Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Data Protection Act

Lack of guidance on BYOD raises data protection concerns

The UK Information Commissioner’s Office (ICO) has commissioned a survey into business attitudes towards Bring Your Own Device (BYOD).

The survey results shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablets or smartphone for at work and for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

Simon Rice, Group Manager (Technology), said:

The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.

“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?

Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.

Key recommendations from the ICO’s guidance:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automaticaly deleted if an incorrect password is input too many times
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The survey results below shows that email is the most common work activity carried out on a personal device (55%) which consider what information can be in the body of an email or attached leaves an organisations open to many commercial, legislative and regulatory risks for example PCI DSS compliance.

All UK Adults online who use a smartphone, laptop or a tablet PC for work purposes access usage
Work email

55%

Accessing work files

35%

Storage   of work documents and work files

36%

Social networking (e.g. LinkedIn, Twitter, Facebook) for work

26%

Editing work documents

37%

Uploading   work information to a website

19%

Work video chat (e.g. skype etc.)

7%

Work related applications (Apps)

16%

Work related online banking

14%

Work related shopping

12%

Work related web browsing

35%

Other

22%

None of these

.

Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council was for breaching the Data Protection Act. 

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. 

In October 2011 the DVDs, containing confidential information, was sent to a misconduct hearing via a courier and when the package arrived at the hearing the DVDs were missing and have never found 

After an investigation by the ICO it was found the information was not encrypted. 

David Smith, Deputy Commissioner and Director of Data Protection, said:

It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. 

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? 

If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.

.

The Prudential is fined £50,000 for breaching the Data Protection Act

The UK’s Information Commissioner’s Office (ICO) has fined the Prudential £50,000 after an administrative error in two accounts that led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.

This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.

The original error, in March 2007, was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged.

The problem was eventually resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

Stephen Eckersley, ICO Head of Enforcement, said:

“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.

“This case would be considered farcical were it not for the serious sums of money involved.”
Last year the public made more complaints about the way money lenders were handling their information than for any other sector. Around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year were due to concerns relating to this group, with inaccurate data the third most complained about issue across all sectors.

Commenting on the ICO’s concerns in this area, Stephen Eckersley continued:

“While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has committed to staff training and an improvement in processes to ensure that the accuracy of customers’ records is maintained at all times.

 .

Overall the UK needs to improve its approach to the Data Protection Act

The Information Commissioner’s Office (ICO) has published its audits for of the UK’s four largest sectors and whilst it was positive about the approach of the Private Sector it raised concerns about the Public Sector.

The audit reports (below) summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.

Announcing the reports, Louise Byers, Head of Good Practice, at the ICO said:

“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”

Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.

Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.

Commenting on the report for the private sector, Louise Byers continued:

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data. However this does not mean that businesses in the UK should rest on their laurels. We are still seeing relatively few companies agree to an ICO audit and further improvements can be made, particularly when it comes to the retention and deletion of data.”

In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fair little better with two out of 11 organisations achieving the highest level of assurance.

Louise Byers continued:

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.

“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”

Good Practise Audit outcomes analysis NHS – February 2010 to July 2012 

Good Practise Audit outcomes analysis Local authorities – February 2010 to July 2012

Good Practice Audit outcomes analysis Central Government – February 2010 to July 2012

Good Practice Audit outcomes analysis Private sector – February 2010 to July 2012

.

Information Commissioner publishes guidance on cloud computing

The UK’s Information Commissioner’s Office (ICO) has published guidelines to on how business treat personal information in the cloud whether that is a private or public cloud.

The data protection regulator ICO is concerned that many businesses do not realise they remain responsible for how the data is handled whilst it is in the cloud.

This has resulted in the ICO publishing a guide to cloud computing, to help businesses comply with the law.

The guide gives tips including:

  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

Speaking as the guide was launched, author Dr Simon Rice, ICO technology policy advisor, said:

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws”

.

