is the data controller who has ultimate responsibility for that compliance.

However, if layered cloud services are being used (eg different cloud providers of software, platforms or infrastructure) then it’s quite possible that there will be a number of data controllers and data processors working together to deliver services which included processing personal data.

The cloud customer is most likely to be the data controller, and will therefore have overall responsibility for complying with the DPA.  However, depending on precisely the role of the cloud provider, the customer must assess whether the cloud provider is simply a contracted data processor or is, indeed, a data controller in its own right – which may be the case if a cloud provider in any way determines the purpose(s) for which the personal data are to be processed. In this case the cloud provider will be responsible for its own data protection compliance.

12 Cloud-specific DPA Considerations

Data Compliant Cloud considerationsThere are some specific considerations for data controllers who have moved or are considering moving personal data to the cloud.  Below are twelve:

  1. What personal data is to be processed (and how) in the cloud, and what are the inherent data protection risks
  2. What steps can be taken to mitigate those risks (eg authorisation protocols)
  3. Who is the data controller
  4. What additional personal data may be collected in the cloud (eg usage stats, transaction histories of users and other such ‘metadata’)
  5. Does the cloud customer’s privacy policy provide adequate information about processing data in the cloud
  6. Does the cloud customer need to run a privacy impact assessment to identify any privacy concerns and address them from the beginning of the process
  7. Does customisation of an existing cloud service cause any additional privacy risks
  8. What monitoring, review and assessment requirements between cloud customer and cloud provider should be put in place to ensure the cloud service runs as expected and to contract
  9. What commitment does the cloud provider have to keep the cloud customer informed in the event of changes in the chain of sub-processors taking place during the provision of the cloud service
  10. A written contract is required by the DPA between the data controller and the data processor – beware of a cloud provider which offers terms and conditions with no opportunity for negotiation.  The risk that those terms and conditions may subsequently change needs to be taken into consideration.
  11. The data controller is responsible for the security of its data processor – assessment of the security of the cloud provider is mandatory
  12. Data outside the UK / EEA – the data controller must check the countries where data is likely to be processed and satisfy itself that the relevant security arrangements are in place

8 Essential Policies and Processes

Cloud with lock on white background. Isolated 3D imageAny business will benefit from formal, documented policies and procedures.  Having made a decision to use cloud services, there are some specific requirements that are particularly important from a personal data compliance perspective:

  1. Access control – the data is, by the nature of cloud computing, accessible from any location – home, the office or on a range of devices.  Sufficient measures need to be put in place to prevent unauthorised access to the data
  2. Authentication processes – to verify that a cloud user is authorised to access the data
  3. A system is required to create, update, suspect and delete user accounts
  4. Leaver protocols need to be put in place
  5. Data retention and deletion policies are required – consider your cloud provider’s deletion issues across multiple locations and back-ups
  6. Cloud provider access policies need to be in place for occasions when the cloud provider needs access in order to provide services
  7. Staff training on cloud processes and controls is required to maintain the security of the cloud service
  8. Regular audits of procedures and policies in place will help ensure ongoing compliance

The cloud is here to stay.  If you’d like any information or have any concerns about your own cloud provider contracts, policies or compliance issues, please don’t hesitate to contact us:

victoria@datacompliant.co.uk

01787 277742

Data protection breaches make great news stories …

Leave a reply

breach and bad publicity June 2014

I read today that the BBC is in trouble for “lack of transparency” after it apparently rejected 17.9% of requests for information under the Freedom of Information (FOI) Act, and answered fully only 35% of FOI requests.

Bad press causes rise in volume of FOI requests

Much more interesting to me is the information that the number of FOI requests received by the BBC rose by almost a quarter to just under 2,000 during the 2-year period from 2011 and 2013.  The timing of the rise directly coincides with various scandals including the Jimmy Savile investigation, the profligate spending of £100 million on the disastrous digital archive project and the uproar over the extravagant pay-outs to departed senior executives.  Not, I think, a coincidence.

All publicity is good publicity …

Some claim that all publicity is good publicity. This is simply untrue.  Take data breaches for example. The frequency of data compliance and security breaches is leading to growing press interest and coverage, which in turn is rapidly educating the general population – ie the data subjects (and that’s you and me). And when huge players like eBay and Morrisons are affected – well, breaches of that magnitude become a dripping joint to the media.  The news spreads like wildfire, causing further lack of confidence that big companies have any respect for our privacy or personal data.

So as data subjects, we are more likely than ever to demand that organisations account for the way in which they handle and use our personal data; and to take steps to understand the data held about us and how it is used.  Subject access requests are a case in point, and a well-publicised data security or compliance breach inevitably results in increased subject access requests.

Worse yet, many businesses still don’t know what their legal obligations are once a subject access request is received – which means they run the risk of a further potential breach.

Subject Access Requests (SARs)

Individuals are perfectly entitled to request a copy of the personal data an organisation holds on them.  Once an SAR is received, generally the organisation has a maximum of 40 days to respond and provide the information.  Most business can charge a fee of up to £10 for provision of the data – more complex requests, such as those received by schools and the NHS use a sliding scale up to a maximum of £50.  Every company should have a documented Subject Access Request policy, and keep records of SARs received, and the way – and timescale – in which they have been handled.

If you have any concerns about SARs specifically, or your data governance, data compliance or data security in general, we’ll be happy to have a chat or answer your queries.  Just call us or email victoria@datacompliant.co.uk