Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Data Protection Act 1998

Office agrees it must do more to protect customer data

The UK Information Commissioner Office (ICO) has warned shoe retailer Office after the personal data of over one million customers was hacking.

The hacker accessed customers’ details and website passwords via an unencrypted database.

Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:

The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.

“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”

“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”

The data breach also highlights the risks associated with customers using the same password for all their online accounts.

Sally-Anne Poole added:

“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”

Office has agreed to an “undertaking under the Data Protection Act 1998”, the details are here.

Advertisements

I thought I had published this months ago but found it still in my drafts.

2013 was a very busy year for the UK’s Information Commissioners Office (ICO) as he issued record numbers of fines and enforcements.

There are normally three types of punishments administered by the ICO:-

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act and like 2012 there were not many in 2013.

The complete list of those who fell foul of the Data Protection Act in 2013 is below:-

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury. The size of the fines might change with the pending revision to the Data Protection Act.

The list has the most recent first.

  • 16 December 2013. A monetary penalty notice has been served on First Financial (UK) Limited after the pay day Loans Company sent millions of spam text messages.
  • 29 October 2013. A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
  • 22 October 2013. A monetary penalty notice has been served on the Ministry of Justice for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.
  • 26 September 2013. A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.
  • 29 August 2013. A monetary penalty notice has been served on Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 23 August 2013. A monetary penalty notice has been served to Islington Borough Council after personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.
  • 5 August 2013. A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.
  • 12 July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Appeal withdrawn.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

The list has the most recent first.

  • 20 December 2013. A follow up has been completed to provide an assurance that Luton Borough Council has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 26 November 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Borough of Windsor & Maidenhead, following an incident in which restricted information about employees was disclosed on its intranet in error.
  • 22 November 2013. An undertaking to comply with the Privacy and Electronic Communications Regulations has been signed by Better Together. The organisation must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent.  A follow up has been completed to provide an assurance that Foyle Women’s Aid has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 21 November 2013. An undertaking to comply with the seventh data protection principle has been signed by Great Ormond Street Hospital for Children NHS Foundation Trust. This follows four incidents involving the accidental disclosure of sensitive personal data.
  • 1 November 2013. A follow up has been completed to provide an assurance that The Health and Care Professions Council has appropriately addressed the actions agreed in its undertaking signed July 2013.
  • 1 November 2013. A follow up has been completed to provide an assurance that Mansfield District Borough Council has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 25 October 2013. A follow up has been completed to provide an assurance that The Burnett Practice has appropriately addressed the actions agreed in its undertaking signed in April 2013. An undertaking to comply with the seventh data protection principle has been signed by Panasonic UK. This follows the theft of an unencrypted laptop containing personal data relating to people who had attended a hospitality event run by a third party company on Panasonic’s behalf.
  • 15 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Royal Veterinary College. This follows the loss of a memory card containing personal data. In addition, data protection training is not considered to be adequate and the RVC does not appear to be taking steps to address this proactively. This highlights a potentially serious failing in respect of staff awareness of Information Governance policies. Their investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace.
  • 7 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by The Hillingdon Hospitals NHS Foundation Trust.
  • 4 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Cardiff & Vale University Health Board, following the loss of documents containing sensitive personal data by a consultant.
  • 29 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 11 September 2013. An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council following several incidents involving inappropriate handling of sensitive personal data. Investigation of these incidents revealed that previous recommendations made by the ICO had not been implemented.
  • 28 August 2013. An undertaking to comply with the sixth data protection principle has been signed by Cardiff City Council. The Council agreed to put measures in place to ensure greater compliance with subject access requests.
  • 22 August 2013. An undertaking to comply with the seventh data protection principle has been signed by the Local Government Ombudsman. This follows the theft of a bag containing hard copy papers relating to complaints made to the Local Government Ombudsman (the LGO) including some SPD. It is felt that the provision of data protection training was insufficient to ensure staff awareness of policies and procedures relating to the use of personal data.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Northern Health & Social Care Trust. This follows a number of security incidents which led to a formal investigation into the Trust’s compliance with the Act. One incident in May 2011, involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Foyle Women’s Aid. This follows the temporary loss of a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid that was left in a café. The folder contained confidential client information. An apparent lack of effective controls and procedures for taking information out of the office was a contributor to the loss of highly sensitive personal data.
  • 16 July 2013. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website http://www.janetpage.com.
  • 9 July 2013. An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013. (issued 10 September 2012) An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 12 June 2013 (issued 18 September 2012). An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011). An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

The list has the most recent first.