65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware which can steal data or at least damage data and you would think that with this amount of coverage business would sit up and start protecting their livelihood because that is what customer information is, their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here“.

Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it so why bother.

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, business cannot escape their contractual commitment to protect credit card data under the Payment Card Industry’s Data Security Standards (PCI DSS) and they cannot escape the legislative requirements to protect Personally identifiable Information (PII) for example the Data Protection Act and the pending European Wide Data Protection Act.

The survey results fall into three categories

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data where all payment applications are governed by the Payment Card Industry’s PA DSS but it should be applied to all sensitive data that could cause financial or reputational damage to anyone; customer, employee or contractor.

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary adding protection to data bases and sensitive data is not hard and with current market trends moving towards cloud based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.

.

Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioners Office (ICO) and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the propose European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .

The list was compiled on the 16th August 2012, updates will be added later so why not subscribe to the blog and automatically get the updates.

 

See Who breached the Data Protection Act in 2013? Find the complete list here.

Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed upgrade of the European Commission’s 1995 Data Protection Act and have found it fascinating. The rumours, the speeches, the headlines and of course the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong I am 100% in favour of a consolidated European Data Protection Act because ambiguity in one country leads to breaches in another and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction but some of the points were likely to be contentious for example the “Right to be forgotten” and “all business with 250+ employees needing a Data protection Officer”, there are others but I will cover them later in the post.

One thing is obvious, a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act and to try and stop it becoming another Human Rights Act….! They want a simple and coherent Act that is easy to enforce without a constant steam of lawyers muddying the waters.
  4. Those citizens who in the main do not have a clue what is being done in their name and there are 500 million of them.

Viviane Reding Vice-President of the European Commission, EU Justice Commissioner believes the proposed EU wide Data Protection Act will save European businesses €2.3Billion annually whilst protecting the privacy of European Citizens.

Great, everyone one wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with 27 differing Data Protection Acts currently being operated across the EU commission member states. However if you are a small business operating in one or two countries you may struggle to financially benefit from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is called the Information Commissioner, is likely to be massive which means they will need more staff to accommodate and enforce the new requirements which also means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons but one in particular stands out as an administrative nightmare, if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU the local DPA has to be informed. How many times this will need to be done is hard to calculate but how much data goes to the Call Centres in the Philippines? With 600,000 Philippine’s employed in call centres it is going to be a lot. Then there is the data processing in India, Data Translation in America, Disaster Recover contingencies across the globe, Cloud computing (where is the cloud?), the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioners (ICO) office handled 30,000 complaints and with the proposed requirements on businesses that number could easily quadruple.  You could say “some of the 30,000 complaints lead to convictions and fines and that could pay for the increased costs of operating the new Data Protection Act”, on the face of it you are correct except the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby Governments for the correct funding in each country and she believes that if the leveraged fines were pointed in the right direction they could become a revenue generator for the country.

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013 which is likely to be 12 months before the Act is enforceable but 12 months after the hundreds of thousands of business have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on business to be pro-active. Prevention is better than the cure or in this case better than a Data a Breach.

Businesses will be required to:

  • have “Privacy/Data Protection by Design” which means that, at the point of building a process or system, security has to be on the list of desired out-comes.
  • Data Protection by default, which means all systems have to be secure.
  • All business must undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate the risk. This is not a Penetration Test this is a thorough assessment of people, process and technologies surrounding and impacting on the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert ISBN-10: 9400725426.

Another huge improvement is the requirement on business to formally notify the local DPA of any breaches. Breach Notification has been in existence for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that it will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory Breach Notification is a difficult area because some breaches can run for months or years before they are discovered. It is the point of discovery that is important, as far as the Act is concerned, but if a business did try to cover up then there is a good chance they will be found out and the details of who did what will be clear for the world to see.

