Tag Archives: data compliance

Lessons from Darts: Team Dynamics in Data Protection

Teams are an essential part of life – from school to adulthood, from sports to business. A well-functioning team leads to extraordinary achievements, whether in a local darts league or a data governance team.

The Darts Team Triumph

Consider my local darts team, which recently won the team title, along with individual singles titles. This victory wasn’t just about individual knowledge and talent; it was the result of shared goals, a strategy to achieve them, collaboration, strong mentoring, and mutual support. Each of our players’ unique skills, camaraderie and collective effort all contributed to the team’s overall success.

Transferring Team Dynamics to Data Governance

The same principles apply to data protection governance teams. Every member of the Team must understand its overall objectives ensuring that they are responsible and accountable for data management and governance. The Team will need a framework for success, including communication and collaboration, and creating and maintaining policies and procedures around data collection, privacy, compliance, integrity and security. And it must provide regular reports to senior management who are ultimately accountable.

Roles, Goals and Data Stewardship

Individuals within the team will take on data stewardship roles. In essence they will oversee the entire lifecycle of personal data from collection to deletion, and be accountable for compliance and security at all stages. All team members will support each other, sharing knowledge and expertise to help manage challenges and foster a culture of continuous improvement. And each will have their own individual areas of responsibility including embedding data protection throughout their own area of the business.

Education and Continuous Improvement

Like in darts, governance team members learn from each other’s techniques, and share knowledge, best practices and insights. This knowledge is then used to help build awareness throughout the organisation about data protection and data security, and to educate employees about crucial data protection principles.

Risk Management

Sports and business both carry risks, and the team must take responsibility for identifying, assessing and mitigating them – in data governance, for example through Data Protection Impact Assessments (DPIAs). The team must also develop and execute its response plans so that it knows how to respond if there is a data breach or security incident.

Enabling Team Leaders

Team Leaders are crucial. They are pivotal in flowing down information to their specific areas of the business – in data governance, for example, it’s helpful to have leaders from IT, HR, Marketing, Operations, Payroll and so on. It’s those Team Leaders who will then ensure that everyone in their team understands their roles and responsibilities, and who provide the resources and training so that every individual in an organisation can thrive and contribute effectively.

Conclusion

Effective teams enable the individuals in your organisation to achieve more together than they ever could alone. With a data governance team that fosters collaboration, shared problem-solving and continuous education, your organisation will benefit from strong and highly successful outcomes.

Data Compliant International

If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742. And for more information about how to meet your Accountability and Governance obligations, please see here.

EU Standard Contractual Clauses – Public Consultation

This month (September 2024), the European Commission has announced that it plans to ask for public feedback on the EU Standard Contractual Clauses (SCCs) under the General Data Protection Regulation. The public consultation will take place in the fourth quarter of 2024, giving you an opportunity to have your views and opinions heard.

This is not unexpected – the GDPR’s Article 97, requires the Commission to review the GDPR’s implementation every four years (see the 2020 Evaluation Report here). The upcoming 2024 review was expected to include an evaluation of the practical application of the SCCs.

New SCCs in 2025

According to the timeline, the public consultation is imminent and due to take place in the 4^th quarter of 2024. This would be followed by a draft act, planned for Commission adoption in 2^nd quarter of 2025. You can find more information and a timeline here.

What are SCCs?

Standard contractual clauses are standardised, pre-approved model data protection clauses, which allow controllers and processors to meet their obligations under EU and / or UK data protection law.

They are widely used as a tool for data transfers to third countries (which means those countries outside the EEA or the UK who do not have adequacy status). It is quite a simple matter for controllers and processors to incorporate them into their contractual arrangements.

The clauses contain data protection safeguards to make sure that personal data benefits from a high level of protection even when sent to a third country. By adhering to the SCCs, data importers are contractually committed to abide by a set of data protection safeguards.

Can I change the text?

The core text can not be changed. If parties do change the text themselves, they will no longer have the legal certainty offered by the EU act. If you amend the clauses, then they can no longer be used as a basis for data transfers to third countries, unless they are approved by a national data protection authority as “ad hoc clauses”

Even so, there are areas where the parties can make choices:

To select modules and / or specific options offered within the text
To complete the text where necessary (eg to specify time periods, supervisory authority and competent courts
To complete the Annexes
To include additional safeguards that increase the level of protection for the data.

Impact on UK use of SCCs

There is not yet any indication of the potential impact on the UK’s international data transfer Agreement (IDTA) or the Addendum to the EU’s SCCs; we would expect to hear more after the EU’s public consultation.

Victoria Tuffill – 13th September 2024

If you have any questions or concerns about how and when to use SCCs, please call 01787 277742 or email dc@datacompliant.co.uk

And please take a look at our services.

Politics. Fines. Data Deletion.

GDPR Regulations begin to bite

We are now beginning to see the impact of the GDPR regulations across politics, businesses and public services. With the upcoming UK general election, the ICO is issuing timely reminders. In Europe we are starting to see large fines being levied for GDPR breaches.

ICO Issues Letter to UK Political Parties

In a timely reminder the Information Commissioner has written to 13 political parties in the UK. The letter reminds them of their legal obligations regarding the use of Personal Data in the lead-up to the General Election. The ICO letter highlights the need for parties to:

provide individuals with clear and accessible information about how their personal data is being used. This includes
- data obtained directly from individuals
- data obtained from third parties, including data brokers
- inferred data – ie data that is inferred from observed behaviour, such as reading or buying habits, responses to advertising and so on
demonstrate compliance with the law. The scope here includes any third-party data processors. For political parties, this specifically includes data analytics providers and online campaigning platforms
have the appropriate records of consent from individuals (where consent is the legal basis for processing) to send political messages through electronic channels (texts, emails)
identify lawful bases for processing special category data, such as political opinions and ethnicity.

This places political parties on the same basis as commercial organisations under UK law.

Record Fine in Austria

The Austrian Data Protection Authority has imposed an €18 million fine on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”). After an investigation, the Austrian DPA established that ÖPAG processed and sold data regarding its customers’ political allegiances amongst other violations.This is a violation of the GDPR.

The fine is subject to an appeal.

Record Fine in Germany

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed the highest fine issued in Germany since the EU GDPR became applicable. Deutsche Wohnen SE, a real estate company, was fined €14.5 million.

After onsite inspections, the Berlin Commissioner noticed the company was retaining personal data of tenants for an unlimited period. It had not examined whether the retention was legitimate or necessary.

Data should be removed without delay. once it is no longer needed for the specific purpose for which it was collected. Deutsche Wohnen SE was using an archiving system that did not enable the removal of such data. Affected data related to financial and personal circumstances, such as bank statements, training contracts, tax, social and health insurance data.

This fine should act as a strong reminder to all companies to review and update their data retention and deletion policies, processes and supporting procedures.

More news later this week. In the meantime, if you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742. You can find more blogs here.

Gareth Evans, 11th November 2019

Politics, Social Media and Data Protection

This has been a week where the combination of politics, social media and data protection have been much in evidence.

Twitter political advertising ban

Twitter boss Jack Dorsey decided to ban political advertising on Twitter globally, which has focussed attention on the use of personal data in targeting political messages. This has gained traction in the UK particularly as it coincides with an unscheduled General Election campaign.

Facebook agrees to pay maximum fine

At the same time, the ICO announced an agreement with Facebook over their investigation into the misuse of personal data in political campaigns. The investigation began in 2017.

As part of that investigation, on 24 October 2018 the ICO issued a monetary penalty notice (MPN) of £500,000 against Facebook. £500,000 was the maximum allowed under the Data Protection Act (DPA) 1998. The ICO identified “suspected failings related to compliance with the UK data protection principles covering lawful processing of data and data security”.

Following an appeal referred to a Tribunal, Facebook and the ICO have agreed to withdraw their respective appeals. Facebook has made no admission of liability, but has agreed to pay the £500,000 fine.

In a statement following the joint agreement, Facebook’s General Counsel said:

“The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica. However, we look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”

The ICO’s fine is the maximum available under DPA 1988. Under current law (which implements the GDPR), sanctions can be up to 4% of annual global turnover or €20 million – whichever is greater.

