More delays to the European Data Protection Regulation?

Leave a reply

European Data Protection RegulationIt is becoming increasingly difficult to say when the European Data Protection Regulation will come into force.  The legislation is currently at the point where three-way negotiations need to take place between the Justice and Home Affairs Ministers, the European Commission and the European Parliament to finalise the text .  It was broadly anticipated that the draft EU Data Protection Regulation would be passed later this year, making it law in the UK by 2016.

However, the recent European elections and new parties now represented in the European Parliament may impact the timescale of the passing of the Regulation and delay it even until early 2015, in which case it would become UK law in 2017.  The new Parliament now needs to elect the MEPs to take part in the three-way negotiations, and reappoint members to its various committees etc to reflect the changes in party strength.

One of the interesting issues is that Viviane Reding has just been elected as MEP.   In her role as Justice Commissioner, she has been an extraordinary force for the development and implementation of the DP Regulation.  But as an MEP she will need to step down from her current role, and there is no guarantee that the new Justice Commissioner will be as driven in terms of getting the legislation passed.

So it is somewhere between difficult and impossible to determine when the European Data Protection Regulation will come into force in the UK, but it is increasingly unlikely to be before early 2017.

What has been clear since March, however, is that the legislation is coming, and businesses will benefit from being ready for the changes that it will bring.  If you’d like any help assessing your readiness for the upcoming legislation, please contact Data Compliant on 01787 277742

Data Security – Microsoft Office XP and 2003

Leave a reply

8 April 2014On 8 April 2014 , office support for Microsoft’s Windows XP and Microsoft Office 2003 will come to an end.  Not the end of the world, you’d think, but if your organisation keeps personal information on those versions, this is a significant problem.

Though PCs will continue to run, the issue is that Microsoft will not be providing any further updates or fixes to these products. This means that in the event of any security flaw, your system will be vulnerable, and so in turn will any personal data you hold.

It is inevitable that, over time, attackers will increasingly find the vulnerabilities within these products, which will provide them with more and more opportunities to access and manipulate your systems.  To prevent the risk of personal data breaches in these circumstances, the best advice is to migrate to a supported system before the deadline of 8th April.

It’s not just Microsoft where stopping system support is an issue – the same is true of other providers who do not support their systems.  So it’s well worth making sure that you and your organisation have ‘appropriate technical organisational measures in place to keep individuals’ personal data safe.

Failure to do so puts you in breach of the Data Protection Act, and the ICO has the power to levy a fine of up to £500,000 to any organisation whose failure to comply with the DPA has led to serious issues of data security.

The size of fine varies enormously depending on the scale and potential damage caused by the breach.  For example the ICO has recently fined the British Pregnancy Advice Service £200,000 after a hacker obtained thousands of individuals’ personal details due entirely to poor data security.  And, on a smaller scale, the owner of a loans company, Jala Transport, was fined by the ICO after his car was broken into.  The thief stole £3,600 and a hard drive. Even though the hard drive was password protected, the data within was not encrypted and it included customers’ names, dates of birth, payments made, and the identity documents provided to support the loan application.  His fine could have been as high as £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

In both cases, the breaches were perpetrated by a malicious third party.  But it was the lack of the businesses’ security and protection of the personal data that was the root cause of the fines. This is why it is so important that companies remain ready for the security issues which will inevitably arise when their service providers switch off support – whether the provider is Microsoft or another.

Data Compliant helps businesses build policies and processes to enable them to become and remain secure and compliant both in terms of systems and governance – if you have any concerns over your data security, don’t hesitate to contact us on 01787 277742 or email tony@datacompliant.co.uk

Electronic Communications – ICO Updates March 2014

Leave a reply

Last week, the Information Commissioner’s Office issued PECR guidelines with updates that are very much in line with the presentations they gave at the ICO conference on March 3rd. The changes impact marketing in two key areas:

Time Limits for Consent – the new guide states that there is “no fixed time limit” in relation to the validity of consent between consent being obtained and the first contact being made.

Essentially, the period between consent and first contact depends on two main areas

  • the expectation of the customer
  • the context under which consent was obtained.