  • 3 December 2013. A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery. Steven Tennison was prosecuted under section 55 of the Data Protection Act at Maidstone Magistrates Court.
  • 8 October 2013. A pay day loans company based in London and its director have been prosecuted after failing to register that the business was processing personal information. Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court.
  • 25 September 2013. A former Barclays Bank employee has been fined after illegally accessing the details of a customer’s account. In one case the employee, Jennifer Addo, found out the number of children the customer had and passed the details to the customer’s then partner, who was a friend of Ms Addo.
  • 15 August 2013. A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been fined £150 following a prosecution bought by the ICO.

Find the 2012 list here.

IT Security Still Not Protecting the Right Assets Despite Increased Spending

Most IT security resources in today’s enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business, according to a report issued by CSO Custom Solutions Group and sponsored by Oracle.

In the survey with 110 companies from industries including Financial Services, Government, High Tech, more than two thirds of IT security resources remain allocated to protecting the network layer, while less than one third of the staff and budget resources were allocated to protecting core infrastructure such as databases and applications.

Key findings from the report

  • When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe as they contain the most vital and valuable information intellectual property as well as sensitive customer, employee, and corporate financial data.
  • An un-balanced and fragmented approach to security has left many organizations’ applications and data vulnerable to attacks both internally and externally.
  • Today’s findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organizations most strategic assets which include databases, applications and users.
  • Nearly 66% of respondents said they apply a security inside out strategy, where as 35% base their strategy on end point protection.
  • Even with this fundamental belief in strategy, spending does not truly align as more than 67% of IT security resources including budget and staff time remain allocated to protecting the network layer and less than 23% of resources were allocated to protecting core systems like servers, applications and databases.
  • 44% believed that databases were safe because they were installed deep inside the perimeter.
  • 90% report the same or higher, level of spend compared to 12 months prior. The survey shows that 59% of participants plan to increase security spending in the next year.
  • In 35% of organizations, security spend was influenced by sensational informational sources rather than real organizational risks.
  • 40% of respondents believed that implementing fragmented point solutions created gaps in their security and 42% believe that they have more difficulty preventing new attacks than in the past.

IT Security has to focus attention on the most strategic assets. Organizations cannot continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access,” said Mary Ann

Davidson, Chief Security Officer at Oracle. “Organizations have to get the fundamentals right which are database security, application security and identity management.”

“The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures,” said Tom Schmidt, Managing Editor, CSO Custom Solutions Group.

The full report can be found here.

SMEs are putting larger customers at risk of security breaches

According to Shred-it’s third annual Security Tracker survey SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures of confidential data.

It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.

The survey reveals SMEs are 10 times less likely to have an information security system set up than is the case with larger businesses.

SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency”, Mr Guice said. “We believe that smaller companies maybe over-estimating the costs involved in making sure confidential information is kept safe

Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners” Mr Guice continued.

There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.

Key findings include

  • 2 in every 5 large businesses suffering a data breach have incurred losses of more than £500,000
  • The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
  • 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%)
  • 48% of SMEs have a nominated person
  • 95% of large businesses have an employee devoted to data protection compared with only 53% of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
  • 33% of senior business executives and only 4% of small business owners use a professional shredding service
  • 88% of large businesses are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43%).
  • Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92%) than small business owners (72%).
  • With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23%) and small businesses (25%) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
  • Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. 66% of large business and 49% of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.

.

