Brian Pennington

A blog about Cyber Security & Compliance


December 2011

Data Security Survey to gauge organisations’ perception of their own IT security

As we near the end of 2011 Hitachi ID Systems has run its first annual Data Security Survey to gauge organisations’ perception of their own IT security.

Survey background

Hitachi’s survey focused on Identity and Access Management (IAM) and had several hundred respondents from 16 different industries including agriculture, aerospace, construction, media and retail.

The largest group of respondents (69%) came from organisations employing fewer than 5,000 people.

Key findings of the survey

  • 52% of businesses were “somewhat confident” in their Data Protection Measures
  • 39% of business had “some” Data Protection Measures in place
  • 33% of business said they had “strict” controls in place
  • 15% had privileged access management systems in place (who has all the keys to all the safes?)

More findings are in the graph below:

Sticking with Hitachi: in his article “Looking Ahead to 2012”, Hitachi ID Systems CTO Idan Shoham predicts the following as future trends in the IAM space:

1. Bring your own device (BYOD)

The “BYOD” trend is both unavoidable and troubling. Users, including executives, insist on the undeniable convenience of using their own, integrated and super-portable endpoint device. IT professionals are struggling to control access to sensitive corporate data on devices — which they do not control. It’s going to take a lot of innovation to resolve this conflict, but maybe we’ll see some progress in 2012.

2. Market Consolidation (in the IAM marketplace)

3. Identity and Access Management as a Service (IAMaaS)

Hosting an IAM system in the cloud (IAMaaS) and using it to manage identities and entitlements both inside the perimeter and in the cloud is still a new, risky game. This said, there will undoubtedly be some uptake in 2012, but just early adopters.

4. Identity Administration and Access Governance

Another interesting development in 2011 was the emergence of “access governance” as a separate product category, layered on top of “identity administration.” Currently, there are vendors in this market such as SailPoint, Aveksa and Approva. The thinking is that a requests portal, approvals workflows, access certification and policy enforcement should be layered on top of whatever IAM system an organization already has; something simple like incident management or more robust like a user provisioning system.

“In 2012, I predict that we will see the market begin accepting identity administration and access governance as two sides of the same coin. Here at Hitachi ID Systems, we used to provide a separate access certification product; at some point we realized this was a mistake and simply folded the features into our Identity Manager. I expect that some of our competitors will do the same in 2012; they may even clean up their user interfaces and lower their TCO.

So what does this mean for the “access governance” vendors? They have to learn to compete with the big boys. Their solutions need to scale; running access certification for just finance and HR users does not qualify as an enterprise solution. They will have to offer connectors. And password management. And user enrollment. While developing an aesthetically pleasing user interface to cover up old junk is okay to sell for a little while, it’s certainly not enough in the long run.”

The full article can be found here.


Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data



Merchants are constantly seeking ways to simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) compliance by shrinking the footprint where cardholder data is located throughout their organization.

By reducing the scope, these merchants can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase their chance of achieving it, whether compliance is demonstrated through an on-site audit or a Self-Assessment Questionnaire (SAQ).

The White Paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” explores the use of tokenization as a best practice in improving the security of credit card transactions, while at the same time minimising the cost and complexity of PCI DSS compliance by reducing audit scope.

The 8 Ways are

  1. Centralized data vault
  2. Tokens as data surrogates
  3. Tokens as surrogates for masked data
  4. No mathematical relationship between tokens and data values
  5. One-to-one or one-to-many token/data relationships
  6. Format Preserving Tokenization™
  7. Centralized key management
  8. Tokenization as a Service™ (TaaS)

For the full description of the 8 methods simply download the white paper here

Registration is required, some personal email accounts do not work e.g. Hotmail and Gmail. If you are having a problem please leave a comment and I will try to email the paper directly to you.

Also see a Free eBook  “Tokenization for Dummies” here.


7 experts predict the IT security and compliance issues and trends of 2012

Here we are on the edge of another year and it is the time of year when the predictions start.

Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions I thought I would extract the predictions of several leading vendors and consultants and put them into one single post.

The plan is to use a range of industry specialisations, for example Anti-Virus and Authentication, and run them side by side for an easy comparison and to see if there is a trend in the predicted trends.

The 7 specialist predictors are from the organisations listed below

  1. Confident Technologies
  2. Cryptzone
  3. Deloitte
  4. Lancope
  5. Trend Micro
  6. Varonis
  7. WatchGuard

Other opinions and predictions are available; the full predictions of each organisation can be reached via the link at the end of its section.

Top 5 Authentication Predictions for 2012 from Confident Technologies

  1. BYOMD (bring your own mobile device) will spell big trouble for businesses in terms of data loss in 2012.
  2. There will be a large data breach (reminiscent of the Sony online gaming breach of 2011) which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
  3. Targeted Variations of Zeus-in-the-Mobile style attacks will grow
  4. Smart devices enable smart authentication: image-based authentication, biometrics and more.
  5. Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012

Find the Confident Technologies predictions here.

Cryptzone predicts Trends for 2012

Cryptzone, the IT Threat mitigation experts, announced its 8 key predictions for the top security trends for the coming year.

  1. Targeted Attacks
  2. Bring Your Own Device (BYOD)
  3. Greater Security for Production Systems
  4. Intranets on the iPAD
  5. Incident Response Management
  6. Context Awareness for Access Rights
  7. Content Security versus Hardware Security
  8. Shortened Product Development Lifecycles

Peter Davin, CEO of Cryptzone, comments “Employees are now demanding to use their own devices for work with security as a prerequisite. On the other side, hackers have become more sophisticated in whom they target, opting away from indiscriminate strikes. 2012 will see these trends develop even further.”

Find Cryptzone’s predictions here.

Deloitte’s Top five security threats in 2012

  1. Mobile devices (34%)
  2. Security breaches involving third parties (25%)
  3. Employee errors and omissions (20%)
  4. Faster adoption of emerging technologies (18%)
  5. Employee abuse of IT systems and information (17%)

Find Deloitte’s predictions here.

Trend Micro 2012 Threat Predictions:

Attacks Take on More Sophistication in the Post-PC, BYOD Era. Trend Micro’s “12 Threat Predictions for 2012” include:

  1. The real challenge for data center owners will be the increasing complexities of securing physical, virtual, and cloud-based systems
  2. Security and data breach incidents in 2012 will force companies worldwide to face BYOD (Bring-Your-Own-Device) related challenges
  3. Security vulnerabilities will be found in legitimate mobile apps, making data extraction easier for cybercriminals
  4. More hacker groups will pose a bigger threat to organizations that protect highly sensitive data
  5. The new social networking generation will redefine “privacy.”

Find Trend Micro’s predictions here.

Lancope Announces Top Five Security Predictions for 2012

Lancope, Inc., a leader in flow-based security, network and application performance monitoring, unveiled its top five security predictions for 2012.

  1. Advanced persistent threats (APTs) will become more predominant
  2. Insider threats will grow
  3. Industrialized attacks will remain stable
  4. Employee misuse and abuse will create steady risk
  5. Fully automated attacks will trend down

“If 2011 taught us anything, it’s that the targeted, highly motivated attacker is real. Tomorrow’s threat landscape requires a new level of preparation when it comes to security,” said Adam Powers, chief technology officer at Lancope.

Find Lancope’s predictions here.

Varonis gives its top predictions for Data Governance in 2012

Varonis Systems Inc., the leading provider of comprehensive data governance software announced its top-level predictions for the Data Governance field in 2012.

  1. Secure Collaboration Goes Viral in 2012. It will be the year data owners take back access control decisions from IT, and demand automation to analyze data, make better decisions, and eliminate costly, ineffective manual processes
  2. Big data analytics will expand its focus to the biggest data of all: unstructured information sitting on file servers, NAS devices, and in email systems
  3. We will see some IT departments taking drastic measures, such as shutting down “at risk” servers or access to e-mail if the proper audit trails are not in place
  4. Internal threats will still be a major worry for corporates in 2012 despite the demise of WikiLeaks

David Gibson, Director of Technical Marketing and Strategic Sales at Varonis said: “When it comes to data loss, threats from inside the organization have become as worrisome, if not more so, than those from outside. In many of the security breaches in 2011, employees or contractors were able to delete or download thousands of files without raising concerns because often no one was able to determine what sensitive data they had access to and secure it before information could be stolen, view an audit trail of what they actually did access after the fact, and certainly not hear any alarms go off while the breach was in progress, when access activity was unusual. Corporates will have to address this issue properly in 2012.”

Find Varonis’s predictions here.

WatchGuard Unveils Top 10 Security Predictions for 2012

WatchGuard Technologies’ security analysts provide their 2012 security predictions

  1. A major cloud provider will suffer a significant security breach. Cloud Computing brings chance of malware-storms
  2. Organized criminals will leverage Advanced Malware techniques in targeted attacks against businesses
  3. The barrage of noteworthy data breaches continues through 2012
  4. Increased reliance on virtualization reawakens need for virtual security. Unprotected virtual machines make bad neighbors
  5. Smartphone app stores and marketplaces help proliferate mobile malware in the real world
  6. Adoption of BYOD and IT self-service results in more data loss. Bring your own device means clean your own infections
  7. As the top vector for social engineering and malware, Facebook is forced to increase its security. In 2012 WatchGuard forecasts Facebook-based attacks will increase and Facebook will be forced to sit up and take notice. Specifically, Facebook will implement new security solutions on their site to avoid losing fed-up users
  8. Attackers launch a digital attack that affects physical infrastructure or equipment. My power plant got a virus infection. Expect at least one digital attack in 2012 to cause a significant repercussion to a physical infrastructure system
  9. Location aware malware customizes its attacks. Spyware knows where you live
  10. HTML5 offers five times the ways to hijack your website. New web technologies like HTML5 fuel the growth for next year’s web application attacks

“2012 stands to be a dynamic year for network security as criminals and hackers take threats to new levels,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “Given how new threats are constantly evolving, WatchGuard remains ever vigilant in staying one step ahead of these threats, which gives our customers unparalleled protection for their networks, applications and data.”

Find WatchGuard predictions here.

It appears the common theme is “mobile” as the biggest threat, whether the device is employee owned or not. Similarly, they agree that the bad guys will continue to favour targeted attacks over indiscriminate ones.

Let’s just hope that 2012 is a more secure year than 2011.


Illicit access of medical records leads to a breach of the Data Protection Act


A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Ms Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

Christopher Graham the Information Commissioner said:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”


Clarification given on private email details and the Freedom of Information Act

The Information Commissioner has issued guidance clarifying how the Freedom of Information Act applies to official information held in private email accounts.


  • FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority. Such information may be exempt and will not necessarily have to be disclosed
  • It may be necessary to request relevant individuals to search private email accounts in particular cases. The occasions when this will be necessary are expected to be rare
  • Adherence to good records management practice should assist in managing risks associated with the use of private email accounts for public authority business purposes

The ICO recommends that, as a matter of good practice, public authorities establish procedures for dealing with such situations. These should outline the relevant factors to be taken into account in deciding whether it is necessary to ask someone to search their private email account for information which might fall within the scope of an FOI request the public authority has received. Relevant factors are likely to include:

  • The focus of the request, indicated by the words used by the requester
  • The subject matter of the information which falls within the scope of the request
  • How the issues to which the request relates have been handled within the public authority
  • By whom and to whom was the information sent and in what capacity (e.g. public servant or political party member)
  • Whether a private communication channel was used because no official channel was available at the time

Key points set out in the Information Commissioner’s guidance include:

  • Where a public authority has decided that a relevant individual’s email account may include official information which falls within the scope of the request and is not held elsewhere, it will need to ask that individual to search their account
  • Where people are asked to check private email accounts, there should be a record of the action taken. The public authority needs to be able to demonstrate, if required, that appropriate searches have taken place
  • Although the main emphasis of the guidance is on official information held in private email accounts, public authorities should be aware that the law covers information recorded in any form
  • Public authorities should remind staff that deleting or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of the Act
  • It is accepted that, in certain circumstances, it may be necessary to use private email for public authority business. There should be a policy which clearly states that in these cases an authority email address should be copied in to ensure the completeness of the authority’s records

Christopher Graham the Information Commissioner said:-

“It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to Freedom of Information law if it relates to official business. This has always been the case, the Act covers all recorded information in any form.

“It came to light in September that this is a somewhat misunderstood aspect of the law and that further clarification was needed. That’s why we’ve issued new guidance today with two key aims first, to give public authorities an authoritative steer on the factors that should be considered before deciding whether a search of private email accounts is necessary when responding to a request under the Act. Second, to set out the procedures that should generally be in place to respond to requests. Clearly, the need to search private email accounts should be a rare occurrence; therefore, we do not expect this advice to increase the burden on public authorities.”

Related posts:

Information Commissioner gets tough with the largest fine for the breach of the Data Protection Act

The Freedom of Information Act. Power to the people or a tool for busy bodies?


Websites failing cookie regulations

Earlier this year the UK government amended the Privacy and Electronic Communications Regulations to implement the revised EU e-Privacy Directive. The new rules on cookies came into force on 26th May 2011 but, after a series of lobbies and petitions, the Information Commissioner allowed a 12 month lead-in before formal enforcement, which therefore begins on 26th May 2012.

Six months into that lead-in period the Information Commissioner has released a statement.

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules.

But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?

“Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running websites are far better placed to know what will work for them and their customers.”

Key points set out in the amended cookies advice include:

  • More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
  • The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
  • However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
  • Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
  • The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.

The ICO says it will:

  • We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.
  • We will further reduce the burden on those trying to comply by ensuring that our response to complaints recognises ongoing work
  • We will give realistic and practical advice to those who ask for it
  • We will be clear about how this work fits in with our strategy on regulatory action
  • We will apply the rules consistently

What the ICO expects from website owners

There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take. Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.

Two general questions that might help in this regard might be, “is my website doing anything that my users don’t know about?” and “am I confident that I am giving them appropriate options?” Your confidence might stem from the fact that you have switched all your cookies off until users tell you to switch them on again. It might stem from the fact that many of your users are registered with you and as part of the registration process they have indicated to you that they are happy for your site to work in a certain way. Or it might stem from the fact that your users will know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.

The first option is the safest one. The second is just as safe provided that you are honest and upfront with registered users and that you can rely on the fact that they have made an informed decision to click that “Agree” button. It also, of course, only applies to some of your users – how will you ensure that the one-off or casual user is not left with a browser full of persistent and unwanted cookies?

The third option relies on a lot of factors that might be out of your control such as the general level of user awareness. You can and should, though, do whatever you can to demonstrate your compliance. Three things will help: following the ICO advice, looking for and implementing the ‘quick wins’ and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can’t you?”
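The first option above, everything off until the user opts in, is easier to reason about if the decision is made in one place on the server rather than scattered through page templates. As an added example (Python, not ICO guidance or code from the page), the application declares the cookies it would like to set, strictly necessary ones (session, basket, CSRF token) are always sent, and everything else is withheld until a consent cookie is present; that consent cookie is only ever issued in response to an explicit “Agree” action. The cookie names, the exempt list and the attribute strings are constructed assumptions; a real site would derive the categories from its own cookie audit.

```python
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# Constructed for this example: names and categories would come from your cookie audit.
STRICTLY_NECESSARY = {"sessionid", "basket", "csrftoken"}  # likely exempt under the rules
CONSENT_COOKIE = "cookie_consent"                          # only ever set by an explicit click


def has_consent(cookie_header: Optional[str]) -> bool:
    """True only when the visitor has knowingly opted in (consent cookie present and 'yes')."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")  # parses a raw Cookie request header
    return CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value == "yes"


def set_cookie_headers(cookie_header: Optional[str],
                       wanted: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Gate every cookie the application wants to set.

    Returns (Set-Cookie header values to send, cookie names withheld pending consent).
    Strictly necessary cookies are always sent; analytics, advertising and
    "recognise a returning visitor" cookies go out only after consent.
    """
    consent = has_consent(cookie_header)
    sent, withheld = [], []
    for name, value in wanted:
        if name in STRICTLY_NECESSARY:
            sent.append(f"{name}={value}; Path=/; Secure; HttpOnly")
        elif consent:
            sent.append(f"{name}={value}; Path=/; Secure")
        else:
            withheld.append(name)
    return sent, withheld


def record_consent(form_action: str) -> Optional[str]:
    """Set-Cookie value for the consent cookie, issued only on an explicit 'agree' action."""
    if form_action == "agree":
        return f"{CONSENT_COOKIE}=yes; Path=/; Secure; Max-Age=31536000"
    return None
```

A first-time visitor with no consent cookie gets only the session and basket cookies; once they have clicked “Agree” and the consent cookie is sent back on the next request, the analytics and advertising cookies are released. Logging the withheld names is also a cheap way to produce the evidence the ICO says it will ask for.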


Last chance to review your PCI readiness before the holiday season

As we enter the busiest period of credit card spending it is probably a good time for a bit of last minute housekeeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.

First things first, DO NOT STORE CREDIT CARDS unless you really really have to.

  • If you know you are unnecessarily storing card numbers, delete them, and delete them with a secure deletion tool so there is no way they can come back to haunt you.
  • If you have to retain card data make sure it is encrypted, and never, ever store the CVV/CV2 or any other sensitive authentication data (full track contents, PIN blocks). As a short term fix, to get you through the next couple of weeks, encrypt the hard drives and put in a plan to have effective card data encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS, download the white paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
  • Check to see whether card numbers are being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”; read the press release here. There are some excellent scanning tools that will search your network and devices for stored card numbers so you can then decide to delete or secure them.
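The discovery step in the last bullet and the tokenization ideas listed in the white paper post above (centralized vault, random tokens with no mathematical relationship to the card number, one-to-one mapping, format preservation, masked surrogates) fit together into one workflow: find the card numbers you did not know you had, then replace them with tokens so the system that held them drops out of scope. The following Python is an added example, not code from the white paper or from any scanning vendor. It finds candidate PANs with a 13 to 19 digit pattern and keeps only those that pass the Luhn check (which removes most timestamps and order numbers), and it implements a minimal vault. The in-memory dictionary store, the fixed index key, keeping the BIN and last four digits, and forcing tokens to fail Luhn are all assumptions made for this example; in production the vault store is encrypted under centralized key management and only the vault ever sees a PAN. The log lines are constructed and use the standard test card numbers.

```python
import hashlib
import hmac
import re
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Discovery: return the normalised PANs found in text (Luhn removes most false hits)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _digits(m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


class TokenVault:
    """Centralized data vault: the only component that ever sees a PAN (constructed
    example; in production the store is encrypted under centralized key management)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key       # held only by the vault / key manager
        self._token_to_pan = {}           # token -> PAN
        self._index = {}                  # HMAC(PAN) -> token, gives the one-to-one mapping

    def _index_of(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = _digits(pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        key = self._index_of(pan)
        if key in self._index:            # same PAN always yields the same token
            return self._index[key]
        while True:
            # Format preserving: same length, BIN (first 6) and last 4 kept so receipts,
            # reporting and customer service still work. The middle is random, so the
            # token has no mathematical relationship to the PAN.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Assumed design choice: tokens must fail Luhn so they can never be
            # mistaken for (or rediscovered by a scanner as) a live card number.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._index[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only trusted, in-scope components (e.g. the payment gateway) may call this."""
        return self._token_to_pan[token]


def mask(token: str) -> str:
    """Masked surrogate for display: at most first 6 and last 4, as PCI DSS permits."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scrub(text: str, vault: TokenVault) -> str:
    """Replace every real PAN in text with its token; everything else is left untouched."""
    def replace(m):
        digits = _digits(m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(replace, text)


# Constructed sample log lines; the card numbers are the usual test PANs.
SAMPLE_LOG = """\
2011-12-01T10:03:45 order=8871 card=4111 1111 1111 1111 amount=49.99
2011-12-01T10:04:12 order=8872 card=5555-5555-5555-4444 amount=120.00
2011-12-01T10:05:01 order=8873 ts=20111201123045 card=none
"""
```

Running `find_pans(SAMPLE_LOG)` reports the two card numbers and ignores the 14-digit timestamp, which fails Luhn; `scrub(SAMPLE_LOG, TokenVault(key))` rewrites the file so that a second scan finds nothing, while the vault can still return the real PAN to the payment gateway via `detokenize`. Note that `find_pans` is a net, not proof of absence: cards stored encoded, in binary formats or split across fields need the commercial scanning tools mentioned above.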

You now need to revisit PCI DSS version 2.0 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.

The Prioritized Approach consists of six key milestones, and merchants are advised to start with number 1.

  1. Milestone 1 Remove Sensitive Authentication Data and limit data retention
  2. Milestone 2 Protect the perimeter, internal, and wireless networks
  3. Milestone 3 Secure payment card applications (e.g. PA DSS approved)
  4. Milestone 4 Monitor and control access to your systems
  5. Milestone 5 Protect stored cardholder data
  6. Milestone 6 Finalize remaining compliance efforts, and ensure all controls are in place

Another reason to revisit your PCI DSS posture is revealed in Verizon’s 2011 Payment Card Industry Compliance Report, which found that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:

  • 21% of organisations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • Organisations met, on average, 78% of all test procedures at the IROC stage
  • 20% of organisations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

The full review of the Verizon report is here.

If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.

Good luck with your Christmas and the New Year business and compliance activities.


RSA’s November Online Fraud Report

Below is a summary of RSA’s November Online Fraud Report:-

The humble beginnings of phishing

The term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing usernames and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ was actively being traded between hackers as a form of electronic currency that was of value to them. ‘Phishers’ used to go after compromised e-mail accounts in order to send out spam.

In its early days, phishing was not looking to steal bank account information or even financially driven for that matter. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Now going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts.

Phishing became a fraudster’s gold rush.

Phishing Attacks per Month

In October, phishing volume dropped nearly 40 percent – from 38,970 attacks in September to 24,019 attacks. This decline was mainly due to a drastic reduction in the number of phishing attacks targeting brands that were heavily attacked in September.

Number of Brands Attacked

Last month, 298 brands were targeted with phishing attacks, marking just a slight drop from September. Eleven brands endured their first attack in October while 51 percent of the brands targeted last month endured less than five attacks each.

US Bank Types Attacked

The portion of brands targeted among U.S. credit unions increased eight percent while brands targeted among U.S. regional banks saw a 13 percent decrease in October (from 25% to 12%). However, U.S. nationwide bank brands continue to endure the highest number of attacks, accounting for nearly 75 percent in October.

Top Countries by Attack Volume

In October, the UK continued to be the country that endured the most phishing attacks, just slightly ahead of the U.S. by a mere one percent. South Africa endured eleven percent of the phishing volume in October, followed by Brazil and Canada.

Top Hosting Countries

In October, the US hosted 54 percent of the world’s phishing attacks, followed by Germany with seven percent and the UK with four percent. Since October 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the US, UK, Germany, France and Russia.

The full RSA Report can be found here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.


Information Commissioner gets tough with the largest fine for the breach of the Data Protection Act

The Information Commissioner’s Office (ICO) has served a penalty of £130,000 on Powys County Council for breaching the Data Protection Act.

Powys County Council sent the details of a child protection case to the wrong recipient.

The £130,000 penalty is the highest that the ICO has served since it was given the power in April 2010 and follows a similar incident, which was reported by the council to the ICO in June last year.

The latest breach at Powys County Council occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient therefore received two pages of someone else’s report and knew the identities of the parent and child whose personal details were included in the papers.

The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

Assistant Commissioner for Wales, Anne Jones said:

“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

The Information Commissioner’s Office is pressing the Ministry of Justice for stronger powers to audit local councils and the NHS on their Data Protection compliance.



Internet regulation – Government plans for managing and monitoring of the internet revealed

On the 1st December 2011 the UK Parliament produced guidance on its plans for monitoring and managing the internet. It was published as a “Commons Library Standard Note”.

The remit of the document is:-

The practicalities of blocking and filtering harmful material on the internet have generated interest in a range of contexts: the misuse of social media during the August 2011 riots, child sexual abuse images and copyright infringement.

The communications regulator, Ofcom, considered a range of blocking techniques in the context of combating copyright infringement. Ofcom reported in May 2011. In August 2011, the Department for Culture, Media and Sport published Next steps for implementation of the Digital Economy Act. This referred to Ofcom’s assessment of website blocking and the fact that the Government would not be proceeding with this for the time being.

Other legislation can also be invoked to control internet content. Section 127 of the Communications Act 2003 proscribes the improper use of a public electronic communications network. It has recently been applied, apparently for the first time, to a social networking site (Twitter).

Online activity is also subject to general offline legislation such as the Obscene Publications Act 1959 and the Human Rights Act 1998.

Tackling internet hate crime is another area that poses a challenge to the adaptation of law to this medium. A new service for reporting all hate crimes online was launched by the police in April 2011.

The paper then went on to address 6 specific sections:

  1. Website blocking
  2. Digital Economy Act
  3. Communications Act
  4. Obscene Publications Act
  5. Human Rights Act
  6. Internet hate crime

A summary of the 6 sections is below:-

1 Website blocking

Access to harmful content can be stopped in a number of ways. Most internet service providers (ISPs) block access (by anyone) to websites known to contain images of child sexual abuse (“child pornography”). The Internet Watch Foundation (IWF) maintains a list of offending websites which is updated twice daily. The list typically contains details of 500 websites.

The IWF considers this kind of blocking to be

“a short-term disruption tactic which can help protect internet users from stumbling across these images, whilst processes to have them removed are instigated.”

It is highly unlikely to be a suitable approach for adult pornography or violent material, much of which is legal (at least if it is unavailable to minors) and which is prevalent on the internet. However, this kind of blocking (known as uniform resource locator blocking) is only one of a number of available techniques.

The communications regulator, Ofcom, considered a range of blocking techniques – albeit in a different context – in its report of May 2011, “Site Blocking” to reduce online copyright infringement. The techniques considered were termed “primary” on account of their allowing ISPs to apply blocking at the level of their network infrastructure. Although none of the specific techniques are failsafe, they aim to prevent harmful material reaching any device within the home. The main alternative currently used is to install software on individual devices in the home to block the display of material identified as being harmful. One problem with filtering and blocking techniques is that legitimate websites can sometimes be captured. Deliberate circumvention by IT-literate users is also a challenge.

2 Digital Economy Act

Sections 17 and 18 of the Digital Economy Act 2010 cover website blocking, albeit in connection with copyright infringement:

  • “Power to make provision about injunctions preventing access to locations on the internet”
  • “Consultation and Parliamentary scrutiny”

In brief the effect of these sections is to introduce a power to bring in regulations for website blocking, subject to a “superaffirmative” parliamentary procedure. The Secretary of State could make the relevant regulations, but only a court could order the blocking of a website once (if ever) such regulations provide for this.

3 Communications Act

Section 127 of the Communications Act 2003 proscribes the improper use of a public electronic communications network. It has recently been applied, apparently for the first time, to a social networking site (involving a reference on Twitter to bombing an airport). Background to this case (currently subject to appeal) involving Paul Chambers is widely available online. It is worth commenting that the application and interpretation of the relevant statute law as it applies to the internet is still at a relatively early stage of development.

4 Obscene Publications Act

While the Obscene Publications Act 1959 tends to focus on sexual material, it could in principle also apply to violence in a non-sexual context. Publication of obscene material, including child pornography and extreme adult pornography, is illegal under the Obscene Publications Act 1959 (which extends to England and Wales). Section 2 (as amended by the Obscene Publications Act 1964) prohibits the “publication” of obscene material.

5 Human Rights Act

If feasible, preventing access to online media by individuals wishing to organise violent disorder would be unlikely to infringe their human rights. In the UK the relevant legislation is the Human Rights Act 1998, which gives further legal effect to the fundamental rights and freedoms contained in the European Convention on Human Rights. The right to free speech is a qualified right.

6 Internet hate crime

A new service for reporting all hate crimes online was launched by the police in April 2011. The website, called True Vision, is supported by all forces in England, Wales and Northern Ireland.

All reports of incitement to racial hatred content hosted in the UK previously reported to the Internet Watch Foundation (IWF) should now be reported directly to True Vision.

The full document can be found here.


Estate Agent prosecuted for not disclosing he stored personal data

Merfyn Pugh Estate Agents pleaded guilty (1.12.11) to the offence of failing to notify the Information Commissioner’s Office (ICO) that his business processes personal data.

John Merfyn Pugh of the Estate Agents Merfyn Pugh was prosecuted under section 17 of the Data Protection Act.

The Data Protection Act 1998 requires every organisation or person who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence and could lead to a fine of up to £5,000 in a Magistrates Court, or unlimited fines in a Crown Court.

Mr Pugh was given a conditional discharge of six months and was ordered to pay £614 towards prosecution costs.

If Mr Pugh had completed the required paperwork, his costs would have been only £35 and he would have avoided a criminal record as well as damage to his business’s reputation.

Assistant Information Commissioner for Wales, Anne Jones, said:

“Registering as a data controller is a basic legal requirement of the Data Protection Act. The fee for most businesses is £35 a year. Merfyn Pugh Estate Agents’ failure to register – even after being prompted to do so by the ICO – has cost them much more today. The message behind today’s prosecution is clear – ignore warnings and you too could end up in court.”

All organisations that handle personal data but have not yet registered as a data controller should proactively contact the ICO to ensure they are complying with the law. Some organisations will be exempt.