Facebook withdraws political campaigns

In the spirit of cooperation on the responsible use of data analytics in political communications, Facebook has withdrawn a number of political communications. The Government’s MyTown campaign was aimed at key marginal seats. It was withdrawn as it did not contain the appropriate disclaimers. In addition, an advert by the Fair Tax Campaign was withdrawn because it did not disclose that it was sponsored content.

More news next week. In the meantime, if you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742. You can find more blogs here.

Gareth Evans, 5th November 2019

Brexit “landing zone” in sight? Less than 30 days to find out …

So now we have it. On Wednesday the Prime Minister wrote to Jean-Claude Junker, President of the European Commission, with the Government’s proposals for a new “Protocol on Northern Ireland/Ireland”. This is an attempt to break the logjam of the Northern Ireland backstop which has held up progress on a Brexit deal for so long in the UK Parliament.

Perhaps PM Johnson’s key line in his covering letter to Juncker is that the Proposal offers “a broad landing zone”. This suggests that the paper is a step in the direction of further talks and not necessarily the take-it-or-leave-it offer which had been briefed in advance. This clearly indicates the intention to secure a Brexit deal remains. But there is very little time left with only 27 days remaining on the Brexit countdown clock.

The fact that Parliament is sitting following last week’s Supreme Court ruling gives the Government an opportunity to test the waters with MPs, particularly those that objected fundamentally to the backstop arrangements. This is important as the EU are only likely to re-enter into negotiations if they feel the resultant deal has a chance of passing with a majority in the Westminster Parliament.

Data Transfer has moment in the limelight

Meanwhile Secretary of State for Exiting the EU, Steve Barclay, has been on manoeuvres stressing the importance of a deal, but also the importance of flexibility in negotiations. A speech in Madrid on 19^th September 2019 contained a rare reference to data protection and the status of data sharing if there is a no deal Brexit. Barclay said:

“even though the UK has adopted in full the EU aquis [the body of EU law] on data, the Commission position is businesses here in Spain will be restricted in what data they can share with the UK

That affects not just the tourism industry, not just the 45 million flights from the UK to Spain each year, that affects businesses much more widely, and I wonder within this audience how confident it is that small and medium sized businesses across Spain are fully prepared for that sort of change.”

Clearly there is still a lot to play for in the Brexit negotiations. As the Secretary of State points out it is vital that the outcome is mutually beneficial for all parties. To quote the text of his Madrid speech

“A rigid approach now – at this point – is no way to progress a deal – the responsibility sits with both sides to find a solution. We [the UK Government] are committed to carving out a landing zone.”

Data Compliance – Impact on UK Businesses

The UK government’s approach to transfers, is to recognize existing EEA countries as offering adequate data protection from the point at which the UK leaves the EU. Any formal discussion of the UK’s adequacy, in contrast, will not take place until after the UK has left the EU.

To ensure that data continues to flow businesses must act to:

review data flows from the EU,
ensure that all data transfers from the EU are covered by the appropriate transfer mechanism such as the standard contract clauses;

ensure internal documentation states that transfers will be made to the UK; and
update privacy notices to inform individuals that transfers will be made to the UK;

Consider whether not you need to appoint a Data Protection Representative in the EU.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 4th October 2019

HMRC’s 28 days to delete unlawfully obtained biometric data

Leave a reply

In a statement released on 3rd May, the Information Commissioner’s Office reiterated their decision to issue HMRC a preliminary enforcement notice in early April. This initial notice was based on an investigation conducted by the ICO after a complaint from Big Brother Watch concerning HMRC’s Voice ID service on a number of the department’s helplines since January 2017.

blurred-background-cellphone-cellular-1426939

The voice authentication for customer verification uses a type of biometric data considered special category information under the GDPR, and is therefore subject to stricter conditions. ICO’s investigation found that HMRC did “not give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.” HMRC was therefore in breach of GDPR.

The preliminary enforcement notice issued by the ICO on April 4th stated that HMRC must delete all data within the Voice ID system for which the department was never given explicit consent to have or use. According to Big Brother Watch, this data amounted to approximately five million records of customers’ voices. These records would have been obtained on HMRC’s helplines, but due to poor data security policy for the Voice ID system, the customers had no means of explicitly consenting to HMRC’s processing of this data.

Steve Wood, Deputy Commissioner at the ICO, stated, “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.”

The final enforcement notice is expected 10th May. This will give HMRC a twenty-eight-day timeframe to complete the deletion of this large compilation of biometric data.

The director of Big Brother Watch, Silkie Carlo, was encouraged by the ICO’s actions:

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”

Harry Smithson, May 2019.

Data Protection Roundup: GDPR undermined by Facebook? Morrisons’ breach liability; Google’s iphone snooping

Leave a reply

I find it fascinating to watch how data protection in general and GDPR in particular play out with the huge multinationals which it has been designed to capture, and which arguably have the most to lose in terms of fines. Facebook and Google are once again in the news in relation to their use of personal data. And the High Court judgement against Morrisons sets a precedent which aligns with GDPR’s intention of individuals’ rights to have their data protected.

Google accused of bypassing privacy settings to harvest personal information of 5.4 million iPhone users between 2011 and 2012

The search engine tech giant Google is being taken to court by a group called Google You Owe Us, led by ex-Which director Richard Lloyd. The group claims that several hundred pounds could be owed in compensation to the millions of victims of Google’s transgression against privacy rights, meaning Google could face a massive financial penalty.

Google breached DPA and PECR by misusing cookies

Google exploited cookies, which are small pieces of computer text that collect data from devices, to run large-scale targeted ad campaigns. In the UK Google’s actions were in breach of the Data Protection Act (DPA) and the Privacy and Electronic Communication Regulation (PECR). For such breaches after the General Data Protection Regulation (GDPR) comes into force in late May 2018, organisations could face a fine of up to €20 million or 4% of annual global turnover (whichever is higher – and for the billion-dollar giant Google, obviously the latter). However, this case relates to a period prior to GDPR.

Did you go online with your iPhone? Were your privacy preferences ignored?

For several months in 2011 and 2012, Google stands accused of bypassing the default privacy settings on Apple phones in order to track the online behaviour of Safari users, by placing ad-tracking cookies onto the devices. This then enabled advertisers to target content to those devices and their users.

The Google activity has become known as the ‘Safari workaround,’ and while it affected various devices, the lawsuit filed in the High Court addresses the targeting of iPhone users.

Over 5 million people in Britain had an iphone during the period. “In all my years speaking up for consumers,” Mr Lloyd from Google You Owe Us states, “I’ve rarely seen such a massive abuse of trust where so many people have no way to seek redress on their own. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back.”

According to the veteran privacy rights campaigner, Google claimed that he must go to California, the heartland of the Silicon revolution, if he wanted to pursue legal action against the firm, to which he responded, “It is disappointing that they are trying to hide behind procedural and jurisdictional issues rather than being held to account for their actions.”

According to the BBC, the broadcaster was told by Google that these legal proceedings are “not new” and that they “have defended similar cases before.” Google has stated that they do not believe the case has any merit and that they intend to contest it.

While there is no precedent in the UK for such massive action against Google, in the US Google has settled two large-scale litigation cases out of court. Regarding the same activity, the tech company agreed to pay a record $22.5m (£16.8m) in a case brought by the US Federal Trade Commission in 2012. It also made out of court settlements with a small number of British consumers.

According to the BBC, the case will probably be heard in the High Court in Spring 2018, a month or so prior to the enforcement of the GDPR.

Morrisons found liable for employee data breach

Morrisons workers brought a claim against the supermarket after a former member of staff, senior internal auditor Andrew Skelton (imprisoned as a result of his actions) stole and posted online confidential data (including salary and bank details) about nearly 100,000 employees.

In an historic High Court ruling, the Supermarket has been found liable for Skelton’s actions, which means that those affected may claim compensation for the “upset and distress” caused.

The case is the first data leak class action in the UK. Morrisons has said it will appeal the decision.

Facebook claims European data protection standards will not allow for their pattern-recognition “suicide alert tool” to be usable in EU.

Facebook blames GDPR for its plans to withhold Suicide Prevention software from EU

Facebook’s decision to deny EU countries a pattern-recognition tool to alert authorities to users possibly suffering from depression or suicidal thoughts has been criticised as a move to undermine the upcoming tightening of EU-wide data protection standards, enshrined in the General Data Protection Regulation (GDPR).

Facebook has argued that their Artificial Intelligence (AI) programme which scans the social media network for troubling comments and posts that might indicate suicidal ideation will not be employed in EU countries on the grounds that European policy-makers and the public at large are too sensitive about privacy issues to allow site-wide scanning.

In a blogpost, Facebook’s VP of Product Management stated, “we are starting to roll out artificial intelligence outside the US to help identify when someone might be expressing thoughts of suicide, including on Facebook Live. This will eventually be available worldwide, except the EU.”

Tim Turner, a data consultant based in Manchester, has suggested that the move might be “a shot across the EU’s bows […] Facebook perhaps wants to undermine the GDPR — which doesn’t change many of the legal challenges significantly for this — and they’re using this as a method to do so.”

Mr Turner continues, “nobody could argue with wanting to save lives, and it could be a way of watering down legislation that is a challenge to Facebook’s data hungry business model. Without details of what they think the legal problems are with this, I’m not sure they deserve the benefit of the doubt.”

Written by Harry Smithson 1st December, 2017

GDPR and Accountants

Leave a reply

GDPR Debate

On Monday, 16th October, Data Compliant’s Victoria Tuffill was invited by AccountancyWeb to join a panel discussion on how GDPR will impact accountants and tax agents.

The other members of the panel were our host, John Stokdyk, Global Editor of AccountingWEB, who kept us all on the straight and narrow, while asking some very pertinent questions; Ian Cooper from Thomson Reuters who gave strong insights into technical solutions; and Dave Tucker from Thompson Jenner LLP, who provided a very useful practitioner viewpoint.

GDPR in General

There is a presumption that every professional body is fully informed of all compliance regulations within their field of expertise. But the continuing barrage of changes and adjustments to European and British law makes it easy to drop the ball.

GDPR is a typical example. To quote the Information Commissioner, Elizabeth Denham, it’s “The biggest change to data protection law for a generation”. Yet for many accountants – and so many others – it’s only just appearing on the radar. This means there’s an increasingly limited amount of time to be ready.

GDPR has been 20 years coming, and is intended to bring the law up to date – in terms of new technology, new ways we communicate with each other, and the increasing press coverage and consumer awareness of personal data and how it’s used by professional organisations and others. GDPR has been law for 17 months now, and it will be enforced from May 2018.

GDPR and Accountants

So what does GDPR mean for accountants in particular?

Accountants will have to deal with the fact that it’s designed to give individuals back their own control over their own personal information and strengthens their rights.
It increases compliance and record keeping obligations on accountants. GDPR makes it very plain that any firm which processes personal data is obliged to protect that data – for accountants that responsibility is very significant given the nature of the personal data an accountant holds.
There are increased enforcement powers – I’m sure everyone’s heard of the maximum fine of E20,000 or 4% of global turnover, whichever is higher. But also, the media have a strong hold on the whole area of data breaches – and often the reputational damage has a far greater impact than the fine.
Accountancy firms must know precisely what data they hold and where it’s held so they can they assess the scale of the issue, and be sure to comply with the demands of GDPR.

The video covers key points for practitioners to understand before they can prepare for compliance, and summarises some initial steps they should take today to prepare their firms.

The session can be found here: Practice Excellence Live 2017: GDPR.

It is a 45 minute video, so for those with limited time, I have broken down the areas covered into bite-size chunks:

video accountants timings Data Compliant is working with its clients to help them prepare for GDPR, so if you are concerned about how GDPR will affect your firm or business, feel free to give us a call and have a chat on 01787 277742 or email dc@datacompliant.co.uk if you’d like more information.

Victoria Tuffill 19th October, 2017

Weekly Roundup: lack of data protection budgeting among UK businesses; international resolution to secure transparency among subcontractors; fine for ex-council worker

Leave a reply

1 in 5 UK businesses have no data protection budget – compared to 4 in 5 local authorities

GDPR Budget

A report by international email management company Mimecast states that a fifth of surveyed UK businesses do not have a specific budget dedicated to information security or data protection – a source of great concern ahead of the stringent General Data Protection Regulation (GDPR) in May 2018.

Over 80% of councils were found to have no funding towards meeting mandatory GDPR requirements

This reinforces the concerns over the information provided in response to a FOI request by M-Files Corporation in July, which found that four out of five councils had, at that time, yet to allocate funding towards meeting the new requirements of the GDPR. That research also found that 56% of local authorities contacted had still not appointed a data protection officer despite this being mandated by GDPR.

That such a substantial proportion of businesses have no explicit budgetary or financial commitment to combatting cybercrime and personal data abuse may be particularly unwelcome news to proponents and enforcers of the new GDPR. The Information Commissioner’s Office, the independent data protection authority, has been working hard over the last year to publicise and prepare British organisations for the impending legislation.

The lack of data protection budgeting is compounded by Mimecast’s findings that many UK businesses may not be monitoring their data efficiently. For instance, 15% of the surveyed organisations stated that they did not know whether they had suffered a data loss incident during the last year or not. 27% blamed human error for previous losses, which would indicate that a large number of organisations will need to start taking employee data protection and handling training much more seriously.

44% of the surveyed organisations suspect that their email system contains personal sensitive information as defined under the GDPR, but only 17% of them believed that this information could be retrieved immediately. The average amount of hours it would take British organisations to track down sensitive personal information was calculated as 8.

The report suggests that a significant number of organisations are very underprepared for the increased responsibility and accountability demanded by the GDPR. For help and information on preparing for the GDPR, see the Data Compliant main site.

10^th International Conference of Information Commissioners (ICIC 2017) resolves to tackle difficulties of access to information on outsourced public services

The Information Commissioner’s Office (ICO) has confirmed a resolution on international action for improving access to information frameworks surrounding contracted-out public services, a system which has seen increased use throughout Europe, and rapid growth in the UK since 2010.

Challenges have been arising for a couple of decades concerning the transparency of information about the “new modes of delivery for public services.” This is often because the analysis of the efficacy of subcontracted services can be rendered difficult when, due to the principle of competition in the private sector, certain information – particularly regarding the production process of public services – can escape public scrutiny on the grounds of the protection of commercial confidentiality.

The International Conference, jointly hosted by Information Commissioner Elizabeth Denham and Acting Scottish Information Commissioner Margaret Keyse, was attended by Commissioners of 39 jurisdictions from 30 countries and seven continents. The resolution was passed in Manchester on 21^st September following dialogue with civil society groups.

The resolution highlights the “challenge of scrutinising public expenditure and the performance of services provided by outsourced contractors” and “the impact on important democratic values such as accountability and transparency and the wider pursuit of the public interest.”

The Conference summarised that the first step to be taken would be the promotion of “global open contracting standards,” presumably as a means of garnering consensus on the importance of transparency in this regard for the benefit of the public, researchers and policy-makers. A conference working group is to be formed to “share practice about different initiatives that have been developed to tackle the issue.”

The event lasted two days and ran with the title: ‘Trust, transparency and progressive information rights.’ Contributions were heard from academics, journalists, freedom of information campaigners and regulators.

Access to information on the grounds of individual rights and the safeguarding of public interests will be strengthened by the provisions of the GDPR. This resolution provides a reminder and opportunity for organisations working as subcontractors to review the ways in which they store and handle data. Transparency and accountability, longer considered in any way contradictory, are key watchwords for the clutch of data protection reforms taking place throughout the world. Many organisations would do well to assess whether they are in a position to meet the standards of good governance and best practice regarding data management, which will soon become a benchmark for consumer trust.

Ex-employee of Leicester City Council fined for stealing vulnerable people’s personal information

The ICO has confirmed the prosecution of an ex-council worker for unlawfully obtaining the personal information of service users of Leicester City Council’s Adult Social Care Department.

Personal data, including medical conditions, care and financial records were “unlawfully” obtained by an ex-council worker

The personal details of vulnerable people were taken without his employer’s consent, and breached the current Data Protection Act 1998. 34 emails containing the personal information of 349 individuals, including sensitive personal data such as medical conditions, care and financial details and records of debt, were sent to a private email address prior to the individual having left the council.

The ICO’s Head of Enforcement Steve Eckersley stated, “Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”

Harry Smithson 29th September 2017

Data Compliant News Blog: Cyberattack threatens over 400,000 British consumers, Data Protection Bill 2017 published and fines levied on councils mishandling data

Leave a reply

Equifax data breach – hackers may have access to hundreds of thousands of British consumers’ personal details

The Information Commissioner’s Office (ICO) is investigating a hack on Equifax, a large credit rating agency based in Atlanta, USA, to find out whether and to what extent the company’s British consumers’ personal details have been obtained by the hackers. The FBI is also said to be monitoring the situation.

The cyberattack, reported earlier this month, occurred in May and July. The company has already admitted that 143 million American customers’ personal details have been obtained by the hackers.

400,000 UK customers may be affected by Equifax breach

The US information that the hackers may have accessed includes names, social security numbers, dates of birth, addresses and driving licence details, as well as over 200,000 credit card numbers.

The ICO told Equifax that the company must warn British residents of the data breach and inform them of any information relating to them which has been obtained by the cyber attackers. The credit agency promptly issued alerts to the affected Britons, stating however that an ‘identity takeover’ was unlikely.

Britons would do well to be mindful that, once a hacker has name, date of birth, email addresses, and telephone numbers, it takes little effort to acquire the missing elements, which is why the ICO has warned members of the public to remain vigilant against unsolicited emails and communications. They should also be particularly wary of unexpected transactions or activity recorded on their financial statements.

Shares in Equifax saw considerable reductions throughout the week, and two of the company’s senior executives, the Chief Information Officer and Chief Security Officer have resigned with immediate effect..

The Data Protection Bill 2017, which includes GPDR, has been published

GDPR is included in its entirety in the UK’s Data Protection Bill 2017, now going through Parliament

On 14^th September, the Department for Digital, Culture, Media and Sport published the Data Protection Bill 2017. The Bill has been anticipated since the Queen’s speech in June, in which the government outlined its plan to implement the European-wide data protection game-changer GDPR into British law.

Culture secretary Karen Bradley explains: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit. In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”

While the Bill inculcates the GDPR, and therefore provides the basis for data-sharing and other adequacy agreements with the EU after Brexit, the government has stated that it managed to negotiate some ‘vital’ and ‘proportionate’ exemptions for the UK.

Some of the exemptions are provided for journalists accessing personal data to expose wrongdoing or for the good of the public; scientific and research organisations such as museums if their work is hindered; anti-doping bodies; financial firms handling personal data on suspicion of terrorist financing; money laundering; and employment where access may be neededs to personal data to fulfil the requirements of employment law.

The second reading of the Bill in Parliament will take place on 10^th October, after which a general debate on Brexit and data protection takes place on the 12^th.

As yet, there have been few critics of the proposed legislation outside certain industries whose use of big data makes them particularly susceptible to possible data protection breaches and massive fines (£17m or 4% annual global turnover). Some industry leaders have called for exemptions, including the private pension giant Scottish Widows, who claimed GDPR-level regulations would make it impossible for them to contact some of their customers without breaking the law. However, according to the government, 80% of Britons do not believe that they have control over their information online, and the Bill enjoys widespread support at this point. The Shadow Cabinet has yet to offer any official response or criticism.

Islington Council fined £70,000

The Information Commissioner’s Office (ICO) fined Islington Council £70,000 for failing to secure 89,000 peoples’ personal information on an online parking ticket system.

Design faults in the Council’s ‘Ticket Viewer’ system, which keeps CCTV images of parking offences, compromised the security of 89,000 peoples’ personal data. Some of this data is under the category of sensitive personal information, e.g. medical details disclosed for the sake of appealing against a parking fine.

Harry Smithson 23rd September 2017

	Data Compliant on Queen’s Speech Confirms New Bi…
	Data Compliant’s Wee… on Insider Threats – Charlo…
	Data Compliant’s Wee… on Snoopers’ Charter – What do yo…
	James Middlehurst on Charities and Data Protection…
	James Middlehurst on EU DPA Regulation – 7 Ke…

The Data Compliant Blog

Helping you look after your data protection

Tag Archives: data compliance

Politics. Fines. Data Deletion.

GDPR Regulations begin to bite

ICO Issues Letter to UK Political Parties

Record Fine in Austria

Record Fine in Germany