Top Tips from the ICO for when you are moving premises – do not forget to check the cabinets being one

After another NHS body * decides to ignore simple Data Protection guidelines the UK Information Commissioner has repeated his Top 5 Tips to help organisations improve their approach to Data Protection, especially those moving premises:

  1. Personal information is at particular risk when moving premises – make sure its security is a priority. All but one of our monetary penalties issued under the Data Protection Act in 2012/13 were for failing to keep information secure.
  2. Don’t assume anything. This breach happened because two departments each assumed that the other was conducting a final check that all records had been removed or transferred as required. Make sure it is clear who is responsible for what.
  3. Ensure records and equipment containing personal information are moved securely. Where personal information is being moved to other premises, make sure there is a secure means of moving the information and check that it has all been received safely.
  4. Dispose with care. If moving premises requires the disposal of files or computer hardware, make sure that this is done in a secure manner. Remember you are still responsible for what happens to personal data even after it has left through the back door.
  5. Learn from your mistakes. Stockport Primary Care Trust had suffered two similar incidents before this breach, but senior management hadn’t been informed. Put a policy in place to make sure that security incidents are reported and acted upon so that you learn from your mistakes.

* The NHS Commissioning Board was been fined £100,000 by the Information Commissioner’s Office (ICO) after the dissolved Stockport Primary Care Trust left around 1,000 documents including work diaries, letters, referral forms and patient records containing personal information. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child.

The size of the fine reflects the serious nature of the breach and the fact it was not the first time the organisation had “lost information”.

David Smith, Deputy Commissioner and Director of Data Protection, said about the Stockport fine:

It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.

The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.

In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice

Finally a prosecution of a former employee stealing confidential information

Thousands of people everyday must copy, save or forward information for innocent or mischievous purposes but now there is a quotable case that can be used to deter such risky activities.

A former manager of a health service based at a council run leisure centre in Southampton has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to over 2,000 people.

Paul Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court yesterday and fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

Mr Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre, sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant. The 42 year-old had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.

The information included sensitive medical details relating to 2,471 patients. The council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges; who had since set up a similar service using the Active Options name and branding.

Christopher Graham the UK Information Commissioner was quoted as saying:

People have a right to privacy and the ICO works to maintain that right

Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.

This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.

The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.

Receptionist prosecuted for breaching the Data Protection Act

Another nosy parker faces the results of their snooping after she decided to spy on her ex-husband’s new wife.

The GP receptionist at a Southampton surgery was prosecuted by the UK’s Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical records.

The ICO reported on the 12th March 2013 that Marcia Phillips was prosecuted under section 55 of the Data Protection Act and fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at the Bath Lodge Practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

Deputy Commissioner and Director of Data Protection, David Smith, said:

This case clearly shows the distress that can be caused when an individual uses a position of responsibility to illegally access sensitive personal information. Ms Phillips knew she was breaking the law, but continued to do so in order to cause harm to her ex-husband’s new wife.

“The nature of her job meant that she will have been in no doubt as to the importance of patient confidentiality. Despite this she repeatedly accessed the victim’s file without a valid reason

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a fine of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

David Smith added:

We continue to urge the Government to press ahead with the introduction of tougher penalties to enforce the Data Protection Act. Without these unscrupulous individuals will continue to break the law. Action to replace the section 55 ‘fine only’ regime with an effective deterrent is long overdue. This change is not directed at the media and should not be held while Lord Justice Leveson‘s recommendations on data protection and the media are considered

.

An update on the progress of the European Data Protection Act

At last week’s Information Commissioners Data Protection Officers Conference in Manchester I had the privilege of being updated on the progress, or lack of progress, of the revised European Data Protection Act.

With the existing directive dating back over 17 years an upgrade is well over due but there is significant pressure from businesses to water down any revisions to the directive.

A watered down directive does not serve anyone, the privacy campaigners or those with commerce in mind, because breaches are happening far too often and breaches affect consumer confidence.

This means the larger retailers should be supporting stronger Data Protection controls so the smaller, less funded or less skilled businesses have the detailed controls and the incentives to put privacy and security first.

In the main hall and in the breakout room there was constant reference to the thinking about the issues before systems and processes are put in place. The two terms used were:-

  1. Privacy by Design
  2. Security by Design

Both Privacy by Design and Security by Design are essential for consumer confidence because they are demonstrable actions organisations can refer to when dealing with the users of their data.

Françoise Le Bail of the EU Commission stated that “23% of users feel they do not have complete control of their data when shopping online”. In other words almost a quarter of those who buy on line are suspicious of the people who want to take money from them. If those statistics were applied to bricks and mortar retailers the high street would look a lot worse than it does now and it already looks pretty bad.

