Brian Pennington

A blog about Cyber Security & Compliance

Tag: Information Commissioner

Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference 2017

6th March, Manchester, UK.

Good morning, and welcome to Manchester. It’s cold and it’s grey, but for those of us who live around here, we kind of like it, and we’re proud it’s where the biggest data protection conference of the year takes place.

We’ve got a busy schedule today. Lots on GDPR, of course. Trevor Hughes from IAPP talking about the role of the data protection officer internationally. Practical workshops on everything from breach notification to consent. And a very engaging information market – the speakers’ corner looks sure to be a conversation starter, and don’t miss our experts talking about the law enforcement directive too.

So lots to engage you. Let’s get started by getting your grey matter warmed up: a quick general knowledge quiz. One question:

What links the following:

  • the Labour Party;
  • international weightlifting;
  • the music you heard when I entered the room; and
  • the ICO?

The answer is right before your eyes: all have performed right here at this venue. I’m not sure which of the four had the rowdiest audience…!

Manchester Central has been the home of the Data Protection Practitioners Conference for the best part of a decade, and I’m sure you’ll agree it’s an excellent venue. It was converted from a railway station built more than 125 years ago by Sir John Fowler, the architect famed for his work on the Forth Railway Bridge.

Sir John once said: “Engineers are not mere technicians and should not approve or lend their name to any project that does not promise to be beneficent to man and the advancement of civilization.”

DPOs in the mainstream

I think there’s something in that comment for us here today. About not merely being technicians. About looking to see how the projects we contribute to can be beneficial to citizens. How we can put the customer first.

I don’t think that’s too grand an aim. This is an exciting time to be in data protection. Like many of you, I’ve worked in this sector a long time. I remember when we were a back office function. When we often were seen as “mere technicians”. That seems a very long time ago.

My colleague Rob Luke, who you’ll hear from shortly, is speaking before an advertising conference later this week. Fifteen years ago, which advertiser would have invited the data protection regulator to their annual event? Who thought data protection when they booked a slot in the ad break during Coronation Street? But today, data protection is central to their work. Making the most of customer data. Combining big data sets. Finding new ways to better understand what consumers want, to track how they act or predict what they will do next.

Last week, we opened an inquiry into privacy risks arising from the use of data analytics for political purposes following public reports about the role of private firms in the Brexit referendum. We often find ourselves at the heart of many debates of modern society.

It’s an exciting time to work in data protection, whatever your sector, with real opportunities. We’ll talk a lot today about the practical aspects, from how GDPR will change things at your organisations, to the steps you can take to use the coming change in the law as an opportunity to inform your practices.

But let’s not lose sight of what good data protection can achieve. We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens.

Review of last 12 months

I think it’s fair to say that a recap of the files we’ve been involved in over the past twelve months can be characterised by organisations failing to put customers first.

Our work with WhatsApp and Facebook springs to mind. We all rely on digital services for important parts of our lives. But my office felt these apps were not taking enough responsibility for data protection. Companies have legal responsibilities to treat people’s data with proper care and transparency – to give them persistent control and choice.

Similarly the record fine we issued to TalkTalk. You could write an essay discussing the technical detail of the cyber-attack itself, but fundamentally, not enough respect – not enough care – was being given to the type of protection consumers would have expected of their personal information.

And without rehearsing the conversations we’ve had with parts of the charity sector, there’s a similar theme: insufficient thought about the level of transparency donors would want, expect, or support.

They’re examples of organisations getting it wrong under the current Data Protection Act. GDPR is going to put even more of an onus on organisations to understand and respect the personal privacy rights of consumers.

GDPR

Because while the General Data Protection Regulation builds on the previous legislation, it provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data.

The GDPR gives specific new obligations for organisations, for example around reporting data breaches and transferring data across borders.

But the real change for organisations is understanding the new rights for consumers.

Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.

On that subject, do take a look at the guidance on consent that is now out for consultation, and will be discussed at our workshop later today.

Accountability and breadth

At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society.

Making it matter to the boardroom

I’ve already spoken to some of you this morning, and I hear what you’re saying. You understand why having your organisation accept more accountability for data protection matters. You want to change the culture of your organisation. But in many cases, you need to convince your senior management first. So, what can I give you today to help you make that case when you go back to your offices tomorrow?

The fines are the obvious headline. The GDPR gives regulators greater enforcement powers. If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.

But there’s a carrot here as well as a stick, and as regulators we actually prefer the carrot. Get data protection right, and you can see a real business benefit.

Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.

What the ICO is doing

Gandhi said the future depends on what we do in the present. So let me talk a little about what my office is doing now, to help you prepare for the future.

I’ve worked as a regulator in this field for more than twelve years and my focus has always been on making sure the regulator is relevant. On making sure we’re taking on that challenge of not being mere technicians but instead are making a difference to the organisations we regulate through education. Making a difference to the public, through giving them an avenue to file a complaint and by sanctioning the bad actors.

Each of us in the information rights field, on a daily basis, tries to make a difference to the public. Collectively, we do a good job: I think people have never been more aware of their rights, of what they can expect of the businesses and organisations they trust with their data. But consumer trust hasn’t followed that. An ICO survey last year showed only one in four UK adults trust businesses with their personal data. And I don’t believe the figure would be much higher for the public sector. As a regulator, it’s one of my jobs to give you the tools and the support to turn that around.

I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK. I think that’s achievable.

We’ll be shortly announcing work we’ll be doing to contribute to that. We want to support independent research that helps people better navigate the digital world. Our research and grants programme will dedicate funds over the next five years to engaging the research community in finding ways to help consumers. More details in due course.

Post Brexit

And of course we need to be looking to the horizon, to what might exist beyond GDPR.

Fourteen months ago I was writing a speech for a different audience, in a different role. My appearance was at the Canadian annual privacy and security conference, as information and privacy commissioner for British Columbia. I was talking about the challenges of a digital economy that required data to flow across borders, where different legal systems and cultural norms about privacy make this a complicated undertaking. More specifically, I spoke about how changes within the EU affect those outside of it, particularly around adequacy.

How familiar does that sound today? The UK EU referendum decision means we’re facing the same challenges. The UK’s digital economy needs data to flow across borders: how do we make sure that can happen? How can we foster economic growth while still respecting citizens’ rights?

When the government comes to answer those questions beyond the implementation of GDPR in 2018, we expect to be at the centre of many conversations, speaking up for continued protection and rights for consumers, and clear laws for organisations. And addressing the strong data protection laws we’d need if we want to keep the UK’s approach at an equivalent standard to the EU.

Conclusion

Which brings us back to today. The GDPR is a strong data protection law. It gives consumers more control over their data. And it includes new obligations for organisations.

Today is about learning more about those obligations, more about data protection best practice, more about how to get it right.

Today is about helping you make the best use of tomorrow.

ICO, Michael McIntyre and the Data Protection Act

ICO response to police force tweeting Michael McIntyre’s picture:

Police forces, like all other organisations, must comply with the Data Protection Act. The police especially must ensure that they have legitimate grounds for processing personal data, and disclosing images of this nature without a justifiable policing purpose could potentially breach the Data Protection Act. We will follow this up with the Force concerned.

I have often wondered about the sharing of images and how, in certain circumstances, it could lead to the wrong person or a known person being identified, e.g. a photo-fit image created by a Police Artist often looks like everyone’s next door neighbour.

Equally, if a person in the public spotlight cannot have their image shared by a public body, then how can a media outlet, which is also governed by the Data Protection Act, show images that people do not want shared?

It will be interesting to see what the outcome will be and if Michael McIntyre complains.

Who breached the Data Protection Act in 2014? Find the complete list here.

2014 was another busy year for the Information Commissioner’s Office, with yet more breaches of the Data Protection Act.

There are normally three types of punishments administered by the ICO:

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.
  4. Enforcements. A requirement on an organisation or individual to desist from specific activities.

Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury, not to the ICO.

  • 22 August 2014 a monetary penalty of £90,000 was issued to Kwik Fix Plumbers Ltd for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
  • 5 December 2014 a monetary penalty of £70,000 was issued to Manchester Ltd after it sent unsolicited text messages that appeared on the recipients’ mobile phones to have been sent by “Mum”.
  • 05 November 2014 a monetary penalty of £7,500 was issued to Worldview Limited following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.
  • 01 October 2014 a monetary penalty of £70,000 was issued to EMC Advisory Services Limited for making hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. They failed to make sure that those registered with the TPS, or who’d previously asked not to be contacted, weren’t being called.
  • 26 August 2014 a monetary penalty of £180,000 was issued to the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.
  • 28 July 2014 a monetary penalty of £50,000 was issued to Reactiv Media Limited after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS).
  • 23 July 2014 a monetary penalty of £150,000 was issued to Think W3 Limited after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
  • 03 April 2014 a monetary penalty of £50,000 was issued to Amber UPVC Fabrications Ltd (T/A Amber Windows) after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS).
  • 19 March 2014 a monetary penalty of £100,000 was issued to Kent Police after highly sensitive and confidential information, including copies of police interview tapes, was left in a basement at the former site of a police station.
  • 07 March 2014 a monetary penalty of £200,000 was issued to the British Pregnancy Advice Service after a hacker threatened to publish thousands of names of people who had sought advice on abortion, pregnancy and contraception.
  • 11 January 2014 a monetary penalty of £185,000 was issued to the Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

ICO statement on Monetary Penalties

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 19 December 2014 Treasury Solicitors Department. A follow up has been completed to provide an assurance that the Treasury Solicitors Department has appropriately addressed the actions agreed in its undertaking signed February 2014.
  • 19 December 2014 Wirral Metropolitan Borough Council. A follow up has been completed to provide an assurance that Wirral Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 19 December 2014 Caerphilly County Borough Council. A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation. The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
  • 15 December 2014 St Helens Metropolitan Borough Council. A follow up has been completed to provide an assurance that St Helens Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 01 December 2014 Dudley Metropolitan Borough Council. A follow up has been completed to provide an assurance that Dudley Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 28 November 2014 Oxfordshire County Council. A follow up has been completed to provide an assurance that Oxfordshire County Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 28 November 2014 Aspers (Milton Keynes) Limited. A follow up has been completed to provide an assurance that Aspers (Milton Keynes) Limited has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 26 November 2014 Department of Justice Northern Ireland. A follow up has been completed to provide an assurance that the Department of Justice Northern Ireland has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 17 November 2014 London Borough of Barking and Dagenham. A follow up has been completed to provide an assurance that London borough of Barking and Dagenham has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Student Loans Company. A follow up has been completed to provide an assurance that Student Loans Company has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Royal Veterinary College. A follow up has been completed to provide an assurance that The Royal Veterinary College has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 24 October 2014 Gwynedd Council. An Undertaking to comply with the seventh data protection principle has been signed by Gwynedd Council following two breaches of the Data Protection Act.
  • 24 October 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 08 October 2014 South Western Ambulance Service NHS Trust. An undertaking to comply with the first, third and seventh data protection principles has been signed by South Western Ambulance Service NHS Trust. This includes the completion of a Privacy Impact Assessment in respect of data sharing. This follows an investigation whereby patient data relating to 45,431 data subjects was shared with a Clinical Commissioning Group (‘CCG’) without a legal basis to do so. There were also security concerns surrounding the manner in which the data was stored on discs when being distributed to the CCG.
  • 08 October 2014 Weathersby Limited. An undertaking to comply with the seventh data protection principle has been signed by Weathersby Limited after the company failed to secure an internal server properly, resulting in personal data relating to clients being made available on the internet.
  • 07 October 2014 Basildon and Thurrock University Hospitals NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows an investigation into two reported incidents involving disclosures of personal data to third parties in error.
  • 25 September 2014 Norfolk Community Health & Care NHS Trust. An undertaking to comply with the first, third and seventh data protection principle has been signed by Norfolk Community Health & Care NHS Trust. This follows an investigation involving the inadvertent sharing of data with a referral management centre.
  • 22 September 2014 Oxford Health NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Oxford Health NHS Foundation Trust. This follows an investigation into two separate incidents involving disclosures of personal data.
  • 09 September 2014 Isle of Scilly Council. An undertaking to comply with the seventh data protection principle has been signed by the Council of the Isle of Scilly. This follows an investigation into two separate incidents. The first relating to confidential information which was part of a disciplinary hearing being sent unredacted to third parties.
  • 28 August 2014 Racing Post. An undertaking to comply with the seventh data protection principle has been signed by the Racing Post. This follows an investigation whereby the Racing Post website was subject to an internet based SQL injection attack which gave access to a customer database. The data included customer registration details relating to 677,335 data subjects.
  • 13 August 2014 Wokingham Borough Council. A follow up has been completed to provide an assurance that Wokingham Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 11 August 2014 Thamesview Estate Agents Ltd. An undertaking to comply with the seventh data protection principle has been signed by Thamesview Estate Agents Ltd after the company continued to leave papers containing personal information on the street despite a previous warning. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past.
  • 18 July 2014 The Moray Council. A follow up has been completed to provide an assurance that The Moray Council has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 09 July 2014 Betsi Cadwaladr University Health Board. An undertaking to comply with the seventh data protection principle has been signed by Betsi Cadwaladr University Health Board after sensitive information was sent to the wrong address.
  • 27 June 2014 Oxfordshire County Council. An undertaking to comply with the seventh data protection principle has been signed by Oxfordshire County Council. This follows an investigation whereby a solicitor had removed a number of documents from the office but had dropped these in a street near their home. The sensitive personal data related to three child protection cases concerning 22 data subjects.
  • 23 June 2014 Aspers (Milton Keynes) Limited. An undertaking to comply with the seventh data protection principle has been signed by Aspers (Milton Keynes) Limited, following an email which was sent in error to a recipient outside of the organisation.
  • 19 June 2014 Department of Justice Northern Ireland. An undertaking to comply with the seventh data protection principle has been signed by Department of Justice Northern Ireland. This follows the sale of a filing cabinet that contained documents originating from within the Northern Ireland Prison service. The documents contained personal data, as defined by section 1 of the Data Protection Act 1998 (the Act), which was sensitive in nature.
  • 17 June 2014 Aberdeenshire Council. An undertaking to comply with the seventh data protection principle has been signed by Aberdeenshire Council after a paper file was lost by an employee of the Adult Mental Health section of the council’s Social Work service. The employee had placed the file on the roof of his car before driving off.
  • 16 June 2014 Cardiff and Vale University Health Board. A follow up has been completed to provide an assurance that Cardiff and Vale University Health Board has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 09 June 2014 Worcestershire Health and Care NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Worcestershire Health and Care NHS Trust. This follows an investigation whereby the local press were handed a patient handover sheet containing details of 18 patients.
  • 02 June 2014 Jephson Homes Housing Association Ltd. An undertaking to comply with the seventh data protection principle has been signed by Jephson Homes Housing Association Ltd. This follows an investigation into the disclosure in error of several documents containing third party personal data when providing documents to an individual as part of a litigation process.
  • 30 May 2014 Panasonic UK. A follow up has been completed to provide an assurance that Panasonic UK has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 30 May 2014 St Helens Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by St Helens Metropolitan Borough Council after a child’s foster placement address was disclosed in error. Investigations identified that the Council had selected the correct recipient and had redacted the majority of the documents disclosed; however, the address was missed on one document.
  • 30 May 2014 London Borough of Barking & Dagenham. An undertaking to respond in a quicker and more effective manner to losses of personal data has been signed by London Borough of Barking & Dagenham. This follows an investigation into the loss of a file containing medical data relating to eleven children, which discovered that although the council knew where the file was, it had still not been retrieved five months later.
  • 27 May 2014 Student Loans Company. An undertaking to comply with the seventh data protection principle has been signed by the Student Loans Company Limited following an investigation by the ICO into three separate incidents involving the disclosure of documents to the incorrect recipients. The investigation identified that, whilst checking procedures were in place, documents containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
  • 16 May 2014 Great Ormond Street Hospital for Children NHS Foundation Trust. A follow up has been completed to provide an assurance that Great Ormond Street Hospital for Children NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed November 2013.
  • 12 May 2014 The Moray Council. An undertaking to comply with the seventh data protection principle has been signed by The Moray Council. This follows an investigation into the loss of a file containing adoption meeting papers at a café in the local area.
  • 25 April 2014 Dudley Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Dudley Metropolitan Borough Council. This follows an investigation whereby a social worker had left a case file containing sensitive personal data at a client’s home. The case file outlined child welfare concerns and disclosed the identity of the source.
  • 15 April 2014 Wirral Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wirral Borough Council after social services records containing sensitive personal information were sent to the wrong addresses on two occasions. The information, which was disclosed in February and April 2013, included sensitive personal details relating to two families living in the borough and in one case included details of a criminal offence committed by one of the family members.
  • 15 April 2014 Wokingham Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wokingham Borough Council, after sensitive social services records relating to the care of a young child were lost. The information, which had been requested by a family member, was lost after the delivery driver left the documents outside the requester’s home in August 2013.
  • 11 April 2014 Royal Borough of Windsor and Maidenhead. A follow up has been completed to provide an assurance that the Royal Borough of Windsor and Maidenhead has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 28 March 2014 Barking, Havering & Redbridge University Hospitals NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Barking, Havering & Redbridge University Hospitals NHS Trust. This follows an investigation by the ICO into a series of fax related incidents which revealed that the Trust had a very low attendance rate for Information Governance training.
  • 20 March 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 14 March 2014 Cardiff City Council. A follow up has been completed to provide an assurance that Cardiff City Council has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 13 March 2014 Neath Care. An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
  • 26 February 2014 Treasury Solicitor’s Department. An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department. The data controller agreed to put measures in place to ensure the security of the personal data it handles.
  • 24 January 2014 Hillingdon Hospitals NHS Foundation Trust. A follow up has been completed to provide an assurance that Hillingdon Hospitals NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 10 January 2014 Northern Health and Social Care Trust. A follow up has been completed to provide an assurance that Northern Health and

Prosecution

  • 13 November 2014 Harkanwarjit Dhanju. A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
  • 11 November 2014 Matthew Devlin. Company director Matthew Devlin has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. Devlin used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.
  • 22 August 2014 Dalvinder Singh. A Birmingham banker has been fined after he admitted reading his colleagues’ bank accounts. He worked in Santander UK’s suspicious activity reporting unit at their Leicester office. His role investigating allegations of money laundering meant he was able to view customer accounts. But he used his access to look at eleven colleagues’ accounts, to learn how much their salaries and bonuses were.
  • 06 August 2014 A Plus Recruitment Limited. A recruitment company has been prosecuted today at Doncaster Magistrates Court for failing to notify the ICO. A Plus Recruitment Limited pleaded guilty and was fined £300 and ordered to pay costs of £489.95 and a victim surcharge of £30.
  • 05 August 2014 1st Choice Properties (SRAL). A property lettings and management company has been prosecuted for failing to notify the ICO at Uxbridge Magistrates Court today. 1st Choice Properties (SRAL) was convicted in the defendant’s absence and fined £500, ordered to pay costs of £815.08 and a victim surcharge of £50.
  • 15 July 2014 Jayesh Shah. The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge.
  • 14 July 2014 Hayden Nash Consultants. A recruitment company has been prosecuted for failing to notify the ICO at Reading Magistrates Court today. Hayden Nash Consultants entered a guilty plea and was fined £200, ordered to pay costs of £489.85 and a £20 victim surcharge.
  • 10 July 2014 Stephen Siddell. A former branch manager for Enterprise Rent-A-Car has been prosecuted for unlawfully obtaining the records of almost two thousand customers before selling them to a claims management company. Stephen Siddell was fined £500, ordered to pay a £50 victim surcharge and £264.08 in prosecution costs.
  • 09 July 2014 Global Immigration Consultants Limited. A legal advice company has been prosecuted for failing to notify the ICO at Manchester Magistrates Court today. Global Immigration Consultants Limited entered a guilty plea and was fined £300, ordered to pay costs of £260.18 and a £30 victim surcharge.
  • 06 June 2014 Darren Anthony Bott. The director of a pensions review company has been prosecuted for failing to notify the ICO. Darren Anthony Bott of Allied Union Ltd entered a guilty plea and was fined £400, ordered to pay costs of £218.82 and a £40 victim surcharge.
  • 05 June 2014 API Telecom. A telecoms company has been prosecuted by the ICO for failing to comply with an information notice in Westminster Magistrates’ Court yesterday. The company, API Telecom, entered a guilty plea and was fined £200, ordered to pay full costs of £489.85 and the victim surcharge was imposed.
  • 13 May 2014 QR Lettings. A property company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. QR Lettings pleaded guilty at a hearing on 13 May 2014 at Birkenhead Magistrates Court. The company was fined £250, ordered to pay costs of £260 and a £30 victim surcharge.
  • 25 April 2014 Barry Spencer. A man who ran a company that tricked organisations into revealing personal details about customers has been ordered to pay a total of £20,000 in fines and prosecution costs, as well as a confiscation order of over £69,000 at a hearing at Isleworth Crown Court.
  • 25 April 2014 Allied Union Limited. A pension review company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act.  Allied Union Limited pleaded guilty at a hearing on 25 April 2014 at Swansea Magistrates Court. The company was fined £400, ordered to pay costs of £338.11 and a victim surcharge of £40.
  • 25 March 2014 Help Direct UK Limited. A financial adviser has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Help Direct UK Limited pleaded guilty at a hearing on 25 March 2014 at Swansea Magistrates Court. The company was fined £250, ordered to pay costs of £248.83 and a victim surcharge of £25.
  • 12 March 2014 Boilershield Limited. A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates. They were both fined £1,200, ordered to pay costs of £196.87 and a victim surcharge of £120.
  • 11 March 2014 Becoming Green (UK) Ltd. A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted by the Information Commissioner’s Office after failing to notify the ICO that it handled customers’ personal data. The offence was uncovered when the company was being monitored following concerns about compliance.
  • 24 January 2014 ICU Investigations Limited. Six men who were part of a company that tricked organisations into revealing personal

Enforcements

  • 19 November 2014 Grampian Health Board (NHS Grampian). The Information Commissioner’s Office has ordered NHS Grampian to take action to make sure patients’ information is better protected.
  • 12 November 2014 Hot House Roof Company. The ICO has issued an enforcement notice against Hot House Roof Company ordering them to stop making nuisance marketing calls. The company had failed to honour suppression requests and repeatedly made calls to a number of individuals despite their being TPS registered.
  • 21 October 2014 Abdul Tayub. The Information Commissioner’s Office has served Abdul Tayub with an enforcement notice after he was found to be sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.
  • 12 September 2014 All Claims Marketing Limited. The Information Commissioner’s Office has served All Claims Marketing Limited with an enforcement notice after the company was found to be sending unsolicited marketing mail by electronic means without providing information as to its identity.
  • 03 September 2014 Winchester and Deakin Limited. The Information Commissioner’s Office has served Carmarthen-based direct marketing company Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim) with an enforcement notice ordering them to stop making nuisance calls. The move comes after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) or who had asked not to be contacted.
  • 16 June 2014 DC Marketing Limited. The ICO has issued an enforcement notice against DC Marketing Limited after the company made hundreds of nuisance calls to try and get people to purchase solar panels partly financed by the Green Deal Home Improvement Fund. An ICO investigation found the company also frequently gave a false name to avoid detection.
  • 29 May 2014 Wolverhampton City Council. The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
  • 03 April 2014 Amber UPVC Fabrications Ltd (T/A Amber Windows). The ICO has issued an enforcement notice against Amber Windows ordering them not to call subscribers who have previously told them not to ring or subscribers who have not consented to them calling and have registered the number with the TPS for at least the required 28 days.
  • 10 March 2014 Isisbyte Limited. The ICO has served an enforcement notice on Isisbyte Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.
  • 10 March 2014 SLM Connect Limited. The ICO has served an enforcement notice on SLM Connect Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.

Who has breached the Data Protection Act in 2012? Find the complete list here.

Who breached the Data Protection Act in 2013? Find the complete list here.

I thought I had published this months ago but found it still in my drafts.

2013 was a very busy year for the UK’s Information Commissioner’s Office (ICO), which issued record numbers of fines and enforcement notices.

There are normally three types of action taken by the ICO:-

  1. Monetary penalties. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertakings. Typically applied when an organisation has failed to adhere to good business practice and needs the guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act and, as in 2012, there were not many in 2013.

The complete list of those who fell foul of the Data Protection Act in 2013 is below:-

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury, not retained by the ICO. The size of the fines might change with the pending revision to the Data Protection Act.

The list has the most recent first.

  • 16 December 2013. A monetary penalty notice has been served on First Financial (UK) Limited after the payday loans company sent millions of spam text messages.
  • 29 October 2013. A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
  • 22 October 2013. A monetary penalty notice has been served on the Ministry of Justice for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.
  • 26 September 2013. A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.
  • 29 August 2013. A monetary penalty notice has been served on Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 23 August 2013. A monetary penalty notice has been served on Islington Borough Council after the personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.
  • 5 August 2013. A monetary penalty notice has been served on the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.
  • 12 July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are being dealt with by the Department of Health.
  • 8 July 2013. A monetary penalty notice has been served on Tameside Energy Services Ltd after the Manchester-based company blighted the public with unwanted marketing calls.
  • 18 June 2013. Monetary penalty notices have been served on Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd, based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey between 26 May 2011 and the end of December 2012.
  • 13 June 2013. A monetary penalty notice has been served on North Staffordshire Combined Healthcare NHS Trust after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013. A monetary penalty notice has been served on Glasgow City Council following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013. A monetary penalty notice has been served on Halton Borough Council in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013. A monetary penalty notice has been served on Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013. A monetary penalty notice has been served on DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013. A monetary penalty notice has been served on the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013. A monetary penalty notice has been served on the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Appeal withdrawn.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to carry out certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

The list has the most recent first.

  • 20 December 2013. A follow up has been completed to provide an assurance that Luton Borough Council has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 26 November 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Borough of Windsor & Maidenhead, following an incident in which restricted information about employees was disclosed on its intranet in error.
  • 22 November 2013. An undertaking to comply with the Privacy and Electronic Communications Regulations has been signed by Better Together. The organisation must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent.
  • 22 November 2013. A follow up has been completed to provide an assurance that Foyle Women’s Aid has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 21 November 2013. An undertaking to comply with the seventh data protection principle has been signed by Great Ormond Street Hospital for Children NHS Foundation Trust. This follows four incidents involving the accidental disclosure of sensitive personal data.
  • 1 November 2013. A follow up has been completed to provide an assurance that The Health and Care Professions Council has appropriately addressed the actions agreed in its undertaking signed July 2013.
  • 1 November 2013. A follow up has been completed to provide an assurance that Mansfield District Borough Council has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 25 October 2013. A follow up has been completed to provide an assurance that The Burnett Practice has appropriately addressed the actions agreed in its undertaking signed in April 2013.
  • 25 October 2013. An undertaking to comply with the seventh data protection principle has been signed by Panasonic UK. This follows the theft of an unencrypted laptop containing personal data relating to people who had attended a hospitality event run by a third party company on Panasonic’s behalf.
  • 15 October 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Veterinary College. This follows the loss of a memory card containing personal data. In addition, data protection training is not considered to be adequate and the RVC does not appear to be taking steps to address this proactively. This highlights a potentially serious failing in respect of staff awareness of Information Governance policies. The ICO’s investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace.
  • 7 October 2013. An undertaking to comply with the seventh data protection principle has been signed by The Hillingdon Hospitals NHS Foundation Trust.
  • 4 October 2013. An undertaking to comply with the seventh data protection principle has been signed by the Cardiff & Vale University Health Board, following the loss of documents containing sensitive personal data by a consultant.
  • 11 September 2013. An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council following several incidents involving inappropriate handling of sensitive personal data. Investigation of these incidents revealed that previous recommendations made by the ICO had not been implemented.
  • 29 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
  • 28 August 2013. An undertaking to comply with the sixth data protection principle has been signed by Cardiff City Council. The Council agreed to put measures in place to ensure greater compliance with subject access requests.
  • 22 August 2013. An undertaking to comply with the seventh data protection principle has been signed by the Local Government Ombudsman. This follows the theft of a bag containing hard copy papers relating to complaints made to the Local Government Ombudsman (the LGO), including some sensitive personal data. The ICO considered that the provision of data protection training was insufficient to ensure staff awareness of policies and procedures relating to the use of personal data.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Northern Health & Social Care Trust. This follows a number of security incidents which led to a formal investigation into the Trust’s compliance with the Act. One incident in May 2011, involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.
  • 13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Foyle Women’s Aid. This follows the temporary loss of a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid that was left in a café. The folder contained confidential client information. An apparent lack of effective controls and procedures for taking information out of the office was a contributor to the loss of highly sensitive personal data.
  • 16 July 2013. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website http://www.janetpage.com.
  • 9 July 2013. An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013. (issued 10 September 2012) An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 12 June 2013 (issued 18 September 2012). An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011). An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

The list has the most recent first.

  • 3 December 2013. A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery. Steven Tennison was prosecuted under section 55 of the Data Protection Act at Maidstone Magistrates Court.
  • 8 October 2013. A payday loans company based in London and its director have been prosecuted after failing to register that the business was processing personal information. Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court.
  • 25 September 2013. A former Barclays Bank employee has been fined after illegally accessing the details of a customer’s account. In one case the employee, Jennifer Addo, found out the number of children the customer had and passed the details to the customer’s then partner, who was a friend of Ms Addo.
  • 15 August 2013. A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been fined £150 following a prosecution brought by the ICO.

Find the 2012 list here.

UK’s Information Commissioner believes 2013 will be the year businesses handle data correctly…!

2013 is the year that the commercial imperative of good data handling will be realised

Speaking at the launch of the ICO’s annual report today, Christopher Graham will highlight that consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.

An ICO study into public attitudes toward data protection found that 97% of those surveyed were concerned that organisations would pass or sell-on their personal details. The survey also found more than half (53%) considered details of the products they had bought to be personal information.

Yet in spite of these consumer concerns, only 10% of businesses were aware of the legal limitations on how they could use customers’ personal data.

Information Commissioner Christopher Graham said:

“Education and empowerment have been two of the key areas we’ve focused on in the past twelve months. That work is having real benefits: consumers’ awareness of their rights remains strong, and that is empowering people to demand more in return for their data.

“The result is consumers expecting organisations to handle their personal data in a proper way, and in a legal way. Businesses that don’t meet that basic requirement are going to quickly find themselves losing customers.

“I think 2013 is the year that organisations will realise the commercial imperative of properly handling customer data. The stats we’ve seen about public concern around personal data show that, as does a company the size of Microsoft choosing privacy as a theme of a national advertising campaign.

“The message to business is simple: consumers understand the value of their personal data, and they expect you to too.”

Find the complete report here.

Rubbish causes a breach of the Data Protection Act and a £250,000 fine

Scottish Borders Council employed an outside company to digitise its employee records, but when the pension records of several hundred ex-employees were found in recycling bins the Information Commissioner’s Office began an investigation into a breach of the Data Protection Act.

Following the investigation the Information Commissioner has fined the Council £250,000 for not seeking appropriate guarantees on how the personal data would be kept secure and dealt with.

It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.

Ken Macdonald, ICO Assistant Commissioner for Scotland, said:

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.

“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

Who else has the information commissioner caught this year? Find out here.


Latest NHS Fine for breaching the Data Protection Act is close to the “current” limit at £325,000

After a series of breaches where the NHS organisation involved received nothing more than a slap on the wrist the Information Commissioner is finally ratcheting up the pressure on public sector organisations, especially the NHS for breaching the Data Protection Act.

In the latest breach Brighton and Sussex University Hospitals NHS Trust has been fined £325,000 after a serious breach; it is the highest penalty the ICO has ever issued.

The maximum fine was raised to £500,000 in April 2010.

It is worth noting that fines under the proposed European Data Protection Act will be considerably higher, with figures in the order of €1 million or 2% of turnover being discussed, see Proposed European wide Data Protection Act – a review.

The Brighton and Sussex University Hospitals NHS Trust breach involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of:

  • Patients’ medical conditions
  • Treatments
  • Disability living allowance forms
  • Children’s reports

It also included documents containing staff details including:

  • National Insurance numbers
  • Home addresses
  • Ward
  • Hospital IDs
  • Information referring to criminal convictions and suspected offences

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in its initial investigation following this discovery that only these four hard drives were affected, a university contacted the ICO in April 2011 to advise that one of its students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

See previous ICO monetary fines for the NHS


Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed replacement for the EU’s 1995 Data Protection Directive and have found it fascinating. The rumours, the speeches, the headlines and of course the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong, I am 100% in favour of a consolidated European Data Protection Act, because ambiguity in one country leads to breaches in another, and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction, but some of the points are likely to be contentious, for example the “Right to be forgotten” and “all businesses with 250+ employees needing a Data Protection Officer”. There are others, but I will cover them later in the post.

One thing is obvious, a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act, and who are trying to stop it becoming another Human Rights Act! They want a simple and coherent Act that is easy to enforce without a constant stream of lawyers muddying the waters.
  4. Those citizens who in the main do not have a clue what is being done in their name and there are 500 million of them.

Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, believes the proposed EU-wide Data Protection Act will save European businesses €2.3 billion annually whilst protecting the privacy of European citizens.

Great, everyone wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with the 27 differing Data Protection Acts operated across the EU member states. However, if you are a small business operating in one or two countries you may struggle to benefit financially from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is the Information Commissioner, is likely to be massive, which means it will need more staff to accommodate and enforce the new requirements, which in turn means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons, but one in particular stands out as an administrative nightmare: if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU, the local DPA has to be informed. How many times this will need to be done is hard to calculate, but consider how much data goes to the call centres in the Philippines: with 600,000 Filipinos employed in call centres it is going to be a lot. Then there is data processing in India, data translation in America, Disaster Recovery contingencies across the globe, cloud computing (where is the cloud?); the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements.
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioner’s Office (ICO) handled 30,000 complaints, and with the proposed requirements on businesses that number could easily quadruple. You could say “some of the 30,000 complaints lead to convictions and fines and that could pay for the increased costs of operating the new Data Protection Act”; on the face of it you are correct, except that the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby governments for the correct funding in each country; she believes that if the levied fines were pointed in the right direction they could become a revenue generator for the country.

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013, which is likely to be 12 months before the Act is enforceable but 12 months after hundreds of thousands of businesses have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on business to be pro-active. Prevention is better than the cure, or in this case better than a data breach.

Businesses will be required to:

  • have “Privacy/Data Protection by Design”, which means that, at the point of building a process or system, security has to be on the list of desired outcomes.
  • have Data Protection by default, which means all systems have to be secure.
  • undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate it. This is not a Penetration Test; it is a thorough assessment of the people, processes and technologies surrounding and impacting the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert, ISBN-10: 9400725426.

Another huge improvement is the requirement on business to formally notify the local DPA of any breaches. Breach Notification has been in existence for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that it will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory Breach Notification is a difficult area because some breaches can run for months or years before they are discovered. As far as the Act is concerned it is the point of discovery that matters, but if a business did try to cover up a breach there is a good chance it will be found out, and the details of who did what will be clear for the world to see.

In 2007 when the UK’s HMRC lost a CD containing the child benefit details of 25 million people everyone expected an avalanche of Identity Thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued however that, as a result, 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

A case similar to the HMRC situation arose in 2008 when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was that the data was used for criminal purposes. The criminal Albert Gonzalez, AKA “segvec”, “soupnazi” and “j4guar17”, has since been convicted and is currently serving 20 years for various crimes involving up to 130 million stolen credit cards’ data. Details of Gonzalez can be found here.

Once the DPA has been informed the organisation then has to inform the individuals affected. This is the first direct cost of a breach. See my post The huge and unexpected administrative costs of a data breach. There is always the risk that they may not understand the notification, for example a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example Tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place and being able to prove it was running essential.

Another impact, which affects many countries and especially the UK, involves the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means that if a cover-up has been attempted but was not successful, there is a chance the organisation can avoid having all the information go public by admitting the breach and thereby suppressing the details. The new Act will mean nearly all of the information about a breach will be in the public domain, including an organisation’s failure to protect PII and possibly the organisation’s attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned Data Protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The Commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPA’s lack of independence. For any country to be hauled in front of the European Court of Justice is embarrassing, especially if it has to amend its own legislation. Full details of the Hungarian action can be found here.

Summary of the key changes proposed in the Act:

The Right to be forgotten is a contentious area for many organisations, for example:

  • Can someone with a bad credit history invoke the right to avoid their past?
  • If someone invokes the right with their insurance company they will lose their car insurance no-claims bonus. Could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data?
  • In the case of employees past and present, what information can be retained and what information has to be retained?

Privacy by Design. There is a debate as to whether the actual wording will be “Privacy” or “Data Protection”, which will be settled when the final draft is passed into law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority Informed.

Explicit consent must be obtained to include PII in databases, and individuals must be able to have their information removed easily.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Business must address the portability of data;

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale

  • 0.5% of global turnover or €250,000
  • 1.0% of global turnover or €500,000
  • 2% of global turnover or €1 million
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except for Law Enforcement, who will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined up policing across the member states.

This post was meant to be a short summary (compared to my notes it is), but the far-reaching impact of this Act is largely unknown to most organisations, and it has a high probability of being passed into law during 2012, giving a requirement to be compliant by 2014. Whatever the date is, there is a need for organisations of any size to be aware of what is coming and to start developing plans to have Privacy and Data Protection at the forefront of their business plans NOW.


The good old-fashioned way to breach the Data Protection Act – lose some paperwork

The London Borough of Barnet was fined £70,000 by the Information Commissioner for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and other details of 15 vulnerable children or young people.

A social worker took the paper records home to work on them out of hours and was unfortunately burgled. Why would a criminal steal worthless paperwork? Well the paperwork was inside a laptop bag complete with laptop.

The Information Commissioner’s Office investigation found the council had “failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the council had an information security policy and some guidance for staff on handling sensitive papers, the measures failed to explain how the information should be kept secure”.

This is the second fine for this council, after an unencrypted device containing personal data was stolen from an employee’s home in June 2010.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”


E*Trade Securities Ltd falls foul of the ICO after losing customer records

In April 2010 E*Trade Securities Ltd discovered that 608 customer records had been lost at a UK-based storage facility and, despite an investigation, was unable to recover the records.

E*Trade Securities Ltd did not have a formal agreement to store the customer information securely and subsequently informed the Information Commissioner’s Office in December 2010.

E*Trade Securities Ltd has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure.

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”


Health worker convicted of obtaining patient details unlawfully

Juliah Kechil, formerly known as Merritt, a former Health Care Assistant in the outpatients department at the Royal Liverpool University Hospital has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

She was convicted under section 55 of the Data Protection Act at Liverpool City Magistrates Court today.

She was fined £500 and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.

Ms Kechil accessed the medical records of the five individuals between July and November 2009. Royal Liverpool University Hospital began an investigation in November 2009 when the defendant’s father-in-law contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. Having changed his phone number in July 2009 following unwanted calls from Ms Kechil, he was immediately concerned that there had been a breach of patient confidentiality.

Ms Kechil had no work-related reasons to access their records and she accessed the information for her own personal gain without the consent of her employer. The accesses were traced through audit trails which were linked to the defendant’s smartcard ID.

Head of Enforcement, Steve Eckersley, said:

“Unlawfully obtaining other people’s information for personal gain is a serious offence which can have potentially devastating effects. Ms Kechil accessed medical records for entirely personal reasons. The breach of their privacy would obviously have been very distressing for the individuals involved.

“People should be able to feel confident that their personal details will be stored securely and only accessed when there is a legitimate business need. We will always push for the toughest penalties against individuals who abuse this trust.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Another recent breach of the Data Protection Act by someone accessing Medical Data – Illicit access of medical records leads to a breach of the Data Protection Act


Illicit access of medical records leads to a breach of the Data Protection Act


A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two-year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court after unlawfully obtaining her sister-in-law’s medical records in order to find out about the medication she was taking.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Ms Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

Christopher Graham the Information Commissioner said:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”
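Both of the prosecutions above turned on the audit trail behind each record access. As an added example (not code from the ICO, the hospital or the practice; the log format, smartcard IDs, caseload table and conflict register are all constructed assumptions), this Python script runs over a constructed access log and flags lookups that have no recorded care relationship or that touch a declared relative, so that a hospital can spot this kind of misuse before a victim has to complain:

```python
"""Flag patient-record accesses that have no work-related justification.

Added example, not ICO or hospital code. It assumes a constructed audit
log (one line per record access, keyed by the staff smartcard ID) and a
constructed table of legitimate care relationships; real systems differ.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: timestamp, smartcard ID, patient ID, action.
AUDIT_LOG = """\
2009-07-14T09:12:03 SC-1042 P-2001 VIEW
2009-07-14T09:15:40 SC-1042 P-3310 VIEW
2009-08-02T13:47:11 SC-1042 P-3311 VIEW
2009-09-19T16:02:55 SC-1042 P-3312 VIEW
2009-11-05T08:30:00 SC-1042 P-3313 VIEW
2009-11-05T08:31:20 SC-1042 P-3314 VIEW
2009-11-06T10:00:00 SC-2077 P-2001 UPDATE
2009-11-06T10:05:00 SC-2077 P-2002 VIEW
"""

# Constructed care relationships: patients each staff member is currently
# treating or scheduled to see (clinic lists, ward allocations).
CARE_RELATIONSHIPS = {
    "SC-1042": {"P-2001"},
    "SC-2077": {"P-2001", "P-2002"},
}

# Constructed conflict register: relatives or known contacts a staff member
# has declared and must not look up.
DECLARED_CONFLICTS = {
    "SC-1042": {"P-3310", "P-3311"},
}


def parse_audit_log(text):
    """Parse the whitespace-separated log into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, patient, action = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "staff": staff,
            "patient": patient,
            "action": action,
        })
    return events


def classify_access(event, relationships, conflicts):
    """Return 'legitimate', 'conflict' or 'no_relationship' for one access."""
    staff, patient = event["staff"], event["patient"]
    if patient in conflicts.get(staff, set()):
        return "conflict"
    if patient in relationships.get(staff, set()):
        return "legitimate"
    return "no_relationship"


def find_suspicious_access(text, relationships=CARE_RELATIONSHIPS,
                           conflicts=DECLARED_CONFLICTS, threshold=3):
    """Group unjustified accesses by smartcard ID.

    Returns {staff_id: {"conflict": [...], "no_relationship": [...], "alert": bool}}.
    'alert' is set when any declared conflict was accessed, or when the number
    of distinct patients viewed without a care relationship reaches `threshold`.
    A single unexplained lookup may be a mistyped ID; a pattern across months,
    as in the case above, is what an investigator acts on.
    """
    findings = defaultdict(lambda: {"conflict": [], "no_relationship": [], "alert": False})
    for event in parse_audit_log(text):
        verdict = classify_access(event, relationships, conflicts)
        if verdict == "legitimate":
            continue
        entry = findings[event["staff"]]
        if event["patient"] not in entry[verdict]:
            entry[verdict].append(event["patient"])
    for entry in findings.values():
        entry["alert"] = bool(entry["conflict"]) or len(entry["no_relationship"]) >= threshold
    return dict(findings)


if __name__ == "__main__":
    for staff_id, entry in find_suspicious_access(AUDIT_LOG).items():
        print(staff_id, entry)
```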


Websites failing cookie regulations

Earlier this year the UK government tried to implement the Privacy and Electronic Communications Regulations following an EU Directive. The regulations were to have taken effect on the 25th May 2011 but, after a series of lobbies and petitions, the regulations were put back to the 26th May 2012.

As part of the process the Information Commissioner implemented a 12 month lead-in process and 6 months into the process has released a statement.

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules.

“But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?

“Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running websites are far better placed to know what will work for them and their customers.”

Key points set out in the amended cookies advice include:

  • More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
  • The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
  • However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
  • Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
  • The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.

The ICO claims it wants the following:

  • We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.
  • We will further reduce the burden on those trying to comply by ensuring that our response to complaints recognises ongoing work.
  • We will give realistic and practical advice to those who ask for it.
  • We will be clear about how this work fits in with our strategy on regulatory action.
  • We will apply the rules consistently.

What the ICO expects from website owners

There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take. Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.

Two general questions that might help in this regard might be, “is my website doing anything that my users don’t know about?” and “am I confident that I am giving them appropriate options?” Your confidence might stem from the fact that you have switched all your cookies off until users tell you to switch them on again. It might stem from the fact that many of your users are registered with you and as part of the registration process they have indicated to you that they are happy for your site to work in a certain way. Or it might stem from the fact that your users will know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.

The first option is the safest one. The second is just as safe provided that you are honest and upfront with registered users and that you can rely on the fact that they have made an informed decision to click that “Agree” button. It also, of course, only applies to some of your users – how will you ensure that the one-off or casual user is not left with a browser full of persistent and unwanted cookies?

The third option relies on a lot of factors that might be out of your control such as the general level of user awareness. You can and should, though, do whatever you can to demonstrate your compliance. Three things will help: following the ICO advice, looking for and implementing the ‘quick wins’ and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can’t you?”
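The exempt/consent-required split in the amended advice, and the first of the three options above (everything non-essential switched off until the user switches it on), shown server-side as an added Python example. This is not ICO code or code from any real site; the cookie names, their purposes and the cookie_consent value format are constructed assumptions for a fictional shop.

```python
"""Gate non-essential cookies behind user consent, server side.

Added example, not ICO guidance or any real site's code. The purpose
categories follow the amended ICO advice: shopping-basket and security
cookies are treated as exempt; analytics, advertising and returning-visitor
cookies are only set once the user has consented to that purpose.
"""
from http.cookies import SimpleCookie

# Purposes the advice says are likely to be exempt from consent.
EXEMPT_PURPOSES = {"strictly_necessary", "security"}
# Purposes that need consent; each can be granted separately.
CONSENT_PURPOSES = {
    "analytics", "advertising_first_party",
    "advertising_third_party", "recognise_returning_user",
}

# Constructed cookie audit for a fictional site: cookie name -> purpose.
SITE_COOKIES = {
    "basket":       "strictly_necessary",
    "csrf_token":   "security",
    "_stats":       "analytics",
    "promo_seen":   "advertising_first_party",
    "adnet_uid":    "advertising_third_party",
    "welcome_back": "recognise_returning_user",
}

# Assumed name of the consent cookie; value is "purpose1|purpose2|...".
CONSENT_COOKIE = "cookie_consent"


def parse_consent(cookie_header):
    """Return the set of consented purposes from a request's Cookie header.

    Absent, malformed or unknown consent means no consent (cookies stay
    switched off until the user switches them on), never an implied yes.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # CookieError on an illegal key, or any garbage
        return set()
    if CONSENT_COOKIE not in jar:
        return set()
    granted = {p for p in jar[CONSENT_COOKIE].value.split("|") if p}
    return granted & CONSENT_PURPOSES


def cookies_allowed(consented, site_cookies=SITE_COOKIES):
    """Names of cookies the server may set given the consented purposes."""
    return sorted(name for name, purpose in site_cookies.items()
                  if purpose in EXEMPT_PURPOSES or purpose in consented)


def build_set_cookie_headers(cookie_header, values, site_cookies=SITE_COOKIES):
    """Build Set-Cookie header values for the cookies a page wants to set.

    `values` maps cookie name -> value. Any cookie whose purpose has not been
    consented to is silently dropped, and every emitted cookie is marked
    Secure, HttpOnly and SameSite=Lax.
    """
    allowed = set(cookies_allowed(parse_consent(cookie_header), site_cookies))
    headers = []
    for name, value in values.items():
        if name not in allowed:
            continue
        c = SimpleCookie()
        c[name] = value
        c[name]["secure"] = True
        c[name]["httponly"] = True
        c[name]["samesite"] = "Lax"
        headers.append(c[name].OutputString())
    return headers


def audit_report(site_cookies=SITE_COOKIES):
    """Split the cookie audit into exempt and consent-required, for the record
    the ICO says it expects a site owner to be able to produce."""
    return {
        "exempt": sorted(n for n, p in site_cookies.items() if p in EXEMPT_PURPOSES),
        "needs_consent": sorted(n for n, p in site_cookies.items() if p not in EXEMPT_PURPOSES),
    }


if __name__ == "__main__":
    wanted = {"basket": "x1", "csrf_token": "t9", "_stats": "s1", "adnet_uid": "a1"}
    print(audit_report())
    print(build_set_cookie_headers(None, wanted))                      # exempt only
    print(build_set_cookie_headers("cookie_consent=analytics", wanted))  # + _stats
```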


Information Commissioner gets tough with the largest fine for the breach of the Data Protection Act

The Information Commissioner’s Office (ICO) has served a penalty of £130,000 on Powys County Council for breaching the Data Protection Act.

Powys County Council sent the details of a child protection case to the wrong recipient.

The £130,000 penalty is the highest that the ICO has served since it was given the power in April 2010 and follows a similar incident, which was reported by the council to the ICO in June last year.

The latest breach at Powys County Council occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and sent out without being checked. The recipient received the two pages in error and knew the identities of the parent and child whose personal details were included in the papers.

The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

Assistant Commissioner for Wales, Anne Jones said:

“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

The Information Commissioner’s Office is pressing the Ministry of Justice for stronger powers to audit local councils and the NHS on their Data Protection compliance.


Estate Agent prosecuted for not disclosing he stored personal data

Merfyn Pugh Estate Agents pleaded guilty (1.12.11) to the offence of failing to notify the Information Commissioner’s Office (ICO) that his business processes personal data.

John Merfyn Pugh of the estate agents Merfyn Pugh was prosecuted under section 17 of the Data Protection Act.

The Data Protection Act 1998 requires every organisation or person who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence and could lead to a fine of up to £5,000 in a Magistrates Court, or unlimited fines in a Crown Court.

Mr Pugh was given a conditional discharge of six months and was ordered to pay £614 towards prosecution costs.

If Mr Pugh had completed the required paperwork his costs would have been only £35, and he would have avoided a criminal record as well as damage to his business’s reputation.

Assistant Information Commissioner for Wales, Anne Jones, said:

“Registering as a data controller is a basic legal requirement of the Data Protection Act. The fee for most businesses is £35 a year. Merfyn Pugh Estate Agents’ failure to register – even after being prompted to do so by the ICO – has cost them much more today. The message behind today’s prosecution is clear – ignore warnings and you too could end up in court.”

All organisations that handle personal data but have not yet registered as a data controller should proactively contact the ICO to ensure they are complying with the law. Some organisations will be exempt.


Information Commissioner fines two councils for emailing personal information

The Information Commissioner’s Office (ICO) has served monetary penalties to two councils for breaching the Data Protection Act.

The penalties were served on North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.

1. Worcestershire County Council was fined £80,000 for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

2. North Somerset Council was fined £60,000 for breaching the Data Protection Act when a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents, which took place during November and December 2010, occurred when a council employee selected the wrong email address when creating a personal distribution list. The council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions. The issue was then raised at senior level. Two of the council’s Assistant Directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. In response to these incidents, the ICO has recommended that the council adopt a more secure means of sending information electronically, including encryption and ensuring that managers sign off email distribution lists.

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies following a series of data protection breaches.


Gambling takes on a new meaning when someone steals your personal information

A former gambling industry worker who unlawfully obtained and sold personal data relating to over 65,000 online bingo players has been found guilty of committing three offences under section 55 of the Data Protection Act.

Marc Ben-Ezra, of Finchley, was given a three year conditional discharge and ordered to pay £1,700 to Cashcade Limited as well as £830.80 costs at Hendon Magistrates Court today.

Information Commissioner, Christopher Graham, said:

“This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.

“I am grateful to Cashcade Limited and Gala Coral for their work in exposing this unlawful practice. However, we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.”

The offences were first uncovered in May 2011 when Mr Ben-Ezra sent a series of emails to a number of contacts within the UK gaming industry offering customer data for sale. The emails were sent under the pseudonym Malcolm Edwards and contained a sample data set relating to 400 Foxy Bingo customers.

Cashcade Limited, which provides marketing services for the Foxy Bingo brand and is the data controller for its customer information, was concerned and wanted to know how its customer data had been obtained. The company instructed an investigative services company to conduct a test purchase of the data – which contained over 65,000 Foxy Bingo customers’ personal details – and paid Mr Ben-Ezra £1,700 in cash for it. Cashcade Limited then handed this information to the ICO and co-operated fully with investigators to find out who was responsible.

Cashcade Limited believe that the acquired test data, which did not contain customers’ bank account details, was unlawfully obtained in 2008 and sold to Mr Ben-Ezra, who was working for a poker company in Israel at the time. Attempts by Cashcade to identify the perpetrators of the 2008 breach have so far been unsuccessful but remedial action to prevent a recurrence has been taken. The company is continuing to pursue the other perpetrators.

The data that was acquired contained customers’ names, addresses, email addresses, telephone numbers and usernames. Cashcade Limited has assured the ICO that no customer accounts were compromised.

The email sent to the investigative services company by Mr Ben-Ezra also included customer information relating to 404 Gala Coral customers from 2008. The data controller – Gala Coral Group – has confirmed that they believe that the information was unlawfully obtained from their management information system.

Mr Ben-Ezra was exposed as the individual behind the offences in August 2011 when the ICO’s investigators traced the email address which was found to be registered to the business address of Mr Ben-Ezra’s father-in-law. After enquiries were made at that address, Mr Ben-Ezra contacted the ICO and during his meetings with officers co-operated fully and handed over the laptops containing the data. During an interview under caution he admitted the offences and stated that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel. He told officers that he kept the data which he had obtained whilst in Israel and, on moving to London, he sold it as a way of paying off his gambling debts.

The ICO has not received any complaints from the customers on the lists. Foxy Bingo and Gala Bingo have proactively contacted affected customers to assure them that their account information is secure.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.


Who fell foul of the Information Commissioner in October?

A week after my post “Calls for tougher penalties for breaches of the Data Protection Act” (read it here), I thought it would be a good time to look at who the Information Commissioner’s Office (ICO) has taken action against during the month of October 2011.

To add some consistency I have also included actions taken since 7 September, which is where a previous post, “Who has the Information Commissioner caught in the last 3 months?”, left off (read it here).

28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data. Read my post on this incident here.

27 October 2011
An Undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure e-mail with an Excel attachment containing personal data relating to employees of the data controller being sent in error to an unintended recipient outside of the organisation. It was also discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employees’ personal data in response to a Freedom of Information (Scotland) Act request.

5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.

An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.

See my post on these two incidents, “Education, education, when will people learn, encrypt your data as two more education establishments lose data”, here.

4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area – were put in a disposal room due to lack of space. See my post, Hospital Destroys 10,000 Archived Records, here.

An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.

15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely. See my post on this, “ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency”, here.

An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

14 September 2011
An Undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.

9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.

See other posts related to the Information Commissioner.

Calls for tougher penalties for breaches of the Data Protection Act

In the United Kingdom there is an Act of Parliament that seeks to protect the personal data of its citizens: the Data Protection Act 1998 (DPA).

The enforcer of the Act is the Information Commissioner’s Office (ICO). The ICO also has responsibility for other Acts of Parliament, specifically the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.

Within the Data Protection Act, anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  1.  Fairly and lawfully processed
  2.  Processed for limited purposes
  3.  Adequate, relevant and not excessive
  4.  Accurate and up to date
  5.  Not kept for longer than is necessary
  6.  Processed in line with your rights
  7.  Secure
  8.  Not transferred to other countries without adequate protection

The Justice Committee has recently produced a report on referral fees and the theft of personal data and concluded that the fines for breaching the Data Protection Act need to be tougher.

Sir Alan Beith, the Chair of the Justice Committee said:

“Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm.

“Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.

“Magistrates and Judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so.”

Report on the Potential misuses of personal data
Potential misuses of personal data are also not being fully investigated, the MPs warn, because the Information Commissioner does not have the power to compel private sector organisations to undergo information audits. If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers the issues around referral fees might have been identified and tackled sooner.

Sir Alan Beith MP added:

“The Information Commissioner’s lack of inspection power is limiting his ability to identify problems or investigate potential data abuses.

“Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector.”

Report on Referral fees
The committee welcomes the Government’s commitment to ban referral fees in personal injury cases. The MPs call on Ministers to take into account the fact that referral fees reward a range of illegal behaviour. The report concludes that banning referral fees, together with custodial sentences for breaches of Section 55 of the Data Protection Act, would increase the deterrent and reduce the financial incentives for such offences.

Case studies quoted in the Justice Committee Report:

  1. In one case, a nurse was providing patient details to her partner who worked for an accident management company. A fine was imposed of £150 per offence, but accident management companies pay up to £900 for one client’s details.
  2. A woman whose husband had been jailed for sexual assault accessed the bank account details of the victim. The woman attempted to monitor the victim’s spending and social activities but was only fined £100 per offence.

Information Commissioner, Christopher Graham said:

“The Government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data. Lord Justice Leveson’s Inquiry into press standards should not be used as an excuse for inaction. The Ministry of Justice still has not given a response to the previous administration’s public consultation of two years ago. We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act.

“We shouldn’t have to wait a further year for the 2008 legislation to be commenced when today’s highly profitable trade in our data has little if anything to do with the press.

“The Commissioner recently called for stronger powers of audit. The ICO is building a business case for the extension of Assessment Notice powers to parts of the private sector such as motor insurance and financial services as well as to the NHS and local government.

“I welcome the support of the Justice Committee.”

Information Commissioner: Businesses ‘waking up’ to Data Protection responsibilities

Businesses may be ‘waking up’ to their obligations under the Data Protection Act (DPA), but public confidence in how personal information is being handled continues to decline, the Information Commissioner’s Office (ICO) said today.

Figures published show that nearly three quarters of businesses surveyed now know that the DPA requires them to keep personal information secure. This is up 26% on last year’s figure.

Public confidence has fallen, with less than half of those surveyed believing that organisations process their data in a fair and proper manner. Concern is particularly high in relation to web-based businesses, with almost three quarters of individuals believing that online companies are not keeping their details secure.

Information Commissioner, Christopher Graham said:

“I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the Act’s principles higher than ever. However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining. Businesses seem to know what they need to do – now they just need to get on with doing it. It’s not just the threat of a £500,000 fine that should provide the incentive. Companies need to consider the damage that can be done to a brand’s reputation when data is not handled properly. Customers will turn away from brands that let them down.”

The ICO’s annual track survey looks at information rights issues across the board. Other figures released today show that awareness of citizens’ rights under the Freedom of Information Act is increasing.

    • 90% of public authorities surveyed are aware that individuals have a right to see information.
    • 84% also agreed that the Act is needed.
    • 24% of respondents were sceptical that the information they’d like to see is actually being made public.
    • Just half of those surveyed are satisfied that information is readily available and accessible.
    • 70% recognise the ICO’s role as the enforcer of the Data Protection Act, the highest awareness level since the question was introduced to the annual survey in 2004.
    • 53% of businesses surveyed now have a clear understanding of the ICO’s role in this area, compared with 20% last year. This increase is partly driven by the private sector.
    • 58% more breaches have been reported to the ICO so far in 2011/12 than in the same period last year.

The Information Commissioner, Christopher Graham, added:

“This survey highlights the increasing importance of accountability and transparency, and the public’s right to know. Almost all public authorities can see the clear benefits of having freedom of information laws. But more needs to be done to make sure that the right information is being made available since only half of citizens surveyed feel they have easy access to the information they want.”
