Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

DPA

ICO response to ECJ ruling on personal data to US Safe Harbor

The ICO has issued a statement in response to the European Court of Justice ruling about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor

Deputy Commissioner David Smith said:

“Today’s ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response. This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor. It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK.

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.

“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.”

Personal data in leaked datasets is still personal data – ICO

By Simon Rice, Group Manager for Technology at the Information Commissioners Office (ICO).

Personal data in leaked datasets is still personal dataThey say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.

Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.

Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.

Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.

But with cases like this, there is still a domestic aspect to consider.

Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.

Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.

Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.

It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.

This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.

Have your details been published in a dataset?

If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their  colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches 

However, if asked by a third party to email a client or supplier’s personal details outside of the company,  56% said they wouldn’t and 19% said they would check with their boss before doing so. Although 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist, Graham Harris, explained: When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are and reassure them about what to do in the event of a problem

confidential

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management 

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

Most consumers do not trust anyone to protect their personal information

Fortinet surveys reveal growing cyber threat concerns as more consumers fear data breaches, while CISOs lack confidence in their ability to stop them.

Despite their concerns, third-party studies reveal consumer behaviours may present greater challenges for organizations that don’t have the right security protections in place.

Two industry surveys commissioned by Fortinet reveals

  • 71% of consumers across the U.S. are more nervous about their personal information being stolen through a data breach than they were just a year ago
  • 28% of IT security professionals are confident they have done enough to prevent a security incident

Despite this shift in consumer sentiment, the research revealed consumers are not taking necessary precautions to protect their personal information. When asked what measures they are implementing to better safeguard their information online:-

  • 76% of respondents said they had merely implemented stronger passwords – a step that is typically required when setting up an online account
  • 20% said they aren’t doing anything at all

It is no question the cyber threat environment remains dynamic and dangerous, and is gaining in severity. According to a recent report released by the Identity Theft Resource Center (IRK), companies in the U.S. experienced a record-breaking 783 data breaches in 2014.

Already in 2015 this trend has continued with the Anthem Health security breach – the largest in history, affecting more than 80 million of its customers, as well as Sony, TV Monde and others. Many of these attacks were initiated by sophisticated hackers looking for ways to circumvent perimeter defences through compromised devices, while others originated from within the network through unsuspecting employees or partners who, without malicious intent, let cyber criminals in.

The amount of entry points cyber criminals can use to infiltrate corporate networks and steal precious information is growing rapidly, as the number of devices connected to the network increase,” said Andrew Del Matte, chief financial officer at Fortinet. “If consumers aren’t taking precautions to protect their devices and proprietary data in their personal lives, it is unlikely they are doing so at work, increasing the possibility of a breach. It is more critical now than ever before for businesses to help safeguard the consumer and customer data for which they are responsible. They must take a multi-layered approach to security to protect against both malicious and non-malicious threats, from both inside and outside of the network

On a scale of 1 to 5 with 1 being “completely trust” and 5 being “don’t trust at all,” consumers were asked how much they trust various business providers and other institutions to protect their information. The survey found:

  • 31% of consumers completely trust their doctors
  • 18% completely trust their health insurance providers
  • 27% completely trust their personal banks
  • 14% completely trust their credit card companies
  • 19% completely trust their employers
  • 4% completely trust retailers

Are Organizations Doing Enough?

In a survey of 250 IT professionals with authority over the security decisions for their organizations,

  • 57% indicated they are most concerned about protecting customer data from cyber criminals.
  • 28% of those surveyed, are completely confident their organizations have done everything possible to prevent a security incident
  • 26% said they were only half-confident that they have taken the necessary measures to protect their organization from potential risk

Consumers are more concerned than ever about their personal information being compromised through a data breach, with good reason,” said Derek Manky, senior security strategist at Fortinet’s FortiGuard Labs. “The evolving threat landscape puts everyone at greater risk, particularly organizations that aren’t taking the time to rethink their approach to security. An old school approach won’t do. Businesses should seek out a best-of-breed security partner with scale, third-party validated solutions and access to the most up-to-date threat intelligence, to safeguard their networks from threats, no matter the type or where it is initiated, today and in the future

Who breached the Data Protection Act in 2014? Find the complete list here.

2014 was another busy year for the Information Commissioners Office with yet more breaches of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.
  4. Enforcements. A requirement on an organisation or individual to desist from specific activities.

Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 22 August 2014 a monetary penalty of £90,000 was issued to Kwik Fix Plumbers Ltd for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
  • 5 December 2014 a monetary penalty of £70,000 was issued to Manchester Ltd after sending unsolicited text messages and appeared on the recipients’ mobile phone to have been sent by “Mum”.
  • 05 November 2014 a monetary penalty of £7,500 was issued to Worldview Limited following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers
  • 01 October 2014 a monetary penalty of £70,000 was issued to fine to EMC Advisory Services Limited for making hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. They failed to make sure that those registered with the TPS, or who’d previously asked not to be contacted, weren’t being called.
  • 26 August 2014 a monetary penalty of £180,000 to the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information
  • 28 July 2014 a monetary penalty of £50,000 fine to Reactiv Media Limited after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS).
  • 23 July 2014 a monetary penalty of £150,000 to Think W3 Limited after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
  • 03 April 2014 a monetary penalty of £50,000 Amber UPVC Fabrications Ltd (T/A Amber Windows) after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS).
  • 19 March 2014 a monetary penalty of £100,000 to Kent Police after highly sensitive and confidential information, including copies of police interview tapes, were left in a basement at the former site of a police station.
  • 07 March 2014 a monetary penalty of £200,000 to the British Pregnancy Advice Service. Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception.
  • 11 January 2014 a monetary penalty of £185,000 to Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