Françoise Le Bail also stated that the EC’s priorities for the Act are: –

  • The architecture of the framework
  • Key provisions to include all personal data and consent
  • A more risk based approach – proportionality
  • Data Protection Offices are needed
  • A consistent European wide level of governance
  • Support for authorities by providing training and not just fines

David Smith the UK Deputy Information Commissioner stated the UK was not 100% in favour of the current draft proposals but the UK was largely supportive.

David Smith had a list of items that were favoured including:-

  • Improved consistency across Europe
  • Enhanced Individual rights
  • Code of conduct and certification

However, the UK is looking for additional items to be added and a clarification on others, for example:-

  • The UK wants a more “risk” based approach to personal data
  • Individual compensation should not be restricted to monetary loss. It should also take into account aggravation and heartache.
  • Data Protection training needs to be added to the school curriculum
  • There are two proposals in place by the EU and the UK doesn’t want any more than that. The two proposals are Law Enforcement and everyone else.

Other items of note

  • The date for the Act to be passed is likely to be June 2014 with enforcement two years later in 2016
  • The 24 hour mandatory breach notification is likely to slip to 72 hours
  • The maximum 2% of global turnover is likely to be approved but some members of the commission are pushing for it to be 10%
  • Right to be forgotten is a big problem due to the nature of what can be forgotten and what should never be forgotten
  • Data Portability is both a target for Europe and a problem and negotiations are on-going with the US and other nations on cross border data sharing.
  • MiData now has 26 signed up companies and the drive for more is growing

Other blog posts on the subject are below:-

EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release was a short summary of what will be debated by the politicians. For a more detailed summary, based upon the January 2012 release and other research read my May 2012 post “Proposed European wide Data Protection Act – a review“.

As for the politicians debating the Act before passing it to law it is worth while reading the post “The Information Commissioner provides an update on the European Data Protection Act“.

It is disappointing that the delays will see the revised Act and the improvements in Data Protection and Privacy not being enforced until 2015.

.

The Information Commissioner provides an update on the European Data Protection Act

David Smith the UK’s Deputy Commissioner of the Information Commission has commented on the progress of the Revise European Data Protection Act.

Put simply, the proposals could prove to be one of the biggest changes to data protection this country has ever seen. Against that backdrop it is no surprise that we’ve been monitoring events in Europe closely, looking at how the initial reform proposals, published by the European Commission in January 2012, might be brought into law.

The process by which this proposal might become UK law is not a simple one, as our overview of the whole process shows. The crucial next step is for the European Parliament and the Council of the European Union to look at this separately before coming together to approve a final text. 

The European Parliament is where the MEPs sit, some 736 of them from across Europe. Much like our own Parliament, the MEPs will sit on several committees. There are five committees directly involved in looking at the data protection reforms: JURI (legal), ITRE (industry), IMCO (internal market and consumer protection), EMPL (employment) and LIBE (civil liberties). LIBE is the ‘lead’ committee. All committees will submit their own amendments before negotiating a consolidated Parliament view which is expected in late April. 

While that is happening, the council are also looking at the reforms. The council is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies. The subgroup of the council dealing with this issue is called DAPIX (Data Protection and Information Exchange) and is chaired by the Presidency of the Council – currently Ireland. The ICO has a key role in advising the Ministry of Justice throughout these discussions. 

At the time of writing, the parliamentary committees are well advanced in considering their compromise amendments on both parts of the package. The council, however, has not finished its first round of amendments. Nevertheless, with a timetable to adopt the new rules by the end of June – the end of the Irish Government’s presidency – this is one of the top priorities. The presidency is scheduling in more meetings to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track. 

Once both the parliament and the council have their consolidated views in what is known as the ‘First Reading’, they will need to negotiate, possibly over the summer if things go well, to get an agreement on the text. Failing this, they will move to the ‘Second Reading’ and further negotiations. 

Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law. The proposal is for a general regulation with a directive specifically for the criminal justice sector. However there is speculation that this directive will be put on the back burner. This coupled with a move, which we and other data protection authorities are resisting, to confine the regulation to the private sector and develop a new directive to cover the public sector leave the outcome uncertain. Currently both the proposed regulation and the proposed directive allow two years for implementation following their coming into force. However experience suggests that because of its direct effect, implementation of any regulation will, in practice, come more quickly than implementation of any directive. 