In 2007 when the UK’s HMRC lost a CD containing the child benefit details of 25 million people everyone expected an avalanche of Identity Thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued however that, as a result, 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

Similar to the HMRC situation in 2008 was when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was the data was used for criminal purposes. The criminal Albert Gonzalez AKA “segvec,” “soupnazi” and “j4guar17” has since been convicted and is currently serving 20 years for various crimes involving up to 130 million stolen credit cards’ data. Details of Gonzalez can be found here.

Once the DPA has been informed the organisation then has to inform the individuals affected. This is the first direct cost of a breach. See my post The huge and unexpected administrative costs of a data breach. There is always the risk that they may not understand the notification, for example a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example Tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place and being able to prove it was running essential.

Another impact which affects many countries, especially the UK, is the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means if a cover up has been attempted but was not successful there is a chance they can avoid having all the information going public by admitting it and therefore suppressing it. The new Act will mean nearly all of the information about a breach will be in the public domain including an organisations failure to protect PII and possibly the organisations attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned Data Protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPAs lack of independence. For any Country to be hauled in front the of the European Courts of Justice is embarrassing, especially if they have to amend their own legislation. Full details of the Hungarian action can be found here.

Summary of proposed key changes in the proposed Act:

The Right to be forgotten is a contentious area for many organisations, for example;

  • Can someone with a bad credit history evoke the right to avoid their past?
  • If some evokes the right with their insurance company they will lose their Car Insurance no claims bonus – could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data.
  • In the case of employees past and present what information can be retained and what information has to be retained.

Privacy by Design. There is a debate as to whether the actual working will be Privacy or Data Protection which will be finalised when the final draft is passed for law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority Informed.

Explicit consent must be obtained to include PII in databases and an ability to easily have their information removed.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Business must address the portability of data;

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale

  • 0.5% of global turnover or                  €250,000
  • 1.0% of global turnover or                  €500,000
  • 2% of global turnover or                     €1 million of Global Turnover
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except for Law Enforcement, who will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined up policing across the member states.

This post was meant to be a short summary, compared to my notes it is, but the far reaching impact of this Act is largely unknown by most organisations and has a high probability of being passed into law during 2012 give a requirement to be compliant by 2014. Whatever the date is there is a need for organisations, of any size, to be aware of what is coming and to start developing plans to have Privacy and Data Protection at the forefront of their business plans NOW.

.

The good old fashion way to breach the Data Protection Act – lose some paperwork

The London Borough of Barnet was fined £70,000 by the Information Commissioner for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and other details of 15 vulnerable children or young people.

A social worker took the paper records home to work on them out of hours and was unfortunately burgled. Why would a criminal steal worthless paperwork? Well the paperwork was inside a laptop bag complete with laptop.

The Information Commissioner’s Office investigation found the council had “failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the council had an information security policy and some guidance for staff on handling sensitive papers, the measures failed to explain how the information should be kept secure”.

This is the second fine for this council after is lost an unencrypted device containing personal data was stolen from an employee’s home in June 2010.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”

.

Information Commissioner finally fines the NHS for a breach of the Data Protection Act

The Aneurin Bevan Health Board (ABHB) has become the first part of the NHS to be issued with a penalty (£70,000) for breaching the Data Protection Act.

The breach occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient. The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name.

The ICO’s investigation found that neither member of staff had received data protection training and that the organisation didn’t have adequate checks in place to ensure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organisation.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate. 

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.

“We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

.

Bad day at the office for UK Councils as several breach the Data Protection Act

Today the Information Commissioner has notified five councils after they breached the Data Protection Act.

Information Commissioner, Christopher Graham said:

“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.

“We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”

The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.

  • Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • In July 2011, an employee of Brighton and Hove Council emailed the details of another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.

The other councils affected are

  • Dacorum Borough Council
  • Bolton Council
  • Craven District Council

Additionally an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.

Two other organisations also had actions taken against them

  • Youth charity Fairbridge
  • Healthcare provider Turning Point

.