The new PECR guidelines reflect this interpretation stating:  “consent … will remain valid as long as it is still reasonable to treat it as an ongoing indication of the person’s current wishes.”  At the conference, the ICO stated that, for example in the case of annual renewals, “it is reasonable that consent may be relied upon 12 months after consent was obtained”. However, during the same presentation the ICO categorically stated that they do not accept the concept of indefinite 3rd party consent.  This position is included within the new guidelines by “…even if consent is not withdrawn, it will become less reliable as time passes.”

Third party mailing list – there is a tricky area within the whole area of use of a third party mailing list for emails, texts and automatic telephone calls.  PECR requires that the customer has notified the data user that he or she consents specifically to the user’s message.  Indirect consent, of course, does not meet that requirement as the consumer has not notified the data user – he or she has notified a third party.

Although it is best practice to send marketing texts or emails only where you have yourself obtained consent, the ICO has made it clear that use of third party mailing lists can be acceptable, as long as:

  • the third party has made absolutely clear and transparent the use to which the data is to be put.   “In essence the customer must have anticipated that their details would be passed to you and that they were consenting to messages from you. “
  • you as the data user are cautious and carry out due diligence, seeking evidence that consent covers your organisation and the medium through which you want to communicate – email, text and automated calls each require specific consent for that specific communication channel.

Within the ICO, there is a small team investigating PECR breaches and taking appropriate complaint-based actions, which range from civil monetary penalties,  enforcement orders, criminal prosecution, and publication of who has been prosecuted and why.  

At the Conference, the ICO shared information on the number of PECR investigations which are taking or have taken place.

To date 296,000 concerns have been reported, as a result of which just 7 monetary penalty notices have been served.  In addition, there have been 11 formal undertakings, 19 enforcement notices and – as at 3 March – there were 79 investigations ongoing. 

The number of fines is low because ,in order to levy a monetary fine, “substantial damage” must  be caused by the breach – and the impact of a text message is not generally enough to trip businesses into the area of monetary penalties.
There is a proposal to lower the PECR threshold, and the expectation is that we can expect to see some sort of legislative change by the end of the year.

It is clear from the seriousness with which the ICO treats PECR breaches, that the ICO, like the recently approved EU Data Protection regulations, is trying to put the individual back in control of their own data.  And, for those of us who believe that targeted ‘one-to-one’ marketing is the way to the future, surely making sure that a prospect really wants to receive your message is not such a bad thing?

If you have any concerns over the changes to PECR guidelines, or would like to discuss your business’s personal data compliance and security, please call us on 01787 277742, or email victoria@datacompliant.co.uk

EU Parliament votes in favour of Data Protection amendments …

1 Reply
EU Parliament DP regs vote

EU Parliament DP regs vote

The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee.  An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).

What does that mean to UK businesses? 

Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.

However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.

The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.

Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blogs

BUSINESS ADVANTAGES

While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.

A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws.  According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.

One-stop-shop – under current legistlation, a business is subject to the national data protection authority in each and every country in which it operates.  The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.

While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country.  The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction.  This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.

Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within.  Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field.  In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.

BUSINESS DISADVANTAGES

However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:

Right to erasure  – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but must pass that request on to other businesses where the data is replicated. Thjis amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines.  However, the right to erasure does not apply where there is a legitimate reason to keep data within a database.  And the right to erasure may not encroach on the freedom of expression and information of the media.

Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data.  Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.

However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”.  The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data.  If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.

This is likely to have a significant impact businesses – research from fast.map shows that just 30% of consumers today are likely to opt in compared to 51% choosing not to opt out.  Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided.  It is also noteworthy that, from the same research, currently 40% of people state they will provide information in return for something they perceive to be of value.  Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.

Profiling – the use of profiling is widespread among UK businesses and direct marketers.  The EU regulations state that data subjects are required to be provided with a clear explanation of any profiling.  There is even provision to ban profiling entirely in those circumstances where profiling affects fundamental rights or causes potentially discriminatory results such as race, religion etc).  The impact of this on financial services organisation or those who use credit checking is likely to be inconvenient at best.

Data Protection Officers – The LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data in relation to more than 5,000 data subjects within any 12-month period. And even where an organisation processes under 5,000 individual records but those records include sensitive personal information such as children’s personal information, then they too must also appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.

Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue.  Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.

Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape.  Although the new legislation is not expected to be in place before 2016, and it may possibly lapse to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.

If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.

NHS Data Sharing – why the delay?

Leave a reply

iStock_000006820636Medium

It’s good to see that common sense has prevailed, and the roll-out of care.data has been deferred until Autumn – primarily, it would seem, to allow time to make absolutely certain that all patients have been made aware of the plans to do so.

The media, privacy lobby groups and, most notably, both the ICO and The Royal College of General Practitioners flagged their concerns that communicating the NHS data sharing plans with patients had been inadequate, leaving many individuals throughout the country unaware either of the plans to share their sensitive, confidential patient data, or indeed of their right to refuse to participate (see more here about how and why your patient data is to be held in a central NHS database).

There has been some attempt to inform the public – primarily by GPs (mine was excellent, providing information and opt-in / opt-out forms with repeat prescriptions; issuing leaflets and showing posters in the surgery; and showing information on the website ).  The NHS distributed some 22 million leaflets which were apparently delivered in January / February, but there has been a great deal of criticism of the leaflet’s creative approach, which has been described as bland … appalling … one-sided … and more.  I have to say, I never received it … or if I did, I threw it away unread on the assumption that it was “junk mail”.

I was interested to read what the Royal College of General Practitioners think, and of their own strong desire that GPs, patients and the nation are all properly informed and able to make their own decision whether to support the development of the NHS database or opt out. http://www.rcgp.org.uk/news/2014/february/college-welcomes-decision-to-delay-care-data.aspx

On the subject of making people aware … I find it quite fascinating to watch the government’s delight in using broadcast channels like TV and radio to promote themselves when it suits them.  Yet they seem curiously reluctant to use these same channels to inform the public of an issue as significant and important as the sharing of our own sensitive and confidential medical data.

However, it is quite clear that the NHS must now decide how it will ramp up its communication campaign before the Autumn in order to satisfy the public, the ICO, the RCGP and the media.  Only then will it be possible for the launch of care.data to take place.

Data Compliant Ltd provides advice on data compliance, data security, and runs training classes and workshops.  If you or your business have any concerns over your data being compliant and secure, please contact Michelle or Victoria.  

victoria@datacompliant.co.uk                        michelle@datacompliant.co.uk

 

Delays to the EU Data Protection Regulation …

Leave a reply

iStock_000025602036SmallThere has been little progress on the draft EU Data Protection Regulation since October.  However, the Greek Government took over the Presidency of the Council of the European Union in January 2014, so it is now up to them to progress this legislation.

It is clear that delays are inevitable. Even if the draft is agreed at the Justice and Home Affairs Ministers Council meeting in June, the process then continues with three-party negotiations between Justice and Home Affairs Ministers, the European Commission and the European Parliament.

That process is unlikely to start before the autumn, which would mean that the EU Regulation must be delayed until the end of this year or, more likely, until early 2015.  This will delay the law coming into force until the end of 2016 at the earliest, and more likely in 2017.

Three aspects of the new legislation that we have not covered in previous blogs are:

·         International Data Transfers:  this is a new certification programme which will allow data controllers and processers to apply for certification under The European Data Protection Seal. The certificate will be gained through an audit of data processing activity and certification granted by data protection authorities or accredited third parties.  The European Data Protection Seal will enable legitimate transfers of data outside the EEA to recipients who also hold a Seal.

·         Data Protection Officers:  though still in the draft stage, it is clear that firms will be encouraged or required to appoint data protection officers (DPOs) to ensure an organisation uses, controls and processes data compliantly, nationally and / or globally.  There are 500 million citizens within Europe, and currently, a DPO is to be appointed if an organisation processes data on more than 5,000 individuals per annum.

·         One Stop Shop continues to be a subject of fierce debate.  It is significantly different from current legislation where a business is always subject to the data protection authority in each and every country in which it operates.  Under the new One Stop Shop rule, a business which operates in several of the EU Member states would only be subject to the national data protection authority in the country where its Head Office is based.

The debate relates to citizens’ human rights – any data protection complaint made against a company whose head office location is in a different country, will mean that individuals must complain to their own national data protection authority, who will then pass it onto the authority in the relevant country.  This complexity will make it difficult for individuals to complain simply and effectively, and argument rages over whether and to what extent this might undermine human rights.