ICO statement on Monetary Penalties

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 19 December 2014 Treasury Solicitors Department. A follow up has been completed to provide an assurance that the Treasury Solicitors Department has appropriately addressed the actions agreed in its undertaking signed February 2014.
  • 19 December 2014 Wirral Metropolitan Borough Council. A follow up has been completed to provide an assurance that Wirral Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 19 December 2014 Caerphilly County Borough Council. A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation. The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
  • 15 December 2014 St Helens Metropolitan Borough Council. A follow up has been completed to provide an assurance that St Helens Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 01 December 2014 Dudley Metropolitan Borough Council. A follow up has been completed to provide an assurance that Dudley Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 28 November 2014 Oxfordshire County Council. A follow up has been completed to provide an assurance that Oxfordshire County Council as appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 28 November 2014 Aspers (Milton Keynes) Limited. A follow up has been completed to provide an assurance that Aspers (Milton Keynes) Limited has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 26 November 2014 Department of Justice Northern Ireland. A follow up has been completed to provide an assurance that the Department of Justice Northern Ireland has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 17 November 2014 London Borough of Barking and Dagenham. A follow up has been completed to provide an assurance that London borough of Barking and Dagenham has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Student Loans Company. A follow up has been completed to provide an assurance that Student Loans Company has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Royal Veterinary College. A follow up has been completed to provide an assurance that The Royal Veterinary College has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 24 October 2014 Gwynedd Council. An Undertaking to comply with the seventh data protection principle has been signed by Gwynedd Council following two breaches of the Data Protection Act.
  • 24 October 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 08 October 2014 South Western Ambulance Service NHS Trust. An undertaking to comply with the first, third and seventh data protection principles has been signed by South Western Ambulance Service NHS Trust. This includes the completion of a Privacy Impact Assessment in respect of data sharing. This follows an investigation whereby patient data related to 45, 431 data subjects was shared with a Clinical Commissioning Group (‘CCG’) without a legal basis to do so. There were also security concerns surrounding the manner in which the data was stored on discs when being distributed to the CCG.
  • 08 October 2014 Weathersby Limited. An undertaking to comply with the seventh data protection principle has been signed by Weathersby Limited after the company failed to secure an internal server properly, resulting in personal data relating to clients being made available on the internet.
  • 07 October 2014 Basildon and Thurrock University Hospitals NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows an investigation into two reported incidents involving disclosures of personal data to third parties in error.
  • 25 September 2014 Norfolk Community Health & Care NHS Trust. An undertaking to comply with the first, third and seventh data protection principle has been signed by Norfolk Community Health & Care NHS Trust. This follows an investigation involving the inadvertent sharing of data with a referral management centre.
  • 22 September 2014 Oxford Health NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Oxford Health NHS Foundation Trust.  This follows an investigation into two separate incidents involving disclosures of personal data.
  • 09 September 2014 Isle of Scilly Council. An undertaking to comply with the seventh data protection principle has been signed by the Council of the Isle of Scilly. This follows an investigation into two separate incidents. The first relating to confidential information which was part of a disciplinary hearing being sent unredacted to third parties.
  • 28 August 2014 Racing Post. An undertaking to comply with the seventh data protection principle has been signed by the Racing Post. This follows an investigation whereby the Racing Post website was subject to an internet based SQL injection attack which gave access to a customer database. The data included customer registration details relating to 677,335 data subjects.
  • 13 August 2014 Wokingham Borough Council. A follow up has been completed to provide an assurance that Wokingham Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 11 August 2014 Thamesview Estate Agents Ltd. An undertaking to comply with the seventh data protection principle has been signed by Thamesview Estate Agents Ltd after the company continued to leave papers containing personal information on the street despite a previous warning. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past.
  • 18 July 2014 The Moray Council. A follow up has been completed to provide an assurance that The Moray Council has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 09 July 2014 Betsi Cadwaladr University Health Board. An undertaking to comply with the seventh data protection principle has been signed by Betsi Cadwaladr University Health Board after sensitive information was sent to the wrong address.
  • 27 June 2014 Oxfordshire County Council. An undertaking to comply with the seventh data protection principle has been signed by Oxfordshire County Council. This follows an investigation whereby a solicitor had removed a number of documents from the office but had dropped these in a street near their home. The sensitive personal data related to three child protection cases concerning 22 data subjects.
  • 23 June 2014 Aspers (Milton Keynes) Limited. An undertaking to comply with the seventh data protection principle has been signed by Aspers (Milton Keynes) Limited, following an email which was sent in error to an recipient outside of the organisation.
  • 19 June 2014 Department of Justice Northern Ireland. An undertaking to comply with the seventh data protection principle has been signed by Department of Justice Northern Ireland. This follows the sale of a filing cabinet that contained documents originating from within the Northern Ireland Prison service. The documents contained personal data, as defined by section 1 of the Data Protection Act 1998 (the Act), which was sensitive in nature.
  • 17 June 2014 Aberdeenshire Council. An undertaking to comply with the seventh data protection principle has been signed by Aberdeenshire Council after a paper file was lost by an employee of the Adult Mental Health section of the council’s Social Work service. The employee had placed the file on the roof of his car before driving off.
  • 16 June 2014 Cardiff and Vale University Health Board. A follow up has been completed to provide an assurance that Cardiff and Vale University Health Board has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 09 June 2014 Worcestershire Health and Care NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Worcestershire Health and Care NHS Trust. This follows an investigation whereby the local press were handed a patient handover sheet containing details of 18 patients.
  • 02 June 2014 Jephson Homes Housing Association Ltd. An undertaking to comply with the seventh data protection principle has been signed by Jephson Homes Housing Association Ltd. This follows an investigation into the disclosure in error of several documents containing third party personal data when providing documents to an individual as part of a litigation process.
  • 30 May 2014 Panasonic UK. A follow up has been completed to provide an assurance that Panasonic UK has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 30 May 2014 St Helens Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by St Helens Metropolitan Borough Council after child’s foster placement address was disclosed in error.  Investigations identified that Council had selected the correct recipient and had redacted the majority of documents disclosed however the address was missed on one document.
  • 30 May 2014 London Borough of Barking & Dagenham. An undertaking to respond in a quicker and more effective manner to losses of personal data has been signed by London Borough of Barking & Dagenham. This follows an investigation into the loss of a file containing medical data relating to eleven children, which discovered that although the council knew where the file was, it had still not been retrieved five months later.
  • 27 May 2014 Student Loans Company. An undertaking to comply with the seventh data protection principle has been signed by the Student Loans Company Limited following an investigation by the ICO into three separate incidents involving the disclosure of documents to the incorrect recipients.  The investigation identified that whilst checking procedures were in place documents containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
  • 16 May 2014 Great Ormond Street Hospital for Children NHS Foundation Trust. A follow up has been completed to provide an assurance that Great Ormond Street Hospital for Children NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed November 2013.
  • 12 May 2014 The Moray Council. An undertaking to comply with the seventh data protection principle has been signed by The Moray Council. This follows an investigation into the loss of a file containing adoption meeting papers at a café in the local area.
  • 25 April 2014 Dudley Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Dudley Metropolitan Borough Council. This follows an investigation whereby a social worker had left a case file containing sensitive personal data at a client’s home. The case file outlined child welfare concerns and disclosed the identity of the source.
  • 15 April 2014 Wirral Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wirral Borough Council after social services records containing sensitive personal information were sent to the wrong addresses on two occasions. The information, which was disclosed in February and April 2013, included sensitive personal details relating to two families living in the borough and in one case included details of a criminal offence committed by one of the family members.
  • 15 April 2014 Wokingham Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wokingham Borough Council, after sensitive social services records relating to the care of a young child were lost. The information, which had been requested by a family member, was lost after the delivery driver left the documents outside the requester’s home in August 2013.
  • 11 April 2014 Royal Borough of Windsor and Maidenhead. A follow up has been completed to provide an assurance that the Royal Borough of Windsor and Maidenhead has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 28 March 2014 Barking, Havering & Redbridge University Hospitals NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Barking, Havering & Redbridge University Hospitals NHS Trust. This follows an investigation by the ICO into a series of fax related incidents which revealed that the Trust had a very low attendance rate for Information Governance training.
  • 20 March 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 14 March 2014 Cardiff City Council. A follow up has been completed to provide an assurance that Cardiff City Council has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 13 March 2014 Neath Care. An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
  • 26 February 2014 Treasury Solicitor’s Department. An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department. The data controller agreed to put measures in place to ensure the security of the personal data it handles.
  • 24 January 2014 Hillingdon Hospitals NHS Foundation Trust. A follow up has been completed to provide an assurance that Hillingdon Hospitals NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 10 January 2014 Northern Health and Social Care Trust. A follow up has been completed to provide an assurance that Northern Health and

Prosecution

  • 13 November 2014 Harkanwarjit Dhanju. A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
  • 11 November 2014 Matthew Devlin. Company director Matthew Devlin has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. Devlin used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.
  • 22 August 2014 Dalvinder Singh. A Birmingham banker has been fined after he admitted reading his colleagues bank accounts. He worked in Santander UK’s suspicious activity reporting unit at their Leicester office. His role investigating allegations of money laundering meant he was able to view customer accounts. But he used his access to look at eleven colleagues’ accounts, to learn how much their salaries and bonuses were.
  • 06 August 2014 A Plus Recruitment Limited. A recruitment company has been prosecuted today at Doncaster Magistrates Court for failing to notify with the ICO. A Plus Recruitment Limited pleaded guilty and was fined £300 and ordered to pay costs of £489.95 and a victim surcharge of £30.
  • 05 August 2014 1st Choice Properties (SRAL). A property lettings and management company has been prosecuted for failing to notify with the ICO at Uxbridge Magistrates Court today. 1st Choice Properties (SRAL) was convicted in the defendant’s absence and fined £500, ordered to pay costs of £815.08 and a victim surcharge of £50.
  • 15 July 2014 Jayesh Shah. The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge.
  • 14 July 2014 Hayden Nash Consultants. A recruitment company has been prosecuted for failing to notify with the ICO at Reading Magistrates Court today. Hayden Nash Consultants entered a guilty plea and was fined £200, ordered to pay costs of £489.85 and a £20 victim surcharge.
  • 10 July 2014 Stephen Siddell. A former branch manager for Enterprise Rent-A-Car has been prosecuted for unlawfully stealing the records of almost two thousand customers before selling them to a claims management company. Stephen Siddell was fined £500, ordered to pay a £50 victim surcharge and £264.08 in prosecution costs.
  • 09 July 2014 Global Immigration Consultants Limited. A legal advice company has been prosecuted for failing to notify with the ICO at Manchester Magistrates Court today. Global Immigration Consultants Limited entered a guilty plea and was fined £300, ordered to pay costs of £260.18 and a £30 victim surcharge.
  • 06 June 2014 Darren Anthony Bott. The director of a pensions review company has been prosecuted for failing to notify with the ICO. Darren Anthony Bott of Allied Union Ltd entered a guilty plea and was fined £400, ordered to pay costs of £218.82 and a £40 victim surcharge.
  • 05 June 2014 API Telecom. A telecoms company has been prosecuted by the ICO for failing to comply with an information notice in Westminster Magistrates’ Court yesterday. The company, API Telecom, entered a guilty plea and was fined £200, ordered to pay full costs of £489.85 and the victim surcharge was imposed.
  • 13 May 2014 QR Lettings. A property company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. QR Lettings pleaded guilty at a hearing on 13 May 2014 at Birkenhead Magistrates Court. The company was fined £250, ordered to pay costs of £260 and a £30 victim surcharge.
  • 25 April 2014 Barry Spencer. A man who ran a company that tricked organisations into revealing personal details about customers has been ordered to pay a total of £20,000 in fines and prosecution costs, as well as a confiscation order of over £69,000 at a hearing at Isleworth Crown Court.
  • 25 April 2014 Allied Union Limited. A pension review company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act.  Allied Union Limited pleaded guilty at a hearing on 25 April 2014 at Swansea Magistrates Court. The company was fined £400, ordered to pay costs of £338.11 and a victim surcharge of £40.
  • 25 March 2014 Help Direct UK Limited. A financial advisors has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Help Direct UK Limited pleaded guilty at a hearing on 25 March 2014 at Swansea Magistrates Court. The company was fined £250, ordered to pay costs of £248.83 and a victim surcharge of £25.
  • 12 March 2014 Boilershield Limited. A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates. They were both fined £1,200, ordered to pay costs of £196.87 and a victim surcharge of £120.
  • 11 March 2014 Becoming Green (UK) Ltd. A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted by the Information Commissioner’s Office after failing to notify the ICO that it handled customers’ personal data. The offence was uncovered when the company was being monitored following concerns about compliance.
  • 24 January 2014 ICU Investigations Limited. Six men who were part of a company that tricked organisations into revealing personal

