
42 days and counting…

With the countdown to Brexit clock still ticking, it seems that all has gone (relatively) quiet on the Brexit front. Parliament is not sitting and won’t be back until 14th October, but this has not stopped politicians and commentators on all sides of the debate from reiterating their deeply-held positions.

Behind the scenes, it is reported, there is a great deal of shuttle diplomacy taking place. Both the Prime Minister and his chief negotiator, David Frost, have become frequent passengers on the Eurostar as they dash between London, Brussels and the other capitals of Europe. Yet the details of the discussions are still far from clear.

The “non-paper”

On Thursday it emerged that the Government has apparently issued a “non-paper” to the EU outlining some thoughts on how an acceptable Brexit deal can be achieved. “Non-paper” is a particularly bizarre EU term for written proposals that have no formal status. At the risk of sounding like something from Alice through the Looking Glass, it is a paper that is not a “paper”.

The details contained in the non-paper are unlikely to be officially released. But, if past experience is anything to go by, non-papers tend to see the light of day through unofficial and unattributable leaks.

The Law’s Delay

With little information to go on, it is perhaps unsurprising that attention has turned to the other burning issue in UK politics: the judgement of the Supreme Court on the legality of the decision to prorogue Parliament. Whilst this is not a Brexit issue in itself, the plaintiffs in the two cases before the Court clearly suspect that Parliament was suspended in order to prevent scrutiny of the Brexit negotiations.

At the time of writing the judges are still out and the judgement is yet to be issued. Whatever the decision, it is clearly going to have an impact on the course of the Brexit countdown.

With attention focussed on legal matters, it is perhaps worthwhile spending a little time looking at an often misunderstood aspect of data protection law: the legal basis for processing data.

On what legal basis can companies process personal data?

The collection and processing of personal data must first and foremost be lawful under the GDPR and the Data Protection Act 2018. There are six legal grounds for processing, and one of them MUST apply. They are summarised below in no particular order:

  • Consent – a person must have given their consent for one or more specific purpose(s) (e.g. for consumer electronic marketing purposes)
  • Contract – the processing is necessary for the performance of a contract to which a data subject is a party or has requested before entering into a contract (e.g. for employee, client or third-party contracts)
  • Legal obligation – the processing is necessary for compliance with a legal obligation (e.g. obligations to HMRC)
  • Vital interests – processing is necessary to protect a data subject or another person (e.g. medical records in the case of an accident)
  • Legitimate interests – where data processing is necessary for the purposes of the legitimate interests of the data controller, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual (a Legitimate Interests Assessment must take place e.g. for some direct marketing purposes)
  • Public interest – for a task carried out in the public interest or in the exercise of official authority vested in the controller

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 20th September 2019

Data Breaches in Cloud Computing

The cloud computing economy is expected to grow to $191 billion by 2020, an increase of $100 billion in five years, according to the analysts at Forrester. After Monday’s mega-leak, Ecuadorians may be a little hesitant to embrace this secular shift to cloud computing.

The advantages of cloud services for storage and productivity are well-documented, but cloud servers come with several serious security risks.

High-profile breaches of cloud platforms at Evernote, Adobe, Slack and LastPass over the last few years have led to extra scrutiny of cloud computing from a security perspective, as these online databases are more and more relied upon for storing sensitive data.

Outrage over cloud platform Ecuador personal and financial data leak

This massive data breach was made possible by an unsecured Elasticsearch server hosted on AWS. It was discovered on 16th September and caused outrage throughout the Andean state.

Roughly twenty million people, including 6.7 million children, were affected, comprising nearly the entire population. Even the President of Ecuador was affected, as was Julian Assange, who was given a ‘cedula’, or national ID number, during his stay at the Ecuadorean embassy in London.

Collectively, the information was described by one journalist as “as valuable as gold in the hands of criminal gangs.”

The scale and detail of the 18GB cache of personal information exposed by the leaky server was such that the researchers were actually able to reconstruct entire family trees.

The types of personal and confidential information available on the database included:

  • names;
  • national ID numbers;
  • DOBs;
  • places of birth;
  • home addresses;
  • genders;
  • phone numbers;
  • family and marriage records;
  • education and work records;
  • financial information including tax records.

It is not known whether any malicious actors took advantage of the leaky server before it was plugged by Ecuador’s computer emergency security team shortly after the discovery.

How did the breach happen?

A local data analytics company, Novaestrat, held vast amounts of Ecuadorian data on an Elasticsearch server which had no password protection, allowing anyone to access it.

Though there is no evidence that the government’s database was hacked or breached by Novaestrat, these revelations led to the swift arrest of the company’s executive and a full investigation into how the company came to possess the data it held.

Novaestrat was awarded several government contracts by the former political regime, so it is likely that these contracts were the reason the company gained access to the personal data.

Plans for Data Protection Law

This breach has caused Ecuador’s Ministry of Telecommunications to speed up the process of passing a new data privacy law. This is intended to match rising international standards of data protection (for example, the GDPR).

Why Data Retention and Deletion Schedules are vital

There is a clear lesson here for both data controllers and data processors. Whether you are a data controller or a data processor, you must make sure that you have robust data retention and deletion schedules in place.

Data controllers

1. Make sure your data processors are legally obliged to delete the data:
   a) once the purpose of the data sharing has been met, and / or
   b) according to your own retention and deletion policies
2. Demand evidence that the deletion has taken place
3. Exercise your audit rights

Data processors

1. Ensure that you have procedures in place to enable you to meet the requirements of your data processor agreement
2. Ensure you have a robust mechanism for the destruction of the data
3. Be prepared to provide evidence of the destruction
4. Consider backup files as well as live
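To make the controller and processor checklists concrete, here is an added example (not code from the original post): a processor enforces a retention schedule over both the live store and its backup, and produces an HMAC-signed evidence record it can hand to the controller on request. The record layout, retention periods and signing key are constructed assumptions.

```python
# Added example, not from the original post: a processor enforces a retention
# and deletion schedule over BOTH the live store and its backup and produces an
# HMAC-signed evidence record for the controller. Data and key are constructed.
import copy, hashlib, hmac, json
from datetime import date, timedelta

# Retention period that starts once the purpose of the sharing has ended.
RETENTION = {"contract-delivery": timedelta(days=365), "marketing": timedelta(days=90)}

# Constructed sample data: the backup mirrors the live store.
_LIVE = {
    "r1": {"purpose": "contract-delivery", "purpose_ended": "2018-01-01"},
    "r2": {"purpose": "contract-delivery", "purpose_ended": "2019-06-01"},
    "r3": {"purpose": "marketing", "purpose_ended": "2019-05-01"},
    "r4": {"purpose": "marketing", "purpose_ended": None},  # purpose still live
}

def sample_stores():
    # Fresh copies so each run starts from the same constructed data.
    return {"live": copy.deepcopy(_LIVE), "backup": copy.deepcopy(_LIVE)}

def is_expired(record, today):
    """Expired once the purpose has ended AND the retention period has passed."""
    if record["purpose_ended"] is None:
        return False
    return today - date.fromisoformat(record["purpose_ended"]) > RETENTION[record["purpose"]]

def apply_schedule(stores, today):
    """Delete expired records from every store; return one evidence entry per deletion."""
    evidence = []
    for store_name, store in stores.items():
        for rid in [r for r in store if is_expired(store[r], today)]:
            # Hash of the content proves what was deleted without retaining it.
            digest = hashlib.sha256(json.dumps(store[rid], sort_keys=True).encode()).hexdigest()
            del store[rid]
            evidence.append({"store": store_name, "record_id": rid,
                             "content_sha256": digest, "deleted_on": today.isoformat()})
    return evidence

def sign_evidence(evidence, key):
    """HMAC over the canonical evidence list, so the controller can detect tampering."""
    return hmac.new(key, json.dumps(evidence, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify_evidence(evidence, tag, key):
    return hmac.compare_digest(sign_evidence(evidence, key), tag)

def run_schedule(today_iso="2019-09-20", key=b"constructed-demo-key"):
    stores = sample_stores()
    evidence = apply_schedule(stores, date.fromisoformat(today_iso))
    return {"stores": stores, "evidence": evidence, "tag": sign_evidence(evidence, key)}
```

Run `run_schedule()` and the two records whose retention period has elapsed disappear from both the live and backup stores, with one signed evidence entry per deletion; a record whose purpose is still live is never touched.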


If you have any questions about data retention and deletion policies or data processor agreements, please contact us via email team@datacompliant.co.uk or call 01787 277742