If you are concerned about how the new European legislation might affect you or your business, don’t hesitate to get in touch with Victoria or Michelle on 01787 277742.  Or emailvictoria@tuffillverner.co.uk  or michelle@tuffillverner.co.uk

Safe Harbor – how does it work?

1 Reply

safe harbor pic

The Data Protection Act 1998 prohibits the transfer of personal data to non-European Union countries unless those countries meet the EU “adequacy” standard for privacy protection. Although both the US and EU profess to similar goals of protecting individuals’ privacy, their actual approaches are quite different.

As a result, the US Department of Commerce consulted with the European Commission, and developed the “Safe Harbor” framework – a cross-border data transfer mechanism that complies with European data protection laws and allows businesses to move personal data from the EU to the United States.  There is a similar but separate framework between the US and Switzerland.

To join the Safe Harbor framework, a company self-certifies to the Department of Commerce that it complies with seven data privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and that it meets the EU adequacy standard.  This self-certification needs to be renewed annually.  If a company fails to complete the annual re-certification process in time, the organisation’s certification is changed to “not current”.

The Federal Trade Commission addresses any violations – indeed on 21st January 2014, the FTC identified twelve companies who claimed in their marketing material that they currently complied with the US – EU Safe Harbor Framework, but who had allowed their certification to expire.  The twelve companies range from technology, consumer products and accounting – as well as National Football League teams.

To “set an example” and to help ensure the ongoing integrity of the Safe Harbor framework, the twelve companies have been prohibited from misrepresenting the extent to which they participate in any privacy or security programme sponsored by the government or any other self-regulatory or standard-setting organisation (including the Safe Harbor Framework).

It is worth noting that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking in that an organisation must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbour Frameworks for as long as the organisation stores, uses or discloses the data, even if the organisation has left the Safe Harbor.

There is a Safe Harbor list, which anybody can check to verify an organisation’s status:   https://safeharbor.export.gov/list.aspx

If you are planning to transfer data between the EU and the US, and would like us to help you, just call Michelle or Victoria on 01787 277742 or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk

NHS … patient data … what’s next?

1 Reply

According to the ICO, there were 388 data breaches relating to health data in the first nine months of 2013.  That is 34% of all the data breaches in the UK during the same period, and the proportion has increased from 27% at the end of March to 38% by the end of September 2013.  The chart below compares the number data breach levels by industry sector over the same period.  Given the sensitivity of the health data held by medical organisations in this country, those are shocking statistics.Data breaches by sector to Sept 30 2013

Centralised medical records database

Despite this poor track record, very soon the NHS is going to combine all our medical records into one massive database. Every GP practice in the UK will shortly begin to disclose their patients’ personal and sensitive data to care.data at the Health and Social Care information Centre (HSCIC).  The process is monthly, automatic, and assumes patient consent unless patients actively opt out – which is not necessarily a simple process.

nhs databaseSo what does this mean to patients?  Essentially, personal confidential data (PCD) such as family history, vaccinations, diagnoses, referrals, blood pressure, BMI, cholesterol and NHS prescriptions and more will be extracted from GP systems and shared with care.data.

In order to match data from the GP surgeries with data acquired by the HSCIC from other sources (such as hospitals) identifying data such as data of birth, postcode, NHS number and gender will be included within the data extracts.  Once matched across all the data sources, the data is pseudonymised (ie identifying characteristics are removed).

Once an individual is flagged as “deceased” no further data will be collected – though the data already provided will continue to be processed by the HSCIC.

medical data chartsWhat are the benefits?

If it were possible to trust the security and intentions of those collecting the data, there are some fantastic potential benefits, for example improved patient care; the effective prevention, treatment and management of illness; hospital performance, management of NHS resources; or the analysis and understanding of specific treatment benefits; even planning new health services.

What are the risks?

The poor track record of the NHS in terms of protecting our medical data is alarming and raises concerns over confidentiality of our medical records.  In addition, there are increasing numbers of private companies who provide services to the NHS, from physiotherapists to care homes; from private hospitals to insurance companies.  Members of the public are likely to be uneasy about private companies benefiting from their health data, and equally concerned that their GP will no longer be the “gatekeeper” of their confidential medical data.

Furthermore, although the data will be pseudonymised, single-minded analysts may undoubtedly try and will probably succeed to some degree in finding a way of matching the data against other commercial data sets to “re-identify” the individuals.

Who can use the data?

The data can be released for five listed reasons:  health intelligence, health improvement, audit, health service research and service planning. That’s a pretty broad spectrum, and it is evident that the number and range of potential customers for this centralised database of our medical records is enormous.

For example, how long it will be before insurers persuade the HSCIC that it is to the benefit of the health and social care system that they should model and predict medical claims rates based on the UK’s centralised medical database, and use the findings to price their medical insurance policies accordingly.

Can GP practices opt out?

Doctor Data ControllerThe Health and Social Care Act 2012 creates a statutory obligation for GP practices to disclose the information as directed.  GPs are unable to refuse to do so as such refusal would put them in breach of the statutory requirement.

But because the GP practice is actually the “data controller” of their patients’ confidential medical records, GP practices are also responsible for ensuring that their patients’ personal and sensitive data is handled fairly (as defined under the Data Protection Act 1998).

So it is up to GPs to ensure that patients are aware that their data will be shared with the HSCIC, that the HSCIC has powers to extract personal confidential data, and, arguably, what the HSCIC intends to do with the data.

And if a patient claims they were unaware that their data was to be shared, it would be the GP practice who would be investigated by the ICO.

The GP practices remain data controllers of the data they hold within the practice, but are no longer responsible for the data once it has been disclosed to the HSCIC.  Instead the HSCIC and NHS England become joint data controllers who are obliged to comply with the Data Protection Act.  NHS England will determine the “Purpose” for the data collection, while the HSCIC will determine the manner of processing.

How do patients opt out?

Normally one would expect the sharing of data of this sensitivity and confidentiality to be subject to patient opt-in, rather than the NHS assuming consent.  However, the Health and Social Care Act 2012 empowers the HSCIC to require providers (eg your GP practice) to send it personal confidential data when directed to do so.  And the Act overrides the requirement to seek patient consent.

A patient can inform their GP of their wish to opt out, and no reason is required.  It is worth noting that the right to opt out has been implemented as a constitutional rather than a legal right.  Having opted out, it is up to the GP practice to ensure that the right code is appended to the legal record.

However, the patient has no right to prevent his or her medical data leaving the GP practice if such data carries no identifiable information as this is anonymous data rather than personal data.  The question, really, is what is “identifiable information”?  It is DOB? Arguably in some circumstances, it may be.  And surely an NHS number is identifiable information.

The Secretary of State for Health has given a commitment that individuals’ objections to disclosure ot the HSCIC will be respected in “all but exceptional circumstance” (for example, a civil emergency).

Is the process compliant?

You could argue that this data sharing activity defies the second principle of the Data Protection Act:  “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes”.  In my view, you don’t talk to your doctor about a medical condition for any purpose other than to have him solve – or try to solve the problem for you.  And while that may include prescriptions, or visits to consultants, hospitals and clinics, making our medical records data available to commercial organisations cannot possibly be considered the “Purpose”.

Data Compliance October Round-up

1 Reply

What’s happening in Europe … and beyond?iStock_000025602036Small

Update 28.10.13

The new date for implementation of a proposed new data protection regulation (DPR) – has been pushed back to “by 2015”, thanks in part to David Cameron’s efforts to protect the interests of UK business.  Germany were also supportive though Merkel’s reasoning was slightly different “… to ensure that it can reconcile the existing rights of its citizens.”

23.10.13

On 21st October, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation.  Still a long way from being complete, but the latest from Europe is:

1. Pseudonymous data now has its own definition – currently “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.

2. Data Protection Officers:  a data controller or processor must appoint a Data Protection Officer when processing personal data relation to over 5,000 data subjects in any consecutive 12-month period.  Also where the core processing activities relate to processing location data, children’s data, sensitive personal data, or employees in large scale filing systems.

3.  A new concept has been introduced – a European Data Protection Seal -a certification process which allows international data transfers outside the EEA to recipients that also hold a Seal.

4.  Right to erasure:  the right of data subjects to have their personal data erased if requested is still in the draft (originally “right to be forgotten”).  And it’s been strengthened – if the data subject asks a controller to erase his data, the company should also forward the request to others where the data is replicated.

Pulling NSA’s teeth …

Spheres of monitors with eyeballs in a curved field of blue digiThe Compromise text had some other changes, including new data protection rules designed to curb America’s spying activities.  The intention is to make US secret court orders powerless, and to force companies based outside the EU, like Google and Facebook, to comply with European data protection laws if they operate in Europe.  Powers to levy fines running into billions of Euros are being made available to discourage violation of the new rules.

For example, if a third country’s court, tribunal or other administrative authority requests a company (such as a social network or cloud provider) to disclose personal data processed in the EU, that company must notify the data protection authority and obtain their authorisation before any such data transfer can be made.

This step is largely due to Edward Snowden’s information about the American companies, platforms and social networking sites which have been forced to share substantial volumes of EU citizens’ personal online data (from emails and phone calls to video chats and web searches) with the National Security Agency (the US intelligence organisation which collects, monitors, decodes, translates and analyses foreign intelligence and counterintelligence information and data).

The third country issue has been ongoing since January 2012, when the proposed reform to the law was dropped after intense US lobbying.  It now seems clear that the EU has had enough, particularly since the revelations that the NSA systems collected – in the single month from February 8th to March 8th – 24.8 billion telephone data and 97.1 billion computer data from across the globe – including UK, Germany and France.

In addition the French are aggrieved that, from December 2012 to January 2013, the NSA were reported to have made 70.3 million recordings of French individuals’ telephone data.

While the NSA is known to collect and store all phone records of all American citizens, their profligate global approach to privacy is clearly unacceptable, and Europe has taken steps to limit their – and other agencies and countries’ – powers.

So now it’s just the simple matter of balancing the need to combat terrorism versus people’s protection of the rights to privacy.  Which makes it hardly surprising that this legislation is taking so long with a record-breaking 4,000 amendments so far.  It is thought that there is a less than 50% chance of the new regulations going through in the time-frame, though final legislation is still anticipated before the European elections in May 2014.

India’s Draft Privacy Protection Bill

Abstract internet security illustrationThe issue of data protection in India has been generated for a number of reasons – not least, Europe’s concerns given the sheer volume of personal data that is transferred to India.  Also, within India itself, there is concern among Indian citizens in relation to the combination of the use of personal identifiers (including biometric data) and extensive individual profiles.

India has been holding a set of roundtable talks since April 2013, with the goal of generating recommendations for a privacy regulatory framework.  The last of those talks was held on October 19th between the Center for Internet and Society, the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. Christopher Graham, the UK Information Commissioner, was among the speakers.

We’ll send more updates as they come through – in the meantime, if you have any concerns over how these or the existing DPA and PECR regulations might affect your business, don’t hesitate to contact us.

001
Victoria Tuffill
01787 277742
victoria@tuffillverner.co.uk
Michelle gallery size compressed
Michelle Evans
01206 392909
michelle@tuffillverner.co.uk

Data Compliance October Round-up UK

Leave a reply

Meanwhile, back in the UK …

Telephone iconTelemarketing – Caller identification spoofing …

Earlier this week, Canada, the United States and the United Kingdom issued a joint statement making it clear that they intend to combine their resources to tackle the problem of caller ID spoofing.

Spoofing is a practice conducted by telemarketers who want to conceal their true identity rather than fulfil their legal obligation to identify themselves.  Spoofers provide their caller ID with false information which may be a string of digits, or a random or stolen number belonging to a real person or organisation.   It is on the increase, and makes it particularly difficult for the authorities to track down those responsible for non-compliant or illegal calls.

The various agencies responsible for enforcing telemarketing and privacy laws announced that they will coordinate their efforts through the international law enforcement network of the London Action Plan and the International Do Not Call Network. If they need the telecoms industry to provide help, they will ask those organisations within their respective countries.

Next steps are exploratory discussions, to be held later this month, to identify options focusing on enforcement, industry compliance and consumer education, technology and regulatory issues with the goal of considering solutions available to stop spoofing and to take action against those responsible.

DATA BREACHES AND FINES

What a monumental blunder …

iStock_000012526327SmallWe heard yesterday that The Ministry of Justice was on the receiving end of the ICO’s judgement, when it received a fine of £140,000 – after details of ALL the prisoners serving time at HMP Cardiff were emailed to three of the inmates’ families.

The fine goes back to 2011 – when, on 2nd August, the recipients received an email from a prison clerk which included a file containing details of the 1,182 inmates – including names, ethnicity, addresses, length of sentence, release dates, and the offence codes.  Worse yet – this wasn’t the first time such a breach had occurred.  Within the previous four weeks, the same error occurred twice – with details sent to different inmates’ families.

The ICO’s investigation found:

  • Clear lack of management and supervision at the prison, where the clerk concerned was found to have received limited training and experience, though he was left to work unsupervised.
  • Audit trails were lacking and the only reason the breach was identified was because one of the recipients reported receipt of the information to the prison.
  • Problems with the methods used to handle the prisoners’ records, such as the use of unencrypted floppy discs to transfer large volumes of data between networks

 

The importance of being registered …

handcuffs and money computerIf organisations process personal data, with a very few exceptions, they must register with the ICO and spell out the type of information they process.  Not doing so is a criminal offence – as Hamed Shabani, sole director of payday loan company First Financial, discovered.

After failing to register, he and his company were prosecuted by the ICO and convicted in the Magistrate’s Court. As Director of the company, he was fined a modest £150 and ordered to pay £1,010.66 towards the costs of prosecution and a £20 victims’ surcharge.  In addition, the company itself was fined £500, and also made to pay £1,010.66 towards costs plus a £50 victims’ surcharge.

The total bill of £2,741.32 compares rather unfavourably against the annual £35 notification fee he should have paid.  It is also interesting to note that Hamed Shabani tried to remove his name from the company’s registration at Companies House in an attempt to avoid prosecution.

To quote Stephen Eckersley, ICO Head of Enforcement:

“Pay day loans companies hold important information about some of the most financially vulnerable people in the UK. This makes this company and its director’s decision not to face up to their legal responsibilities all the more concerning.

“Businesses must commit to looking after the information of their customers and this begins with making sure that they are registered. We will continue to use our enforcement powers to safeguard people’s information.”

 The importance of a strong BYOD policy …

mobile commerceBYOD (Bring your own device) continues to be high on the ICO’s priority list – earlier this month, the Royal Veterinary College breached the DPA when a member of staff lost their camera whose memory card held 6 job applicant passport pictures. Unfortunately, the RVC had not briefed staff on how personal information stored for work should be looked after on personal devices.

Nearly half of all UK employees now use their smartphones, tablets, PCs for work purposes, and the number is growing.  As a result, organisations must update their data protection policies to take this into account.

Stephen Eckersley said:

“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so its crucial employers are providing guidance and training to staff which covers this use.”

The importance of encryption …

thief stealing laptop from the carIf you are unlucky enough to have a portable device containing personal data stolen, it could cost you much more than simply replacing the device.  As the owner of loans company Jala Transport discovered to his cost.  He stopped his car at a set of traffic lights, only to have his car boot broken into. A hard drive – containing financial details of his 250 customers – was stolen, along with £3,600 cash.

Though the hard drive was password protected, the data within was not encrypted, and it included customers’ names, dates of birth, the payments made, and the identity documents provided to support the loan application.  Because the hard drive had not been encrypted, all those customers were left  wide open to the threat of identity theft.

The penalty could have been £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

Stephen Eckersley said of this case:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…

 “The penalty will have a real impact on this business and should act as a warning to all businesses owners that they must take adequate steps to keep customers’ information secure.”

Rates of identity fraud continue to rise

Identity fraud is the most significant threat facing the UK, making security a key issue not only for businesses but also for individuals.  Not taking steps to protect personal data just gives fraudsters a license to steal.   This is clearly illustrated by the stats – identity fraud now accounts for over half of all committed fraud and is still growing.  CIFAS confirmed 114,000 frauds in the first half of 201, of which 52% involved impersonation or fake identity details.  An additional 14% of frauds involved account takeover.

All the stories above reflect the importance of being and remaining data compliant and illustrate the penalties that can be imposed by the ICO.  If you would like any advice on how to become and remain compliant, just call us for a no-obligation chat.

001
Victoria Tuffill
01787 277742
victoria@tuffillverner.co.uk
Michelle gallery size compressed
Michelle Evans
01206 392909
michelle@tuffillverner.co.uk