Illicit access of medical records leads to a breach of the Data Protection Act

A medical record folder being pulled from the ...
Image via Wikipedia

A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court after unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Mrs Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

Christopher Graham the Information Commissioner said:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”

.

Information Commissioner gets tough with the largest fine for the breach of the Data Protection Act

The Information Commissioner’s Office (ICO) has served a penalty of £130,000 on Powys County Council for breaching the Data Protection Act.

Powys County Council sent the details of a child protection case to the wrong recipient.

The £130,000 penalty is the highest that the ICO has served since it was given the power in April 2010 and follows a similar incident, which was reported by the council to the ICO in June last year.

The latest breach at Powys county Council occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers.

The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

Assistant Commissioner for Wales, Anne Jones said:

“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

The Information Commissioners Office is pressing the Ministry of Justice for stronger powers to audit local councils’ and the NHS on their Data Protection Compliance.

Related Posts on the actions of the Information Commissioner:

.

Internet regulation – Government plans for managing and monitoring of the internet revealed

On the 1st December 2011 the UK Parliament produced guidance on its plans for monitoring and managing the internet. It was published as a “Commons Library Standard Note“.

The remit of the document is:-

The practicalities of blocking and filtering harmful material on the internet have generated interest in a range of contexts: the misuse of social media during the August 2011 riots, child sexual abuse images and copyright infringement.

The communications regulator, Ofcom, considered arange of blocking techniques in the context of combating copyright infringement. Ofcom reported in May 2011. In August 2011, the Department for Culture, Media and Sport published Next steps for implementation of the Digital Economy Act. This referred to Ofcom’s assessment of website blocking and the fact that the Government would not be proceeding with this for the time being.

Other legislation can also be invoked to control internet content. Section 127 of the Communications Act 2003 proscribes the improper use of a public electronic communications network. It has recently been applied, apparently for the first time, to a social networking site (Twitter ).

Online activity is also subject to general offline legislation such as the Obscene Publications Act 1959 and the Human Rights Act 1998.

Tackling internet hate crime is another area that poses a challenge to the adaptation of law to this medium. A new service for reporting all hate crimes online was launched by the police in April 2011.

The paper then went on to address 6 specific sections

  1. Website blocking
  2. Digital Economy Act
  3. Communications Act
  4. Obscene Publications Act
  5. Human Rights Act
  6. Internet hate crime

A summary of the 6 sections is below:-

1 Website blocking

Access to harmful content can be stopped in a number of ways. Most internet service providers (ISPs) block access (by anyone) to websites known to contain images of child sexual abuse (“child pornography”). The Internet Watch Foundation (IWF) maintains a list of offending websites which is updated twice daily. The list typically contains details of 500 websites.

The IWF considers this kind of blocking to be

“a short-term disruption tactic which can help protect internet users from stumbling across these images, whilst processes to have them removed are instigated.”

It is highly unlikely to be a suitable approach for adult pornography or violent material much of which is legal (at least if it is unavailable to minors)1 and which is prevalent on the internet. However, this kind of blocking (known as uniform resource locator blocking) is only one of a number of available techniques.

The communications regulator, Ofcom, considered a range of blocking techniques – albeit in a different context – in its report of May 2011, “Site Blocking” to reduce online copyright infringement. The techniques considered were termed “primary” on account of their allowing ISPs to apply blocking at the level of their network infrastructure. Although none of the specific techniques are failsafe, they aim to prevent harmful material reaching any device within the home. The main alternative currently used is to install software on individual devices in the home to block the display of material identified as being harmful. One problem with filtering and blocking techniques is that legitimate websites can sometimes be captured. Deliberate circumvention by IT-literate users is also a challenge.