In total, this means that the reform process will have taken around six years since the European Commission started its reflections on the matter. While this sounds like a long time we must remember that there are 27 Member States around the negotiating table; that’s at least 12 more than those negotiating our current framework which resulted in the Data Protection Act 1998! Even then the timescale is ambitious. Not many people expect agreement in June this year, but there is an imperative to get a package adopted by 2014 when the European Parliament and the commission are due for re-appointment. 

Crucially, the ICO has been involved throughout, and from several angles. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.

We recently published some of our thoughts on the latest developments which we passed to MEPs and other stakeholders. This builds on our initial analysis which we published last year to provide a core reference point explaining our views on the reforms.

In summary the Act is coming in 2013 but it is imperative that the Act comes because at the moment there are so many things missing that are essential for example mandatory disclosure of breaches and compulsory data officers for all companies over 250 employees. 

Lets hope they resolve it soon.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

ICOAs we are about to enter 2013 I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO) during 2012.

There are three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Find out who got the record fine

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money and penalties is a good way to generate more revenue – a self funding government department.

  • 12 December 2012 A monetary penalty has been served to London Borough of Lewisham after a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on. The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.
  • 10 December 2012 A monetary penalty has been served to Devon County Council after a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.  The mistake revealed personal data of 22 people, including details of alleged criminal offences and mental and physical health.
  • 28 November 2012 A monetary penalty has been served to Christopher Niebel and Gary McNeish, the joint owners of Tetrus Telecoms. The company had sent millions of unlawful spam texts to the public over the past three years.
  • 22 November 2012 A monetary penalty has been served to Plymouth City Council for a serious breach of the seventh data protection principle. A social worker sent part of a report relating to family A, to family B due to printing issues. The photocopied report contained confidential and highly sensitive personal data relating to the two parents and their four children, including of allegations of child neglect in on-going care proceedings.
  • 16 November 2012 A monetary penalty has been issued to Leeds City Council following an incident whereby sensitive personal data relating to a child was sent to an incorrect individual.
  • 6 November 2012 A monetary penalty of £50,000 was issued to Prudential after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.
  • 25 October 2012 A monetary penalty of £120,000 was issued to Stoke-on-Trent City Council following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.
  • 16 October 2012 A monetary penalty of £150,000 was issued to Greater Manchester Police after the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations.
  • 10 October 2012 A monetary penalty of £70,000 was issued to Norwood Ravenswood Ltd after highly sensitive information about the care of four young children was lost after being left outside a London home.
  • 11 September 2012 A monetary penalty of £250,000 was issued to Scottish Borders Council after former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park.
  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 20 December 2012 An undertaking to comply with the seventh data protection principle has been signed by Isle of Anglesey County Council.
  • 30 November 2012 An undertaking to comply with the seventh data protection principle has been signed by Leeds City Council. This follows a report made by the council that that a private area on the Leeds Initiative website was accessible to members of the public
  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spread sheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions

  • 13 December 2012 Christopher Niebel and Gary McNeish, joint owners of Tetrus Telecoms, have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. The defendants pleaded guilty at two separate hearings and were fined £3000 which was reduced to £2000 in both cases due to an early guilty plea. Niebel and McNeish were each ordered to pay prosecution costs of £482.50 and a £15 victims surcharge. The conviction comes after Niebel and McNeish were served with monetary penalties totalling £440,000 for a serious breach of the Privacy and Electronic Communications Regulations (PECR) after the company they owned sent millions of spam texts to members of the public without their consent.
  • 28 November 2012 A London barrister has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Jeanette Hayne pleaded guilty at the hearing on 28 November 2012 but Westminster Magistrates decided to dispose of the case by way of an absolute discharge owing to particular mitigating circumstances. Concluding the hearing, the magistrate warned that those whose profession is to prosecute people for failing to comply with the law must meet their legal obligations
  • 2 August 2012 Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012 SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012 Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012 Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .

Data Protection Advice for schools and just about everyone else

The UK Information Commissioner’s Office has released a report which gives practical advice on how to comply with the Data Protection Act.

The advice was prompted by a survey of 400 schools across nine local authority areas that showed that whilst awareness of data protection laws was generally good, schools need to pay more attention to complying with data protection law.

The survey showed 95% of schools provided some information to pupils and parents about what was done with personal information.

A third of schools with password-protected computer systems conceded the passwords were not necessarily strong enough and not changed regularly, with 20% admitting email systems were not secure.

Louise Byers, ICO Head of Good Practice, helped draft the report: “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there. In many respects that should come as no surprise – it’s not teachers’ area of expertise – and it is precisely what our report is aiming to address.

“I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law. The sensitive personal data that schools handle means it is crucial they get this right, and we hope the ICO’s report will help them achieve that.”

A summary of the main recommendations is below:

  • Notification. Make sure you notify the Information Commissioner of the purposes for your processing of personal data
  • Personal data. Recognise the need to handle personal information in line with the data protection principles
  • Fair processing. Let pupils and staff know what you do with the personal information you record about them. Make sure you restrict access to personal information to those who need it
  • Security. Keep confidential information secure when storing it, using it and sharing it with others
  • Disposal. When disposing of records and equipment, make sure personal information cannot be retrieved from them
  • Policies. Have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation
  • Subject access requests. Recognise, log and monitor subject access requests
  • Data sharing. Be sure you are allowed to share information with others and make sure it is kept secure when shared
  • Websites. Control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website
  • CCTV. Inform people what it is used for and review retention periods
  • Photographs. If your school takes photos for publication, mention your intentions in your fair processing/privacy notice
  • Processing by others. Recognise when others are processing personal information for you and make sure they do it securely
  • Training . Train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered; and know where to turn for further advice
  • Freedom of information (FOI)/ After consultation, notify staff what personal information you would provide about them when answering FOI requests.

Find the full report here.

.

Rubbish causes a breach of the Data Protection Act and a £250,000 fine

Scottish Borders Council employed an outside company to digitise their employee records but when the pension records of several hundred ex-employees were found in recycling bins the Information Commission’s Office began an investigation for a breach of the Data Protection Act.

Following the investigation the Information Commissioner has fined the Council £250,000 for not seeking appropriate guarantees on how the personal data would be kept secured and dealt with.

It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.

Ken Macdonald, ICO Assistant Commissioner for Scotland, said:

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.

“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

Who else has the information commissioner caught this year? Find out here.

.

65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware which can steal data or at least damage data and you would think that with this amount of coverage business would sit up and start protecting their livelihood because that is what customer information is, their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here“.

Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it so why bother.

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, business cannot escape their contractual commitment to protect credit card data under the Payment Card Industry’s Data Security Standards (PCI DSS) and they cannot escape the legislative requirements to protect Personally identifiable Information (PII) for example the Data Protection Act and the pending European Wide Data Protection Act.

The survey results fall into three categories

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data where all payment applications are governed by the Payment Card Industry’s PA DSS but it should be applied to all sensitive data that could cause financial or reputational damage to anyone; customer, employee or contractor.

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary adding protection to data bases and sensitive data is not hard and with current market trends moving towards cloud based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.

.

Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioners Office (ICO) and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the propose European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .

The list was compiled on the 16th August 2012, updates will be added later so why not subscribe to the blog and automatically get the updates.

 

See Who breached the Data Protection Act in 2013? Find the complete list here.

The Information Commissioner’s 5 Tips on how to better protect personal information

The UK’s Information Commissioners office has created a list of 5 useful tips for protecting personally identifiable information (PII).

The list comes on the back of an offer by the ICO to help charities and other third sector organisations to help them protect data and avoid potential fines of up to £500,000.

Louise Byers, Head of Good Practice at the ICO, said:

“We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people. With these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities may be struggling to look after people’s data.

“We have published today’s top five areas for improvement to show the voluntary and charity sector that good data protection practices can be cheap and easy to introduce, providing they have the right help and support.

“A one day advisory visit from the ICO provides charities with a data protection ‘check up’ and practical advice on how they can look after people’s information. We are now calling on these organisations to use the summer period to check that their data protection practices are adequate and get in touch before it is too late.”

Sam Younger, Chief Executive of the Charity Commission said:

“Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity’s reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit.”

The ICO’s top five areas for improvement are:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

I would like to add that whilst these tips are useful most businesses, especially charities, should review their requirements under the Payment Card Industry Data Security Standard (PCI DSS) as credit cards are the life blood to most organisations.

.

Torbay Care Trust (NHS) fined £175,000 for breaching the Data Protection Act

Torbay Care Trust in Torquay has been fined £175,000 after it published the sensitive details of over 1,000 employees on the Trust’s website.

Staff at the Trust published the information in a spreadsheet on their website in April 2011 and only realised when a member of the public reported it 19 weeks later.

The data covered the equality and diversity responses of 1,373 staff and included individuals’ names:-

  • Dates of birth
  • National Insurance numbers
  • Religion
  • Sexuality

The Information Commissioners Office’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

Stephen Eckersley, Head of Enforcement, said:

“We regular speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”

With the proposed European Data Protection Act the scope of what is classified as Personally Identifiable Information (PII) will be better defined but will include more than most business think is actually covered.

It is time businesses undertook thorough risk assessments of their exposure to the PII data leakages because the proposed new fines are potentially up to 2% of global turnover.

Read my summary of the proposed European Data Protection Act here.

.

Latest NHS Fine for breaching the Data Protection Act is close to the “current” limit at £325,000

After a series of breaches where the NHS organisation involved received nothing more than a slap on the wrist the Information Commissioner is finally ratcheting up the pressure on public sector organisations, especially the NHS for breaching the Data Protection Act.

In the latest breach Brighton and Sussex University Hospitals NHS Trust has been fines £320,000 after a serious breach and is the highest ever issued.

The maximum fine was raised to £500,000 in April 2010

It is worth noting that fines under the proposed European Data Protection Act will be considerably higher with numbers in the order of €1 million or 2% of turnover been discussed, see Proposed European wide Data Protection Act – a review.

The Brighton and Sussex University Hospitals NHS Trust involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of:

  • Patients’ medical conditions
  • Treatments
  • Disability living allowance forms
  • Children’s reports

It also included documents containing staff details including:

  • National Insurance numbers
  • Home addresses
  • Ward
  • Hospital IDs
  • Information referring to criminal convictions and suspected offences

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

See previous ICO monetary fines for the NHS

.

Information Commissioner’s Office consults on new anonymisation code of practice

The Information Commissioner’s Office (ICO) has begun a public consultation on a new anonymisationcode of practice.

English: Information Commissioner's Office bra...

The code will provide guidance on how information can be successfully anonymised and how to assess the risks of identification. The ICO has also launched a tendering process to establish a network of experts to share best practice around the release of data in an anonymised form.

Anonymisation techniques can convert personal data into a form so that individuals are no longer identifiable. The consultation will be relevant to any organisation that wants to release anonymised data, for example under the government’s open data agenda.

Christopher Graham, Information Commissioner said:

“The UK is putting more and more valuable data into the public domain. The open data agenda will see this process continue and I welcome the power this information gives the average UK citizen to understand how the public sector operates and hold organisations to account.

“However, while the public wants to see openness, they want to see their privacy rights respected too. The risks of anonymisation can sometimes be underestimated and in other cases overstated; organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain.

“Anonymisation can allow organisations to publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. Our code will aim to provide clear, practical advice on how data can be anonymised. We are now inviting individuals and organisations to submit their views on how this can best be achieved.”

The consultation will play an important role in making sure that the new code achieves the right balance between the protection of individuals’ privacy and the benefits of making information publicly available.

The consultation will remain open for the next 12 weeks, before closing on 23 August 2012. A copy of the draft code and consultation document is available in the consultation section of the ICO website.

A final version of the ‘Anonymisation Code of Practice’ – incorporating any changes recurring from comments received – is due for publication in September.

The code of practice will allow organisations to better achieve compliance against the proposed European Data Protection Act. Read my post Proposed European wide Data Protection Act – a review for further information.

Another alternative to anonymisation is Tokenization which is a recognised solution for PCI DSS. For details of a Free copy of the Tokenization for Dummies eBook click here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: