
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Christopher Graham

ICO publishes its annual report

The Information Commissioner has released its annual report.

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, and it became an offence to force a potential employee to make a subject access request (for example, for their spent criminal record). A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

  • 14,268 – data protection concerns received
  • £1,078,500 – total CMPs (civil monetary penalties) issued, £386,000 of which were for companies behind nuisance calls or texts
  • 195,431 – helpline calls answered
  • 11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)
  • 41 – audits conducted of data controllers (as well as 58 advisory visits to SMEs)
  • 1,177 – Information requests responded to
  • 4.9 million – number of visits to our website

The full report can be found here.


Information Commissioner’s Office provides data protection advice to the legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.

Information Commissioner, Christopher Graham, said:

“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.

“We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right.”

The ICO has published the following top tips to help barristers and solicitors keep the personal information they handle secure:

  • Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
  • Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
  • Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
  • When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
  • Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
  • If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to Barristers in England and Wales.

The original ICO post is here.

UK’s Information Commissioner believes 2013 will be the year businesses handle data correctly…!

2013 is the year that the commercial imperative of good data handling will be realised

Speaking at the launch of the ICO’s annual report today, Christopher Graham will highlight that consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.

An ICO study into public attitudes toward data protection found that 97% of those surveyed were concerned that organisations would pass or sell-on their personal details. The survey also found more than half (53%) considered details of the products they had bought to be personal information.

Yet in spite of these consumer concerns, only 10% of businesses were aware of the legal limitations on how they could use customers’ personal data.

Information Commissioner Christopher Graham said:

“Education and empowerment have been two of the key areas we’ve focused on in the past twelve months. That work is having real benefits: consumers’ awareness of their rights remains strong, and that is empowering people to demand more in return for their data.

“The result is consumers expecting organisations to handle their personal data in a proper way, and in a legal way. Businesses that don’t meet that basic requirement are going to quickly find themselves losing customers.

“I think 2013 is the year that organisations will realise the commercial imperative of properly handling customer data. The stats we’ve seen about public concern around personal data show that, as does a company the size of Microsoft choosing privacy as a theme of a national advertising campaign.

“The message to business is simple: consumers understand the value of their personal data, and they expect you to too.”

Find the complete report here.

Finally a prosecution of a former employee stealing confidential information

Thousands of people every day must copy, save or forward information for innocent or mischievous purposes, but now there is a quotable case that can be used to deter such risky activities.

A former manager of a health service based at a council run leisure centre in Southampton has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to over 2,000 people.

Paul Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court yesterday and fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

Mr Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre, sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant. The 42 year-old had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.

The information included sensitive medical details relating to 2,471 patients. The council became aware of its former employee’s actions when it received complaints about patients being approached by Mr Hedges, who had since set up a similar service using the Active Options name and branding.

Christopher Graham, the UK Information Commissioner, was quoted as saying:

People have a right to privacy and the ICO works to maintain that right

“Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.

“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At the very least, behaviour of this kind should be recognised as a ‘recordable offence’, which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated.

“The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

Information Commissioner’s Office consults on new anonymisation code of practice

The Information Commissioner’s Office (ICO) has begun a public consultation on a new anonymisation code of practice.

The code will provide guidance on how information can be successfully anonymised and how to assess the risks of identification. The ICO has also launched a tendering process to establish a network of experts to share best practice around the release of data in an anonymised form.

Anonymisation techniques can convert personal data into a form so that individuals are no longer identifiable. The consultation will be relevant to any organisation that wants to release anonymised data, for example under the government’s open data agenda.

Christopher Graham, Information Commissioner said:

“The UK is putting more and more valuable data into the public domain. The open data agenda will see this process continue and I welcome the power this information gives the average UK citizen to understand how the public sector operates and hold organisations to account.

“However, while the public wants to see openness, they want to see their privacy rights respected too. The risks of anonymisation can sometimes be underestimated and in other cases overstated; organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain.

“Anonymisation can allow organisations to publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. Our code will aim to provide clear, practical advice on how data can be anonymised. We are now inviting individuals and organisations to submit their views on how this can best be achieved.”

The consultation will play an important role in making sure that the new code achieves the right balance between the protection of individuals’ privacy and the benefits of making information publicly available.

The consultation will remain open for the next 12 weeks, before closing on 23 August 2012. A copy of the draft code and consultation document is available in the consultation section of the ICO website.

A final version of the ‘Anonymisation Code of Practice’ – incorporating any changes resulting from comments received – is due for publication in September.

The code of practice will allow organisations to better achieve compliance against the proposed European Data Protection Act. Read my post Proposed European wide Data Protection Act – a review for further information.

Another alternative to anonymisation is Tokenization which is a recognised solution for PCI DSS. For details of a Free copy of the Tokenization for Dummies eBook click here.


School boy error at a University

How many other people will have done this? Taken a screenshot for training purposes, to demonstrate a technical error, to share a section of a document, etc., and inadvertently included another application, image or piece of data without realising it or without thinking it was important.

Whatever the reason, if we include personal information in those screenshots and wrongly share them, we could be breaching the Data Protection Act.

This happened at Durham University, which disclosed personal information in screenshots used to demonstrate the use of University systems in training material on a website. The information included the details of up to 177 former students and staff.

Steve Eckersley, Head of Enforcement, said:

“All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.

“It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young peoples’ details secure.”

Personal Information is under threat from “social engineering”

This week has uncovered two more breaches of the Data Protection Act after action was taken by the Information Commissioner and the Serious and Organised Crime Agency (SOCA) against individuals who used social engineering for profit.

The more criminal of the two cases involved “private detectives” blagging confidential information for their clients to use.

SOCA defines blagging as “the art of bypassing security measures through skilled persuasion and impersonating someone else”.

SOCA said of the case:

“SOCA’s focus during the investigation was criminal conspiracy. However, in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.”

The Information Commissioner said:

“The scourge of data theft continues to threaten the privacy rights of the UK population. Whilst we welcome today’s sentencing of the private investigator, Graham Freeman, and his three accomplices, the outcome of the case underlines the need for a comprehensive approach to deterring information theft. If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough.

“Unscrupulous individuals will continue to try and obtain peoples’ information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”

In the second example, a letting agent who tried to obtain details about a tenant’s finances from the Department for Work and Pensions (DWP) was found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.

Pinchas Braun, of Tottenham, was fined £200 and ordered to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates.

The ICO’s investigating officers identified the caller as Pinchas Braun. Further enquiries found that Braun worked for a property management and rental business called Manor West Estates and that he was responsible for rent collection. The DWP account that Mr Braun had targeted belonged to one of his employer’s tenants.

Information Commissioner, Christopher Graham, said:

“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.

“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.

“This case shows that unscrupulous individuals will continue to try and blag peoples’ details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.

“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. This also applies to attempts under the Criminal Attempts Act. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Both examples show how important it is for all organisations to be aware of the threat to their customers from “blagging” or “social engineering”. In the Braun case above, for example, the attempt failed because he didn’t know the middle name of the victim.

Is the Information Commissioner having a purge on breaches?

It seems that the Information Commissioner’s Office is releasing, on a daily basis, details of organisations that have breached the Data Protection Act.

Every day some employee has done something they should not have done: posted information to the wrong place, not used the correct system, etc., which means the common cause is human…

The latest involves Cheshire East Council, which in May 2011 breached the Data Protection Act when a council employee contacted the local voluntary sector co-ordinator to alert voluntary workers that the Police had concerns about an individual who was working in the area.

Instead of sending an email via the council’s secure system, the employee sent an email to the local voluntary sector co-ordinator via her personal email account. This simple error cost the council £80,000.

Stephen Eckersley, Head of Enforcement, said about the Cheshire East breach:

“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”

Two other recent incidents involving the Information Commissioner: 


E*Trade Securities Ltd falls foul of the ICO after losing customer records

In April 2010 E*Trade Securities Ltd discovered that 608 customer records had been lost at a UK based storage facility and, despite an investigation, was unable to recover the records.

E*Trade Securities Ltd did not have a formal agreement to store the customer information securely, and subsequently informed the Information Commissioner’s Office in December 2010.

E*Trade Securities Ltd has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure.

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses licence to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”