2 Digital Economy Act

Sections 17 and 18 of the Digital Economy Act 2010 cover website blocking, albeit in connection with copyright infringement:

  • “Power to make provision about injunctions preventing access to locations on the internet”
  • “Consultation and Parliamentary scrutiny”

In brief the effect of these sections is to introduce a power to bring in regulations for website blocking, subject to a “superaffirmative” parliamentary procedure. The Secretary of State could make the relevant regulations, but only a court could order the blocking of a website once (if ever) such regulations provide for this.

3 Communications Act

Section 127 of the Communications Act 2003 proscribes the improper use of a public electronic communications network. It has recently been applied, apparently for the first time, to a social networking site (involving a reference on Twitter to bombing an airport). Background to this case (currently subject to appeal) involving Paul Chambers is widely available online. It is worth commenting that the application and interpretation of the relevant statute law as it applies to the internet is still at a relatively early stage of development.

4 Obscene Publications Act

While the Obscene Publications Act 1959 tends to focus on sexual material, it could in principle also apply to violence in a non-sexual context.4 Publication of obscene material, including child pornography and extreme adult pornography, is illegal under the Obscene Publications Act 1959 (which extends to England and Wales). Section 2 (as amended by the Obscene Publications Act 1964) prohibits the “publication” of obscene material.

5 Human Rights Act

If feasible, preventing access to online media by individuals wishing to organise violent disorder would be unlikely to infringe their human rights. In the UK the relevant legislation is the Human Rights Act 1998 which gives further legal effect to the fundamental rights and freedoms contained in the European Convention on Human Rights. The right to free speech, is a qualified right.

6 Internet hate crime

A new service for reporting all hate crimes online was launched by the police in April 2011. The website, called True Vision, is supported by all forces in England, Wales and Northern Ireland.

All reports of incitement to racial hatred content hosted in the UK previously reported to the Internet Watch Foundation (IWF) should now be reported directly to True Vision.

The full document can be found here.

.

Estate Agent prosecuted for not disclosing he stored personal data

Merfyn Pugh Estate Agents pleaded guilty (1.12.11) to the offence of failing to notify the Information Commissioner’s Office (ICO) that his business processes personal data.

John Merfyn Pugh of the Estate Agents  Merfyn Pugh was prosecuted under section 17 of the Data Protection Act.

The Data Protection Act 1998 requires every organisation or person who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence and could lead to a fine of up to £5,000 in a Magistrates Court, or unlimited fines in a Crown Court.

Mr Pugh was given a conditional discharge of six months and was ordered to pay £614 towards prosecution costs.

If Mr Pugh had completed the required paperwork his costs would have been only £35 and he would have avoided a criminal record as well as damages to his business’s reputation damaged

Assistant information Commissioner for Wales, Anne Jones, said:

“Registering as a data controller is a basic legal requirement of the Data Protection Act. The fee for most businesses is £35 a year. Merfyn Pugh Estate Agents’ failure to register – even after being prompted to do so by the ICO – has cost them much more today. The message behind today’s prosecution is clear – ignore warnings and you too could end up in court.”

All organisations that handle personal data but have not yet registered as a data controller should proactively contact the ICO to ensure they are complying with the law. Some organisations will be exempt.

.

7,200 peoples’ personal information discovered in a skip

Coat of arms of Southwark London Borough Council
Image via Wikipedia

Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 peoples’ personal information which were discovered in a skip earlier this year, the Information Commissioner’s Office (ICO) said today.

The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.

The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.

The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, Acting Head of Enforcement said:

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

.

Council breaches the Data Protection Act by losing a memory stick

The Municipal Offices of the Metropolitan Boro...

Rochdale Metropolitan Borough Council has breached the Data Protection Act after losing an unencrypted memory stick containing the details of over 18,000 residents.

The memory stick, lost in May,  included, in some cases, residents’ names and addresses, along with details of payments to and by the council.

The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

The memory stick has not been recovered

The ICO’s investigation found that the council’s data protection practices were insufficient. The Council specifically failed to make sure that memory sticks provided to its staff were encrypted.

The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

Acting Head of Enforcement, Sally Anne Poole said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people. 

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”

.

Who fell foul of the Information Commissioner in October?

A week after Calls for tougher penalties for breaches of the Data Protection Act (read my post here) I thought it would be good time to have a look at who the Information Commissioner’s Office (ICO) has taken action against during the month of October 2011.

To add some consistency I have also included actions taken since the 7th September because a previous posting “Who has the Information Commissioner caught in the last 3 months?”, read it here.

28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data. Read my post on this incident here.

27 October 2011
An Undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure e-mail with an excel attachment containing personal data relating to employees of the data controller, being sent in error to an unintended recipient outside of the organisation. It was also discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employee’s personal data in response to a Freedom of Information (Scotland) Act request.

5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.

An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.

See my blog on these two incidents Education, education, when will people learn, encrypt your data as two more education establishments lose data here.

4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area –were put in a disposal room due to lack of space. See my post, Hospital Destroys 10,000 Archived Records here.

An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.

15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely. See my post on this here ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency here.

An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

14 September 2011
An Undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.

9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.

see other posts related to the Information Commissioner

.

Newcastle Youth Offending Team breached the Data Protection Act after theft of an unencrypted laptop

Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.

The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.

Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.” 

.

Calls for tougher penalties for breaches of the Data Protection Act

In the United Kingdom there is an Act of Parliament that seeks to protect the personal data of its citizens, it is the Data Protection Act 1998 (DPA).

The enforcer of the Act is the Information Commissioner’s Office (ICO). The ICO also has responsibility for other Acts of Parliaments, specifically the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Within the Data protection Act, anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  1.  Fairly and lawfully processed
  2.  Processed for limited purposes
  3.  Adequate, relevant and not excessive
  4.  Accurate and up to date
  5.  Not kept for longer than is necessary
  6.  Processed in line with your rights
  7.  Secure
  8.  Not transferred to other countries without adequate protection

The Justice Committee has recently produced a report on referral fees and the theft of personal data and concluded that the fines for breaching the Data protection Act needed to be tougher.

Sir Alan Beith, the Chair of the Justice Committee said:

“Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm.

Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.

“Magistrates and Judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so.”

Report on the Potential misuses of personal data
Potential misuses of personal data are also not being fully investigated, the MPs warn, because the Information Commissioner does not have the power to compel private sector organisations to undergo information audits. If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers the issues around referral fees might have been identified and tackled sooner.

Sir Alan Beith MP added:

“The Information Commissioner’s lack of inspection power is limiting his ability to identify problems or investigate potential data abuses.

Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector.”

Report on Referral fees
The committee welcomes the Government’s commitment to ban referral fees in personal injury cases. The MPs call on Ministers to take into account the fact that referral fees reward a range of illegal behaviour. The report concludes that banning referral fees, together with custodial sentences for breaches of Section 55 of the Data Protection Act, would increase the deterrent and reduce the financial incentives for such offences.

Case studies quoted in the Justice Committee Report:

  1. In one case, a nurse was providing patient details to her partner who worked for an accident management company. A fine was imposed of £150 per offence, but accident management companies pay up to £900 for on client’s details.
  2. A woman whose husband had been jailed for sexual assault accessed the bank account details of the victim. The woman attempted to monitor the victim’s spending and social activities but was only fined £100 per offence.

Information Commissioner, Christopher Graham said:

“The Government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data. Lord Justice Leveson’s Inquiry into press standards should not be used as an excuse for inaction. The Ministry of Justice still has not given a response to the previous administration’s public consultation of two years ago. We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act.

“We shouldn’t have to wait a further year for the 2008 legislation to be commenced when today’s highly profitable trade in our data has little if anything to do with the press.

“The Commissioner recently called for stronger powers of audit. The ICO is building a business case for the extension of Assessment Notice powers to parts of the private sector such as motor insurance and financial services as well as to the NHS and local government.

“I welcome the support of the Justice Committee”

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: