Tag Archives: data privacy

Weekly Roundup: lack of data protection budgeting among UK businesses; international resolution to secure transparency among subcontractors; fine for ex-council worker

1 in 5 UK businesses have no data protection budget – compared to 4 in 5 local authorities 

GDPR Budget

A report by international email management company Mimecast states that a fifth of surveyed UK businesses do not have a specific budget dedicated to information security or data protection – a source of great concern ahead of the stringent General Data Protection Regulation (GDPR) in May 2018.

495038416

Over 80% of councils were found to have no funding towards meeting mandatory GDPR requirements

This reinforces the concerns over the information provided in response to a FOI  request by M-Files Corporation in July, which found that four out of five councils had, at that time, yet to allocate funding towards meeting the new requirements of the GDPR.  That research also found that 56% of local authorities contacted had still not appointed a data protection officer despite this being mandated by GDPR.

That such a substantial proportion of businesses have no explicit budgetary or financial commitment to combatting cybercrime and personal data abuse may be particularly unwelcome news to proponents and enforcers of the new GDPR. The Information Commissioner’s Office, the independent data protection authority, has been working hard over the last year to publicise and prepare British organisations for the impending legislation.

The lack of data protection budgeting is compounded by Mimecast’s findings that many UK businesses may not be monitoring their data efficiently. For instance, 15% of the surveyed organisations stated that they did not know whether they had suffered a data loss incident during the last year or not. 27% blamed human error for previous losses, which would indicate that a large number of organisations will need to start taking employee data protection and handling training much more seriously.

44% of the surveyed organisations suspect that their email system contains personal sensitive information as defined under the GDPR, but only 17% of them believed that this information could be retrieved immediately. The average amount of hours it would take British organisations to track down sensitive personal information was calculated as 8.

The report suggests that a significant number of organisations are very underprepared for the increased responsibility and accountability demanded by the GDPR. For help and information on preparing for the GDPR, see the Data Compliant main site.

10th International Conference of Information Commissioners (ICIC 2017) resolves to tackle difficulties of access to information on outsourced public services

The Information Commissioner’s Office (ICO) has confirmed a resolution on international action for improving access to information frameworks surrounding contracted-out public services, a system which has seen increased use throughout Europe, and rapid growth in the UK since 2010.

Challenges have been arising for a couple of decades concerning the transparency of information about the “new modes of delivery for public services.” This is often because the analysis of the efficacy of subcontracted services can be rendered difficult when, due to the principle of competition in the private sector, certain information – particularly regarding the production process of public services – can escape public scrutiny on the grounds of the protection of commercial confidentiality.

The International Conference, jointly hosted by Information Commissioner Elizabeth Denham and Acting Scottish Information Commissioner Margaret Keyse, was attended by Commissioners of 39 jurisdictions from 30 countries and seven continents. The resolution was passed in Manchester on 21st September following dialogue with civil society groups.

The resolution highlights the “challenge of scrutinising public expenditure and the performance of services provided by outsourced contractors” and “the impact on important democratic values such as accountability and transparency and the wider pursuit of the public interest.”

The Conference summarised that the first step to be taken would be the promotion of “global open contracting standards,” presumably as a means of garnering consensus on the importance of transparency in this regard for the benefit of the public, researchers and policy-makers. A conference working group is to be formed to “share practice about different initiatives that have been developed to tackle the issue.”

The event lasted two days and ran with the title: ‘Trust, transparency and progressive information rights.’ Contributions were heard from academics, journalists, freedom of information campaigners and regulators.

Access to information on the grounds of individual rights and the safeguarding of public interests will be strengthened by the provisions of the GDPR. This resolution provides a reminder and opportunity for organisations working as subcontractors to review the ways in which they store and handle data. Transparency and accountability, longer considered in any way contradictory, are key watchwords for the clutch of data protection reforms taking place throughout the world. Many organisations would do well to assess whether they are in a position to meet the standards of good governance and best practice regarding data management, which will soon become a benchmark for consumer trust.

Ex-employee of Leicester City Council fined for stealing vulnerable people’s personal information

The ICO has confirmed the prosecution of an ex-council worker for unlawfully obtaining the personal information of service users of Leicester City Council’s Adult Social Care Department.

vulnerable

Personal data, including medical conditions, care and financial records were “unlawfully” obtained by an ex-council worker

The personal details of vulnerable people were taken without his employer’s consent, and breached the current Data Protection Act 1998. 34 emails containing the personal information of 349 individuals, including sensitive personal data such as medical conditions, care and financial details and records of debt, were sent to a private email address prior to the individual having left the council.

The ICO’s Head of Enforcement Steve Eckersley stated, “Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”

 

Harry Smithson  29th September 2017

 

 

 

Data Compliant News Blog: Cyberattack threatens over 400,000 British consumers, Data Protection Bill 2017 published and fines levied on councils mishandling data

Equifax data breach – hackers may have access to hundreds of thousands of British consumers’ personal details

The Information Commissioner’s Office (ICO) is investigating a hack on Equifax, a large credit rating agency based in Atlanta, USA, to find out whether and to what extent the company’s British consumers’ personal details have been obtained by the hackers. The FBI is also said to be monitoring the situation.

The cyberattack, reported earlier this month, occurred in May and July. The company has already admitted that 143 million American customers’ personal details have been obtained by the hackers.

Credit Cards

400,000 UK customers may be affected by Equifax breach

The US information that the hackers may have accessed includes names, social security numbers, dates of birth, addresses and driving licence details, as well as over 200,000 credit card numbers.

The ICO told Equifax that the company must warn British residents of the data breach and inform them of any information relating to them which has been obtained by the cyber attackers. The credit agency promptly issued alerts to the affected Britons, stating however that an ‘identity takeover’ was unlikely.

Britons would do well to be mindful that, once a hacker has  name, date of birth,  email addresses, and telephone numbers, it takes little effort to acquire the missing elements, which is why the ICO has warned members of the public to remain vigilant against unsolicited emails and communications.  They should also be particularly wary of unexpected transactions or activity recorded on their financial statements.

Shares in Equifax saw considerable reductions throughout the week, and two of the company’s senior executives, the Chief Information Officer and Chief Security Officer have resigned with immediate effect..

The Data Protection Bill 2017, which includes GPDR, has been published

New Law 2

GDPR is included in its entirety in the UK’s Data Protection Bill 2017, now going through Parliament

On 14th September, the Department for Digital, Culture, Media and Sport published the Data Protection Bill 2017. The Bill has been anticipated since the Queen’s speech in June, in which the government outlined its plan to implement the European-wide data protection game-changer GDPR into British law.

Culture secretary Karen Bradley explains: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit.  In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”

While the Bill inculcates the GDPR, and therefore provides the basis for data-sharing and other adequacy agreements with the EU after Brexit, the government has stated that it managed to negotiate some ‘vital’ and ‘proportionate’ exemptions for the UK.

Some of the exemptions are provided for journalists accessing personal data to expose wrongdoing or for the good of the public; scientific and research organisations such as museums if their work is hindered; anti-doping bodies; financial firms handling personal data on suspicion of terrorist financing; money laundering; and employment where access may be neededs to personal data to fulfil the requirements of employment law.

The second reading of the Bill in Parliament will take place on 10th October, after which a general debate on Brexit and data protection takes place on the 12th.

As yet, there have been few critics of the proposed legislation outside certain industries whose use of big data makes them particularly susceptible to possible data protection breaches and massive fines (£17m or 4% annual global turnover). Some industry leaders have called for exemptions, including the private pension giant Scottish Widows, who claimed GDPR-level regulations would make it impossible for them to contact some of their customers without breaking the law. However, according to the government, 80% of Britons do not believe that they have control over their information online, and the Bill enjoys widespread support at this point. The Shadow Cabinet has yet to offer any official response or criticism.

Islington Council fined £70,000 

The Information Commissioner’s Office (ICO) fined Islington Council £70,000 for failing to secure 89,000 peoples’ personal information on an online parking ticket system.

Design faults in the Council’s ‘Ticket Viewer’ system, which keeps CCTV images of parking offences, compromised the security of 89,000 peoples’ personal data. Some of this data is under the category of sensitive personal information, e.g. medical details disclosed for the sake of appealing against a parking fine.

Harry Smithson 23rd September 2017

GDPR – ICO Puts Trust at the Heart of Data Processing

Trust & data

Information Commissioner’s Annual Report

The Information Commissioner’s Office (ICO) published its annual report on the 13th July. It is the first time the Information Commissioner Elizabeth Denham has compiled an annual report, having taken up the post a year ago.

The report highlights the increased powers and expanding caseload and capacities  of the regulator. At a time of increasing concern about the use (and abuse) of personal information, the ICO is seeing a great deal more work.  This is, in part, reflected by an increase in staff numbers of around 8% year on year.

GDPR and Public Trust

The ICO’s foreword emphasises its commitment to regaining public trust in data controllers and processors. It is hoped that changing laws provide the regulator with an opportunity to enable individuals to trust in large organisations handling personal information. The Commissioner  states that “trust” will be “at the heart of what the Information Commissioner’s Office will do in the next four years.” Confidence in the digital economy is a consideration that the regulator acknowledges and aims to encourage, especially since the digital sector is growing 30% faster than any other part of the economy.

This echoes the government’s concerns regarding the digital economy and its relation to data protection principles that were enumerated in the Queen’s Speech and addressed by several measures including a Data Protection Bill, which is designed to implement the General Data Protection Regulation (GDPR).

In a year characterised by the impending replacement of the Data Protection Act 1998 (DPA) with the GDPR in May 2018, the report’s outline of major work undertaken leads with a nod to the many public, private and third sector organisations that will be preparing for the new legislative framework.

Consent

‘Consent,’ which has become one of the watchwords for the GDPR (and a word that will be increasingly found on the bulletin boards and coffee mugs of marketing departments) will take on a stricter legal definition soon – a marketing monolith for which the ICO anticipates organisations will seek detailed guidance.

Data Breaches

But the GDPR by no means eclipsed the ICO’s other responsibilities. Nuisance calls, unsolicited marketing and data sharing have routinely seen organisations facing fines and other civil measures. Breaches of the DPA and Privacy and Electronic Communications Regulations 2003 (PECR) such as these by a number of charities, of which the Daily Mail reported allegations in 2015, have led the ICO to issue 13 civil monetary penalties to the value of £181,000.

Indeed, some companies, Honda (whom we reported about last month) being an explicit example, have been issued fines for unsolicited marketing in breach of the DPA due to emails which asked for clarification regarding customers’ marketing preferences – which Honda for example maintained were a means of preparing for the GDPR. So while preparation for the GDPR is something to which the ICO has committed a great deal of resources, they have by no means neglected upholding the current law. The ICO has consistently made clear that it is not acceptable to break the law in preparation for another.

Monetary penalties

Overall, the ICO issued more civil monetary penalties for breaches of PECR than ever before (23), to the value of £1,923,000. It has also issued 16 fines for serious breaches of data protection principles totalling £1,624,500. It cannot be stated enough that after May 2018, these figures could skyrocket if organisations do not find ways of being compliant with the new, more expansive and rigorous legislation. Criminal prosecutions have seen a 267% increase, and the ICO has received 18,300 concerns regarding data protection brought to them – 2,000 more than last year.

Subject Access Requests (SARs)

Data controllers or organisations handling a wide range of personal data may have increasing requests for Subject Access Requests (SARs). The report states that 42% of all concerns brought to the ICO where the nature was specified were related to subject access. While these requests for data are provided under the DPA (and will be upheld with more rigour as one the data subject ‘rights’ by the GDPR) and not the freedom of information legislation, it nonetheless falls upon organisations of whatever size to be co-operative and compliant when the disclosure of information is required. It is important for organisations to train their staff to be able to recognise a SAR and act promptly.  Data controllers must recognise the importance of compliance not only with the law but with ICO audits and investigations, as well as of the necessity for efficient and conscientious data handling.

For information about how DC can help you meet the requirements of GDPR,  please email dc@datacompliant.co.uk.

Harry Smithson, July 25th 2017

GDPR and Data Privacy Impact Assessments (DPIAs)

DPIA blog image

When are they needed?  How are they done?

Next year under the new GDPR data protection legislation, Privacy Impact Assessments will become known as Data Privacy Impact Assessments, and will be mandatory instead of merely recommended.

The ICO currently describes PIAs as “a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.”

While the soon-to-be-rechristened DPIAs will be legally required, data controllers should continue to fully embrace these opportunities to ensure that heavy fines, brand reputational damage and the associated risks of data breaches can be averted from an early stage in any planned operation.

When will a DPIA be legally required?

Organisations will be required to carry out a DPIA when data processing is “likely to result in a high risk to the rights and freedoms of individuals.” This can be during an existing or before a planned project involving data processing that comes with a risk to the rights of individuals as provided by the Data Protection Act. They can also range in scope, depending on the organisation and the scale of its project.

DPIAs will therefore be required when an organisation is planning an operation that could affect anyone’s right to privacy: broadly speaking, anyone’s right ‘to be left alone.’ DPIAs are primarily designed to allow organisations to avoid breaching an individual’s freedom to “control, edit, manage or delete information about themselves and to decide how and to what extent such information is communicated to others.” If there is a risk of any such breach, a DPIA must be followed through.

Listed below are examples of projects, varying in scale, in which the current PIA is advised – and it is safe to assume all of these examples will necessitate a DPIA after the GDPR comes into force:

  • A new IT system for storing and accessing personal data.
  • A new use of technology such as an app.
  • A data sharing initiative where two or more organisations (even if they are part of the same group company) seek to pool or link sets of personal data.
  • A proposal to identify people in a particular group or demographic and initiate a course of action.
  • Processing quantities of sensitive personal data
  • Using existing data for a new and unexpected or more intrusive purpose.
  • A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).
  • A new database which consolidates information held by separate parts of an organisation.
  • Legislation, policy or strategies which will impact on privacy through the collection of use of information, or through surveillance or other monitoring

How is a DPIA carried out?

There are 7 main steps that comprise a DPIA:

  1. Identify the need for a DPIA

This will mainly involve answering ‘screening questions,’ at an early stage in a project’s development, to identify the potential impacts on individuals’ privacy. The project management should begin to think about how they can address these issues, while consulting with stakeholders.

  1. Describe the information flows

Explain how information will be obtained, used and retained. This part of the process can identify the potential for – and help to avoid – ‘function creep’: when data ends up being processed or used unintentionally, or unforeseeably.

  1. Identify the privacy and related risks

Compile a record of the risks to individuals in terms of possibly intrusions of data privacy as well as corporate risks or risks to the organisation in terms of regulatory action, reputational damage and loss of public trust. This involves a compliance check with the Data Protection Act and the GDPR.

  1. Identify and evaluate the privacy solutions

With the record of risks ready, devise a number of solutions to eliminate or minimise these risks, and evaluate the costs and benefits of each approach. Consider the overall impact of each privacy solution.

  1. Sign off and record the DPIA outcomes

Obtain appropriate sign-offs and acknowledgements throughout the organisation. A report based on the findings and conclusions of the prior steps of the DPIA should be published and accessible for consultation throughout the project.

  1. Integrate the outcomes into the project plan

Ensure that the DPIA is implemented into the overall project plan. The DPIA should be utilised as an integral component throughout the development and execution of the project.

  1. Consult with internal and external stakeholders as needed throughout the process

This is not a ‘step’ as such, but an ongoing commitment to stakeholders to be transparent about the process of carrying out the DPIA, and being open to consultation and the expertise and knowledge of the organisation’s various stakeholders – from colleagues to customers. The ICO explains, “data protection risks are more likely to remain unmitigated on projects which have not involved discussions with the people building a system or carrying out procedures.”

DPIAs – what are the benefits?

There are benefits to DPIAs for organisations who conduct them.  Certainly there are cost benefits to be gained from knowing the risks before starting work:

  • cost benefits from adopting a Privacy by Design approach:  knowing the risks before starting work allows issues to be fixed early, resulting in reduced development costs and delays to the schedule
  • risk mitigation in relation to fines and loss of sales caused by lack of customer and/or shareholder confidence
  • reputational benefits and trust building from being seen to consider and embed privacy issues into a programme’s design from the outset

For more information about DPIAs and how Data Compliant can help, please email dc@datacompliant.co.uk.

Harry Smithson   20th July 2017

Data Compliant’s Weekly Round Up

cowboy-round-up-cropped

This week has been a bit hectic when it comes to data breaches and news. We started off with Snoopers’ Charter being passed, then we heard that Deliveroo had been hacked and many of its customers had been paying for someone else’s dinner after passwords were stolen from another business.

We heard of yet another colossal hack – mobile network Three had been infiltrated by 3 hackers dotted all over the country now putting two thirds of the 9,000,000 Three customers at risk. The hackers accessed the upgrade system using an employee log in and were able to intercept the new phones before they reached the customers that the hackers had upgraded. Could this be an insider threat? Although Three can confirm no financial data was appropriated the information that was obtainable were things like names, telephone numbers, addresses and date of birth all of which is classed as personal data in accordance with the Data Protection Act. It’s all very handy data for criminals to steal someone’s identity.

Police are investigating Broxtowe Borough Council after an email containing allegations about someone’s conduct was sent to all staff members (730 people in total) in which they were told about in September. The ICO have said they are not going to take any action.

Hatchimals
Hatchimals are the latest craze with the kids these days and I bet they’re on everyone’s Christmas wish list. For those who don’t know what Hatchimals are, they’re Furby-like toys inside an egg that the child has to nurture until it hatches. Once hatched the toy will learn how to speak from it’s owner – so I’m told by my overly eager nephew. However due to these toys being so popular, scammers are out in force and are taking to social media to encourage loving parents to hand over more than double what these toys are going for. Once the scammers have got the money, the parents are then blocked and never hear from them again. Sometimes over £100 worse off. These toys are out of stock in every retailer that sells children’s toys in the UK so if there is an ad online, on social media, or in an email saying they’re still available and better yet – they’re on sale, don’t be fooled, if it’s too good to be true, it usually is.

Black Friday and Cyber Monday
I would imagine due to it being Black Friday this Friday (25th November) and cyber Monday on the 28th fake adverts and phishing emails are going to be on the rise this week and most of next week too. Although it is sad to think that hackers take to this time of year to steal from loving friends and family to earn themselves a bit of extra money, it does unfortunately happen every year. Now some of these hacks are easy to spot, it just takes a bit of common sense, however they are also getting more and more sophisticated and harder to recognise.

Last year UK consumers spent £2 billion in 24 hours online and in stores on Black Friday and £3.3billion over the whole weekend. Predictions this year are even higher than the last. So if you’re anything like me and are planning to get home from work, make yourself a cup of tea, put your feet up and do your Black Friday shopping online, here are some hints and tips for you to stay safe this weekend.

  • Make sure the websites you are visiting have https: at the front of the URL. The s actually stands for secure! Who knew?
  • If you receive any emails from your bank, paypal or anything asking you to confirm your payment details with a link to click on to do so, hover your mouse over the link to see what the URL is, if it isn’t the company’s name .com/.co.uk etc it’s a scam.
  • Look at the email address you receive an email from, is that the company’s name?
  • Use strong passwords, and different passwords for each log in (this is how many people got stung with Deliveroo as they used the same password for their account with them and with other websites and apps).
  • Read the websites privacy policy before handing over all of your sensitive information. These are legally binding and have to inform you of what the company plans to do with your data.

I could go on and on but these main 5 steps should keep you fairly safe this weekend. Don’t be put off by the minority of people who do wish to scam you into handing over all of your money. There are some good people (and even better bargains) out there, so happy shopping!

charlotte-seymour-2016
Written by Charlotte Seymour – 25th November 2016.

Snoopers’ Charter – What do you think?

big brother.pngThe Investigatory Powers Bill, also known as the Snoopers’ Charter, was passed by the House of Lords last week. This means that service providers will now need to keep – for 12 months – records of every website you visit, (not the exact URL but the website itself), every phone call you make, how long each call lasts, including dates and times the calls were made. They will also track the apps you use on your phone or tablet.

The idea behind the Bill is to prevent terrorism and organised crime, which, it goes without saying, we all fully support.  What it will also obviously do is to place massive amounts of personal information into the hands of the government and other bodies for that 12-month period.  And there has been and will continue to be a huge debate over whether and to what extent this is a breach of our privacy.

This Bill will also allow the police and authorities to look at a specific location and see which websites are highly used in that area, and even who is visiting that area. Dozens of public organisations and departments, such as HMRC, the Food Standards Agency and Gambling Commission, will also be able to access this information without needing evidence for ‘reasonable doubt’ to do so.

What has not changed is that security services still have the ability to hack in to your communications, and eavesdrop into your calls, read your texts and emails, only as long as they have the required warrant to do so. So in theory your actual conversations are still safe unless there is a reason to believe you are involved in something you shouldn’t be.

All this is very well, but is the Bill self-defeating?  Doesn’t it just encourage the use of VPNs which will bounce your IP around the world so you can’t be traced?  If you were doing something you didn’t want officials to know about, isn’t that just what you’d do?

Food for thought here is that the UK will expect companies like Google, Facebook and Apple to unencrypt some of their software so that the UK can gain access to those records. These companies aren’t British companies. So can they refuse? The thing that worries me is that if they do refuse, would they be tempted to pull out of working with the UK completely?  In which case, what does the government want more – the business and jobs these companies provide or the data they hold?

Not only that, but we are now living in the age where Yahoo can lose half a billion accounts, a Three Mobile breach can put millions of customers at risk, and thousands of Tesco customers can have money simply removed from their bank accounts.  And the list goes on. Is not keeping all this data stored for 12 months just like a huge red target for hackers?  Even though this Bill is driven by national security, the risk is that it still leaves an ocean of information that can be dipped into, hacked and misused.

I feel caught between a rock and a hard place.  I have no issues with the government bodies looking through my history should they choose to, but is it right that they can? And then you have to wonder … has anything really changed that much?  Hmmm…

What do you think? None of this will go away. Our children will inherit this Bill and will grow up with all of its implications.

charlotte

 

Written by Charlotte Seymour – November 2016

Insider Threats – Charlotte’s View

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016