Enforcements

  • 19 November 2014 Grampian Health Board (NHS Grampian). The Information Commissioner’s Office has ordered NHS Grampian to take action to make sure patients’ information is better protected.
  • 12 November 2014 Hot House Roof Company. The ICO has issued an enforcement notice against Hot House Roof Company ordering them to stop making nuisance marketing calls. The company had failed to honour suppression requests and repeatedly made calls to a number of individuals despite their being TPS registered.
  • 21 October 2014 Abdul Tayub. The Information Commissioner’s Office has served Abdul Tayub with an enforcement notice after he was found to be sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.
  • 12 September 2014 All Claims Marketing Limited. The Information Commissioner’s Office has served All Claims Marketing Limited with an enforcement notice after the company was found to be sending unsolicited marketing mail by electronic means without providing information as to its identity.
  • 03 September 2014 Winchester and Deakin Limited. The Information Commissioner’s Office has served Carmarthen-based direct marketing company Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim) with an enforcement notice ordering them to stop making nuisance calls. The move comes after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) or who had asked not to be contacted.
  • 16 June 2014 DC Marketing Limited. The ICO has issued an enforcement notice against DC Marketing Limited after the company made hundreds of nuisance calls to try and get people to purchase solar panels partly financed by the Green Deal Home Improvement Fund. An ICO investigation found the company also frequently gave a false name to avoid detection.
  • 29 May 2014 Wolverhampton City Council. The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
  • 03 April 2014 Amber UPVC Fabrications Ltd (T/A Amber Windows). The ICO has issued an enforcement notice against Amber Windows ordering them not to call subscribers who have previously told them not to ring or subscribers who have not consented to them calling and have registered the number with the TPS for at least the required 28 days.
  • 10 March 2014 Isisbyte Limited. The ICO has served an enforcement notice on Isisbyte Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.
  • 10 March 2014 SLM Connect Limited. The ICO has served an enforcement notice on SLM Connect Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.

Who has breached the Data Protection Act in 2012? Find the complete list here.

Who breached the Data Protection Act in 2013? Find the complete list here.

Travel company fined £150,000 after losing 1,163,996 Credit and Debit Card records

An online travel services company called Think W3 Limited, has been fined £150,000 after it breached the Data Protection Act.

Think W3 Limited was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd.

A hacker extracted a total of 1,163,996 Credit and Debit Card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

Stephen Eckersley, The ICO’s Head of Enforcement, said:

This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage

The Information Commissioner’s fine will be in addition to the costs levied by the Credit Card schemes under PCI and the banks.

I thought I had published this months ago but found it still in my drafts.

2013 was a very busy year for the UK’s Information Commissioners Office (ICO) as he issued record numbers of fines and enforcements.

There are normally three types of punishments administered by the ICO:-

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act and like 2012 there were not many in 2013.

The complete list of those who fell foul of the Data Protection Act in 2013 is below:-

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury. The size of the fines might change with the pending revision to the Data Protection Act.

The list has the most recent first.

  • 16 December 2013. A monetary penalty notice has been served on First Financial (UK) Limited after the pay day Loans Company sent millions of spam text messages.
  • 29 October 2013. A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
  • 22 October 2013. A monetary penalty notice has been served on the Ministry of Justice for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.
  • 26 September 2013. A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.
  • 29 August 2013. A monetary penalty notice has been served on Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 23 August 2013. A monetary penalty notice has been served to Islington Borough Council after personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.
  • 5 August 2013. A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.
  • 12 July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Appeal withdrawn.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

The list has the most recent first.

  • 20 December 2013. A follow up has been completed to provide an assurance that Luton Borough Council has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 26 November 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Borough of Windsor & Maidenhead, following an incident in which restricted information about employees was disclosed on its intranet in error.
  • 22 November 2013. An undertaking to comply with the Privacy and Electronic Communications Regulations has been signed by Better Together. The organisation must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent.  A follow up has been completed to provide an assurance that Foyle Women’s Aid has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 21 November 2013. An undertaking to comply with the seventh data protection principle has been signed by Great Ormond Street Hospital for Children NHS Foundation Trust. This follows four incidents involving the accidental disclosure of sensitive personal data.
  • 1 November 2013. A follow up has been completed to provide an assurance that The Health and Care Professions Council has appropriately addressed the actions agreed in its undertaking signed July 2013.
  • 1 November 2013. A follow up has been completed to provide an assurance that Mansfield District Borough Council has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 25 October 2013. A follow up has been completed to provide an assurance that The Burnett Practice has appropriately addressed the actions agreed in its undertaking signed in April 2013. An undertaking to comply with the seventh data protection principle has been signed by Panasonic UK. This follows the theft of an unencrypted laptop containing personal data relating to people who had attended a hospitality event run by a third party company on Panasonic’s behalf.
  • 15 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Royal Veterinary College. This follows the loss of a memory card containing personal data. In addition, data protection training is not considered to be adequate and the RVC does not appear to be taking steps to address this proactively. This highlights a potentially serious failing in respect of staff awareness of Information Governance policies. Their investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace.
  • 7 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by The Hillingdon Hospitals NHS Foundation Trust.
  • 4 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Cardiff & Vale University Health Board, following the loss of documents containing sensitive personal data by a consultant.
  • 29 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 11 September 2013. An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council following several incidents involving inappropriate handling of sensitive personal data. Investigation of these incidents revealed that previous recommendations made by the ICO had not been implemented.
  • 28 August 2013. An undertaking to comply with the sixth data protection principle has been signed by Cardiff City Council. The Council agreed to put measures in place to ensure greater compliance with subject access requests.
  • 22 August 2013. An undertaking to comply with the seventh data protection principle has been signed by the Local Government Ombudsman. This follows the theft of a bag containing hard copy papers relating to complaints made to the Local Government Ombudsman (the LGO) including some SPD. It is felt that the provision of data protection training was insufficient to ensure staff awareness of policies and procedures relating to the use of personal data.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Northern Health & Social Care Trust. This follows a number of security incidents which led to a formal investigation into the Trust’s compliance with the Act. One incident in May 2011, involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Foyle Women’s Aid. This follows the temporary loss of a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid that was left in a café. The folder contained confidential client information. An apparent lack of effective controls and procedures for taking information out of the office was a contributor to the loss of highly sensitive personal data.
  • 16 July 2013. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website http://www.janetpage.com.
  • 9 July 2013. An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013. (issued 10 September 2012) An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 12 June 2013 (issued 18 September 2012). An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011). An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

The list has the most recent first.

  • 3 December 2013. A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery. Steven Tennison was prosecuted under section 55 of the Data Protection Act at Maidstone Magistrates Court.
  • 8 October 2013. A pay day loans company based in London and its director have been prosecuted after failing to register that the business was processing personal information. Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court.
  • 25 September 2013. A former Barclays Bank employee has been fined after illegally accessing the details of a customer’s account. In one case the employee, Jennifer Addo, found out the number of children the customer had and passed the details to the customer’s then partner, who was a friend of Ms Addo.
  • 15 August 2013. A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been fined £150 following a prosecution bought by the ICO.

Find the 2012 list here.

Health sector needs to improve its data protection

The Information Commissioner’s Office report on how organisations providing secondary health care are complying with the Data Protection Act and highlights areas that need improvement.

The report summarises the results of 19 audits, mostly against NHS Trusts.

The audits looked at how personal data is handled by the organisation, and fit alongside NHS information governance guidelines. The organisations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data.

The Audits found:

  • All the organisations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
  • All the organisations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trollies used for moving files.
  • There was also a lack of simple password controls, notably forcing regular password changes.
  • Some organisations had little in the way of fire or flood protection in place for paper records.
  • All organisations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
  • Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.

Before three of the audits, staff were surveyed about their awareness of data protection policies

  • 88% of staff had read and understood the policy in place within their organisation
  • 94% had completed data protection training within the previous year

Claire Chadwick, ICO Team Manager in the Good Practice team, said:

Information about a person’s health tends to be one of the most sensitive types of personal data, and it is clear it must be properly handled.

“Our experiences in these audits suggested that tended to be the case. Only one of the audits suggested a substantial risk of non-compliance with the law, while more than half gave reasonable assurance the law was being complied with.

“By paying attention to this report, more organisations in this sector can ensure they are handling personal information properly. This report is an opportunity to review and improve practices and procedures based on our experiences

The audits followed a letter from the Information Commissioner and the Chief Executive of the NHS Sir David Nicholson to chief executives and finance directors within the NHS.

The full report can be found here.

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money and penalties is a good way to generate more revenue – a self funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. They failed in their bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify with the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Also read

Infographic: BYOD Security is still a problem

Insufficient BYOD security management and lax exit processes puts organisations at risk.

Overall the UK needs to improve its approach to the Data Protection Act

The Information Commissioner’s Office (ICO) has published its audits for of the UK’s four largest sectors and whilst it was positive about the approach of the Private Sector it raised concerns about the Public Sector.

The audit reports (below) summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.

Announcing the reports, Louise Byers, Head of Good Practice, at the ICO said:

“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”

Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.

Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.

Commenting on the report for the private sector, Louise Byers continued:

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data. However this does not mean that businesses in the UK should rest on their laurels. We are still seeing relatively few companies agree to an ICO audit and further improvements can be made, particularly when it comes to the retention and deletion of data.”

In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fair little better with two out of 11 organisations achieving the highest level of assurance.

Louise Byers continued:

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.

“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”

Good Practise Audit outcomes analysis NHS – February 2010 to July 2012 

Good Practise Audit outcomes analysis Local authorities – February 2010 to July 2012

Good Practice Audit outcomes analysis Central Government – February 2010 to July 2012

Good Practice Audit outcomes analysis Private sector – February 2010 to July 2012

.

Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed upgrade of the European Commission’s 1995 Data Protection Act and have found it fascinating. The rumours, the speeches, the headlines and of course the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong I am 100% in favour of a consolidated European Data Protection Act because ambiguity in one country leads to breaches in another and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction but some of the points were likely to be contentious for example the “Right to be forgotten” and “all business with 250+ employees needing a Data protection Officer”, there are others but I will cover them later in the post.

One thing is obvious, a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act and to try and stop it becoming another Human Rights Act….! They want a simple and coherent Act that is easy to enforce without a constant steam of lawyers muddying the waters.
  4. Those citizens who in the main do not have a clue what is being done in their name and there are 500 million of them.

Viviane Reding Vice-President of the European Commission, EU Justice Commissioner believes the proposed EU wide Data Protection Act will save European businesses €2.3Billion annually whilst protecting the privacy of European Citizens.

Great, everyone one wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with 27 differing Data Protection Acts currently being operated across the EU commission member states. However if you are a small business operating in one or two countries you may struggle to financially benefit from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is called the Information Commissioner, is likely to be massive which means they will need more staff to accommodate and enforce the new requirements which also means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons but one in particular stands out as an administrative nightmare, if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU the local DPA has to be informed. How many times this will need to be done is hard to calculate but how much data goes to the Call Centres in the Philippines? With 600,000 Philippine’s employed in call centres it is going to be a lot. Then there is the data processing in India, Data Translation in America, Disaster Recover contingencies across the globe, Cloud computing (where is the cloud?), the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioners (ICO) office handled 30,000 complaints and with the proposed requirements on businesses that number could easily quadruple.  You could say “some of the 30,000 complaints lead to convictions and fines and that could pay for the increased costs of operating the new Data Protection Act”, on the face of it you are correct except the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby Governments for the correct funding in each country and she believes that if the leveraged fines were pointed in the right direction they could become a revenue generator for the country.

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013 which is likely to be 12 months before the Act is enforceable but 12 months after the hundreds of thousands of business have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on business to be pro-active. Prevention is better than the cure or in this case better than a Data a Breach.

Businesses will be required to:

  • have “Privacy/Data Protection by Design” which means that, at the point of building a process or system, security has to be on the list of desired out-comes.
  • Data Protection by default, which means all systems have to be secure.
  • All business must undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate the risk. This is not a Penetration Test this is a thorough assessment of people, process and technologies surrounding and impacting on the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert ISBN-10: 9400725426.

Another huge improvement is the requirement on business to formally notify the local DPA of any breaches. Breach Notification has been in existence for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that it will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory Breach Notification is a difficult area because some breaches can run for months or years before they are discovered. It is the point of discovery that is important, as far as the Act is concerned, but if a business did try to cover up then there is a good chance they will be found out and the details of who did what will be clear for the world to see.

In 2007 when the UK’s HMRC lost a CD containing the child benefit details of 25 million people everyone expected an avalanche of Identity Thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued however that, as a result, 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

Similar to the HMRC situation in 2008 was when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was the data was used for criminal purposes. The criminal Albert Gonzalez AKA “segvec,” “soupnazi” and “j4guar17” has since been convicted and is currently serving 20 years for various crimes involving up to 130 million stolen credit cards’ data. Details of Gonzalez can be found here.

Once the DPA has been informed the organisation then has to inform the individuals affected. This is the first direct cost of a breach. See my post The huge and unexpected administrative costs of a data breach. There is always the risk that they may not understand the notification, for example a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example Tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place and being able to prove it was running essential.

Another impact which affects many countries, especially the UK, is the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means if a cover up has been attempted but was not successful there is a chance they can avoid having all the information going public by admitting it and therefore suppressing it. The new Act will mean nearly all of the information about a breach will be in the public domain including an organisations failure to protect PII and possibly the organisations attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned Data Protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPAs lack of independence. For any Country to be hauled in front the of the European Courts of Justice is embarrassing, especially if they have to amend their own legislation. Full details of the Hungarian action can be found here.

Summary of proposed key changes in the proposed Act:

The Right to be forgotten is a contentious area for many organisations, for example;

  • Can someone with a bad credit history evoke the right to avoid their past?
  • If some evokes the right with their insurance company they will lose their Car Insurance no claims bonus – could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data.
  • In the case of employees past and present what information can be retained and what information has to be retained.

Privacy by Design. There is a debate as to whether the actual working will be Privacy or Data Protection which will be finalised when the final draft is passed for law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority Informed.

Explicit consent must be obtained to include PII in databases and an ability to easily have their information removed.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Business must address the portability of data;

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale

  • 0.5% of global turnover or                  €250,000
  • 1.0% of global turnover or                  €500,000
  • 2% of global turnover or                     €1 million of Global Turnover
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except for Law Enforcement, who will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined up policing across the member states.

This post was meant to be a short summary, compared to my notes it is, but the far reaching impact of this Act is largely unknown by most organisations and has a high probability of being passed into law during 2012 give a requirement to be compliant by 2014. Whatever the date is there is a need for organisations, of any size, to be aware of what is coming and to start developing plans to have Privacy and Data Protection at the forefront of their business plans NOW.

.

Information Commissioner gets tough with the largest fine for the breach of the Data Protection Act

The Information Commissioner’s Office (ICO) has served a penalty of £130,000 on Powys County Council for breaching the Data Protection Act.

Powys County Council sent the details of a child protection case to the wrong recipient.

The £130,000 penalty is the highest that the ICO has served since it was given the power in April 2010 and follows a similar incident, which was reported by the council to the ICO in June last year.

The latest breach at Powys county Council occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers.

The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

Assistant Commissioner for Wales, Anne Jones said:

“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

The Information Commissioners Office is pressing the Ministry of Justice for stronger powers to audit local councils’ and the NHS on their Data Protection Compliance.

Related Posts on the actions of the Information Commissioner:

.

Information Commissioner calls for powers to conduct compulsory Data Protection Audits

Christopher Graham, the UK Information Commiss...
Image via Wikipedia

The Information Commissioner has called for powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said today at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.

The only compulsory data protections audit powers the ICO currently has are for central government departments.  For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector.

In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit.

The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner, Christopher Graham said:

“Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”

“With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.”  

The Information Commissioner also used his speech at the conference to give a six month update on the ICO’s complaints handling performance.

Complaints about marketing texts, some of which are known as spam texts, have trebled in volume since 2008/9, and now account for approximately 13% of all data protection complaints to the ICO. Over 1,000 complaints have been received since April.

The overall number of new Data Protection (DP) complaints is up by 2% compared to the same period last year.

The number of Freedom Of Information (FOI) complaints has also risen by around 5%. The ICO has increased its output to match the increase and has closed a record number of FOI cases during the first half of the year. Closures on DP cases are also up.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: