recent work

Absolute Data DP consulting update

October 8th, 2015

On 1st October 2015 Absolute Data moved its entire data protection consulting practice including DataWise to a new business called Data Protection People Limited. “We absolutely believe that this is in the best interests of our clients and our DP consulting team” said Absolute Data’s MD Phil Brining. “We’ve got more people, more investment, and a singular focus now which is to help organisations with their data protection and privacy compliance. I believe that changes happening before our eyes such as the Safe Harbor ruling as well as the changes down the line such as the GDPR mean that there will be an exponential growth in demand for the services that I have been building at Absolute Data for several years and we must grow and evolve to meet that demand and to continue to help our clients.

We have a fantastic portfolio of customers most of which are internationally recognised brands and I am very grateful for the trust and confidence they have placed with me and my consulting team. But we must invest and we must grow our team in order to deliver against the agenda coming over on the horizon.”

www.dataprotectionpeople.com

Charity fundraising under the spotlight

July 8th, 2015

Yesterday the BBC published a story putting charity fundraising under scrutiny http://www.bbc.co.uk/news/uk-33422277. Having worked with a few large charities I can see the difficulties they face. Many charities employ third party collectors or agencies to engage the public and collect donations and/or introduce new regular donors. This is a pure out and out sales activity and one which is, in my opinion, not easy to manage as the charity is at least two steps removed from the actual sales effort. Coupled with that, in my experience the contractual arrangements for such activities are not well documented – particularly in respect of the legal relationship and responsibilities regarding data. We’ve found many instances of charities employing several data processors with no data processing agreement in place and only very basic data protection provisions in a commercial agreement. In many cases the collector has proposed the commercial agreement, which the charity has adopted to reduce its legal fees – but this is a false economy, as agreements like this are stacked in favour of the collector and contain very weak data protection provisions.

Keeping a log of all such arrangements, using robust data processor agreements giving the charity the rights it needs to protect itself and members of the public is vital. We’re often asked to carry out due diligence on collectors for charities and have been on several site visits to assess their operations – particularly from an information governance and management control perspective. Pre-contract due diligence is another vital process that charities need to undertake.

In my experience charities generally expect collectors to behave responsibly and respectfully – but these are independent commercial sales operations that are usually incentivised by an income based on funds raised.

Staying safe during a video conference

June 4th, 2015

There have been many stories in the news recently concerning online privacy. These days, it is vital to make sure you take the necessary steps to secure yourself when using the internet. Companies employing video conferencing equipment also need to be vigilant. Video conferencing can bring many excellent benefits to your company, but the process can also pose security risks if you do not handle it in the right way. There are a few simple steps you can take when carrying out video conferencing to lessen the risk of data loss or identity theft.

– Think about nesting windows. Many video conferencing calls share a person’s computer screen between all the people involved in the conversation so that images and information can be shared. If you have windows open containing information that you do not plan to share, make sure they are all properly closed before you begin conferencing.

– Guard against unauthorised recording. If you’re having a discussion about trade secrets or upcoming projects and you don’t want rivals or competitors to know about it, it’s important that nobody is recording the conference without your knowledge. Make it clear to all attendees that unauthorised recording is forbidden and only take notes where necessary.

– Make sure your staff and colleagues have a clear understanding of data protection. A large majority of the security concerns we see in the media stem from a lack of understanding. We provide the best support in the business and advice whenever you need it to ensure that you understand how to protect your data, which will reduce the chances of any issues. If all companies had a strong data protection strategy in place, we would see far fewer incidents of data theft or breaches.

We specialise in salesforce CRM implementation and the creation and implementation of effective data strategies. If you would like to know more about what we can do for your company to help minimise the chances of data security issues, please don’t hesitate to get in touch.

£3m pay out for “Crazy Miss Bonkers”

May 22nd, 2015

Data, like everything in life, eventually reaches the end of its usefulness – it becomes unnecessary to fulfil or support the purpose for which it was collected. It’s a natural part of the data lifecycle. Unavoidable. And at that point it should be destroyed – properly. Within the Data Protection Act 1998 the 5th and 7th data protection principles cover this point: the 5th principle states that data should be kept for no longer than is necessary to fulfil the purpose for which it was collected, and the 7th principle obliges data controllers to utilise appropriate technical and organisational measures to keep data secure. An organisational measure might be to log, clearly mark up, segregate and keep secure all hard disks awaiting destruction, and a technical measure might be to smash redundant hard disks into oblivion! I’ve witnessed such a process and it is immensely satisfying. There are several companies offering such a service who will bring a mobile unit to your site and totally destroy hard disk media by smashing it to bits with a compressed air-powered machine. Be sure that you don’t destroy any data accidentally in the process, otherwise that too would be a breach of the Data Protection Act!

In the news last week was a £3m pay out for a former banker who was successful in a sexual discrimination case against her employer. Her argument was pretty well supported by information obtained via a Subject Access Request (SAR) – one of the rights a data subject has in accordance with the 6th Data Protection Principle. Svetlana Lokhova was supplied with a range of documents in which she was described by her male colleagues as “Crazy Miss Cokehead” and “Miss Bonkers”. The comments were generally contained in emails many of which were from Ms Lokhova’s line manager to others in the bank and even to clients. In one email, her boss told a client, “We are all quaking here awaiting arrival of Ms Cokehead in a puff of sulphurous smoke”.

Once comments of this nature are contained within a data system they are very difficult indeed to find and destroy. Most email systems helpfully retain deleted emails in a “deleted emails” folder, and of course an email will be in at least one “sent items” folder and one “Inbox”. It is an offence to deliberately delete information relevant to a SAR once a SAR has been received – but destroying data once it is past its useful life is not only good practice, it is an obligation under the DPA.

Five steps to secure data

March 13th, 2015

Data protection has been in the spotlight for the last few years as more and more cases of theft and security breaches occur. A recent study by Symantec found that consumers in the UK lack confidence in data protection, and believe that both businesses and the Government fail to do enough to protect them. One third of the people they polled even reported that they had intentionally used the wrong details because they feared using the right ones. The most important figure is that 89% of them said that security is a driver for which sites they choose to shop on.

Businesses can take five relatively simple steps to improve their data protection and ensure they give consumers confidence and the right experience.

The first step is to actually understand where data is stored. Some businesses use a range of different mediums to store information but the more of these you have the more risks you face. You’ll need a specific plan for each type of storage you use. Keeping this number to a minimum will help to reduce the potential for issues.

Next you should put a need to know policy in place. By limiting access you cut down on the number of people that are involved and the potential for errors. Access should be limited to people you trust and you should have systems in place to log who accesses what and from where.

The security of your network is very important, particularly when you consider that malware is changing daily and thieves are getting more and more sophisticated. You’ll certainly have a firewall and other protection in place but you need to make sure they are up to date and performing properly. The security coverage should also extend to mobile devices if you allow people to connect to your network with them.

A data management plan is essential and will help you to keep on top of records. You’ll need to have an idea of which details you must protect and how long you want to save them for. You should look at the vulnerabilities of your system and make sure these are the areas in which you invest in protection. As well as electronic records, consider paper ones and handle them securely. You must also account for the safe disposal of information.

The final thing to do is perhaps the most important; you need to educate everybody to make sure they understand the risks and their obligations. You can build a security culture where everybody takes steps to protect data and keep it secure. You also need to ensure you account for periodic upgrades and training so you stay up to date. Contact our expert team if you are in need of any assistance with your data strategy. We have the knowledge and experience you need to provide complete information assurance.

Facebook’s privacy policy under scrutiny

March 10th, 2015

Millions of people use social media on a daily basis to update their friends, family and colleagues on their lives.

Electronic communication plays an important role in our lives, with many of us using social media every single day. The most popular social network used across the world is Facebook, boasting over 1 billion users – a seventh of the world’s population. This January, the social network made significant changes to their privacy policy.

However, in a report written by Belgium’s data watchdog, Facebook have been accused of breaking data protection laws in Europe. The social network’s new terms were said to be in violation of European laws governing how data is gathered about individuals, what is done with it and how people are informed of such practices. The report stated that the security settings were far too complicated for users to clearly understand which data is private and which will be shared, as well as leaving users uncertain of which organisations are receiving their data. This news comes as European lawmakers are currently discussing future options regarding the region’s data protection, with new regulations expected from 2017 to meet the changing technology demands.

As millions of individuals and businesses rely on electronic communications in 2015, it’s important that businesses know that not only is their privacy and data protected, but that their clients’ are too. We are here to help concerned businesses with their privacy needs, specialising in data protection strategies, salesforce CRM implementation and more. Over the years we have worked with a variety of different businesses both small and large, providing them with practical advice and help to defend their data. Whether you would like our help with training your team or guidance in certain areas, we’re equipped with the experience and skill set needed.

Data Anonymisation added to DataWISE

March 9th, 2015

Data anonymisation functionality has been added to the DataWISE information governance management system. It is now possible to create an archived data set record in the Assets tab and record information about how it has been anonymised. We’ve also drafted a standard Data Anonymisation Policy and Procedure which is available to DataWISE users and which sets out why data is anonymised, the anonymisation process, and the anonymisation verification process. The procedure ties in with DataWISE’s record keeping so that a full record of the batches of data that has been anonymised is maintained in DataWISE. A training note has been added to DataWISE resources providing instruction on how to use the new feature. Contact us for more information.

DataWise helps to fully secure your company’s data

March 3rd, 2015

In the past several years, there have been several blunders made by various companies who simply have not taken satisfactory steps towards protecting their data. From local councils to global corporations, user details have been leaked in data breaches due to these entities simply not being careful enough with this vital information. This is why a suitable data strategy is absolutely vital. We are not only dedicated to providing a software solution, in the form of DataWise, to protect against this, but also to dispense help and advice to ensure that our clients do not easily lose their customers’ personal details.

Taking active steps towards securing customer data should be the number one priority of all companies and businesses. If you lose customers’ personal details, you are also extremely likely to lose their trust and their custom in the future. The problem with data breaches and leaks is that they can happen for a number of reasons, from inadequate security to hacking and even theft of key items such as memory sticks and laptops. By taking steps towards maximising your security, you can prevent this data from being leaked.

Preventing data leaks is not just a moral obligation, but a legal one as well. Organisations breaching the Data Protection Act could face a fine of up to £500,000. A company needs to make sure that its data is kept as safe as possible, that it is kept for the right amount of time and expunged on request, and that it knows exactly where all of its data is stored. These are only a few of the many guidelines that you need to adhere to in order to ensure that you are not falling foul of the act and risking being hit with a hefty fine.

Our DataWise system is used for complete data protection, and comes in three forms: DataWise Platform, DataWise Pro and DataWise Ultimate. Each part comes with different extras, but the basics remain unchanged, with our customers receiving our software platform and extras including templates and record keeping logs. It covers everything from disaster plans and information security incidents to data sharing agreements and materials in regards to legal compliance.

When you use our services, we take several steps towards ensuring that your data is as safe as it possibly can be. We take the time to learn about the data that you use and how you use it, before ensuring that all policies and procedures in place are adequate for protecting it. We also train your staff wherever possible to ensure that they know their responsibilities regarding information assurance, and also as a means of ensuring that they are fully adhering to data protection laws. If you need a fully comprehensive solution for your information security needs, then we can handle it for you.

How will new regulations affect data security and usage in the EU?

February 23rd, 2015

Later in 2015 we will see new regulations put into practice regarding data protection in the EU. The European Union’s General Data Protection Regulation (GDPR) will replace the directives that have been in place since 1995, modernising the system to suit the technologically advanced modern world. The aim is to create a single law rather than the multitude of national laws we currently have. It is hoped that the regulations will be simplified, require less administrative work and reduce legal uncertainty whilst also providing better protection for consumers.

Data protection and information assurance is very much in the spotlight at the moment. With the internet proving to be such an integral part of the modern age, more effort needs to be taken to protect consumers and ensure their information is secure when it is online. The new law will help to achieve this but political debate is set to continue about what the regulations should be.

In the UK, there is an ongoing political debate on data protection. The Conservatives have taken a middle of the road stance by championing the need to protect consumers whilst still giving businesses the ability to use consumer details to personalise the services and products they offer them. Labour has taken a similar balanced approach, although they are not in support of all of the proposed new laws. The Liberal Democrats have a positive outlook and believe we need clear rules that will provide better privacy, security and business services.

With the General Election in May it will be interesting to see which stance the new Government takes regarding data security. It will be very important to get the new regulations right, particularly in the UK because the NHS has been guilty of some of the most serious breaches. The debate will continue and new laws should be decided on after input from governments, technology companies and the people affected most by data breaches: consumers.

With data security in the spotlight it is more important than ever to have specialist companies on hand to help businesses and public entities to make the best decisions in terms of protection. We can plan and implement a bespoke data strategy for your business, whatever sector you are involved in.

Samsung TVs highlight concerns about technology and privacy

February 17th, 2015

Privacy has always been a big concern for people and businesses who deal with information which needs to remain private, but as more innovative new technology is introduced all the time, it’s becoming clear that data can be compromised in ways we never had to think about in years gone by. These technological developments inevitably lead to the need for new and improved data protection strategies.

Samsung’s Smart TV sets are a prime example of this; they have been in the news recently because of concerns that they may be “eavesdropping” on people in their own living rooms – a scenario that seems to be straight out of Orwell’s 1984.

The TVs are equipped with microphones that allow users to control them via voice commands rather than a remote control. It seems that the speech is then transmitted to a third party to be interpreted. Samsung’s privacy policy contains a warning to users that they should be careful when discussing personal or sensitive information near their TV, as the data will be transmitted to the third party through the voice recognition feature. Samsung have stated that they use industry-standard safeguards to protect users’ data and that people have the option to disable the voice command feature, but this has not assuaged the fears many people have about trusting this kind of technology in their homes.

News stories like these highlight the importance of having effective data protection strategies in place, to ensure that your privacy is not breached and that you are protecting yourself from unwanted effects of using new technology in your home or workplace. As a modern, dynamic company, we do all we can to stay up to date with the latest concerns people have about protecting their data, ensuring that we can continue to provide a useful and relevant service to all our clients. Whether you require salesforce CRM implementation, accurate risk assessments to determine possible danger areas, or advice on how to integrate data between different data systems, our team can come up with and implement a bespoke strategy based around your unique needs.

Another half a million medical records hacked!

April 22nd, 2014

The Daily Telegraph reports:

“The personal details of nearly half a million people considering cosmetic surgery may have been accessed by hackers, it has emerged.

Cyber criminals reportedly gained access to servers belonging to the Harley Medical Group, which has 21 clinics across the UK, and extracted some 480,000 records from its website enquiry form.

This includes prospective clients’ names, addresses, dates of birth, email addresses and telephone numbers, as well as details of the type of cosmetic procedure they were interested in.

Harley Medical Group said in a letter to customers affected that no clinical or financial information was accessed, and that it had informed the police and the UK’s Information Commissioner’s Office (ICO) about the data breach.

“We acted immediately when we became aware that an individual had deliberately bypassed our website security, gaining access to contact information from initial inquiries, in an attempt to extort money from the company,” said Harley Medical Group’s chairman Peter Boddy.
“We have taken action to further strengthen the security around website inquiries.”

Details on how the hackers managed to access the data have not been made public, but there is currently no suggestion that it is linked to the Heartbleed bug, which has been making headlines over the last two weeks.

A report in The Sun suggests that the hackers used a Russian email address to try and extort money from the Harley Medical Group.

Security expert Graham Cluley put the breach down to “sloppy security” on the part of Harley Medical Group, suggesting that it failed to protect its customers’ information.

“If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private,” Cluley wrote in a post on BitDefender’s HotForSecurity blog.

“Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them,” he said.

“Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages.”

The Information Commissioner’s Office confirmed that it would be making enquiries into the incident.”

http://www.telegraph.co.uk/technology/internet-security/10770922/Hackers-steal-500k-patient-records-from-Harley-Medical-Group.html

Busy May?!

April 2nd, 2014

Absolute Data’s Phil Brining has just signed up to attend the Salesforce World Expo at London’s ExCel and the Yorkshire Mafia, Buy Yorkshire event at the Royal Armouries, both of which are in May. Coupled with the Bank Holidays – it’s going to be a busy month!

French Data Protection Regulator granted new powers of inspection

April 1st, 2014

Privacy Law and Business reported yesterday on the new powers of inspection granted to the French data protection regulator, CNIL. The French Data Protection Act was amended on 17th March to give CNIL the right to perform checks on online databases. The sort of checks anticipated include how individuals are informed of the use of their data and how their consent is collected, how cookies and tracking tools are used, and also, by implication, an assessment regarding the risk of security breaches.

A CNIL spokesperson said, “The CNIL will not infringe companies’ security to gain access to their systems. But I want to stress that ‘security breaches’ only represent a part of our online inspections. If an infringement has occurred, the CNIL’s President can decide whether to issue an injunction or not. This injunction will compel the organization to take the necessary measures within a determined period of time.”

Privacy Law and Business stated that, “the new power allows the CNIL to remotely detect and react to data breaches on the Internet”.

Absolute Data Comment
This is an interesting development in light of the impending Data Protection Directive which will bring the UK’s data protection law in line with the rest of Europe in the next few years. It would seem that the French Regulator now has the power to be proactive in testing for compliance – a new power which may be granted to the Information Commissioner in the UK in the not-so-distant future. Of course UK companies with French operations may well find that they already fall under the scope of these new powers.

Absolute Data exhibit at iNetwork

March 21st, 2014

Absolute Data’s Joe Colleran and Phil Brining were delighted to be invited to attend the iNetwork spring event in Manchester today and chose the occasion to exhibit DataWise, the company’s information compliance management system. “We’ve had excellent interest in DataWise,” said Senior Consultant, Joe, “and there is real interest in the gap that DataWise fills.”

“It has been a great event,” said Managing Director Phil Brining, “well done iNetwork and thanks for inviting us to take exhibition space.”

New data protection law now in sight

March 15th, 2014

Earlier this week the European Parliament decisively voted through the new EU Data Protection reform package in a clear endorsement of the proposals meaning that a new data protection legislative framework is now within sight after months of delay.

The vote, 621 in favour, 10 against and 22 abstentions shows a massive majority of support for reform – the clearest indication yet that despite reports in the media of countries like the UK dragging their feet on the issue – the law across Europe will change in the next year or so. The EU press release says this reform is “a necessity” and is now “irreversible”.

So what does that mean for the UK? Well, the proposals are yet to be firmed up but the bar is going to be raised significantly. For instance, the fines to be imposed on firms that break the rules are to be raised to up to EUR 100 million or 5% of annual worldwide turnover. This is an increase on the previously discussed figure of EUR 1 million or 2% of annual worldwide turnover and the current limit of £500,000. There is likely to be a broadening of the definition of data falling under the scope of the legislation, more onus placed on data sharing/processing arrangements, and a requirement to have professionally trained data protection compliance officers in many organisations. The rights of individuals to have data erased will be increased.

The overriding principle underpinning the entire proposal is the focus on governance: on data controllers taking a more responsible approach to their processing of personal data; on having structured plans, policies, and procedures in place and an effective training and awareness program; and crucially, being able to provide evidence of having a good governance framework in place.

£200k fine – lack of awareness “no excuse”

March 14th, 2014

A not for profit organisation was fined £200,000 by the Information Commissioner (ICO) after falling victim to a hacker who stole 10,000 records from a database behind their web site. The hacker was subsequently jailed for 32 months – leaving the British Pregnancy Advisory Service (BPAS) with tough questions to answer.

BPAS claimed that they did not know what data was being collected on their web site and that it wasn’t therefore their fault that excessive and sensitive data was being kept in the database. They also claimed that their web provider was in charge of security of the servers and that it was pretty much out of their control.

The ICO showed no sympathy and sent out a stern reminder that it is a data controller who is responsible for the data processing activities that are undertaken on their behalf.

Deputy Commissioner, David Smith said: “Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

Absolute Data Comment

I see lots of situations every week of organisations who have appointed web providers to manage their web sites and have absolutely no idea of, nor any control over, what data is collected, how long it is stored and so forth. Only last week, while carrying out an information search for a client following a Subject Access Request, we uncovered a situation where a web site provider had been “scraping” social media comments made by our client’s customers and storing them indefinitely in a web database. Even when the poster had removed or modified the post – our client’s web provider retained a copy – effectively on behalf of our client – although they had no idea that this was going on!

I agree wholeheartedly with David Smith – if you have a web site YOU need to ENSURE that you know exactly what your appointed provider is doing in respect to data collection, storage, security etc. A growing area of our work at Absolute Data is carrying out due diligence on behalf of companies into their supply chain, including their web site provider.

Another fine for failure to notify

March 13th, 2014

Another company was fined earlier this week for failure to notify the office of the Information Commissioner that it was processing personal data.

Becoming Green (UK) Ltd was at Cardiff Magistrates Court and company director, 39-year-old Mr Abdul Muhith of Cardiff Bay, was also convicted for allowing the company to unlawfully process personal data without notifying the ICO (section 61 of the Data Protection Act).

Absolute Data Comment

There are a couple of points that interest me about this case.

  1. The offence was uncovered when an ICO case worker noticed Mr Muhith had not registered the company with the ICO, which is the first case I am aware of that has come to court through vigilant ICO employee action.
  2. In light of the above, there are about 10,000 ICO Notifications and about 3,000,000 UK businesses. Some of the companies that we work for at Absolute Data have several notifications, which I believe means in general terms that a massive majority of organisations are NOT notified – and you can’t tell me that they are all exempt from notification.
  3. And finally, the company director has now got a criminal record. It should be food for thought for 288 Company Directors…

Phil Brining

The ICO has produced an online self assessment tool to help businesses determine whether they need to notify.
http://ico.org.uk/for_organisations/data_protection/registration/self-assessment

Legality Risk to Cloud Computing on the horizon?

March 7th, 2014

When the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee called for the immediate suspension of data flows “to any organization that has self-certified its adherence to the US Safe Harbor Principles” there was a very sharp intake of breath from data protection compliance officers across Europe. If your company uses Google Docs or Salesforce or any other Safe Harbor company, your legal right to use that service for processing personal information could be in jeopardy.

_ _ _ _ _ _

It is common knowledge that it is unlawful to process personal information outside of the European Economic Area unless sufficient safeguards are in place to protect that information. In practice processing includes every conceivable activity you can think of that you would do with data: collecting it, storing it, transmitting it, retrieving it, backing it up… even deleting it is an act of data processing. The Data Protection Act 1998 also sets out that it is the data controller’s responsibility to ensure that the safeguards in place are sufficient – and the data controller is of course very likely to be YOU.

If you are using one of the many cloud computing services like Dropbox, Apple, GoogleDocs, CrashPlan, Office365, Zoho, Zapier, Survey Monkey, Mail Chimp etc. to process information about your staff or customers or prospects, then you are very likely to be deemed in law to be the Data Controller. The responsibility for the data that you are processing sits squarely with you. Any data loss, accidental destruction, malicious theft, or unauthorised access by snoopers is your problem and your responsibility. And if you haven’t any robust evidence of having undertaken due diligence to assess the suitability of the safeguards in place at the company who is processing data on your behalf (i.e. the cloud service provider), then heaven help you. You may have a £500,000 fine heading your way!

So what are considered to be “sufficient safeguards” and how do you go about undertaking and documenting due diligence? Most people think that data protection safeguards are exclusively about IT security – about firewalls, tunnels, password controls, tokenisation, encryption etc. – but that is only part of the picture. It’s actually only 12.5% of the problem, to be precise! More of that later. There are also varying degrees of due diligence that you need to apply to ANY data sharing/data processing agreement/practice (including but not exclusively cloud computing services) – also more of that later.

Fortunately there has been a scheme in place since 2000 that has been approved by both the European Union and the United States of America (where many cloud services actually process your cloud based data).  Ironically most users of cloud computing services have never even heard of “Safe Harbor” – the mechanism which may offer them some degree of protection against prosecution in the UK!

So when the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee called for the immediate suspension of data flows “to any organization that has self-certified its adherence to the US Safe Harbor Principles” there was a very sharp intake of breath of data protection compliance officers across Europe.  If your company uses Google Docs or Salesforce or any other Safe Harbor company, your legal right to use that service for processing personal information could be in jeopardy.  To be clear, that’s not to say that you would be breaking the law if you carried on using the cloud service – but you would have to undertake and be able to evidence more robust and rigorous due diligence in order to defend your position and decision to use the service.

This is definitely one to watch.  There have been several reports in the press that the European Commission has decided not to suspend Safe Harbor, and repeated calls for its suspension by LIBE and other groups following each successive revelation about systematic snooping and unauthorised access of data by the US National Security Agency (NSA).  Perhaps it is time to start putting in place your own due diligence measures (which I’d suggest is good practice anyway) just in case – because if Safe Harbor IS suspended – it will have unimaginably massive repercussions for businesses in the UK.

Target’s earnings fall after data breach

March 5th, 2014

The Wall Street Journal and other media have reported that US retail giant Target Corp’s profits have fallen by 46% following a massive data breach – one of the biggest credit card thefts in history. Sales fell by over 5% as a direct result of a loss of confidence among shoppers following the breach. Not only that, but the costs of remedial action have run into hundreds of millions of dollars, and there are over 80 lawsuits underway and possible action from the US regulator.

This is the first time I recall seeing such a cause-and-effect direct link placed between company profitability and a data breach.

http://online.wsj.com/news/articles/SB10001424052702304255604579406694182132568?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304255604579406694182132568.html

ICO Conference another success

March 5th, 2014

I was fortunate enough to attend the annual Data Protection Practitioner conference earlier this week in Manchester hosted by the newly re-appointed Information Commissioner, Christopher Graham. Over 750 people attended making it the most well attended ICO annual conference ever.

For me personally, I didn’t think that it was as good as previous years – maybe it was me – but I was expecting hot debate about some of the topical issues, I was hoping that the workshop sessions would give me some really pragmatic ideas and guidance to implement in my work as a data protection consultant, and I was looking forward to spending time in the information market meeting suppliers who may hold the key to some of the issues we face.

I have to say that I was disappointed on all three counts and ironically it’s the first time that we’ve had to pay for the privilege of attending the conference!  So … my view is that the one to attend is definitely the PDP conference and I’ll be getting my application form in early this year.

Philip Brining – 6th March 2014


New EU Regulation about notifying Personal Data Breaches enters into force – it applies to Electronic Communications Service Providers (ECPs). A Possible Future for All?

September 18th, 2013

A new EU Regulation applicable to the notification of personal data breaches came into force on 25 August 2013.

Broadly, this new duty requires publicly available electronic communications service providers (ECPs) operating in the EU, such as telecoms operators and internet service providers, to notify their national authority (e.g. ICO), without undue delay, of any ‘personal data breach’.

A ‘personal data breach’ is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

The expectation is that any such breach is reported to the relevant national authority within 24 hours of it occurring.  However, companies may make an initial notification to the national authority within the 24 hour timescale and a second notification with more information as stipulated by the Regulation within three days of the initial notification.

In addition, the ECPs must notify individuals of the breach “without undue delay after the detection of the personal data breach” if it is “likely to adversely affect [their] personal data or privacy,” “unless the ECP affected by the breach can demonstrate to its national authority that it has implemented appropriate technological protection measures.”  It is expected that this will occur within 24 hours of the breach.

The Regulation details the content of what must be notified to the national authority and what must be reported to the individual(s) affected.

ECPs do not have to notify subscribers or individuals if they are able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach; such measures must render the data ‘unintelligible’ and this is defined as:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
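Limb (b) in practice, as an added example that is not part of the original article: the hash key is generated from the OS CSPRNG, the field is replaced by an HMAC-SHA-256 value, and a self-assessment check shows why an unkeyed hash of a small-domain field (here a constructed mobile number range) would not count as "unintelligible". The record layout and the candidate range are assumptions made for the example.

```python
"""Added example (not from the original article): keyed-hash pseudonymisation
under limb (b) of the 'unintelligible' test, plus a check that an unkeyed hash
of a low-entropy field can still be ascertained by enumeration."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample of the kind of subscriber record an ECP might hold.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"msisdn": "07700900123", "name": "A. Example", "plan": "PAYG"},
    {"msisdn": "07700900456", "name": "B. Example", "plan": "Contract"},
]


def generate_hash_key() -> bytes:
    # A key that "cannot be ascertained by available technological means":
    # 256 random bits from the OS CSPRNG, never derived from a guessable value.
    return secrets.token_bytes(32)


def keyed_hash(value: str, key: bytes) -> str:
    # Standardised keyed hash: HMAC with SHA-256 (RFC 2104 / FIPS 198-1).
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    # Plain SHA-256, for comparison only; this does NOT satisfy limb (b).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_records(records: List[Dict[str, str]], key: bytes,
                         fields: Iterable[str]) -> List[Dict[str, str]]:
    """Return copies of the records with the named fields replaced by their
    keyed hash. Records stay linkable within the dataset (same input, same
    output) but the identifying value cannot be recomputed without the key."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            copy[field] = keyed_hash(str(rec[field]), key)
        out.append(copy)
    return out


def ascertainable_by_enumeration(digest: str,
                                 candidates: Iterable[str]) -> Optional[str]:
    """Self-assessment check: if hashing every plausible value of the field
    reproduces the stored digest, the field was not rendered unintelligible
    and the breached data is still personal data."""
    for cand in candidates:
        if unkeyed_hash(cand) == digest:
            return cand
    return None


def uk_mobile_candidates() -> Iterable[str]:
    # Constructed search space: the Ofcom drama/fiction range 07700 900000 to
    # 07700 900999, used so the check runs in well under a second.
    return (f"07700900{i:03d}" for i in range(1000))


if __name__ == "__main__":
    key = generate_hash_key()
    released = pseudonymise_records(SAMPLE_RECORDS, key, ["msisdn"])
    print("keyed:", released[0]["msisdn"][:16], "...")
    # Unkeyed hash of the same field is recovered immediately:
    leak = unkeyed_hash(SAMPLE_RECORDS[0]["msisdn"])
    print("unkeyed recovered:", ascertainable_by_enumeration(leak, uk_mobile_candidates()))
    # Keyed hash is not, because the candidate hashes never match without the key:
    print("keyed recovered:", ascertainable_by_enumeration(released[0]["msisdn"], uk_mobile_candidates()))
```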

However, the proposed new data protection Regulation would provide for such an obligation for all data controllers; could your organisation be confident of meeting such a requirement?

The ICO will be issuing its own guidance to ECPs shortly.

Do you know how to respond to a Subject Access Request (SAR)? Cardiff City Council told to improve its processes relating to the handling of ‘SARs’ by the Information Commissioner’s Office.

September 18th, 2013

The Information Commissioner’s Office (ICO) has issued an undertaking to Cardiff City Council, which requires the authority to improve its practices regarding Subject Access Requests (SARs).

This came about after the council failed to respond to a SAR within the 40 working days timeline set out in the Data Protection Act (DPA), which subsequently triggered a complaint to the ICO by the individual concerned. This failure prompted the Information Commissioner to take a closer look at the council’s SAR compliance in general and found it to be wanting.

The ICO requires that the council will:

1. Clearly define procedures for dealing with subject access requests, and make sure that all staff involved in such work receive appropriate training in how to follow them;

2. Ensure that appropriate checks and supervision are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements and the data controller’s policies and procedures;

3. Make sure that sufficient measures are in place for the storage of paper records to ensure that subject access requests are responded to appropriately.

Organisations processing personal data must have regard to the eight principles of the DPA and the 6th principle (relevant to this case) states that “Personal data shall be processed in accordance with the rights of data subjects under the Act”.

One of those individual rights is “a right of access to a copy of the information comprised in their personal data” which they can exercise by making a subject access request to the appropriate organisation; the ICO considers this to be one of the fundamental aspects of the DPA and generally takes a very dim view of any organisation not fulfilling its obligations in this respect.

So, could your organisation handle a ‘Subject Access Request’; would staff even recognise such a request bearing in mind that it doesn’t have to follow a standard form and could arrive by letter or email?  Will you charge the allowable fee (currently £10.00 with some exceptions)?  Do you even know where all your client, staff, customer, supplier, etc personal data (electronic and manual) is held and how easy it would be to access it?  Finally, could you pull the whole thing together and respond within the 40 working days (not as easy as it seems!)?

The ICO has just published the ‘Subject Access Code of Practice’ (58 pages!) available from their website www.ico.org.uk or get in touch to discuss (we’ve helped a client successfully negotiate this minefield, including complaints and challenges by the ICO).

Law Commission ‘Data Sharing between Public Bodies’ consultation launched; open between 16th September and 16th December 2013 (get involved).

September 18th, 2013

In a perhaps timely announcement, given the all too familiar circumstances surrounding the death of Daniel Pelka, the Law Commission has published a consultation paper on the subject of data sharing between public bodies.

However, it should also be noted that the Information Commissioner’s Office (ICO) has already published, since May 2011, its own ‘Data Sharing Code of Practice’ (available from its website www.ico.org.uk) which is designed to provide a framework for all organisations to make good quality decisions about data sharing.

Both the Law Commission’s and ICO’s documents are worth reading by all organisations involved in data sharing (just about everyone!) as the issues they raise and try to address are, in our experience, prevalent across all sectors – private, public and charity/voluntary.

The details below about the Law Commission’s consultation are taken directly from its website:

Background
The law surrounding data sharing is complex. Powers to share data are express or implied in numerous statutes and in the common law. The Data Protection Act 1998 sets the limits on data sharing and the rules for handling personal data. The law of confidentiality protects confidential or private information. Contract, employment and European Union law plays a part, as does the European Convention on Human Rights. There are also professional regulations, such as those that prohibit doctors from breaching the confidentiality of their patients.
Public bodies collect large amounts of data from individuals and organisations but they continue to report that they cannot always share the data they need to share and, as a result, miss out on opportunities to provide better services to citizens. At the same time, it is accepted that there is a need to ensure that the security of data and privacy of individuals are not put at risk.
The Consultation
This project aims to establish whether these perceived obstacles are embedded in practice or culture, or whether they are to do with the substance of the law or how it is written.
• Is there a problem with the law – does the law itself erect barriers that unduly restrict data sharing between public bodies?
• Is the law too complex and hard to understand – has a lack of clarity in the law led public bodies to develop cultures that prevent lawful data sharing? Is data sharing just too difficult?
• Is there simply a gap in education, guidance and advice?

This consultation relates to their (Law Commission) Data Sharing between Public Bodies project.

Reference number: LCCP214; follow the hyperlink below for the consultation document:
Data Sharing between Public Bodies Consultation [PDF, 0.22mb]

Information security (IS) breaches reach highest ever levels according to Department for Business/PWC 2013 IS Breaches Survey

September 10th, 2013

The number of information security breaches affecting UK business, both large and small, continues to increase. The rise is most notable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations. The survey found that:

• 93% of large organisations had a security breach in the last year.
• 87% of small businesses had a security breach in the last year (up from 76% a year ago).

Affected companies experienced roughly 50% more breaches on average than a year ago.
• 113 is the median number of breaches suffered by a large organisation in the last year (up from 71 a year ago).
• 17 is the median number of breaches suffered by a small business in the last year (up from 11 a year ago).

The cost of individual breaches continues to vary widely. The average cost of respondents’ worst breach of the year has never been higher, with several individual breaches costing more than £1m. In total, the cost to UK plc of information security breaches is of the order of billions of pounds per annum – it’s roughly tripled over the last year.

Both external attacks and the insider threat are significant; attacks by outsiders (such as criminals, hacktivists and competitors) cause by far the most security breaches in large businesses – the average large business faces a significant attack every few days. Even small businesses, which used not to be a target, are now also reporting increasing attacks.

Staff also play a key role in many breaches. Serious security breaches are often due to multiple failures in technology, processes and people. In addition, staff-related incidents have risen sharply in small businesses.

In response to this the vast majority of businesses continue to prioritise information security, with related budgets increasing, or at least not being cut. However, many businesses can’t translate this expenditure into effective security defences. In large organisations, ineffective leadership and communication about security risks often leaves staff unable to take the right actions.

There are weaknesses in training, communication and understanding of internal security policies and procedures, a lack of clarity around data protection responsibilities, insufficient risk assessment and skills shortages in respect of information governance/security.

Business use of technology is changing fast with the increasing use of cloud based services, social networking sites, bring your own devices (BYOD) and portable media, so it’s important to have a flexible approach to information security.

Overall, the survey results show that companies are struggling to keep up with security threats, and so find it hard to take the right actions. How would your organisation rate?

Please follow link to download a copy:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/191671/bis-13-p184es-2013-information-security-breaches-survey-executive-summary.pdf?utm_source=Campaigner&utm_campaign=Tuesday_June_04_2013_-_1&campaigner=1&utm_medium=HTMLEmail
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf 

Did you know that your organisation, as a data controller, is responsible for validating and putting proper contracts in place with any suppliers handling data on its behalf? Get it wrong….

September 10th, 2013

The Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second hand computer bought through an online auction site.

The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.

On 29 May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained the details of patients treated by NHS Surrey. The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2000 children, on the device.

After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey; three of which still contained sensitive personal data.

The ICO’s investigation found that NHS Surrey had no contract in place with their new provider that clearly explained the provider’s legal requirements under the Data Protection Act, and that it failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.

Stephen Eckersley, ICO Head of Enforcement, said:
“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”

How confident are you that your organisation couldn’t make the same mistakes?

The ICO has produced guidance explaining how old IT equipment containing personal information can be securely destroyed in compliance with the Data Protection Act.

Summary of data protection and privacy happenings over the summer period; publishing personal details online, leaking information and wrong fax numbers. Lessons learnt…?

September 10th, 2013

1. Council employee publishes vulnerable children’s welfare details online
The Information Commissioner’s Office (ICO) has served Aberdeen City Council with a monetary penalty of £100,000 after a serious data breach resulted in sensitive information relating to social services involvement with several individuals being published online.

The information was released after a council employee accessed documents, including detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families.

The ICO’s investigation found that the council had no relevant home working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network.

2. Council publishes over 2,000 residents’ personal details online
The Information Commissioner’s Office (ICO) has served Islington Council with a monetary penalty of £70,000 after personal details of over 2,000 residents were released online.

The information was inadvertently released in response to a freedom of information request, and revealed sensitive personal information relating to residents’ housing needs.

The breach occurred due to a lack of understanding of pivot tables. These are used in Microsoft Excel and other spreadsheet programs to neatly summarise large amounts of data. But the tables retain a copy of the source data used. This information is hidden from view, but is easily accessible.
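A pre-release check for the pivot-table problem described above, as an added example that is not code from the original article: an .xlsx is a zip archive, and a pivot table's source rows are stored in a pivot cache part under xl/pivotCache/. The check lists each cache, the column names it holds and how many rows it retains. The pairing of pivotCacheDefinitionN.xml with pivotCacheRecordsN.xml by number is an assumption (the formal link is via the part's relationships file), and the sample workbook is a constructed minimal archive, not a fully valid Excel file.

```python
"""Added example (not from the original article): scan an .xlsx for pivot
caches that still carry the source rows before the file is released."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

# Default namespace of SpreadsheetML parts.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
DEFINITION_RE = re.compile(r"xl/pivotCache/pivotCacheDefinition(\d+)\.xml")


def pivot_cache_report(xlsx_bytes: bytes) -> List[Dict[str, object]]:
    """One entry per pivot cache: which columns are cached, whether the
    workbook was saved with source data, and how many rows are retained."""
    report: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            m = DEFINITION_RE.fullmatch(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            # saveData="0" tells Excel not to persist the source rows;
            # the attribute defaults to true when absent.
            save_data = root.get("saveData", "1") not in ("0", "false")
            fields = [cf.get("name") for cf in root.iter(f"{{{NS_MAIN}}}cacheField")]
            # Assumption: records part carries the same number as the definition.
            records_name = f"xl/pivotCache/pivotCacheRecords{m.group(1)}.xml"
            rows = 0
            if records_name in names:
                rec_root = ET.fromstring(zf.read(records_name))
                rows = len(rec_root.findall(f"{{{NS_MAIN}}}r"))
            report.append({
                "definition": name,
                "saveData": save_data,
                "fields": fields,
                "cached_rows": rows,
            })
    return report


def safe_to_release(xlsx_bytes: bytes) -> bool:
    """True only when no pivot cache in the workbook retains any source rows."""
    return all(entry["cached_rows"] == 0 for entry in pivot_cache_report(xlsx_bytes))


def build_sample_xlsx(cached_rows: int) -> bytes:
    """Constructed minimal archive with one pivot cache over two columns.
    Enough for the check above; it is not a complete, openable workbook."""
    definition = (
        f'<pivotCacheDefinition xmlns="{NS_MAIN}">'
        '<cacheFields count="2">'
        '<cacheField name="Resident"/><cacheField name="HousingNeed"/>'
        '</cacheFields></pivotCacheDefinition>'
    )
    rows = "".join(
        f'<r><s v="resident-{i}"/><s v="need-{i}"/></r>' for i in range(cached_rows)
    )
    records = (
        f'<pivotCacheRecords xmlns="{NS_MAIN}" count="{cached_rows}">'
        f'{rows}</pivotCacheRecords>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", definition)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx(2000)
    for entry in pivot_cache_report(sample):
        print(entry)
    print("safe to release:", safe_to_release(sample))
```

For a real workbook, pass the bytes of the file instead of the constructed sample; a cache with a non-zero row count means the hidden source data would ship with the file.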

3. Probation officer prosecuted for leaking victim’s details to alleged culprit
A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been successfully prosecuted by the Information Commissioner’s Office (ICO).

Victoria Idowu claimed that she provided the victim’s full name, new address and date of birth, along with the details of the investigating officer, as she believed that the individual already knew this information and she was keen to avoid a case of mistaken identity.

Ms Idowu, who had worked at the trust since October 2005, has already been the subject of disciplinary proceedings by London Probation Trust, which resulted in her employment being terminated due to gross misconduct.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998.

4. Bank of Scotland penalised after four year fax blunder
The Information Commissioner’s Office (ICO) has served the Bank of Scotland with a monetary penalty of £75,000 after customers’ account details were repeatedly faxed to the wrong recipients.

The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The documents were faxed over a four year period, with the first incident reported to the bank in February 2009 by a third party organisation.

Half of UK consumers mistrust companies

June 27th, 2013

Information Age reported on the 25th June that a recent survey by Comres found that half of UK consumers have no trust in companies in respect of their data. The report suggests that UK consumers mistrust large corporations who seemingly hoover up large amounts of data under the guise of consumer profiling and enhancing customer experiences, but simply go on to re-sell this data or otherwise unfairly exploit it. Information Age states that Barclays plc changed their terms and conditions late in June 2013 giving it the right to resell aggregated anonymised data about its customers’ buying patterns.

Only 18% of the survey’s respondents felt that personal data was being used to enhance customer experiences.

Another survey by Infosys found that trust varied between industries, with 91% having a high level of trust in doctors, 74% in banks, and 69% in retailers.

http://www.information-age.com/technology/information-management/123457147/half-of-uk-consumers-say-corporate-data-collection-is-harmful——survey

Crucial vote delayed until October 2013

June 27th, 2013

The new European Data Protection Regulation has been on the agenda since it was first proposed by Vice-President Viviane Reding in January 2012 – but despite set-backs in pushing forward with new harmonised rules, new legislation will be with us in the next year or so setting out a new framework for how we can process data.

Unhelpfully there is a great deal of scaremongering about the new Regulation from pressure groups keen to retain and exploit loopholes and confusion in the existing legislation for their own benefit, which makes it difficult to get a clear picture of what the new rules will mean in practice.

Science Business published a useful article last week which is well worth reading for an objective update of the current situation.

http://bulletin.sciencebusiness.net/news/76176/Irish-Data-Protection-sprint-fails-to-reach-the-finishing-line

SMEs expose larger firms to privacy breach risks

June 24th, 2013

PR Newswire reported on 18th June that small firms were putting larger firms at risk of data protection breaches by not having robust enough policies, procedures, and work practices when it comes to handling data. According to a report by Shred-it, SMEs are particularly poor with activities such as shredding documents and disposing of hard drives.

The report claims that SMEs are, “10 times less likely to have an information security system set up than is the case with larger businesses”.

http://www.prnewswire.co.uk/news-releases/smes-putting-larger-businesses-security-at-risk-owing-to-lack-of-data-protection-protocols-211938381.html

COMMENT
Absolute Data are often asked to help large businesses evaluate SMEs that they wish to appoint as data processors, whether that’s a call centre, a web hosting company, or a data destruction facility – and we have developed a set of tools to enable us to effectively measure and compare providers in an objective and consistent manner.

In our experience there are numerous organisations both small and large providing data processing services to our clients who are simply not providing a good enough or robust enough service. The report is absolutely right in its assertion that poor data handling processes in a supply chain introduce a huge element of uncontrolled risk to data controllers: and it is the controller who is ultimately responsible for the entire supply chain.

We recently worked with an international company who used a team of very large pan-European service providers as data processors. We found that 50% of processors were working with NO contract in place, that the data was being off-shored to the USA without the knowledge of our client, and that redundant computing equipment containing our client’s data was lost for a period of weeks. All very worrying stuff.

So our view is that you cannot rely on the size of a data processor – you have to either do your own due diligence, or get an expert firm like Absolute Data in to assess the risks on your behalf.

Council of the European Union proposes to relax data protection consent

June 14th, 2013

The Council of the European Union published a report on 31st May setting out suggested compromises to the draft Data Protection Regulation which is set to change and harmonise data protection law across Europe toughening up the UK’s data protection laws from next year. The report follows around 3,000 proposed amendments to the draft Regulation being suggested by the member states.
One of the suggestions is to change the consent required to undertake direct marketing from “Explicit” to “Unambiguous”. The direct marketing industry will no doubt regard this as something of hollow progress as they see the introduction of explicit consent as something of a death knell. Speaking in Leeds in March 2013 the Direct Marketing Association’s Director of Public Affairs, Caroline Roberts, told the audience that the new Data Protection Regulation would kill off trading and sharing data and unsolicited direct marketing due to the requirement in the Regulation to have obtained prior explicit consent.

So, what would constitute “Unambiguous Consent” and how would it differ from “Explicit Consent”?

Unambiguous consent feels very close to implied consent, i.e. consent through not opting out. It seems to follow that, provided sufficient well-worded and clear notices are given to individuals when their personal information is collected, an individual who does not opt out could well be deemed to have granted consent for the collecting organisation to use that information for direct marketing purposes, and that such unambiguous consent has been obtained fairly and lawfully.
Explicit consent suggests that the whole area of implied consent is simply not robust enough: that consent will not be valid unless an individual has ticked a box themselves, in the full knowledge that in doing so their personal information will be used for particular purposes, and additionally that they are free to do so with no undue pressure being exerted by the organisation. This latter point is interesting and is usually explained in the context of an employment situation, where an employer holds more power in the data processing relationship than the employee, and an employee saying, “actually I don’t want to grant my consent to my personal information being sent to China for payroll processing purposes”, is likely to be pressurised to conform.

But in the context of a commercial relationship, what do consumers do when faced with no real option, such as “grant consent or don’t use our services”? My guess is that most simply tick the consent box. The big question is whether this will be permissible when the new Regulation becomes law next year, and whether consumers would have valid grounds for complaint against large multinational companies in these circumstances.

http://www.statewatch.org/news/2013/jun/eu-council-dp-reg-10227-add1-13.pdf

Data Profiling to be regulated

June 4th, 2013

The Article 29 working party, the independent European advisory body on data protection and privacy set up under Article 29 of the Data Protection Directive has adopted an advice note entitled, “Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation” which seeks to find a practical middle ground between the European Commission’s current proposal for a Data Protection Regulation and the proposals of the European Parliament. The advice note sets out the following:
1. Data Profiling is to be defined – the following definition is suggested:
“Profiling” means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.”

2. Profiling per se, rather than the outcome of the profiling activity, is to be regulated, i.e. the very act of profiling, regardless of whether the results of the profile have any impact on a data subject, will fall within the regulatory scope.

3. Data subjects to be given greater control over profiling activities including:

  • The granting of explicit consent being the legitimate grounds for processing by a data controller;
  • A data controller having to describe what information is used for profiling, the purposes of profiling activities, and the logic involved in automated profiling;
  • The data subject having the right to access, modify, and delete any profile information attributed to them;
  • The data subject having the right to refuse any decision based on profiling information and/or have any such decisions reviewed by human intervention.

4. Data Controllers will be required to take more responsibility and accountability for profiling and to ensure suitable measures are in place to safeguard the data subject’s rights and freedoms such as the use of data protection friendly technologies, structured privacy impact assessments, appropriate default values, data minimization, data security, and where appropriate anonymization or pseudonymization.
The advice note finishes by suggesting that a balanced view needs to be taken in respect of regulating profiling activities: a balance between upholding the rights of individuals and the interests of data controllers. It also notes that there are both positive and negative impacts of data profiling.

http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130513_advice-paper-on-profiling_en.pdf

Liverpool FC in Khmer Rouge storm

May 30th, 2013

The Liverpool Echo reported on 29th May 2013 that Liverpool Football Club has disclosed a “Dossier” containing information about some of its more supporters which compares them to members of Cambodia’s infamous 1970s Khmer Rouge regime.

Liverpool fan and journalist Jim Boardman made a request for the information under the Data Protection Act after hearing rumours of the Dossier’s existence.

http://www.liverpoolecho.co.uk/news/liverpool-news/data-protection-act-led-part-4028414#.UaYnqsUkKao.email

Employee fined for taking employer’s data

May 30th, 2013

Paul Hedges, a former manager of a health service in the UK, was recently fined £3,000 by the Information Commissioner’s Office (ICO) for unlawfully obtaining medical and health information about 2,471 people.

Mr Hedges was working as a Community Health Promotions Manager at Bitterne Leisure Center in Southampton at the time and, when he learned that he was about to lose his job, sent the information to his personal e-mail account on April 28, 2011 in order that he could start up his own fitness company.

The ICO learned of the breach when patients complained about being approached by Hedges.

“People have a right to privacy and the ICO works to maintain that right,” Information Commissioner Christopher Graham said in a statement. “Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.”

The Information Commissioner has reiterated his call for tougher penalties to enforce the Act saying “at the very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now.”

Vote on new Data Protection Regulation pushed back

May 22nd, 2013

The EU Committee on Civil Liberties, Justice and Home Affairs (LIBE) announced, on 6 May 2013, the postponement of its vote on the latest amendments for the draft General Data Protection Regulation, due to the high volume of amendments to consider. The vote would have taken place on 29 May 2013.

A LIBE spokesperson outlined three possible meeting dates for the vote as 19-20 June, 27 June and 8-9 July 2013.

Salesforce set to open UK data centre

May 22nd, 2013

World-class CRM vendor Salesforce.com is to open a data centre in the UK to add to its growing base of European data centres and to support its bid to win more government work.

Concerns have been raised in the past about where a company’s data is physically stored and processed when using Cloud services, because it is not permissible under European law to process data outside of the European Economic Area without undertaking a series of steps. It is actually a lot easier for UK organisations to “export data” than it is for organisations with operations in many of our European neighbours, but all of that is set to change next year with the new Data Protection Regulation.

As a Salesforce.com partner we were delighted with the news.

http://www.out-law.com/en/articles/2013/may/cloud-provider-to-build-uk-data-centre-after-admitting-data-security-concerns-have-hindered-bids-for-government-contracts/

Goodform CRM Summit a great success

May 22nd, 2013

The 5th CRM Summit organised by Goodform this week was a huge success and Absolute Data’s Joe Colleran and Phil Brining were not only fortunate to secure a place, but also to run a workshop on the topic of information governance. With speakers flown in from all over the world, Charlie Shin from the USA’s MLS (Major League Soccer) gave a superb insight into how MLS and US football clubs continue to gain market share in America, while Turkish football club Galatasaray’s Ozgur Gundogan set out the Club’s CRM and fan relationship strategy. Speakers from IBM, British Cycling, Silverstone and Leicester Tigers completed the day’s line-up.

The slide deck and handouts from Absolute Data’s workshop are freely available in our downloads section and we were delighted with the positive response we received to DataWise, our information governance software solution.

Absolute Data to run workshop at CRM Summit

May 15th, 2013

Absolute Data’s Phil Brining and Joe Colleran announced today that they will be attending the Goodform CRM Summit at London’s IBM Southbank on Monday 20th May. Phil and Joe will be running a hands-on workshop on data governance. Absolute Data’s Joe Colleran said, “we’re really looking forward to attending. It’s always a great event and this year we’ve got the added bonus of running a workshop on Data Governance’s role in a CRM strategy. We’ve got four or five case studies to run through and a heap of practical worksheets for delegates to take away.”

The Goodform CRM Summit is at the London IBM Southbank on Monday 20th May. Visit www.goodform.info for further details

Absolute Data joins Liverpool Chamber

May 14th, 2013

We’re pleased to announce that Absolute Data has recently joined the Liverpool Chamber of Commerce. Speaking about the move, Liverpool based senior consultant, Joe Colleran, said, “We’ve actually got a lot of business clients in Liverpool some of whom we’ve been working with for 7 years and it makes sense for us to join the Chamber to try to grow our salesforce CRM consulting work as well as our information governance work. We’re really excited about working with the Chamber and its members and have had some interesting initial conversations with the Chamber staff. They seem like a really proactive group of people.”

Absolute Data will be running a series of workshops and surgeries for Chamber members. Email us for more details.

Leeds Rhinos lose player data laptop

April 11th, 2013

Absolute Data’s Phil Brining has worked in the field of professional sport since 1999 and was alarmed to read a report in the Yorkshire Post that a laptop computer containing player details including training, coaching and medical data had been stolen, along with a handful of USB memory sticks containing a raft of data about players and the Club’s training methods. Not only is this highly sensitive commercial data for the Club to lose, but it is also sensitive personal data relating to Rhinos players. The laptop was stolen during a burglary of the house of one of the Rhinos’ coaching staff. There was no comment as to whether the laptop or the portable media were protected in any way. Tough questions will now be asked of Leeds Rhinos about this incident.

Council caught out by poor processes and training

April 9th, 2013

East Riding of Yorkshire Council has formally agreed to improve its data protection measures after two separate incidents, in April and May last year, led to the council breaching UK data protection law, the Information Commissioner’s Office has confirmed.

In one incident an employee was said to have mistakenly included sensitive personal data about one family in a response to a subject access request made by another. And in the other a student social worker was said to have revealed to the parent of a child under assessment the first name of an individual who had made an anonymous referral about that parent to the council’s children’s services team.

The ICO said that both incidents could be attributed to a “general lack of data protection awareness and training, together with a lack of proper management or checking procedures when dealing with subject access requests or supervising non-employees, such as students on placement”.

Right to be forgotten

April 8th, 2013

The UK has stepped up its attempt to opt out of or block the “right to be forgotten” from the EU Data Protection Regulation expected to be enacted next year.  The Guardian newspaper reported, as part of the continuing debate, that the UK is pressing for the change to be made as part of a ‘directive’ as opposed to a ‘regulation’, which will give EU member states more flexibility around how to implement it.

The EU view is that the new Regulation “is one of the biggest market-openers of the last few years,” according to Viviane Reding, as it “eliminates 27 conflicting rules and replaces them with … a mechanism for the whole continent.”

The right to request the deletion of data would be expanded under the Commission’s draft Regulation, and Article 17 sets out a specific ‘right to be forgotten’ giving individuals a general right to force organisations to delete personal data stored about them “without delay”.

Information and technology law expert Luke Scanlon of Pinsent Masons recently wrote in the privacy newsletter Out-Law.com: “Everyone wants the ability to protect their identity and not have adverse decisions made about them in relation to employment, insurance or credit, based on information that was once true but, as circumstances change, has become no longer accurate. But it is clear, even to the Commission it would seem, that its proposed law cannot practically guarantee that all traces of data that a person has ever shared could be irreversibly erased, even though that is what is written on the label. This certainly creates an unfair expectation, a concern that the Information Commissioner has also expressed.”

CCTV Operators to be targeted for DPA inspections

March 27th, 2013

Privacy Law experts PDP reported in their e-newsletter earlier this week (http://www.pdptraining.com/newsletter-signup) that the French data protection authority, CNIL, had set out plans to target CCTV systems operators in its recently published annual programme for 2013. CNIL has set out an objective of carrying out around 400 inspections this year focusing its efforts on CCTV systems (which will be the subject of 25% of all inspections), data processing by market research companies, data processed by hotspots offering free internet access (e.g. Wi-Fi hotspots), processing by local authorities of data relating to persons’ social difficulties, data about persons detained in prison, police files and international enforcement actions.

Credit reference agencies suffer data breach

March 20th, 2013

Two of the largest credit reporting agencies and data list suppliers have acknowledged that they have suffered data security breaches through unauthorised intrusions into their systems. Nottingham based Experian and Equifax, suppliers of QAS and the dis-connect/re-connect lists respectively acknowledged the breach to Bloomberg earlier this month. Tim Klein, a spokesman for Equifax, told the news agency that a hacker gained “fraudulent and unauthorized access” to at least four consumer credit reports at the credit reporting agency. Credit reports and sensitive data on celebrity Paris Hilton, as well as U.S. First Lady Michelle Obama, former Secretary of State Hillary Clinton and FBI director Robert Mueller appeared on a website called Exposed.

The price of data protection

March 20th, 2013

The BBC reported yesterday that MPs have warned that funding the office of the Information Commissioner could cost the taxpayer more than £40m each year. Currently the Information Commissioner’s Office (ICO) is funded through the notification fees that it collects, which cost either £35 or £500 depending upon the size of the organisation. The proposed new Data Protection Regulation, which is expected to come into force next year, is expected to scrap the requirement to notify in favour of placing further obligations on data controllers. But this means that the notification fees will also be scrapped. There is a suggestion that the ICO could be funded from the fines that it imposes, but this would fundamentally change the ICO’s role. Sir Alan Beith, Chairman of the cross-party committee, reiterated calls for harsher penalties including prison sentences for serious breaches of the data protection laws.
The ICO plays three important roles: on the one hand it is responsible for regulating data processing activities of those processing personal data; and on the other hand it is responsible for educating both data controllers and the general public to improve privacy and information security. The third role that it fulfils is in upholding the rights of individuals, a vital role in helping to manage spam and unsolicited marketing communications. So is £40m a year a fair price to pay to fund a data protection regulator/ombudsman?

ICO Conference a great success

March 6th, 2013

The ICO Conference for data protection officers was attended by 800 people in Manchester yesterday, and with 300 on the waiting list, was the most popular ICO conference to date. Speakers included Françoise Le Bail who was appointed as Director General for the newly created DG Justice on 1st July 2010 and who gave the conference the European perspective on the forthcoming new Data Protection Regulation.

COMMENT
Absolute Data’s Phil Brining was fortunate to attend the conference and said, “I always like this event and was hoping to learn a little more about the new Regulation this year. I wasn’t disappointed. The best parts for me were the address by Françoise Le Bail and the final Q&A session with Christopher Graham, David Smith, who I always like hearing, and the ICO staff.”

Friday Focus

February 15th, 2013

I’m sure that most of us have a Skype account. It’s the sort of thing that everyone creates, tries out, then either uses religiously, occasionally, or not at all. And the occasional users (like me) may have more than one account, having periodically forgotten their login credentials and found it easier to create a new account.

So it was interesting to read that the Italian data protection regulator has raised an issue to do with the account closure provisions adopted by Skype, which raises a debate that has been around for some time: when, or rather whether, should we delete data? Skype argue that when subscribers delete their accounts it is good practice and necessary simply to mark the account as inactive – essentially to flag it as “deleted” but not actually to delete the record. That way they can preserve the uniqueness of login details for subscribers and allow un-subscribers to resurrect their account should they wish to. It’s also a long-held data management principle that nothing should actually be deleted – just updated or re-flagged so that a full audit history of changes to a field on a database record is available.

Is that practice at odds with data protection legislation? Possibly not, as we are allowed to retain data as long as is necessary for the purpose(s) for which it was collected. And arguably it actually helps you meet the requirements of the Fourth Principle (the responsibility to keep information accurate and up to date), because a trail of changes will demonstrate not only an attempt to maintain accurate data but also the speed at which changes were implemented.

But do you really want to store all of that redundant data? The implications of a security breach are heightened if you are holding more data than is necessary, and particularly if some of that data is particularly sensitive or confidential. If ITV had not had the latest pictures of the Duchess of Cambridge in their possession, then they would not have run the risk of accidentally broadcasting them on live TV.
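One way to reconcile the two positions above (keeping a closed account’s login name unavailable and its history auditable, while not holding redundant personal data), as an added example that is neither Skype’s implementation nor code from the original post: a flag-then-purge store that keeps a closed account intact only for a grace period, after which the record is replaced by a keyed-hash tombstone. The store, the key, the 30-day grace period and the "Alice" walk-through are all constructed for illustration.

```python
"""Constructed illustration (not Skype's code): close an account by flagging
it, keep it intact for a grace period so the user can change their mind, then
purge the personal data, leaving only a keyed hash that still blocks re-use of
the login name and keeps the audit trail linkable."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str
    display_name: str
    closed_at: Optional[datetime] = None  # set when the user asks to close


class AccountStore:
    def __init__(self, tombstone_key: bytes, grace_period: timedelta):
        self._key = tombstone_key            # secret; protect like any key
        self.grace_period = grace_period
        self.accounts: Dict[str, Account] = {}
        self.tombstones: Dict[str, datetime] = {}   # pseudonym -> purged_at
        # (when, action, pseudonym): the audit trail never stores the name
        self.audit_log: List[Tuple[datetime, str, str]] = []

    def _pseudonym(self, username: str) -> str:
        # Keyed hash rather than bare SHA-256, so someone who obtains the table
        # cannot hash guessed names to learn who once held an account.
        return hmac.new(self._key, username.lower().encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def _log(self, now: datetime, action: str, username: str) -> None:
        self.audit_log.append((now, action, self._pseudonym(username)))

    def register(self, username: str, email: str, display_name: str,
                 now: datetime) -> None:
        key = username.lower()
        # A purged account still blocks re-use of its login name.
        if key in self.accounts or self._pseudonym(key) in self.tombstones:
            raise ValueError("username unavailable")
        self.accounts[key] = Account(username, email, display_name)
        self._log(now, "register", key)

    def close(self, username: str, now: datetime) -> None:
        """Step 1: flag, don't delete, so the decision can be reversed."""
        self.accounts[username.lower()].closed_at = now
        self._log(now, "close", username)

    def reopen(self, username: str, now: datetime) -> None:
        acct = self.accounts[username.lower()]
        if acct.closed_at is None:
            raise ValueError("account is not closed")
        acct.closed_at = None
        self._log(now, "reopen", username)

    def purge_expired(self, now: datetime) -> List[str]:
        """Step 2: after the grace period the purpose for holding the personal
        data has gone, so replace the record with a tombstone."""
        purged = []
        for key, acct in list(self.accounts.items()):
            if acct.closed_at is None or now - acct.closed_at < self.grace_period:
                continue
            self.tombstones[self._pseudonym(key)] = now
            del self.accounts[key]
            self._log(now, "purge", key)
            purged.append(key)
        return purged

    def personal_records_held(self) -> int:
        """Number of records that still contain personal data."""
        return len(self.accounts)


def demo_lifecycle() -> dict:
    """Constructed walk-through: close, change of mind, close again, purge."""
    t0 = datetime(2013, 2, 15)
    store = AccountStore(b"constructed-demo-key", timedelta(days=30))
    store.register("Alice", "alice@example.com", "Alice", t0)
    store.close("alice", t0 + timedelta(days=1))
    early = store.purge_expired(t0 + timedelta(days=10))  # inside grace period
    store.reopen("alice", t0 + timedelta(days=11))
    store.close("alice", t0 + timedelta(days=12))
    late = store.purge_expired(t0 + timedelta(days=42))   # grace period over
    try:
        store.register("ALICE", "x@example.com", "X", t0 + timedelta(days=50))
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    return {
        "purged_early": early,                       # []
        "purged_late": late,                         # ["alice"]
        "records_with_personal_data": store.personal_records_held(),  # 0
        "reuse_blocked": reuse_blocked,              # True
        "audit_actions": [a for _, a, _ in store.audit_log],
        "audit_holds_name": any("alice" in p for _, _, p in store.audit_log),
    }
```

The audit log keeps a full history of what happened to the account, linkable through the pseudonym, without the name, e-mail or display name surviving the purge.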

Celebrity data remains big business and so it was surprising that the email account of a former US President was hacked. One would have assumed that it would have been better protected, if not impregnable. Fortunately it was only the personal photographs and emails of George W Bush that were put into the public arena, but by implication it could have been worse or more embarrassing. Rather like the accidental disclosure of medical information about Manchester United and England player Phil Jones. Sir Alex Ferguson was critical of the England camp for disclosing that the player was suffering from shingles, and rightly so, although it’s doubtful that the complaint, which was levelled as an unauthorised and inappropriate disclosure of the player’s sensitive personal information, will be investigated by the Information Commissioner.

What’s App

February 11th, 2013

WhatsApp’s mobile messaging service, used by hundreds of millions of customers worldwide, breached privacy laws in at least two countries, according to a joint Canadian-Dutch probe reported by phys.org, a leading web-based science, research and technology news service. The California-based mobile app developer violated “certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data,” Canada’s privacy commissioner and the Dutch Data Protection Authority (CBP) said in a joint statement. WhatsApp has taken steps to resolve several privacy issues by implementing many of the privacy watchdogs’ recommendations. “However, outstanding issues remain to be fully addressed,” the watchdogs said.
The coordinated Canadian-Dutch investigation is a global first, and “marks a milestone in global privacy protection” in an “increasingly online, mobile and borderless world,” noted Canadian Privacy Commissioner Jennifer Stoddart. The joint probe found that most mobile smartphone users did not have a choice to use WhatsApp’s messaging app without granting access to their entire address book, in violation of Canadian and Dutch privacy laws.
In the Netherlands, the CBP said it may take further enforcement action, including sanctions, if it finds that WhatsApp continues to breach privacy laws. The privacy commissioner’s office in Canada has no enforcement powers but said WhatsApp has “demonstrated a willingness to fully comply with (its) recommendations.” The company, for example, has fixed a vulnerability that allowed a third party to send and receive messages in the name of users without their knowledge. It also recently introduced encryption to its mobile messaging service after the Canadian-Dutch investigation revealed that messages sent using WhatsApp’s messenger service were prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks.
http://phys.org/news/2013-01-whatsapp-messaging-breached-privacy-laws.html#jCp

Comment
At the end of January, WhatsApp proved how easy it is for a well-established company to fall prey to privacy breaches, after Canadian and Dutch data protection agencies accused it of retaining data on non-users without consent. The popular app had gone years in business without this being drawn to anyone’s attention, and without any penalties being brought. However, according to Daniel Cooper, head of global privacy and data security at Covington and Burling, it’s a trap many companies will have fallen into, as we will see in the future: “I suspect that these breaches are much more common than we think, with many businesses not paying due attention to their data collection practices when developing or deploying their services,” he told Wired.co.uk. “Many companies simply collect data, despite having no clear business need for it, on the basis that it may be useful in the future.” The argument here, that liability arises from ignorance, is one that was raised with the cookie policy, and one that will be brought to the European Commission by the ICO later this year if Graham’s comments are anything to go by.

France calls for tax on data collection

February 11th, 2013

Politicians in France have called for the introduction of a tax on data collection prompted by revelations that Google makes about $30bn a year, including an estimated $2bn in France, out of collection and selling/using personal data. The Guardian’s correspondent reported that it is unlikely to become law but is a good indication of changing and hardening attitudes towards a more official quantification of data and data collection activities by companies in Europe.

Police involved in identity theft

February 4th, 2013

The BBC have picked up on an investigation carried out by the Guardian newspaper that the Metropolitan Police are investigating a claim that its officers created aliases using the identities of up to 80 dead children during operations between the late 1960s and early 1990s. The reason for stealing the identities of the dead children was that they would stand up to scrutiny if birth records were checked. Two former officers of the Special Demonstration Squad (SDS) are quoted as saying they were issued with identity records, like driving licences and national insurance documents, in the children’s names.

A Met statement said: “A formal complaint has been received which is being investigated by the DPS (Directorate of Professional Standards) and we appreciate the concerns that have been raised.”

http://www.bbc.co.uk/news/uk-21316768

Comment
While the practice is distasteful to say the least, the Data Protection Act only applies to living individuals and therefore it’s hard to see how its principles have been breached.

January News Round Up

February 1st, 2013

Plenty has happened in the data protection world through January 2013 – here’s just a short summary of some of the highlights:

  • Sony were fined £250,000 and criticised for poor information security, insufficient control of data processors, and for storing too much information about its customers following last year’s data security incident in which the PlayStation Network was hacked and the personal information of over 70 million people, including credit card details, was stolen.

  • The Information Commissioner published his response to the proposed EU Regulation, giving ground in some areas while digging his heels in on others. One big debate is whether the new laws should be a Regulation or a Directive. Regulations apply directly in every EU Member State, whereas directives need to be transposed in a more flexible way into national law. The EU expects to have the shape of the new law published by June this year.

  • An influential group of British businesses published their thoughts regarding the proposed EU Regulation, including the ICO’s right to do unannounced spot checks, the obligation on businesses to appoint a professionally qualified data manager, the requirement to report data breaches, and the right to be forgotten.

  • Cookies update – the ICO published a review of cookies which basically said what we all thought: some good work has been done by web sites, but most still rely on implied consent to place cookies that are not strictly necessary on users’ devices. The ICO advises that this approach is unlikely to be lawful, but cookies are not a top priority for the British public and therefore not for the ICO.

  • The Information Commissioner was critical of local government in his January newsletter over their attitude towards protecting personal data after serving four local councils with monetary penalties totalling over £300,000. He accused councils of treating sensitive personal data in the same routine way they would deal with more general correspondence.

  • New Zealand was granted an EU adequacy ruling, making it far easier for UK organisations to transfer personal information to NZ.

  • Data Privacy Day on 28th January came and went without really being noticed!

  • Absolute Data moved into beta testing of its information assurance software DataWISE, expected to be released in February.

Data Protection tops the list of UK security priorities

January 30th, 2013

Computer Weekly report that data protection is THE top priority for UK firms in 2013, with over 50% of those polled placing it above IT security, mobilisation, and cloud computing. The imminent law changes, coupled with a realisation that data protection risks and lack of control over process and people are probably now a greater threat to businesses than IT security, are thought to be behind the change. This is great news, but what are firms going to do about it?

Quite possibly the penny has dropped and firms are now realising that technologically based IT security measures are less effective, dare I say useless, without organisationally based security measures, and that work environments where there is a general lack of data governance control are highly dangerous and risky.

http://www.computerweekly.com/news/2240176822/Data-protection-tops-2013-UK-security-priorities

Absolute Data are data protection specialists advocating Information Assurance – a holistic approach to data and IT security. Our aim is to implement technological controls within a broader framework of organisational and environmental control and governance so that information ASSURANCE can be achieved. Sounds rather too academic? Well, in practical terms we’ve developed our own toolkit, compliant with British Standard BS10012 and ISO27001, that will provide information assurance. It’s basically a quality system akin to ISO9001 but for personal information and data. It’s inexpensive, easy to deploy and effective. Contact us for more information.

Sony fined £250k over data hack

January 24th, 2013

Sony Computer Entertainment Europe has been fined £250,000 ($396,100) following a “serious breach” of the Data Protection Act in what UK authorities described as preventable. Absolute Data reported the hack in May 2011 in which Sony lost the credit card details of more than 70 million people. The Information Commissioner’s Office (ICO) criticised the entertainment giant for not having up-to-date security software.
The company had previously apologised for the hack which saw its PlayStation Network knocked offline for several days. In May 2011 company executives bowed in public and offered users free games to show their remorse.

The ICO’s report said technical developments had led to user passwords not being secure – leaving data such as names, addresses, dates of birth and payment card information at risk. “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” said David Smith, deputy commissioner and director of data protection at the ICO. “In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.” Sony “is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
Comment
As we at Absolute Data continue to highlight, even multinational high-tech companies with bags of resources don’t get it right all of the time. Sony probably thought that they had information security covered, something that as consultants we hear all the time, but clearly they didn’t and suffered a major breach. So what was at fault? If you read the report of the Information Commissioner it sets out, or implies, a number of possible causes:

  • Weak IT security measures at the third party network services provider,
  • Inadequate monitoring and control of the third party by Sony,
  • Inadequate data processor agreement between Sony and the third party,
  • Poor processes for development and testing of system modifications,
  • A cavalier organisational culture at the third party and/or Sony,
  • Weaknesses in IT and infrastructure design,
  • Ineffective or infrequent penetration testing,
  • Inadequate/inappropriate policy regarding the information held about customers.

And there are many more that could be added to the list.

The important question is what could have been done to reduce the likelihood and impact of a breach in the first place?

  • Regular training and awareness of privacy and information security threats/matters,
  • Technological tools like encryption,
  • A policy and process for rapidly applying software patches as they become available, with thorough test procedures and sign-off,
  • Not keeping so much data about customers in one place,
  • Better screening and auditing of third party suppliers,
  • Incident logging and review to highlight increased threat levels.

And there are many more. One of the biggest questions is whether one-off stand-alone measures have any realistic chance of minimising breach threat and breach impact. Our view is that a structured and strategic approach to information assurance/data governance is absolutely essential and that the lack of such a system is the root cause of Sony’s problems.

ICO’s power to spot check private sector firms questioned

January 23rd, 2013

Late in 2012 twenty businesses met with the Ministry of Justice (MOJ) to discuss the proposals being put forward by the EU for a new, tighter, data protection regulation which would replace the existing 1998 Data Protection Act. Articles 46 to 79 of the proposed regulation (due to become law in 2015) relate to the Office of the Information Commissioner (ICO) having the power to spot check private firms’ premises and data handling and processing arrangements. Akin to the powers granted to the Health and Safety Executive, this would enable the ICO to walk into any business in the UK unannounced and demand to inspect a firm and test its compliance with the law.

In addition to the proposal for spot checks, other major changes include:

  • a requirement for firms to notify the relevant data protection authorities of any serious data breaches within 24 hours;
  • firms with over 250 employees handling personal data must appoint a data protection officer;
  • businesses to respect users’ right to be forgotten;
  • people to have the power to force any firm to delete data stored on their systems.

Comment

One of the major elements of the EU’s proposals is changing data protection laws from a directive to a regulation. Directives can be implemented with local differences in each of the 27 Member States whereas Regulations have to be implemented identically. The UK’s current 1998 Data Protection Act is the result of the EU Data Protection Directive (95/46/EC) and each Member State has a slightly different variation, leading to difficulties for businesses with pan-European operations. In fact a 2011 research piece indicated that the UK came out 21st out of 27 in respect of how tight and rigid our interpretation of the Directive was compared with the other Member States.

Many of the proposed changes to the regulation (and therefore to UK law) simply reflect the existing arrangements adopted by other Member States under their interpretation of the ’95 Directive. Not only is it unlikely that the overall rule set will be relaxed, but life, data, IT and communications technology are unrecognisable now compared to the mid 90s. Couple that with the facts that the new DP Regulation is being driven by German politician Jan Albrecht and that the EU has previously been critical of the UK’s data protection arrangements, and it seems highly likely that sweeping and significant change is only a matter of months away.

http://www.v3.co.uk/v3-uk/news/2237823/exclusive-uk-firms-seek-to-limit-ico-powers-in-data-protection-shakeup

Information Commissioner highlights weaknesses in local government

January 15th, 2013

In his January newsletter Information Commissioner, Christopher Graham, criticised local government’s attitude towards protecting personal data after serving four local councils with monetary penalties totaling over £300,000. The penalties mean that nineteen local councils have now received monetary penalties for breaching the Data Protection Act, totaling £1,885,000.

The Information Commissioner said:
“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.”

The bottom line is that ineffective work processes and staff training and awareness are the root cause of these issues.

Data Protection in an Ex-EU United Kingdom

January 15th, 2013

I was listening to a political debate about whether there should be a referendum to determine whether the UK remains in the European Union and my mind wandered to imagining how a decision to leave would affect information governance and data protection.

What would this look like? Imagine data transfers in and out of the EEA zone if the EU determined that our ’98 Data Protection Act was inadequate. What strategy would our own regulator adopt in terms of harmonisation with other countries? Would we find a loosening up or a tightening of PECR, FOI, and DPA? Would UK companies be entitled to retain data relating to European citizens previously collected or would we be forced to destroy it? What impact would there be on our existing data processes, training and awareness programmes, and data systems? All interesting food for thought.

ICO’s cookies update published

January 14th, 2013

The ICO issued an activity report on cookies early in 2013 from which it would seem that implied consent and unclear statements on websites are likely to be non-compliant. The majority of sites that the ICO has looked at rely on implied consent, but he is focussed on the UK’s most popular websites and those about which he receives complaints. But cookies appear to be a low priority for the public and the ICO, with the 550 complaints received about websites dwarfed by the 53,000 complaints received about unwanted marketing calls.

Coming soon …

January 9th, 2013

Absolute Data consultants spent December working on revisions to DatASSURE, the information assurance framework, and will be releasing version 3 later in January. Watch this space because the new version will have a host of improved resources and features building on the success of version 2.

Another “safe” country

January 9th, 2013

The European Commission has declared that New Zealand is a country with adequate data protection measures in place for the purposes of EU data transfers. This means that UK organisations can more easily and reliably transfer data to New Zealand. However, it doesn’t mean that the proper precautions can be relaxed – you will still need to satisfy yourselves that the transferee has adequate measures in place, you’ll need a robust data sharing or processor agreement etc. But well done New Zealand!

Vice-President Viviane Reding, the EU’s Justice Commissioner, said that: “This decision is another step to boosting trade with our international partners while helping to set high standards for personal data protection at a global level.” New Zealand is the eleventh country to be deemed by the Commission as having an adequate level of protection for personal data.

Absolute Data completes information assurance project

December 21st, 2012

Earlier this week Harrogate-based Absolute Data completed an information assurance project for a specialist software development company in Essex. The three month project resulted in DatAssure, Absolute Data’s information assurance framework, being implemented in the Essex firm, which specialises in providing recruitment software as a service. “The DatAssure framework gives our corporate clients and applicants great confidence in how we process and handle their personal information and applications”, commented the firm’s Managing Director. “It also gives us the ability to evidence good information governance which has helped us to win a couple of tenders even during the project.”

Leeds City Council fined £95,000 for data breach

December 19th, 2012

Leeds City Council has been fined £95,000 for sending sensitive information about a child in care to the wrong person through internal mail.

It revealed a criminal offence, school attendance and details of the youngster’s relationship with their mother.

When sending internal mail, the council reuses envelopes which have been used for external mail.

In this instance, the external address was not crossed out and the sensitive file was posted to someone who had nothing to do with the case.

The Information Commissioner’s Office (ICO) has criticised local government’s attitude towards protecting personal data, after other councils were also fined for breaching the Data Protection Act.

Information Commissioner Christopher Graham said: “We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place.

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.

“The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.

“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance – if necessary without consent.

The same powers are sought for NHS bodies across the UK following a series of data protection breaches in the health sector.

Bank employee fined for ‘snooping’ on another’s account

December 7th, 2012

Lara Davies of Barrowash, Derby, was found guilty of accessing information from her partner’s ex-wife’s bank account – which only came to light in divorce settlement meetings. The ex-wife became suspicious when purchases that no one else would have known about were discussed.

Barclays, where Ms Davies worked, were contacted, and when they investigated the matter she left her job.

Ms Davies pleaded guilty to 11 offences under section 55 of the Data Protection Act, and was fined £500 by Derby Crown Court and ordered to pay a £15 victim surcharge and £1,410.80 prosecution costs.

UK Information Commissioner, Christopher Graham, said:

“High street bank staff have access to financial information on a day-to-day basis, and are expected to treat that privilege with professionalism. When that trust is abused, and the personal data they access is misused, the law is very clear, as this case has shown.

“The only surprise here is that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for abusing the system are so inadequate.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

The Information Commissioner continued:

“This case illustrates the need for more effective deterrent sentences to be available to the courts, as recommended most recently by Lord Justice Leveson. Unlawful access to personal information is all too easy and all too common – and these days it does not seem to have much to do with the press.”

Spam text firm fined £440,000

November 29th, 2012

The ICO yesterday served the fine on the two owners of marketing company Tetrus Telecoms, Christopher Niebel and Gary McNeish. This is the first time the ICO has used its power to issue a monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations (PECR) since January 2012, when it was first awarded the power.

The ICO became aware of Tetrus Telecoms after receiving intelligence in May 2011 that the company was sending huge volumes of unsolicited text messages from offices in Stockport and Birmingham, without the consent of the recipient and without identifying the sender – both of which are legal requirements under the PECR. Any replies were then used to generate leads that were sold to other companies at a considerable profit.

The ICO’s investigation included raids at the company’s Stockport premises, in August 2011, and the Manchester home of Niebel, in February this year. The evidence obtained showed Tetrus was using unregistered pay-as-you-go SIM cards to send out as many as 840,000 illegal text messages a day with an income of £7,000 – £8,000 a day.

Examples of the text messages sent out by Tetrus Telecoms include:

  • CLAIM TODAY you may be entitled to £3500 for the accident you had. To claim free, reply CLAIM to this message. To opt out text STOP. Thank you
  • URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim reply ‘YES’
  • You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP

Information Commissioner, Christopher Graham, said:

“The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls and we are currently cracking down on the companies responsible, using the full force of the law.

“In March we set up a survey on the ICO website so people can tell us about any unwanted texts and calls they have been receiving. So far we have received over 60,000 responses. We know the majority of these messages and calls have been made by companies who try to remain anonymous in the hope they can profit by selling personal information to claims management companies and other marketing organisations. We are using the information provided by the public to identify those responsible.”

Niebel has now been ordered to pay a penalty of £300,000, while McNeish, who appears to have taken less out of the business, has been fined £140,000.

Niebel and McNeish are also facing prosecution from the ICO for failing to notify that Tetrus Telecoms was processing personal information. Notification is a legal requirement for organisations under the Data Protection Act punishable by a penalty up to £5,000 in the Magistrates Court, and a potentially unlimited fine in the Crown Court.

It is important that any company that has bought data from Tetrus or Niebel or McNeish in the past, now carefully checks that the proper customer consents have been obtained and that they are acting within the law.

Plymouth City Council fined £60,000 by Information Commissioner

November 26th, 2012

The Information Commissioner’s Office (ICO) has issued a £60,000 monetary penalty to the Council after the ‘details of a child neglect case were sent to the wrong recipient’.

Highly sensitive information was held in the report – including allegations of neglect and ongoing care proceedings.

The fine was imposed after the ICO discovered that there was no secure system in place for printing reports containing sensitive personal data, and that the council had also failed to take reasonable steps to ensure reports were checked before they were sent out.

Stephen Eckersley, Head of Enforcement at the ICO, said:

“It would be too easy to consider this a simple human error. The reality is that this incident happened because not enough care was being taken within the organisation when handling vulnerable people’s sensitive information.

“The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”

Robust data protection procedures a necessity for membership and sport businesses

November 22nd, 2012

The Information Commissioner is hammering down hard on organisations that fail in their data practices. Large fines of up to £500,000 are being imposed on organisations that are often unwittingly in breach of the law; this article explains how you can remain above it.

Are your data protection practices above the law?

The Data Protection Act 1998 (DPA) was designed to establish a framework of rights and duties that must be adhered to in order to safeguard personal data. The Information Commissioner’s Office (ICO) is the UK’s regulator responsible for ensuring organisations comply with the DPA and whose powers include imposing monetary fines of up to £500,000 where the security of personal data is put at risk.

Most organisations process personal data – they collect it, use it, disclose it, buy it, store it etc. – and they are breaking the law if they have not notified the ICO about their data processing. But compliance with the law goes much further than that and the ICO is hammering down hard on organisations that cannot prove that they have sound information governance in place, i.e. that their staff are regularly trained in this area; they have data policies and procedures in place; the infrastructure to audit their data processing practices; and generally that they have a risk assessment approach to privacy protection.

How do I know if I might have a problem?

There are some simple steps to assess if you are likely to be running unnecessary risks: here are perhaps the top 10:

  1. Do we have a notification and how often do we check it?
  2. What purposes have we notified?
  3. What do we do to check whether we comply with the data protection law(s)?
  4. Do we have a privacy policy, where is it, and is it fair and lawful?
  5. Do new starters have a DPA element to their induction?
  6. Do we train staff in our data protection policies and DPA in general at least annually?
  7. Do we have a list of the data we process, what it comprises, where it is, and who has access to it?
  8. What do we do to check how secure our IT is – all of our IT not just our servers?
  9. Are our IT or computing suppliers (e.g. backup, hosting, Cloud, repairs etc.) on sound agreements with us?
  10. Do we have a process for risk assessing data protection and privacy issues?

If you are not sure how you shape up against this quick list, then you may be running risks – contact us now for further information.


Managing the risks of anonymisation

November 20th, 2012

The Information Commissioner’s Office (ICO) has today published its data protection code of practice on managing the risks related to anonymisation. The code explains how to protect the privacy rights of individuals while providing rich sources of data.

The code comes at a time when the UK is putting more and more anonymised data into the public domain, with the government’s open data agenda allowing us to find out more than ever about the performance of public services and holding public bodies to account.

Announcing the publication of today’s code of practice Christopher Graham, UK Information Commissioner, said:

“We have published our code of practice on managing the data protection risks related to anonymisation to provide a framework for practitioners to use when considering whether to produce anonymised information. The code also aims to bring a greater consistency of approach and to show what we expect of organisations using this data.

“Failure to anonymise personal data correctly can result in enforcement action from the ICO. However we recognise that anonymised data can have important benefits, increasing the transparency of government and aiding the UK’s widely regarded research community.

“We hope today’s guidance helps practitioners to protect privacy and enable the use of data in exciting and innovative ways. We would also like to thank those people who took part in our recent consultation and helped today’s code of practice become a reality.”

The ICO has also announced that a consortium led by the University of Manchester, with the University of Southampton, Office for National Statistics and the government’s new Open Data Institute (ODI), will run a new UK Anonymisation Network (UKAN). The Network will receive £15,000 worth of funding from the ICO over the next two years to enable sharing of good practice related to anonymisation, across the public and private sector. The network will include a website, case studies, clinics and seminars.


£500,000 fines for breaching data protection regulations

November 15th, 2012

Sports clubs and organisations must ensure that they are up to speed with the latest data protection procedures as breaches of the law can now incur fines of up to £500,000. Nearly all organisations process personal data – they collect it, use it, disclose it, buy it, store it – and they are breaking the law if they haven’t notified the Information Commissioner’s Office (ICO) about their data processing. But compliance with the law goes much further than that and the ICO is hammering down hard on organisations that cannot prove that they have sound information governance in place, i.e. that their staff are regularly trained in this area; they have data policies and procedures in place; the infrastructure to audit their data processing practices; and generally that they have a risk assessment approach to privacy protection.

Absolute Data is committed to ensuring sports organisations create and follow realistic data protection policies and procedures within the law.

  • They spend time getting to know what data-related activity your business participates in.
  • They provide you with appropriate data protection policies and procedures that accurately reflect your activities.
  • They provide training packages for staff; not only in the importance of data protection, but how to ensure that you are fully adhering to data protection law.

Clients can be provided with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches; some clients opt for a retained consultancy service. Here are the top 10 steps to assessing if you are likely to be running unnecessary risks in your organisation:

  1. Do we have an ICO notification and how often do we check it?
  2. What purposes have we notified?
  3. What do we do to check whether we comply with the data protection law(s)?
  4. Do we have a privacy policy, where is it, and is it fair and lawful?
  5. Do new starters have a DPA element to their induction?
  6. Do we train staff in our data protection policies and DPA in general at least annually?
  7. Do we have a list of the data we process, what it comprises, where it is, and who has access to it?
  8. What do we do to check how secure our IT is – all of our IT not just our servers?
  9. Are our IT or computing suppliers (e.g. backup, hosting, Cloud, repairs etc.) on a sound agreement with us?
  10. Do we have a process for risk assessing data protection and privacy issues?

To find out more about data protection and Absolute Data’s services give us a call now: 01423 790125.

Prudential fined £50,000 for data mix-up

November 9th, 2012

The Information Commissioner’s Office issued the monetary penalty to Prudential after it was discovered that two customers’ accounts had been confused – meaning that tens of thousands of pounds had ended up in the wrong account.

The incident, which occurred in March 2007, resulted in a serious breach of the Data Protection Act, after two customer records, of people who had the same first name, surname and date of birth, were merged.

The problem was not resolved until September 2010, despite alerts being raised on several occasions, including one of the customers sending a letter confirming they had not moved house for over 15 years. The penalty imposed on Prudential relates to the inaccuracy that began here and continued for another 6 months.

Stephen Eckersley, ICO Head of Enforcement, said:

“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.

“This case would be considered farcical were it not for the serious sums of money involved.”

“While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has now improved the training it provides to its staff and updated its processes to ensure that the accuracy of customers’ records is maintained at all times.

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic data protection policies and procedures that are above the law. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. We can either provide clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches, or a retained consultancy service, whereby one of our dedicated staff members works onsite with your staff for a pre-agreed number of days per week. Please get in touch to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk

UK’s public sector fined over £2m in last 8 months for poor data handling

November 7th, 2012

A report by www.theinformationdaily.com states that public sector organisations in the UK have paid more than £2m in fines over the last 8 months for poor data handling.

The ICO announced that NHS bodies, police and local councils have accumulated fines of more than £2m (€2.5m) over the last 18 months for serious breaches of the Data Protection Act, with the figure set to rise as Stoke-on-Trent City Council is set to receive a £120,000 fine for not encrypting sensitive personal data.

The ICO has taken action in these areas after repeated failings from public bodies to protect people’s personal data. The monetary penalty for breaching the Data Protection Act can extend up to £500,000 (€624,000). According to the ICO, it will help to discourage others from making the same data protection mistakes.

Recent news reveals that NHS bodies lost the data of 1.8m patients in a single year. It has emerged that fines for the NHS could impact on patient care.

UK datacentres unprepared for massive changes that big data will bring

October 30th, 2012

Computer Weekly has today reported on the fact that ‘UK datacentres are unprepared for the massive changes that big data will bring to the enterprises and their IT facilities’ after Research Now conducted a study of 125 senior IT decision makers.

While IT executives are clear about the types of applications they will need to deploy to manage big data requirements in the next two years, they are not yet planning for the real increase in data volumes that these applications will need, the study further showed.

Big data refers to the huge volumes of unstructured and semi-structured data a company creates. Managing such unstructured data is useful not just from a business point of view but also to ensure that the business is compliant with data protection regulations.

The few companies that have planned for the impact of big data on datacentres and are implementing applications to manage it said they expect capacity requirements to increase by 40-50%.

Council fined for failing to encrypt

October 30th, 2012

Stoke-on-Trent City Council has been fined £120,000 after an employee sent an unencrypted email containing sensitive personal data to the wrong person. The employee, a solicitor involved in a child protection case, sent 11 emails relating to the case to a member of the public instead of legal counsel. Though the solicitor had acted in breach of the Council’s own guidance in sending the emails over an unsecured and unencrypted network, the body had failed to provide its legal department with encryption software, and knew that the team had to send emails to unsecure networks. The Council also provided no relevant training.

Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.”

Police Force fined £120,000 for data breach

October 16th, 2012

Greater Manchester Police has been fined £120,000 by the Information Commissioner’s Office (ICO) for losing an unencrypted USB memory stick that was also not password-protected. Data on the memory stick included ‘details of more than a thousand people with links to serious crime investigations and was stolen from an officer’s home’.

The USB stick has not been recovered and although the officer had been issued a Force USB stick in 2004, it wasn’t encrypted, and the officer replaced the stick with his own personal one when the stick became full.

‘The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access data away from the office’.

The Force suffered a similar breach in 2010, but had not ensured that its staff were trained sufficiently in data protection.

David Smith, ICO director of data protection, said: “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine. It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action. This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic data protection policies and procedures that are above the law. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. We can either provide clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches, or a retained consultancy service, whereby one of our dedicated staff members works onsite with your staff for a pre-agreed number of days per week. Please get in touch to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk

Businesses urged to remember their Data Protection obligations

October 8th, 2012

Both clients and organisations could be running huge risks in not knowing where their physical data is stored when using cloud based applications. The Information Commissioner is becoming ‘increasingly concerned’ with UK businesses’ attitudes towards this, believing that ‘many businesses do not realise that they’re still held accountable for the data even after handing it over to a cloud provider’.

The ICO has published a set of guidelines for companies migrating data into the cloud in the hope of clarifying the situation.
Here’s a breakdown of their top tips:

  • Businesses should review any personal data they process and prioritise what should and should not be moved into the cloud;
  • Organisations are also strongly recommended to inform end users about any processing arrangements made as well as ensure that their cloud provider has implemented the appropriate technical security for such information;
  • Whilst it is advised to inspect the premises of the cloud supplier, the ICO stated that it is “unlikely that a cloud provider would be willing to permit each of its prospective and current customers to enter its premises to carry out an audit,” so an independent third-party audit may be relied on instead;
  • The watchdog stated that the encryption of data in transit and possibly “at rest” is a significant factor, especially when processing sensitive personal data.

Absolute Data is highly experienced in reviewing and auditing the data practices of any type of organisation, including any cloud-based activity. For further information, contact us now at info@absolute-data.co.uk or on 01423 790125.

Milestone birthday announcements a thing of the past?

October 5th, 2012

Scotland’s national archives have made a decision to stop publishing information regarding 100th birthdays and 60th wedding anniversaries because it believes it breaches the Data Protection Act – a move that the ICO is challenging.

The commissioner, Christopher Graham, who deals with data protection across the UK, said:

“We are surprised at suggestions that data protection legislation might prevent National Records of Scotland from informing local authorities about the upcoming anniversaries of residents.

“The Data Protection Act plays a very important role in protecting our personal information but ought not to be a barrier to sensible information sharing.

“Sometimes organisations misunderstand the law or simply use data protection as a duck out.

“However the law has not changed in this area and it is important that data protection legislation is not used as justification for withdrawing a long held tradition in the UK which many people continue to enjoy.

“We will be contacting the National Records of Scotland to address this apparent confusion.”

The NRS’s change in policy was revealed after Fife couple Irvine and Louise Rae were confused when no councillor showed up to their diamond wedding celebrations.

A National Records of Scotland spokesman said: “With regard to Buckingham Palace, the process of distributing anniversary cards provides a direct communication between the Monarch and her subjects.”

A spokesman for the National Records of Scotland issued a later statement apparently blaming the birthday ban on Buckingham Palace. He said:

“In line with Buckingham Palace’s request, National Records of Scotland no longer provides details of significant celebrations to Lord Lieutenants in local authorities.

“We would be happy to consider ways in which we could assist Lord Lieutenants to continue the unique Scottish tradition of local community celebrations of significant birthdays and anniversaries.”

A Buckingham Palace spokeswoman then suggested they may U-turn on the ban. She said:

“This practice of sharing information predates the data protection laws and we are now looking into the matter.”

Data Collection infringements could lead to fines of £500,000

October 2nd, 2012

The UK Information Commissioner’s Office (ICO) is set to start taking action against those companies who fail to comply with new regulations on collecting data from online customers.

The Financial Times has cited a KPMG report as saying that firms which do not notify visitors to their websites that cookies are installed to track their online behaviour could be liable for a potential fine of about £500,000.

According to the report, firms including Tesco, Sainsbury’s and the Daily Mail, and government departments including the Department for Work and Pensions, have not modified their websites since the new law was implemented four months ago.

Since May 2012 firms have been required to obtain users’ permission before using cookies; the ICO had delayed enforcement of the rules for a year to give firms time to adjust.

Many online retailers have been unwilling to implement the new law as they feared that pop-up boxes with warnings would deter customers from using their websites.

Comment

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information they hold about individuals, including ensuring organisations are safeguarded and compliant with the new Cookie Law. For further information, contact us now at info@absolute-data.co.uk.

Over £250,000 monetary penalties issued to two illegal marketers

October 2nd, 2012

The Information Commissioner’s Office (ICO) yesterday confirmed that two individual fines, totalling over £250,000, have been issued to two illegal marketers who have ‘been responsible for distributing millions of spam texts’ and as such have breached the Privacy and Electronic Communications Regulations (PECR).

The marketers have 28 days in which to respond to the fines and seek to prove their compliance with the law.

Director of Operations at the ICO, Simon Entwistle, said:

“The public have told us that they are increasingly concerned about the illegal marketing texts and calls. These are often made by rogue companies claiming to offer payouts for accidents a person has never had or PPI claims that they are not necessarily entitled to.

“While companies can phone people to sell them the latest product or service, the law states that individuals should not receive unsolicited texts or automated marketing calls unless they have given their permission. We know many companies are failing to do this and two individuals responsible for sending millions of illegal marketing messages are now facing six figure penalties unless they can prove otherwise.

“It would be inappropriate to provide further comment until both individuals have had the opportunity to reply, but we are already working to identify other individuals and companies involved in these unlawful practices.”

Vast majority of information compromises come from firms’ employees

September 25th, 2012

New research by Forrester has suggested that only 25% of data breach cases come from external sources such as hackers, and just 12% were the result of ill intent. A staggering proportion of cases, 63%, were caused by employees doing things such as losing laptops and inadvertently misusing equipment and privileges.

“It’s not simply a matter of having the appropriate tools and controls in place. It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organization’s current security policies,” said researcher Heidi Shey in the report.

As for the data compromised in the breaches, employee and customer personal data accounted for 22% of cases reported, while intellectual property accounted for 19%. Sensitive identity management credentials such as user names and passwords came in at 11%.

An interesting observation made as a result of the research was that “most organizations seem to have policies when it comes to mobile security, but most of them don’t have adequate protections in place because they lack the tools required to enforce those policies… While most mobile devices have native capabilities as measures against breaches – such as passcodes or passwords, and remote lock and wipe – almost 25% of those surveyed said they don’t have any form of data protection implemented on their devices”.

All in all, it seems that employee training for security awareness is in order. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” wrote Shey.

To view the report by Forrester, please click here.

ICO report urges schools to ensure data protection law compliance

September 20th, 2012

An ICO-written report has been released today, aiming to help schools ‘ensure they are handling pupils’ personal information in-line with the law’ – and gives practical advice on how to comply with the Data Protection Act.

It was prompted by a survey of 400 schools across nine local authority areas that showed that whilst awareness of data protection laws was generally good, schools need to pay more attention to complying with data protection law.

The survey showed 95 per cent of schools provided some information to pupils and parents about what was done with personal information.

But a third of schools with password-protected computer systems conceded the passwords were not necessarily strong enough and not changed regularly, with 20 per cent admitting email systems were not secure.

Louise Byers, ICO Head of Good Practice, helped draft the report: “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there. In many respects that should come as no surprise – it’s not teachers’ area of expertise – and it is precisely what our report is aiming to address.

“I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law. The sensitive personal data that schools handle means it is crucial they get this right, and we hope the ICO’s report will help them achieve that.”

Staff pensions records lost – Council fined £250k

September 11th, 2012

The Information Commissioner’s Office (ICO) has confirmed that it has issued Scottish Borders Council with a £250,000 fine following the loss of pension records, bank details and salary information.

A report on publicservice.co.uk confirmed that 676 files were recovered from supermarket recycling bins after being spotted by a member of the public. Another 172 files were said to have been destroyed in the recycling process.

The council had used an external company to digitise the records, but the ICO said the authority had failed to seek appropriate guarantees on how the personal data would be kept secure, despite this being required under UK data protection laws.

The regulator found that no contract had been put in place with the third party processor. It also said no guarantees had been sought by the council on the technical and organisational security protecting the records. And there was a failure on the part of the authority to make sufficient attempts to monitor data handling.

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing,” said Ken Macdonald, ICO assistant commissioner for Scotland.

“When the council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.

“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

The revelation follows news that Scottish councils have lost the personal data of 10,000 residents over the past five years.

Freedom of Information requests confirm 1014% rise in reported data breaches

August 31st, 2012

Computerworld.co.uk has reported on research carried out by storage firm Imation regarding the sharp rise in data breach incidents reported to the ICO in recent years.

Freedom of Information requests have confirmed a 1014% rise in reported breaches since 2007 across eight industry sectors logged by the ICO.

This included a 1,609 percent increase in incidents reported by local government, a 935 percent rise in the NHS, and a 132 percent rise in central government. “Other” public sector organisations – a catch-all category for organisations that fall outside these headings – showed a 1,380 percent rise.

For comparison, the private sector as a whole showed a 1,159 percent rise with only one sector, telecoms, doing well enough to record no breaches in the most recent period.

The percentages also add up to a concerning number of cases in absolute terms: between November 2007 and November 2008, local government reported 11 data breach incidents, a figure that had grown to 188 by 2012.

The total number of incidents reported to the ICO in 2011/12 stands at 821, Imation said.

“More alarming is the consistent year-on-year increase in data breaches since 2007,” said Nick Banks of Imation Mobile Security. “The figures obtained from the ICO by Imation seem to show that increasing financial penalties have had little effect on the amount of data breaches each year,” he said.

Over time the ICO has got tougher, with the number of fines growing. One analysis claimed that the ICO was more likely to fine public sector organisations than private ones, but comparisons are hard to make because of differences in the type of data held.

Council not fined after data breach confirmed

August 28th, 2012

The Information Commissioner’s Office (ICO) has concluded an investigation into complaints made about Kingston Council by confirming that it will not fine the council, even though it confirmed that the council had breached data protection laws – and could have faced a fine of up to £500,000.

The ICO’s investigation began in May after more than 100 rent statements were posted to the wrong addresses in Chessington. Residents in Charles Lesser House, Hereford Way, were shocked to find their two-page rent statements contained one sheet of their own information and a second page with somebody else’s personal data – including benefit entitlements, bank details and rent account numbers.

A spokesman from the information commissioner said: “After making inquiries into the incident the ICO has ruled the council did breach the data protection act by failing to keep the information secure.

“Following our inquiries and in line with our data protection regulatory action policy we concluded that, on this occasion, no further action was required.”

The head of Charles Lesser House Residents’ Association, Keith Dickinson, 62, said: “It caused a lot of embarrassment for a lot of people, but all that gets swept under the carpet.

“I think it is disappointing if they have been proven to be breaching data laws and do not get some punishment for it.

“If I did something like drive fast on a 20mph road I would get punished.

“It does not surprise me that they got away with it.”

Since April 2007 the information commissioner’s office has received eight complaints against Kingston Council, but only one was upheld with remedial action.

Surrey County Council was fined £120,000 last year after a series of blunders in which it emailed sensitive, personal information about hundreds of vulnerable individuals to the wrong people.

FOI request confirms that ICO has yet to begin investigating cookie law violations

August 22nd, 2012

PC Pro Magazine submitted the request recently and has discovered that ‘320 websites have been reported’ to the ICO – but that none, thus far, have been investigated.

“At present the information has not yet been analysed as the team which will have responsibility for this is not in place yet,” the ICO told PC Pro. “It is intended that once the data has been analysed any organisations not in compliance will be identified, then further action will be considered as appropriate.”

Specialist employees have now been drafted in to investigate cookie non-compliance, electronic marketing and unsolicited text messaging. The ICO told PC Pro Magazine that it ‘expected the team to start work at the end of this month [August]’.

In 2009, the EU’s Privacy and Electronic Communications (e-Privacy) Directive was changed to state that storing and accessing information on users’ computers would only be lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. Consent must be “freely given, specific and informed”. An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user – for example, to take the user of an online shop from a product page to a checkout.

Amendments to the PECR implemented the Directive into UK law last May. The ICO placed a year’s grace on enforcement action in order to give website operators time to implement measures to comply with the new consent requirements; however, that period has now passed. The ICO can issue fines of up to £500,000 to organisations whose websites do not comply with the PECR.

Essex Chronicle reports breach at Essex County Council

August 21st, 2012

A security breach at the UK’s Essex County Council has exposed personal data on 400 people, reports ESecurity Chronicle.

“Names, addresses and financial information about people in ‘substantial’ and ‘critical’ need of care were sent from the Adults Health and Community Wellbeing Department to a computer outside of County Hall,” The Essex Chronicle reported.

“A council staff member was sacked following the breach, which was reported to Essex Police and the Government’s Information Commissioner.”

“It confirmed an investigation was now underway focussing on an ex-employee who was said to have breached information security policy. ‘We are taking this extremely seriously and have informed the police and the Information Commissioner’s Office,’ the council’s statement read. ‘Whilst the ex-employee had signed a declaration stating they had deleted the information and not shared it with anyone, it is our duty to inform service users that their information has been compromised.’”

Information Commissioner's Office extends its beady eye beyond breaches in the public sector

August 14th, 2012

Small Biz has today reported that private sector businesses need to be more vigilant than ever with their data protection practices, as the ‘Information Commissioner’s Office extends its beady eye beyond breaches in the public sector’.

The ICO has begun to issue more warning notices and has ramped up its fines (as reported in yesterday’s Absolute Data News).

“Small businesses are increasingly falling foul of the ICO,” said Syscap CEO Philip White in a canned statement.

“It’s clear that the ICO is starting to take a much more proactive stance in penalising data lapses, so this is something that business owners need to take very seriously,” he added.

The information-gatherers said that most firms had the wherewithal to secure customer information, but some businesses didn’t have the money or the sense to sort out their data security.

“Budgets have been stretched since the recession, so upgrading old or out-of-date IT equipment has been put on the backburner for some time now. This has left some old or redundant systems open to data lapses,” claimed White.

Small businesses at risk of data breach fines

August 13th, 2012

Warning notices for data security lapses are up 48% from last year, the Information Commissioner’s Office has confirmed.

In total, it has issued £1.8 million worth of fines over the last 12 months – almost £1.5 million more than last year.

Analysts with Syscap – an independent funder to the education sector – say that while the majority of fines have been against public bodies, the ICO is also increasingly taking action against private organisations that lose data.

With the ICO cracking down, small businesses in particular are at risk, as they often lack the appropriate safeguards to properly monitor and track their ICT equipment, researchers say, leaving them more open to fines when data is lost.

Syscap chief executive Philip White said: “Small businesses are increasingly falling foul of the ICO. It’s clear that the ICO is starting to take a much more proactive stance in penalising data lapses, so this is something that business owners need to take very seriously.

“Businesses need to make sure that the correct safeguards are in place in order to secure their data, or they could be at risk of hefty fines in the near future.”

Serious data protection blunder by Ayrshire NHS

August 10th, 2012

A patient’s records were sent almost 250 miles from her Girvan practice to one in Manchester, resulting in the patient, a Ms Mary Corbey, missing two cervical smear tests.

The case comes just four months after nurse Rab Wilson exposed NHS Ayrshire and Arran for withholding critical incident reports.

Carrick, Cumnock and Doon Valley MSP, Adam Ingram, said: “There seems to be a systematic failing of the management regime in NHS Ayrshire and Arran which fails to respond to concerns of patients and staff.

“It tends to deflect criticism, shuffle off responsibility and simply blame other people.

“And while I welcome the approach of the new chief executive, John Burns, it underlines the need for change at senior management level.”

Mrs Corbey’s medical files were wrongly sent to England when requested by another practice in 2003.

The mistaken identity with another patient led to her being de-registered at her local practice.

But Ayrshire and Arran bosses are still trying to insist the mistake was not their fault.

They’re pointing the finger at a body called the NHS National Services Scotland Practitioners Services Division, which has delegated powers to transfer patient records.

Health Trust fined £175,000 by Information Commissioner's Office (ICO)

August 6th, 2012

1,000 employees’ details were ‘accidentally published’ on Torbay Care Trust’s website, resulting in a £175,000 fine, the ICO has announced today.

The information was published in a spreadsheet on the website in 2009 and not spotted for 19 weeks. The data included individuals’ names, dates of birth, National Insurance numbers, religion and sexual orientation.

The ICO’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

Stephen Eckersley, Head of Enforcement, said:

“We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”

The Trust has now introduced a new web management policy to make sure personal data is not mistakenly published on their website in the future.

Organisations must gain clearance for personal data processing, warns ICO

July 30th, 2012

Under the Information Commissioner’s Office guidelines, organisations are required to register with the ICO annually and describe any data processing they intend to carry out, before that activity begins. Those that do not are guilty of an offence under UK data protection law.

Under the Data Protection Act (DPA), organisations cannot process personal data unless they have notified the ICO of their planned activities and have been included in the watchdog’s “Data Controller Register”, subject to some exceptions. One exception is where an organisation only processes personal data for staff administration purposes.

As part of the registration, organisations must provide the ICO with “a general description of measures” they plan to take to ensure personal data is properly secure and which protects against the risk of “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

It is a criminal offence to process personal data without an appropriate entry on the data controller register unless an exemption applies. It is also a criminal offence to fail to notify the ICO of any changes to the data controller’s processing; or to process personal data which is inconsistent with the organisation’s registry entry.

Data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that proposed changes to EU data protection laws could bring an end to the notification requirement.

“The proposed General Data Protection Regulation, which is set to change the EU data protection regime, currently includes a provision which will ease the regulatory burden on data controllers by scrapping the need for organisations to notify with their local data protection authority,” she said.

Under the draft Regulation many large businesses and those with personal data-heavy processing operations would be required to appoint dedicated data protection officers whilst businesses would also be required to keep a record of their personal data processing and provide the information upon request to regulators. This is where Absolute Data can help.

Absolute Data runs a service called DataWise. DataWise is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic data protection policies and procedures that go beyond what the law requires. We spend time getting to know what data-related activity your business undertakes and ensure that your policies and procedures reflect that activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. We can either provide clients with a data protection toolkit, which offers a robust and effective solution for reducing the risk of data breaches, or a retained consultancy service, whereby one of our dedicated staff members works onsite with your staff for a pre-agreed number of days per week.

Please feel free to get in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Small businesses need to "wake up" to data protection

July 27th, 2012

Small businesses that are concerned about the security of their data have been told to “wake up and hire a specialist”, by Graeme Batsman, director of Datadefender.co.uk.

Along with Absolute Data, Batsman believes that such businesses can benefit tremendously from acquiring the services of specialist data security consultants.

Absolute Data runs a service called DataWise. DataWise is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that go beyond what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we spend time getting to know what data-related activity your business undertakes and ensure that your policies and procedures reflect that activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise also provides clients with a data protection toolkit, which offers a robust and effective solution for reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

UKFast research shows ‘appalling data ignorance’ by several UK councils

July 20th, 2012

Poor data security from several of the UK’s local councils has left sensitive expenditure information openly available on the internet. Research carried out by UKFast, a web hosting specialist, has revealed ‘the appalling level of data protection ignorance which left details of one council’s £83m spend – including suppliers’ contact details and prices – as simple to find and download as an MP3 track’.

Lawrence Jones, CEO at UKFast said: “Our security division regularly monitors the level of cyber risk across the internet to make sure our clients are protected from every type of threat. The public sector should set an example on data protection so to discover such a lapse – where personal details and sensitive data is openly available – from a local government body is very concerning.”

Jones continued: “We discovered several databases, not only from councils but from businesses as well, all filled with information that would allow cybercriminals to impersonate suppliers to steal money or personal information through even the simplest of attacks.

“It would not take any specialist technical skill to be able to find this information through a search engine and then put together a convincing email or phone call impersonating the suppliers to steal from the council or business.”

Examining the true value of CRM

July 13th, 2012

Soccerex has today reported on its latest examination of the value of CRM at professional sports clubs.

David McClellan, CEO of Tickethour UK, thinks:

“There is simply no point in joining the rush to CRM for the sake of it so it is worth considering some basic but essential questions before making any sort of investment:

What will Clubs get out of these systems in terms of hard, bottom line profit?

Are these solutions directly increasing profits over and above their total costs?

Enterprise CRM systems provide many levels of segmentation and profiling to allow extremely accurate targeting and profiling of the wider customer base. Does your marketing function do this? Or is your marketing output simply emails to the entire database? No point paying for segmentation if you aren’t going to use it.

So if you are investing heavily in enterprise CRM systems, you are maximising your data asset, running and measuring highly targeted campaigns, and achieving a measurable ROI in terms of profit, then well done! If not, then congratulations on your cash surplus”.

Absolute Data’s experience with CRM

Everton Football Club is a longstanding client of Absolute Data’s and one of the country’s leading football clubs. The club’s Corporate Sales department is responsible for maximising revenue from corporate hospitality, advertising, events and sponsorship. Absolute Data was asked to improve the way that leads and prospects were managed and accounts developed, and to move Everton away from its reliance on Talent CRM, Excel and Outlook, and good old fashioned pen and paper.

How did Absolute Data help?

Absolute Data moved in and helped assess Everton’s needs. We focussed on investigating the sales processes and designing labour-saving automated tasks that would be popular with the sales team and therefore increase the chances of adoption and success. On our advice, Everton FC implemented Salesforce CRM, and we worked with the Club and Salesforce’s professional services team to create a superb system to manage corporate and sponsorship sales and accounts.

Everton’s corporate sales management system now gives an unparalleled insight into sales activities and interaction with customers. The sales team love the system as it saves them time, gives them control, and helps them earn more. Management have an instant, accurate 24/7 view of the sales pipeline and forecasts, and the sales administrators find it far easier to work with than their legacy ticketing system. The results have been quite astonishing. Three Everton staff were trained and have now taken over development of the system, giving the club control: something that had become a requirement after years of frustration relying upon third parties and consultants. Salesforce is now an integral part of Everton’s CRM and data strategy.

Probably our biggest contribution was our superb insight into exactly how commercial departments operate in professional sport having been there and done it!

Are UK SMEs getting worse at protecting private information?

July 12th, 2012

Jamie Lawrence has reported that UK SMEs are not taking the necessary steps to destroy sensitive business data – and the main reason for this is that they do not believe ‘losing private information will have any impact on [their] business’. This is according to new independent research commissioned by Shred-it, the UK document destruction company.

“This year’s findings are particularly worrying, as they show SMEs becoming increasingly lax about information destruction as they just do not see any consequences for poor security procedures”, says Robert Guice, Executive Vice President, EMEA, Shred-it.

This lack of concern could be the reason why over one-third of SMEs (35.4 percent) admitted that they had no protocols in place for the storage and disposal of confidential data. Over three quarters of respondents (76.6 percent) either do not provide any training for employees on company information security procedures (26.6 percent) or do so only on an ad hoc basis (50 percent).

According to the Information Commissioner’s Office’s (ICO) annual report, there was a 21 percent decrease in the number of data protection cases received between 2009 and 2011 and a 9 percent decrease in the number of cases closed. This suggests that more needs to be done to combat data protection breaches by both the private and public sector in the UK.

The report also reveals:

  • Nearly half of SMEs (46.4 percent) said they did not have anyone specifically responsible for managing data security issues;
  • 12.8 percent of UK SMEs have no provision in place to shred sensitive documents;
  • 822 SMEs in the survey (81.9 percent) use an in-house shredding machine, but of those almost three quarters (72.2 percent) do not have anywhere secure to store documents before they are shredded;
  • Just 5.4 percent of SMEs use a professional shredding company, compared to 43 percent of larger firms (those with over 250 employees).

St George’s Healthcare NHS Trust issued £60,000 penalty

July 12th, 2012

St George’s Healthcare NHS Trust has been issued a £60,000 penalty after sensitive medical details were sent to the wrong address.

In May 2011, the Trust sent sensitive information in two letters. Although they were addressed to the correct recipient, the recipient had moved house and had not lived at that address for almost five years.
Investigations showed that the recipient had provided their new address, and that it had been recorded on the NHS Spine, the national care records service, in 2006.

Stephen Eckersley, the ICO’s Head of Enforcement, said:

“It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it. This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date.

“This is the fourth monetary penalty we have issued to the NHS in the past two months. It is vital that these organisations make sure they have the necessary measures in place to keep patients’ details secure.”

The Trust has now taken action to make sure that the personal information it handles is kept secure. This includes putting adequate checks in place to ensure that the local information the Trust holds for patients is correct, by cross-checking that information against the Spine and other relevant sources.

Europol failing to reveal or audit data transferred to US

July 3rd, 2012

PDP news has today reported that Europol has refused to reveal an inspection report detailing how financial data are shared with US authorities.

A report released earlier this year revealed that the EU police agency does not know the amount of financial data actually transferred to the US pursuant to a controversial terrorist financing tracking programme (the so-called ‘SWIFT’ agreement) adopted by the European Parliament in the summer of 2010.

Many MEPs were led to believe the European Commission would, within a year of the agreement, set up a system that would ensure the Americans only received the data they actually required. But two years later the Commission has yet to implement a system that would filter the data. Dutch Liberal MEP Sophie in ’t Veld described the situation as “the Americans want a needle, and we give them a haystack.”

Does signing the Telephone Preference Service register make any difference?

July 3rd, 2012

The Telephone Preference Service (TPS) is at times being ignored by telemarketing companies, an undercover investigation has found. The TPS was set up to ensure consumers are not contacted by telemarketing and telesales companies if they do not want to be. There are currently 17.5 million numbers on the list.

The BBC programme Panorama discovered that although individuals had complained to the Information Commissioner’s Office after repeatedly being contacted since signing up to the TPS register, no fines had been imposed on the offending companies.
Mike Lordan of the Direct Marketing Association, which runs the TPS, told Panorama that some companies are ignoring the rules: “Companies are not abiding by legislation, and we should be seeing enforcement against those companies who are persistently breaching legislation.”

Richard Lloyd from consumer group Which? also told the programme: “Even if you have signed up to the telephone preference service, it won’t make a jot of difference to those companies that are buying and selling that information you gave to that website maybe years ago.”

A spokesman for the Information Commissioner’s Office said that until this year it did not have suitable legal powers to act. Although it now has the power to impose fines of up to £500,000, it says that enforcing the rules is not easy given the vast amounts of money that companies which flout the rules stand to make.

ICO statement on unwanted marketing calls and text messages

July 2nd, 2012

The ICO now has the power to issue a monetary penalty for serious breaches of the Privacy and Electronic Communications Regulations. The powers allow us to issue the worst offenders with a monetary penalty of up to £500,000. The ICO currently has a team dedicated to enforcing these Regulations and is actively pursuing specific cases.

In March this year, the ICO introduced a web based form that allows individuals to report their concerns. So far around 12,000 individuals have responded and the ICO is using this information to trace the companies responsible for making these unwanted calls and to build up a picture of how this industry is operating.

The ICO is actively pursuing organisations that are the subject of frequent complaints, yet claim to only contact individuals with their consent. We are asking these organisations to provide us with proof that they are complying with the law.

ICO statement in response to the Open Data White Paper

June 28th, 2012

The Information Commissioner’s Office (ICO) has issued the following statement today in response to the publication of the Open Data White Paper.

Information Commissioner, Christopher Graham said:

“We welcome the publication of today’s Open Data White Paper and its recognition that transparency and openness must be central to the way modern public authorities operate. The proposals complement the spirit of the Freedom of Information Act and so support the accountability of public authorities. The paper also recognises the privacy concerns that must be addressed if these proposals are to be successful.

“We will continue to work with the Cabinet Office and the Ministry of Justice to ensure that the open data agenda and the government’s wider data sharing proposals increase transparency and accountability, while respecting the privacy rights of the UK citizen.”

Further information on today’s announcement can be found on the Cabinet Office website.

Civil monetary penalty issued to Belfast Health and Social Care (BHSC) Trust

June 20th, 2012

A civil monetary penalty has been issued to Belfast Health and Social Care (BHSC) Trust after the ICO confirmed that it had made a ‘serious breach of the Data Protection Act’.

Belvoir Park Hospital was left disused after a merger of six sites in April 2007. Although security measures were put in place to protect the many patient records left in the buildings (some of which dated back to 1950), trespassers were able to access the site quite freely in March 2010; they took photographs of some records and posted them online.
While the Trust took action to improve the security of the site, including repairing damaged doors and windows, on 11 April 2011, the Irish News reported that it was still possible to access the site without authorisation. The Trust then increased the number of security guards on site and carried out a full inspection which revealed further records, many of which were being retained in breach of the Trust’s ‘Records Retention and Disposal’ policy.
The Trust failed to report the situation at the Belvoir Park site to the ICO. The ICO’s investigation found that the Trust failed to keep the information secure and also to securely destroy medical documents which it no longer required.
The ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said:
“The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised.
“The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet.

“The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”
The Trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented by the Trust to ensure that personal information is securely destroyed once it is no longer needed.

Crackdown on Cookie Law begins

May 22nd, 2012

It has been confirmed that the Information Commissioner’s Office (ICO) will, in the coming weeks, contact large UK companies to find out what they have put in place in order to comply with the recently updated ‘Cookie Law’ (Privacy and Electronic Communications Regulations, or PECR).

The Cookie Law essentially means that businesses must gain consent from website users in order to track web activity. The deadline for businesses to make the necessary changes to comply is 26th May 2012.

ZDNet has reported that approximately 50 companies will be quizzed about whether they have audited their cookie use and what steps they have taken to ensure compliance.

Following my news post a few days ago, it is also apparent that many government departments are not currently compliant, and the ICO will apparently quiz some of them, so results could prove very interesting, as could any next steps the ICO chooses to take as a result.

The ICO’s Deputy Commissioner, David Smith commented:
“All we are doing is removing the moratorium, so that any non-compliance is considered as non-compliance,” Smith told ZDNet UK. “It’s most unlikely that cookie non-compliance will attract monetary penalties, unless you have reached the criteria for a serious breach or have caused substantial distress.”

“Majority” of the UK government’s own websites will fail to comply in time for the Cookie Law deadline

May 17th, 2012

The BBC has learned and reported that the “majority” of the UK government’s own websites will fail to comply in time – all UK sites have been given until 26 May to make sure visitors are able to give “informed consent” over cookies.

The Cabinet Office said the government was “working to achieve compliance at the earliest possible date”.

“As in the private sector, where it is estimated that very few websites will be compliant by the 26th May, so it is true of the government estate,” a Cabinet Office spokesman told the BBC.

“The majority of department websites will not be compliant with the legislation by that date.”

The BBC understands that the sites, which range from those run by local councils to national departments, have been told that no action will be taken by the Information Commissioner’s Office (ICO) over the deadline miss – provided they were “showing a commitment” to eventually make changes.

While government websites do not carry advertising, cookies are still used to carry out various tasks, such as helping site administrators monitor levels of traffic.

“If people listen to our advice and are prepared to take steps towards compliance there shouldn’t be a problem,” Dave Evans, the ICO’s group manager for business and industry, told E-Consultancy last month.

“However, if businesses deliberately stop short of total compliance, then there is a risk.”

Council is fined £70,000 for data breach

May 17th, 2012

The London Borough of Barnet received the monetary penalty after paper records ‘containing highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people’ were lost following a burglary at a social worker’s home in April 2011.

An investigation by the Information Commissioner’s Office (ICO) found that the ‘council failed to take appropriate organisational measures against the accidental loss of personal data held on paper records’.

An incident involving the council in 2010 resulted in them signing a formal undertaking to ensure that a paper-handling policy was introduced and adhered to; this latest blunder confirmed that this policy was not in place at the time of the second loss – and as a result, the fine was issued.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”

Comment
DataWise by Absolute Data, is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Information Commissioner’s Office (ICO) website blocked

May 15th, 2012

An apparent attack by hackers has created serious disruption to the ICO website, in what the ICO believes was a deliberate act.

Tweets on the social networking site Twitter claimed that Anonymous, a loosely organised group of hackers which has regularly targeted official websites, was behind the attack.

An ICO spokesman said the site contained no sensitive data:

“Access to the ICO website has been disrupted over the past few days. We believe this is due to a distributed denial of service attack,” he said.

“The website itself has not been damaged, but people have been unable to access it. We provide a public-facing website which contains no sensitive information.

“We regret this disruption to our service and we are working to try to bring the website back online as soon as possible.”

Facebook May Update Privacy Policy to Satisfy Regulators

May 13th, 2012

In response to a request made by the Irish data protection agency, it has been suggested that Facebook may update its privacy policy.

Included in the request was for Facebook to publish ‘more detail on how long data can be held, what happens when accounts are deactivated and what kinds of ads could be shown to users even when they’re not on Facebook’s pages’.

“We’re adding more examples and detailed explanations to help you understand our policies,” Erin Egan, Facebook’s chief privacy officer for policy, said in a blog posting on the site.

ICO statement on the Draft Communications Data Bill

May 9th, 2012

An ICO spokesperson said:

“We are waiting to see the detail of what is proposed, including any role envisaged for the Information Commissioner. We shall then have to judge whether the Commissioner’s current powers are adequate for the task or whether additional powers and resources will be needed. It remains our position that the case for this proposal still has to be made, and we shall expect to see strong and convincing safeguards and limitations to accompany the Bill.”

Google 'Street View' saga set to continue

May 3rd, 2012

The Information Commissioner’s Office (ICO), although it closed its investigation last year, could be forced to look into privacy issues relating to Google Street View again, after the Canadian privacy watchdog suggested “significant personal data had indeed been collected”.

After a second look at the issue, the ICO insisted that Google submit to a series of audits, but chose not to fine the company.

Now that even more new evidence has come to light (a report by the US Federal Communications Commission) suggesting that “Google employees were fully aware of the data collection”, the ICO “…will study the Federal Communication Commission’s report and consider what further action, if any, needs to be taken.”

The next audit from Google is due in June, which will show whether or not the ICO’s initial recommendations have been implemented.

ICO informed of billing system hack

May 1st, 2012

A Leeds-based web hosting company has informed the Information Commissioner’s Office(ICO) that its systems have been ‘compromised by hackers’.

eUKhost Ltd posted an announcement on its website last Saturday morning (28th April 2012):

“Although the method of the compromise remains unclear, we can confirm that an administrator level login was compromised and an IP address added to an allow list to allow a successful login.”

“We are still investigating how this compromise occurred and we can’t currently see any evidence of a database dump. However, with our billing system compromised on any level, passwords stored within and not changed since signup can potentially be compromised.”

The hack itself occurred in February 2012, although eUKhost Ltd didn’t find out about the hack until last week, when the hacking group responsible posted a video confirming the activity on YouTube. UrduHack, a Pakistani hacking group, has been confirmed as responsible for the hack.

eUKhost Ltd said:
“The hacking group responsible is not the type to cause trouble with individuals… they are the kind of hackers that just want to prove they can do something. Their motive was not financial, and they were not interested in compromising our systems, they just wanted to prove they could do it.”

“We are… a bit guilty of not following our own advice that we give to our customers, so we are a little embarrassed that we have not practiced what we preached.”

eUKhost has now moved its billing system to a new server and changed the encryption algorithm. Payment details do not appear to have been compromised.
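The practitioner’s point in the eUKhost notice is the line about passwords “stored within and not changed since signup”: if a billing system holds passwords in any reversible form, an attacker with an administrator login gets every customer password at once, and changing the algorithm afterwards does not help those already taken. The added example below is not eUKhost’s code and makes no claim about what their system did; it shows the shape that avoids the problem, a salted, slow, one-way hash (PBKDF2-SHA256 from the Python standard library, a choice made here) with a self-describing storage format so the cost can be raised later and old hashes upgraded on the user’s next login.

```python
import base64
import hashlib
import hmac
import os

# Current parameters. Raising ITERATIONS later does not invalidate stored
# hashes: each record carries its own parameters and is upgraded at next login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash', all base64 where binary."""
    salt = os.urandom(SALT_BYTES)           # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with an older algorithm or a lower cost than current policy."""
    algo, iters, *_ = stored.split("$")
    return algo != ALGORITHM or int(iters) < ITERATIONS


def login(password: str, stored: str) -> tuple:
    """Verify the password. On success, return the hash the caller should persist:
    unchanged if it already meets policy, otherwise a freshly computed one at current cost.
    The plaintext is available only at this moment, so this is the only place an upgrade can happen."""
    if not verify_password(password, stored):
        return False, stored
    return True, (hash_password(password) if needs_rehash(stored) else stored)
```

With this layout a compromise of the database yields salts and hashes only; recovering any one password costs the attacker ITERATIONS hash computations per guess, per account, and there is no key whose theft exposes everything. A password change still has to be forced after an incident like the one described, but the window in which stolen records are useful is measured in the attacker’s compute budget rather than being immediate.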

NHS receives first fine for data breach

April 27th, 2012

Aneurin Bevan Health Board (ABHB), in Wales, has been fined £70,000 after a hospital accidentally sent a patient’s health details to the wrong person.

The incident happened after a consultant sent a letter to a medical secretary to be formatted, but omitted the patient number and spelt the patient’s name incorrectly. As a result, the secretary selected the wrong patient (one with a similar name) and the letter was sent to, and read by, that patient.

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate,” ICO enforcement chief Stephen Eckersley said in a statement.

It was discovered that data protection training had been given to neither the consultant nor the medical secretary, and that ABHB had no adequate checks in place to stop such an incident occurring.

Stephen Eckersley, of the ICO, said: “Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO… this case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.”

Pertinently, although this is the first fine levied on an NHS organisation, “the data protection watchdog is still considering other fines for similar bodies”.

Brighton and Sussex University Hospitals NHS Trust is facing a much weightier £375k fine after a contractor it employed to destroy hard drives sold them on eBay instead. The drives contained patient data. However, the ICO has not yet given a final decision on that fine, as it is still in discussions with the Trust.
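Both the ABHB case above (a letter routed on a misspelt name with no patient number) and the St George’s case earlier on this page (a correct name posted to an address the Spine had shown as out of date for years) are failures of a check before dispatch, not of encryption or access control. The following is an added example, not code from either Trust or from the NHS: a dispatch check that refuses to resolve a patient without the unique identifier, requires the surname to agree with that identifier as a second factor, and then holds the letter if the local address disagrees with the master index or has not been confirmed within a policy window. The record layout, the in-memory “master index” standing in for the Spine, and the 365-day window are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


class DispatchError(ValueError):
    """Raised when correspondence must be held rather than sent."""


@dataclass(frozen=True)
class Patient:
    patient_number: str
    surname: str
    forename: str
    address: str
    address_updated: date       # when the local contact record was last confirmed with the patient


# Constructed sample data for the example; not real patient records.
LOCAL_RECORDS = [
    Patient("P001", "Smith", "Jane", "1 Old Road, Leeds", date(2006, 3, 1)),
    Patient("P002", "Smyth", "Jane", "7 Mill Lane, York", date(2011, 1, 14)),
    Patient("P003", "Smith", "John", "9 High St, Hull", date(2011, 5, 2)),
]

# Stand-in for the national index the local record must agree with.
MASTER_INDEX = {
    "P001": "22 New Street, Leeds",    # patient moved; the local record above is stale
    "P002": "7 Mill Lane, York",
    "P003": "9 High St, Hull",
}


def _norm(s: str) -> str:
    """Case- and punctuation-insensitive comparison key for names."""
    return re.sub(r"[^a-z]", "", s.lower())


def select_patient(records, patient_number: Optional[str], surname: str) -> Patient:
    """Resolve the patient for a letter.

    The patient number is the only identifier trusted to be unique, so a request
    without one is refused outright instead of falling back to a name search
    (the ABHB failure). The surname must then agree with the numbered record,
    which catches a transposed or mistyped number.
    """
    if not patient_number:
        raise DispatchError("refusing lookup without a patient number")
    matches = [r for r in records if r.patient_number == patient_number]
    if len(matches) != 1:
        raise DispatchError(f"patient number {patient_number!r} matched {len(matches)} records")
    patient = matches[0]
    if _norm(patient.surname) != _norm(surname):
        raise DispatchError(f"surname {surname!r} does not match record {patient_number}")
    return patient


def address_for_dispatch(patient: Patient, master: dict, today: date, max_age_days: int = 365) -> str:
    """Return an address safe to post to, or raise if the local record is stale or disagrees with master."""
    master_addr = master.get(patient.patient_number)
    if master_addr is None:
        raise DispatchError(f"{patient.patient_number} not found in master index")
    if master_addr.strip().lower() != patient.address.strip().lower():
        raise DispatchError(f"local address for {patient.patient_number} differs from master: hold letter")
    if (today - patient.address_updated).days > max_age_days:
        raise DispatchError(
            f"address for {patient.patient_number} last confirmed {patient.address_updated}: reconfirm before sending"
        )
    return patient.address


def dispatch_check(records, master, patient_number, surname, today) -> dict:
    """Run both checks and return a decision a mail queue can act on and log."""
    try:
        p = select_patient(records, patient_number, surname)
        return {"ok": True, "patient": p.patient_number, "address": address_for_dispatch(p, master, today)}
    except DispatchError as e:
        return {"ok": False, "reason": str(e)}
```

The deliberate design choice is that every ambiguous path ends in a held letter with a logged reason, never in a best guess; the cost of a held letter is a phone call, the cost of a guess is the kind of disclosure these two penalties were issued for.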

Trustworthy Internet Movement (TIM) to publish the names of insecure websites

April 26th, 2012

The move by TIM aims to improve website security, following research that confirmed 52% of sites were using “versions of security protocols known to be compromised”.

The group, which consists of security experts and entrepreneurs, has been created out of frustration at blasé attitudes and the slow pace of online safety improvements.

“We want to stimulate some initiatives and get something done,” said TIM’s founder Philippe Courtot, serial entrepreneur and chief executive of security firm Qualys.

Other experts who will be part of TIM include SSL’s inventor Dr Taher Elgamal; “white hat” hacker Moxie Marlinspike, who has written extensively about attacking the protocol; and Michael Barrett, chief security officer at PayPal.

TIM’s testing will be in two stages: the first is to run automated tools against websites to test how well they have implemented SSL. The second concerns the running of the bodies, known as certificate authorities, which vouch that a website is what it claims to be.

“We’ll be making it public,” adds Courtot, “Everyone is now going to be able to see who has a good grade and who has a bad grade.”
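The first stage TIM describes, automated tools run against a site to see how its SSL is configured, is something any operator can do for their own hosts before a third party publishes a grade. The following is an added example and not TIM’s or anyone else’s scanner: `probe_tls` connects with Python’s standard verifying client context and records what the server negotiated, and `assess` turns that into findings (the thresholds and the deprecated-version list are this example’s own choices). The sample results in the test are constructed, so nothing here touches the network when checked.

```python
import socket
import ssl
from datetime import datetime, timezone

# Protocol versions a 2012-era scanner would already have flagged; TLS 1.0 and 1.1
# have since joined them. The set is this example's policy, not a standard's.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the server as a modern verifying client and report the outcome.

    Certificate validation and hostname checking are left on, so a server that
    fails either raises ssl.SSLCertVerificationError here, which is itself a finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, _proto, bits = tls.cipher()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            days_left = (not_after - datetime.now(timezone.utc).timestamp()) / 86400
            return {
                "version": tls.version(),       # e.g. "TLSv1.3"
                "cipher": cipher_name,          # OpenSSL cipher suite name
                "bits": bits,                   # effective key strength
                "days_to_expiry": days_left,
            }


def assess(result: dict, min_bits: int = 128, expiry_warn_days: int = 30) -> list:
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    if result["version"] in DEPRECATED_VERSIONS:
        findings.append(f"negotiated {result['version']}, a deprecated protocol version")
    if any(marker in result["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"cipher suite {result['cipher']} uses a weak primitive")
    if result["bits"] < min_bits:
        findings.append(f"cipher strength is only {result['bits']} bits")
    if result["days_to_expiry"] < 0:
        findings.append("certificate has expired")
    elif result["days_to_expiry"] < expiry_warn_days:
        findings.append(f"certificate expires in {result['days_to_expiry']:.0f} days")
    return findings


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        r = probe_tls(host)
        print(host, r["version"], r["cipher"], assess(r) or "no findings")
```

One caveat on reading the output: `ssl.create_default_context()` will not itself offer the legacy protocol versions, so this probe reports the best the server negotiates with a current client. Finding out whether the server would also still accept SSLv3 to an old client requires deliberately downgraded client contexts, one per version, which is what a full scanner of the kind TIM describes does.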

ICO fines – the disparity of fines between private and public sector data breaches

April 25th, 2012

A BBC report has highlighted the types of data breaches that have occurred in the UK over the last year, in both private and public sector organisations, and the apparent disparity between the level of fines levied, after a freedom of information request by satellite system-maker Viasat.

The UK’s private sector accounted for more than a third of all reported data breaches over 11 months, but less than 1% of the resulting fines, according to a Freedom of Information request.

Five fines totalling £790,000 were imposed on the public sector and one £1,000 penalty on a private firm.

During the period March 2011 to February 2012, the ICO said 730 events had been flagged up as being potentially liable to a penalty or other action.

The private sector reported 263 cases, while 467 were reported by government and other public sector bodies.

These included:
• 281 incidents when information had been mistakenly sent via email, documents had been sent to the wrong address, or other similar accidents;
• 170 incidents caused by the theft of data or hardware;
• 108 events involving the loss of data or hardware, of which the NHS was responsible for just over a third of cases;
• 17 instances in which materials had not been disposed of properly.

Of the 433 breaches resolved over the period, six resulted in local councils being fined. The biggest penalty was a £140,000 charge imposed on Midlothian Council after it repeatedly disclosed personal data about children and their carers to the wrong recipients.

The private sector company singled out was ACS:Law. Its data controller was fined £1,000 after a hack attack and subsequent security breach resulted in sensitive details about 6,000 people being published on a third-party website.

The ICO said at the time that it would have imposed a larger £200,000 fine had the firm not ceased trading and its owner not been of limited means.

Recent data breaches that have come to light include:
• The accidental publication of the home and email addresses of 38,000 people who applied to run the London Marathon
• Loans company Student Finance England sending an email to 8,000 customers, which included other recipients’ email addresses
• Scotland Yard sharing email addresses of more than 1,000 victims of crime with other victims.
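Two of the three breaches listed above (Student Finance England and Scotland Yard) are the same mistake: a bulk email with every recipient in a visible header, so each person receives everyone else’s address. The following is an added example, not code from either organisation, showing the leaky construction beside the safe one and a pre-send check that a mail-sending job can run on every message. The recipient list and addresses are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "noreply@example.org"   # assumption for the example

# Constructed recipient list; not real addresses.
RECIPIENTS = ["a.student@example.org", "b.student@example.org", "c.student@example.org"]


def leaky_bulk_message(recipients, subject: str, body: str) -> EmailMessage:
    """The failure mode: one message with all recipients in To (Cc behaves the same)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def per_recipient_messages(recipients, subject: str, body: str):
    """One message per recipient, so no address ever appears in another person's copy.
    This is preferable to a single message with everyone in Bcc: it also lets the
    body be personalised and gives a per-recipient delivery record."""
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        yield msg


def exposed_addresses(msg: EmailMessage) -> set:
    """Addresses that every recipient of this message would be able to read."""
    values = [v for header in ("To", "Cc") for v in msg.get_all(header, [])]
    return {addr for _name, addr in getaddresses(values) if addr}


def check_before_send(msg: EmailMessage, max_visible: int = 1) -> None:
    """Refuse to send a message that reveals more than max_visible recipient addresses."""
    seen = exposed_addresses(msg)
    if len(seen) > max_visible:
        raise ValueError(f"message exposes {len(seen)} recipient addresses to each other")
    if msg.get_all("Bcc"):
        # A Bcc header must be stripped before transmission; smtplib.send_message does
        # this, but a raw sendmail() call would send it to everyone. Catch it here.
        raise ValueError("message still carries a Bcc header")
```

The check is cheap enough to run unconditionally in the sending path, which is where it belongs: the mistake is made at composition time by whoever builds the list, and the sender is the last point at which it can be caught.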

Study carried out by ICO finds personal information on hard disks

April 25th, 2012

The BBC has reported on a recent study carried out by the Information Commissioner’s Office (ICO), suggesting that ‘one in 10 second-hand hard drives still contain the original user’s personal information’.

As part of the study, the ICO purchased devices from various sources, including eBay and computer fairs, and discovered that from the 200 hard disks collected, 11% of them contained personal information.

Alarmingly, ‘at least two of the drives had enough information to enable someone to steal the former owners’ identities’.

“We live in a world where personal and company information is a highly valuable commodity,” said Information Commissioner Christopher Graham.

“It is important that people do everything they can to stop their details from falling into the wrong hands.”

Among the 34,000 files found were scanned bank statements, passports, information on previous driving offences and some medical details.

Four of the hard drives came from organisations rather than individuals and contained information about employees and clients, including health and financial details.

All four organisations had been contacted, and had subsequently taken action to securely erase data on old equipment, the ICO said.

The ICO has published guidance for individuals on how to securely delete information.
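The reason one in ten second-hand drives still carried the previous owner’s files is that deleting a file removes the directory entry and leaves the data blocks in place until something overwrites them. The following added example, which is not the ICO’s guidance or tooling, shows the minimum an individual or a small organisation can do from a script before a machine leaves their hands: overwrite each file’s contents in place, force the write to disk, truncate, and only then unlink; `wipe_tree` applies it to a whole directory. The path handling and the single-pass default are this example’s choices.

```python
import os


def wipe_file(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite a regular file's contents with random bytes, fsync, truncate, then unlink.

    Returns the number of bytes overwritten (size × passes). Symbolic links are
    unlinked without being followed, so a link into another directory cannot
    cause that directory's file to be destroyed.
    """
    if os.path.islink(path):
        os.unlink(path)
        return 0
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            os.fsync(f.fileno())            # make sure the overwrite reached the device
        f.seek(0)
        f.truncate(0)                       # the original length is itself information
        os.fsync(f.fileno())
    os.unlink(path)
    return size * passes


def wipe_tree(root: str, passes: int = 1) -> int:
    """Wipe every file under root (deepest first) and remove the directories. Returns bytes overwritten."""
    total = 0
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            total += wipe_file(os.path.join(dirpath, name), passes=passes)
        for d in dirnames:
            os.rmdir(os.path.join(dirpath, d))
    os.rmdir(root)
    return total
```

This is a file-level measure and it has known limits: on SSDs and other flash media the controller remaps blocks, so the old contents may survive where no filesystem write can reach them; journaling filesystems, snapshots and backups can hold further copies. For equipment disposal the reliable answers are full-disk encryption from the day the machine is issued (so that destroying the key suffices), the drive’s own secure-erase command, or physical destruction, with a record of which was done for each serial number.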

Theft of briefcase results in Data Protection Act (DPA) breach

April 19th, 2012

The ICO confirmed the DPA breach after verifying that sensitive personal data was stolen along with a briefcase from a Leicestershire County Council social worker’s home.

The briefcase, which was stolen in a burglary in May 2011, contained the sensitive personal data of 18 individuals, outlining ‘details of neglect and requested the removal of the children from their parents’ care’.

Although the line manager who authorised the social worker to take the files home had been trained in data protection policies and procedures, the social worker had not.

The authority had a policy in place but this didn’t relate to the handling of paper documents while working from home.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Local authorities must recognise that social workers are handling some of the most sensitive information available. The fact that this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.

“While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.

“We are pleased that the Council have now committed to taking action to protect the personal information they handle and will extend its training programme to cover all staff who are regularly required to take this information outside of the office.”

London Hospital loses two unencrypted USB sticks – poor staff training is blamed

April 18th, 2012

South London Healthcare NHS Trust was ordered to sign a formal undertaking after it mislaid two unencrypted memory sticks containing the personal data of 600 maternity patients and the medical and personal data of 33 children. Although both memory sticks were later recovered, the Information Commissioner’s Office (ICO) maintained concerns that the data could have been copied onto another device due to the sticks’ lack of encryption, and as such, the formal undertaking was requested.

“Due to not having received up to date information on governance training the employee was unaware that an encrypted device issued by the data controller should have been used”, said the ICO.

A formal press release was not issued by the ICO, presumably because the devices were recovered.

Key data protection & security questions a business should ask itself…

April 12th, 2012

Can your firm answer these five security questions?

• How am I protected if a member of my staff decides to steal data, misuse information, commit fraud or just makes a mistake?

• What stops my business being hit like the bigger firms that I see in the press getting hacked by cyber criminals?

• What are the most valuable things my business has (customer data, IPR, reputation etc.)?

• If I had a security breach tomorrow what would I do? (or how would I know?)

• Could I get all the data back if I lost a server, laptop, member of staff, filing cabinet etc?

DataWise, a service by Absolute Data, is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

ICO statement on Operation Motorman

April 12th, 2012

“We strongly condemn the irresponsible publication of material from the Motorman files. Putting these into the public domain in this way is a serious violation of many people’s privacy and raises more questions than it answers.

“People who are concerned that their personal data may have been included in the Motorman files are able to contact the ICO via our website to make a ‘fast-tracked’ Subject Access Request (SAR) under the Data Protection Act (DPA).

“The issue of publication is being considered by the Leveson Inquiry and it’s most unfortunate that Guido Fawkes has chosen to jump the gun.

“The ICO will now consider what further steps it should take in the face of this apparent breach of the DPA.”

Aviva apologises for sending confidential information to the wrong people

April 10th, 2012

Insurance company Aviva sent policy holders pension plans that were relating to other people, in a blunder at the end of last week.

Britain’s biggest insurance company has asked customers to destroy or return the misdirected letters, which all contain annual bonus information and expected reward on retirement.

Aviva ought to be asking themselves serious questions about their data protection practises following this major blunder. In the meantime, a letter of apology has been sent by the company’s ‘Customer Experience Director’ Hugh Hessing, to each affected person.


Virgin Atlantic employee resigns over information leak allegation

April 9th, 2012

ITV has reported that the Information Commissioner’s Office (ICO) will be making enquiries into allegations that a Virgin Atlantic employee passed on celebrities’ flight details to a London picture agency.

Princess Beatrice, singer Cheryl Cole and actress Sienna Miller are among those whose details are reported to have been handed over.

The accused employee resigned in the wake of the accusations but is understood to deny the claims.

The Information Commissioner’s Office said:

“The ICO takes all breaches of the Data Protection Act seriously. Any organisation processing personal information in the UK must ensure they comply with the law.

“We will need to make further inquiries to establish the precise nature of the alleged incident before deciding what action, if any, needs to be taken by this office.”

Virgin Atlantic is looking into the allegations and has said it would “deeply regret” any concern caused to the passengers believed to be involved.


UK Businesses to worry about proposed EU General Data Protection Regulation?

April 5th, 2012

Independent IT integrator SecureData has voiced concerns regarding the ‘EU General Data Protection Regulation – UK Enterprise Enquiry’, suggesting the legislation contained within it could lead to “collateral damage” to UK businesses.

IT Managers across various industries (including financial, manufacturing, retail, distribution/transport and commercial) were questioned about data compliance – 94% were found to have some level of responsibility in this area.

Taken from the report, key findings include:
• 72 per cent of respondents from the largest businesses (3,000 employees+) said the draft data protection rules would cost their business more
• Limited agreement (64 per cent and 58 per cent) that the proposed regulations would improve business security processes and consumer data protection
• 40 per cent think the proposed 24-hour deadline for notifying individuals of a data breach would advertise security weaknesses before an appropriate security review could be completed
• 36 per cent fear “false alarms” from pressures to notify of data breaches quickly to avoid fines
• 26 per cent envisage their enterprise outsourcing the new data protection officer job role requirement

Carl Shallow, head of compliance at SecureData, comments: “Consumers may have a right to be forgotten, but hard-working growth businesses have a right to be remembered. The new internet economy is vital to Europe’s economic recovery and the need for increased data protection must be finely balanced with freedoms for technological and business model innovation. Fears over unintended collateral damage from this legislation clearly need to be reviewed.

“Across the enterprise questions must be asked about exactly what is sensitive data and where does it reside. There is frequently an abundance of ‘lost’ unstructured data siloed across the largest organisations’ IT estates. The new act is an ideal opportunity to review data governance procedures and management solutions.”

Comment
DataWise, a service by Absolute Data, is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches – and prices start from as little as £125 a month. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Absolute Data launches CRM / Data in Sport Professional Group

April 4th, 2012

Absolute Data has today launched the CRM/Data in Sport Professional LinkedIn group after several of our club clients suggested that we create and moderate a group exclusively for people working with CRM and data in professional sport at club or governing body level.

The group will be attractive to:
• Privacy Compliance Managers;
• CRM/Data Managers;
• Ticket Office Managers;
• Data Protection Managers;
• IT Managers.

Features & Benefits of the group:
• Industry-specific support, guidance, links;
• Sharing ideas by promoting relevant discussions;
• Recommended models for best practice;
• Availability of specialist consulting services;
• Review/support individual queries and cases.

We’d like this to be a pragmatic group – a source of guidance, ideas, and solutions – rather than a talking shop. While the group is peer-to-peer, Absolute Data’s consultants will be available to: stimulate and encourage discussion; highlight relevant news, events and current affairs; field questions; write newsletters; organise periodic face-to-face meetings; organise or recommend training courses/materials; and invite guest moderators and writers to contribute to discussions and podcasts.

Please take a look at the Group here: http://www.linkedin.com/groups?gid=4383936&trk=myg_ugrp_ovr

Section 55 of the UK Data Protection Act breached by SAI Property Investments Limited

April 2nd, 2012

The company, trading as IPS Property Services, has been fined £260 and ordered to pay a £15 victim surcharge and £702.08 in prosecution costs for obtaining details about its tenants from a rogue employee at Slough Borough Council. A Director at the company was fined a further £260 for two offences, plus a £15 victim surcharge and £351.03 in prosecution costs.

The rogue employee gave the firm information regarding Housing and Council Tax Benefit relating to the victim – he was fined £690 for three offences.

The Information Commissioner’s Office said: “This case highlights the need for a more appropriate range of deterrent punishments to be made available to the courts.”


Public Authorities required to speed-up Freedom of Information Request responses

March 23rd, 2012

£70,000 Monetary Penalty served to Lancashire Constabulary

March 16th, 2012

Scottish Charity breaches Data Protection Act, and signs formal undertaking to ensure future data security

March 10th, 2012

Letting Agent fined for attempted Data Protection Act breach

February 29th, 2012

A letting agent has been fined £200, ordered to pay a £15 victim surcharge and asked to pay £728.60 in prosecution costs after he was found guilty of illegally trying to obtain information regarding a tenant’s financial status.

The agent, Mr Pinchas Braun, called the Department for Work and Pensions (DWP) and tried to access the personal information of the tenant. When he was unable to confirm the middle name of the tenant in question, the DWP ended the call and informed the ICO of the incident.

Braun, who at the time worked for Manor West Estates property management company, had no authority to access such details. He could have received anything up to £5,000 by way of a fine; unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998.

Information Commissioner, Christopher Graham, said:

“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.

“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.

“This case shows that unscrupulous individuals will continue to try and blag people’s details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.

“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity”.

Two councils fined a total of £180,000 for serious Data Protection Act breaches

February 15th, 2012

Croydon Council has been served a monetary penalty of £100,000 after “a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub”.

Norfolk County Council has been served with a fine of £80,000 after it “disclosed information about allegations against a parent and the welfare of their child to the wrong recipient”.

Stephen Eckersley, Head of Enforcement said:

“We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place. 

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”

Council fined £80,000 for Data Protection Act breach

February 15th, 2012

The Information Commissioner’s Office (ICO) has today announced that it has ordered Cheshire East Council to pay the monetary penalty ‘for failing to take appropriate measures to ensure the security and appropriateness of disclosure when emailing personal information’.

In May 2011, an email detailing concerns about an individual working in the area ended up being forwarded to 180 unintended recipients after the correct policies and procedures were not followed. The use of personal email accounts rather than a secure email system, and a lack of direction as to what recipients should do once they received the email, were factors that contributed to the breach.

Stephen Eckersley, Head of Enforcement, said:

“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”

Following the breach, the council attempted to recall the email to prevent further dissemination. Over half (57%) of the recipients confirmed that they had deleted the information.


E*Trade Securities Ltd breaches Data Protection Act

February 3rd, 2012

The ICO has today confirmed that financial services company, E*Trade Securities Ltd, lost over 600 customers’ personal details – and after investigation, has been found to have breached the Data Protection Act.

Archived documents, containing identification numbers, proof of address and account application forms that were stored in a facility in the UK went missing back in April 2010, prompting the company to inform the ICO.

It was found that no formal agreement was in place between the document storage company and E*Trade, thus compromising the security of the data.

As a result, the organisation has agreed to implement written agreements, ensure appropriate audit trails are in place and record where client files are stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure. 

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”

Comment
This case highlights a compromise in 5 of the 8 principles of the Data Protection Act. The loss of data has highlighted that the data was not secure, it may not have been accurate and up to date, it may well have been kept longer than necessary, it could have been irrelevant and excessive, and it may not have been processed with the data subjects’ rights in mind.

Absolute Data’s service, DataWise, can help organisations such as E*Trade Securities Ltd reduce the risks they take in protecting their customers’ data. We are committed to helping your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. We provide our clients with a data protection toolkit, offering robust and effective solutions in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

First Scottish council fined for breaching the Data Protection Act – this time for £140,000

January 30th, 2012

Midlothian Council has been fined after it disclosed ‘highly sensitive personal data relating to children and their carers’ on five separate occasions.

The incidents occurred between January and June 2011; each time papers and reports were sent to the wrong recipients. Although the first incident happened in January and was investigated in March, it didn’t stop other breaches occurring in May and June.

Assistant information commissioner for Scotland, Ken Macdonald, said: “Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.”

The ICO has confirmed that the conclusions of its investigation were that all five breaches ‘could have been avoided if the council had put adequate data protection policies, training and checks in place’.

The ICO is asking the government for stronger powers to audit local councils’ data protection compliance, if necessary without consent.


A reason to use DataWise

January 27th, 2012

As Absolute Data launches its DataWise service, we look at some of the most high-profile data protection blunders made in 2011 (compiled by www.information-age.com).

DataWise, by Absolute Data, is committed to advising companies and organisations, regardless of their size, in creating robust and effective data protection policies and procedures, and helping them to ensure they stay above the law. We spend time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law.

A recent study carried out in partnership by the Ponemon Institute and Experian suggests that “by far, negligent employees, temporary employees or contractors not only make organisations vulnerable to [future] breaches…. [but that] conducting training and awareness programmes and enforcing security policies should be a priority for organisations” (2011).

March 2011
Retail, banking and services conglomerate the Co-operative Group apologised after details of 83,000 customers of its funeral planning service were accidentally published online. It blamed the episode on a contractor.

June 2011
Which? Money published a study of data protection complaints against banks. It found that Barclays Bank topped the list, with 116 legitimate complaints to the Information Commissioner’s Office in 2010, just above Lloyds with 114 complaints. The most common breaches by banks, the study found, were failures to respond to subject access requests.

August 2011
A hospital in Dublin was forced to admit that patient records had been subject to “unauthorised access and disclosure” after being sent to the Philippines for transcription, having initially described reports of the breach as “unsubstantiated”.

NHS North Central London (NHS NCL) had 20 of its laptops stolen from a storeroom. One of the laptops contained 8.6 million patient records, and the incident was only reported to police three weeks after the laptop went missing.

September 2011
A former Barclays employee was found guilty of illegally accessing a customer’s data. The woman, the wife of a convicted sex offender, who abused her position to find out details of her husband’s victim, had chosen to “ignore training [Barclays] provide”, the bank said. “All staff receive annual training on the importance and regulatory requirements of the Data Protection Act and the consequences of any breach.”

November 2011
A woman applying for a mortgage had her credit rating damaged by a glitch in the bank’s credit checking software. The system accidentally accessed the woman’s credit history multiple times, prompting her score to deteriorate. The ICO found that it was “unlikely that Barclays has complied with the requirements of the [Data Protection Act]”, but did not take any action against the bank.

December 2011
Powys County Council was fined a record £130,000 after sensitive information relating to child protection case was mailed to the wrong recipient. The information had been picked up accidentally from a shared printer.

Local Government
Big Brother Watch’s report suggested that 1,035 data breaches had occurred in local government since 2008, although only 53 were reported to the ICO. These breaches included the loss of 244 laptops, 98 memory sticks and 93 mobile devices.

What does the ICO have to say?
“Education… awareness raising… are key activities”

Contact us now to discuss how your organisation will benefit from using DataWise: info@absolute-data.co.uk, or call us on 01423 790125.

Firms bite back in response to EU data breach proposals – DataWise can help

January 27th, 2012

Yesterday, we reported that Viviane Reding, Justice Commissioner, has announced proposals to ensure organisations report all data breaches to their national supervisory authority (in the UK’s case, the Information Commissioner’s Office, or ICO) within 24 hours.

Computerworld has since reported that ‘many companies don’t have the sophisticated systems for identifying breaches in the first place’, which could prove difficult in meeting the 24-hour deadline. “Mandatory reporting of data breaches within 24 hours will be difficult, if not impossible, to comply with,” said Bridget Treacy, partner at law firm Hunton & Williams.

Gerhard Eschelbeck, CTO at IT security firm Sophos, agreed, describing the deadline as “very aggressive”, and said that this would impact the quality of the breach notifications.

In the same announcement, Reding proposed a staggered fining system, with organisations fined between 0.5% and 2% of their revenues for serious data breaches. This proposal has been met with worry among many businesses.

Pat Phillips, practice director at consultancy Xceed, said that this was a particular area of concern. “The real worries are around those parts of the bill that can directly impact the bottom line. With the threat of a fine of up to two percent of annual global turnover, CISOs will already be girding themselves for safeguarding the business’ profitability alongside its data,” he said.

Marc Dautlich, head of information law at law firm Pinsent Masons, agreed that the new regulations will have a significant impact on business costs.

“[With the two percent fine] the penalties for non-compliance are extremely large,” he said. “Fixed costs on medium-sized companies will increase as they will need to appoint a data protection officer, no matter how little personal data they actually process in Europe.”

Francois Zimmermann, CTO at Hitachi Data Systems UK, interestingly pointed out that “To implement effective data management policies, the rules and policies should be updated as part of an evolutionary process, with changes being introduced as and when they are needed, rather than in a raft every few years or so. This will challenge organisations to have an infrastructure in place that can cope with this constant change.” And this is where our service, DataWise, can help.

DataWise is a service committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Tough new data protection rules proposed by European Commission

January 26th, 2012

One of the rules proposed could see businesses fined 2% of turnover for serious data breaches, Viviane Reding, Justice Commissioner, has announced. As well as this, “Companies and organisations must notify [authorities] of serious data breaches as soon as possible — and to me, that means within 24 hours,” said Reding.

According to a Commission FAQ document, processing sensitive data without an individual’s consent will be considered a serious violation. Less serious breaches of the rules would see a lesser fine, proposed to be stepped at €250,000, or 0.5% of turnover, whichever is higher, and €500,000 or 1% of turnover, whichever is higher.

One of the main aims of the proposed changes is to see a ‘much simpler data protection administration throughout Europe’, according to Reding. As well as this, Reding has stated that “American companies… have to apply European law, like everybody who is doing business in Europe. Full stop.”

Network plugs security hole after it inadvertently provides users' numbers to websites accessed using 3G network

January 25th, 2012

The Guardian has reported that mobile operator O2 has admitted it “regularly hands over subscribers’ phone numbers to sites that offer age-restricted material and premium-rate billing, whether the users realise it or not”.

The Guardian says that O2 is the UK’s second-biggest mobile network with about 27.2m subscribers, and another 2.8m using its network through Tesco Mobile, plus an unknown number on the GiffGaff SIM-only network. With smartphone penetration at around 50% that could mean that up to 15m people have been affected by the data leakage.

An ICO spokesperson said: “Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the privacy and electronic communications regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”

Praxis Care Limited loses unencrypted memory stick – Data Protection Act breached

January 19th, 2012

The BBC has reported that the care provider lost the sensitive personal information records of around 107 people from the Isle of Man and 53 people from Northern Ireland, when an unencrypted memory stick went missing on the Isle of Man in August 2011.

All those concerned have now been informed, and the Information Commissioner’s Office (ICO) has ordered the company to improve its procedures.

Christopher Graham, the UK Information Commissioner, said: “Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable.

“The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

In a statement, Praxis Care said: “Praxis Care can confirm it has agreed with the Information Commissioner measures to improve data security following the loss of service user information in August 2011 on the Isle of Man.

“The main element of the undertaking confirms the measures taken shortly after the incident to encrypt data and improve data handling.

“The data loss was promptly reported to the relevant authorities including the Information Commissioner. All service users affected were informed of the details of the lost information and received an apology from Praxis Care.

“Praxis Care is confident that the measures taken will greatly reduce the risk of future information loss.”

Comment
DataWise by Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

NHS Trust tipped to receive ICO’s biggest ever fine for data breach

January 13th, 2012

It has been hinted that Brighton and Sussex University Hospitals will be fined a whopping £375,000 for a data breach that occurred in September 2010.

Hard drives that the hospital had contracted out for destruction were later found to have been sold on eBay by the very contractor it had employed.

A spokesperson for the Information Commissioner’s Office (ICO) said the watchdog had proposed fining the Trust £375,000 over the incident. The Trust has challenged the suggested penalty. “We were the victims of a crime,” Duncan Selbie, chief executive of Brighton and Sussex University Hospitals NHS Trust said in a statement. “We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay.”

“As soon as we were alerted to this we informed the police and with their help we recovered all the hard drives stolen by this individual,” he said. “We are confident that there is a very low risk of any of the data from them having passed into the public domain. We have subsequently received a Notice from the Information Commissioner’s Office proposing a fine of £375,000 which we are, in the circumstances, challenging.”

The ICO recently published an information rights strategy in which it detailed its intention to give “particular regulatory attention” to health organisations as part of prioritisation of its enforcement action.

Comment
DataWise by Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

1.4 million people affected in data loss

January 9th, 2012

The BBC has reported a massive data loss, with up to 1.4 million victims. The Cattles Group, parent company of both doorstep lenders Welcome Financial Services Limited and Shopacheck, has written to 1.4 million people after names, addresses and some payment history information were lost. The ICO is now investigating, after two storage tapes went missing. The victims of the data breach include all clients who signed up with either company between October 2005 and October 2010, as well as 18,000 current and former employees.

Although the loss has occurred, Shopacheck, in its letter to those affected, said:

“We have no evidence that the information has fallen into the wrong hands.

“However, we cannot rule out the risk that the data has or may be accessed and so must warn you that there is potential for your information to be misused.”

As a result of this loss, the Cattles Group has launched a review of data security across the company.

A spokesperson from the Information Commissioner’s Office said: “We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

The maximum fine that can be imposed following a breach is £500,000.

Welcome Finance was one of the UK’s largest lenders to people with a chequered credit history until it stopped lending to new customers in 2009.

Shopacheck specialises in doorstep lending to those who may have been rejected by the mainstream banks. The lender’s typical terms amount to a 399.7% representative APR.

Comment
DataWise by Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Don’t cut your data protection activity in 2012; use DataWise!

January 4th, 2012

The Information Commissioner’s Office (ICO) has published its data protection and freedom of information strategy for 2012 and, within it, has suggested that businesses should not be cutting back on their spend in this area in 2012.

Christopher Graham, Information Commissioner, has suggested that businesses too often see data protection and freedom of information issues as a “mere ‘back office’ function to be cut”.

“Businesses under pressure in the downturn must be tempted to cut corners and push boundaries,” he added. “That’s a bad call, since the first casualty of a big data breach is going to be a brand’s reputation. Consumers will abandon companies that disrespect their privacy.”

Graham added that those dealing with information security and access to information are “under real pressure, hit by the double whammy of increasing demands for information from citizens and consumers on the one hand and reduced resourcing on the other”.

Comment
DataWise by Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

PDP report UK police misuse of Facebook

January 4th, 2012

Over the last four years, more than 150 UK police officers have posted ‘inappropriate photos or comments on Facebook’ that have resulted in disciplinary action, as reported by PDP.

Former partners and ex-colleagues appear to have been the main targets of this behaviour. Other posts included comments suggesting that officers had ‘beaten up members of the public during protests’, disclosed details of police operations, or involved befriending victims of crime.

Online Privacy to Heat Up in Europe in 2012

January 3rd, 2012

The Financial (www.finchannel.com) has published an interesting review regarding online privacy, as the debate heats up as we enter 2012:

Historically, many internet users in Western Europe have had concerns about online privacy and data protection, according to eMarketer.
 
Google memorably encountered legal battles in several European countries, including Germany and Switzerland, when it undertook comprehensive photography of streets and buildings for its Street View offering. In Germany, the web giant was forced to allow individuals and businesses to opt out of Street View, and hundreds of thousands did so.

In the UK, telecoms giant BT suffered a PR disaster when it partnered with Phorm, an online behavioral tracking firm, in a trial in southern England—without telling the 18,000 people whose online habits were under the microscope. This kind of approach pushes all the wrong buttons for many web users.

Consumers are not opposed to all data collection. According to a 2010 European Commission study conducted by TNS Opinion & Social, “Attitudes on Data Protection and Electronic Identity in the European Union,” 74% of EU consumers ages 15 and older agreed that “disclosing personal information is an increasing part of modern life.” Moreover, 58% agreed that there is no alternative to revealing personal information in order to get some products or services, and 29% said they didn’t mind disclosing some details to get a free online service like email.

At the same time, few Europeans seem to agree with Facebook founder and CEO Mark Zuckerberg that privacy is no longer a “social norm.” In the UK, two-thirds of internet users ages 16 and older polled for a 2011 Communications Consumer Panel study said more needed to be done to protect personal information online. Only 12% said they felt current privacy protection for web users was adequate. Among UK social network users, worries were even more widespread. Some 90% of those sampled said they felt medium or high levels of concern about companies’ abilities to collect information about them from social sites.

Basically, web users want to make their own choices about what they reveal, and where. When BITKOM and forsa Institute polled a group of social network users ages 14 to 69 in Germany in 2011, the overwhelming majority said they wanted the ability to control numerous aspects of their privacy settings in those networks. The discussion about how and where to draw data protection lines on the web looks set to heat up further in the coming months. One focus of debate is an EU Privacy and Communications Directive coming into force in May 2012. The Directive aims to ensure that consumers know when their personal information is being collected. Crucially, websites will need to get visitors to opt in before any cookies can be used to track their behavior.

Marketers and website owners fear this will make internet users turn away from sites that apply the Directive, especially if other sites do not. But firms that deal with European consumers will have little choice but to follow the new rules, or risk legal action and fines.

It’s worth remembering, too, that Europe’s internet users are not going to stop browsing the web, visiting their favorite sites and shopping online. Many web users are aware of the new EU restrictions and welcome them as a much-needed safeguard. Savvy brand owners will explain the advantages of cookies to site visitors and reward them for opting in. Dealing proactively and transparently with these legal requirements can be a big differentiator for brands, and may even boost customer loyalty.

Police Officer charged with data protection breach

December 29th, 2011

The BBC reported on 28th December 2011:

A Strathclyde Police officer has been charged with illegally obtaining personal information about a man suspected of having a gun.

Sgt Allan Jackson, 44, allegedly ordered two constables to access police records and tell him whether the man held a firearms certificate.

At Kilmarnock Sheriff Court, he denied knowingly or recklessly breaching the Data Protection Act without consent.

The case against Sgt Jackson was continued until next month.

The alleged offence is said to have taken place at Saltcoats police office, in North Ayrshire, in March.

Sgt Jackson is said to have then passed information to a sergeant and a chief inspector at divisional headquarters in Kilmarnock.

A spokeswoman for Strathclyde Police said: “We can confirm that a 44-year-old officer has been reported to the procurator fiscal in relation to an alleged breach of the Data Protection Act.”

She said the officer involved had not been suspended.

Medical Records accessed unlawfully by surgery receptionist

December 16th, 2011

A doctor’s surgery receptionist has been handed a two year conditional discharge and ordered to pay £614 prosecution costs after unlawfully obtaining her sister-in-law’s medical records.

The sister-in-law, a patient at a medical practice in South East England, became concerned that her medical records had been accessed after text messages suggested the sender knew what medication she was taking. An employee of the medical practice was found guilty of posing as a hospital employee and requesting details from the medical record by fax.

Information Commissioner Christopher Graham commented:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.”  The employee, “used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”

21 year old male charged with breaching Data Protection Act

December 8th, 2011

The BBC has reported that a 21 year old male, a cleaner working in an Edinburgh hospital, breached the DPA on 16th November this year after he used patient information to contact a female patient via the social networking site, Facebook.

Electronic floor plans were used by the male to find out the patient’s name. The man is due to appear in court at a later date.

Third Council in as many weeks to receive monetary penalty from ICO for data breach

December 7th, 2011

Powys County Council has been fined £130,000 after breaching the Data Protection Act. It is the Council’s second breach in two years, and both occurred in similar circumstances: documents sent to shared printers were picked up and inadvertently sent to the wrong recipient. The details disclosed related to child protection cases.

The first breach, in June 2010, was reported as a ‘one-off error’ by the Council, which promised to ensure that social work staff were trained appropriately. Following the second breach in February this year, however, it became evident that mandatory training for these staff had not been implemented; in fact, no training had been provided at all.

This fine is the largest fine issued by the ICO since it gained the power to do so in April 2010. Assistant Commissioner for Wales Anne Jones said:

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”

Jones added, “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

Comment
Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Six months conditional Discharge for Estate Agent for failing to notify the ICO of data processing

December 5th, 2011

John Merfyn Pugh, of Merfyn Pugh Estate Agents, was prosecuted at Caernarfon Magistrates Court for an offence under section 17 of the Data Protection Act.

For organisations that are required to notify, failure to notify the ICO of an intention to process personal data is a criminal offence, punishable by a fine of up to £5,000 in a Magistrates Court or an unlimited fine in the Crown Court.

As well as a six month conditional discharge, Mr Pugh was ordered to pay £614 towards prosecution costs.

Assistant Commissioner for Wales, Anne Jones, said:

“Registering as a data controller is a basic legal requirement of the Data Protection Act. The fee for most businesses is £35 a year. Merfyn Pugh Estate Agents’ failure to register – even after being prompted to do so by the ICO – has cost them much more today. The message behind today’s prosecution is clear – ignore warnings and you too could end up in court.”

Comment
Absolute Data is committed to ensuring that companies and organisations, regardless of their size, are registered with the ICO if they need to be. We can also help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Two Councils fined total of £140,000 for data breaches

November 29th, 2011

The Information Commissioner’s Office has confirmed that two UK councils, North Somerset and Worcestershire County, have both been served with monetary penalties for breaching the Data Protection Act.

Worcestershire County will have to pay £80,000 for an incident in March 2011 in which 23 unintended recipients received highly sensitive personal information relating to a large number of vulnerable people. It was found that appropriate training had not been given to staff and that secure systems had not been put in place to prevent situations such as this.

North Somerset’s penalty is £60,000: the wrong NHS employee received highly sensitive and confidential information relating to a child’s serious case review. Having been informed of the error, the member of staff sending the emails then continued to send emails to the wrong recipient a further three times.

In both cases, although policies and procedures were in place, staff training in data protection was insufficient. Email security, such as encryption, also needs to be addressed and trained in appropriately.

Information Commissioner, Christopher Graham, said:

“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

Comment
Absolute Data is committed to ensuring that companies and organisations, regardless of their size, create and follow realistic policies and procedures that meet and exceed what the law requires. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business engages in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff, not only in the importance of data protection but in how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective way of reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can comply with data protection law. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

ICO launches ‘Tell Me More’ Campaign

November 25th, 2011

In a bid to get the general public to provide their thoughts and opinions regarding the publication of information by public authorities, the Information Commissioner’s Office (ICO) has launched a new campaign called ‘Tell Me More’.

Head of Policy Delivery at the ICO, Steve Wood, said: “’Tell Me More’ is an opportunity for the public to tell us what they want to know upfront about their local council or a government department. Of course, people can make FOI requests for information – but publication schemes are about ensuring that the most requested information is already out there for all to see. I want to encourage members of the public, journalists and campaign groups to complete our survey to help ensure that we have a model publication scheme that is fit for purpose and reflects their interests.”

BBC reports on a ‘shockingly lax attitude’ to protection of confidential information by some councils.

November 23rd, 2011

The BBC has reported that since 2008, UK local councils have lost private data more than 1,000 times. The data lost has included that of vulnerable people and children, and over 130 authorities have been involved. Nick Pickles of Big Brother Watch, which produced the report, said:

“[This research] highlights a shockingly lax attitude to protecting confidential information across nearly a third of councils.

“The fact that only a tiny fraction of staff have been dismissed brings into question how seriously managers take protecting the privacy of their service users and local residents.

“Despite having access to increasing amounts of data and being responsible for even more services, local authorities are simply not able to say our personal information is safe with them.”

We have highlighted several cases over the past year of councils that have lost data or had it stolen; across all the reported cases, the information of ‘at least 3,100 children and young people was compromised in 118 cases’.

In summary, the research found that:

  • At least 244 laptops and portable computers, 98 memory sticks and 93 mobile devices went missing.
  • Only 55 incidents were reported to the Information Commissioner’s Office (ICO)
  • Only nine people lost their jobs as a result, according to the councils which responded (263 councils reported no losses, while a further 38 did not respond).
  • Buckinghamshire and Kent reported the most data loss incidents with 72 cases each, followed by Essex with 62 and Northamptonshire with 48.
  • In Birmingham, one lost USB stick included the names, addresses, contact details, tenancy type and ethnic origin of 64,000 tenants. In that case, the member of staff was suspended and later resigned.

Although the ICO has the power to fine organisations up to £500,000 for data breaches, it does not yet have the power to carry out compulsory audits in the local government sector. In light of this research, the ICO has called for new powers in order to be able to do so.

An ICO spokesman said: “It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

“Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.

“We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice”.

Individual sells personal information unlawfully, resulting in conditional discharge and fine

November 11th, 2011

A gambling industry worker sold the personal information, including names, addresses, phone numbers and email addresses, of 65,000 online bingo players and made approximately £25,000 from it, compromising their privacy and exposing them to the risk of identity theft.

Although the data in question was sold to a Mr Marc Ben-Ezra in 2008, who later tried to sell it on to various contacts within the UK gaming industry, the offence was not uncovered until May 2011, when Cashcade Ltd, which provides marketing services to the Foxy Bingo brand and is also a data controller for it, became suspicious. Test data was purchased, and the information was then passed to the ICO for investigation.

Information Commissioner, Christopher Graham, said:

“This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.

“I am grateful to Cashcade Limited and Gala Coral for their work in exposing this unlawful practice. However, we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.”   

Cashcade Limited understands that the data was sold to Mr Ben-Ezra having been unlawfully obtained in 2008; the perpetrators of this offence are yet to be uncovered. Mr Ben-Ezra cooperated fully with officers when questioned; the ICO website quotes:  ‘during an interview under caution he admitted the offences and stated that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel’

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

‘Consumers must be more empowered than they are today’

November 10th, 2011

Explicit consent will have to be obtained by companies that wish to process the personal data of others, under new EU data protection laws, says Viviane Reding, EU Justice Commissioner.

In addition, individuals will be able to force organisations to delete the personal information held about them. Changes to the law are expected by February 2012.

Reding says:

“In modernising the EU’s data protection rules, we believe that consumers must be more empowered than they are today,” the statement said.

“Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the Internet themselves. We will work closely together to make sure that the modernisation of the EU’s data protection rules addresses these issues and that the EU’s data privacy principles are turned into a reality for consumers and businesses everywhere in Europe,” Reding said.

In her statement Reding also said that the revised data protection laws should apply to companies with EU consumers that store personal data in ‘the cloud’.

“Consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established,” Reding said.

“We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud’,” she said.

Flaws in current EU data protection laws to be amended

November 9th, 2011

The European Commission’s Justice Commissioner Viviane Reding met with German Consumer Protection Minister Ilse Aigner yesterday to discuss the new directive, and outlined plans for the updated law to compel any non-European company with customers or clients within Europe to comply with European regulations.

The statement said that the “European Commission will come forward with proposals to reform the 1995 Data Protection Directive by the end of January 2012”.

“We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market”, the joint statement added.

With regard to the cloud, the new law is intended not only to modernise data protection law but also to counteract the effects of the Patriot Act in Europe.

Another Council signs formal undertaking for data breach

November 7th, 2011

Rochdale Metropolitan Borough Council has lost an unencrypted memory stick holding the personal details of over 18,000 residents and, as a result, has signed a formal undertaking required by the Information Commissioner’s Office (ICO) to ensure that a similar breach does not happen again.

The memory stick, which was used to compile the council’s financial accounts, was never recovered; the information lost included names, addresses and payment details.

As with many organisations, both public and private, the ICO found that the council’s data protection practices were inadequate: its procedures were insufficient and its training unsatisfactory.

As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that they have been implemented.

Acting Head of Enforcement, Sally Anne Poole said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people. 

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

University of Edinburgh to undertake Information Rights research project

November 5th, 2011

A research project aimed at ensuring children and young people are aware of the threats to their privacy and how to protect themselves has been announced by Jonathan Bamford, Head of Strategic Liaison at the Information Commissioner’s Office (ICO). The research will be carried out by the Centre for Research on Families and Relationships at Edinburgh University.

Bamford said:

“Embedding information rights in the education system isn’t as straightforward as simply making all pupils complete a specific course – it’s about equipping them with a set of life skills. Valuable knowledge like how to protect privacy online and how to make a freedom of information request can empower children and young people, and will serve them well throughout their adult lives.

“If this project is going to be a success we need to know how we can get the message across to children and young people in the most effective way. That’s where the University of Edinburgh comes in. We look forward to working with them to make this ambition a reality so that we can begin to get these important messages across in schools and colleges throughout the UK.”

Professor Kay Tisdall from the University of Edinburgh said:

“The Centre for Research on Families and Relationships welcomes working across the four nations of the UK, so we can learn from each other about how to make children and young people’s information rights a reality. We look forward to hearing children and young people’s opinions through reference groups in schools and understanding how educational policy and curricular development can embed information rights in the wider context of children’s human rights.”

Unencrypted Laptop loss results in Data Protection breach

October 31st, 2011

The Data Protection Act was breached after an unencrypted laptop containing the personal data of 100 young people was stolen.

The data, which included names, addresses, dates of birth and school attended, was stolen from the home of a contractor working with Newcastle Youth Offending Team.

Although there was a contract in place between the contractor and the Team, the Information Commissioner’s Office (ICO) has found that the Team was failing to ensure compliance with security measures.

Newcastle Youth Offending Team has now signed an undertaking to ensure it doesn’t allow a similar situation to happen again.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.”

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

MPs call for increased powers for ICO

October 28th, 2011

Guardian Professional has published an article reporting Parliament’s Justice Committee’s argument that breaches of the Data Protection Act should carry the option of a custodial sentence.

‘Referral Fees and the theft of Personal Data’, a report by the committee, states: “Currently the only available penalty is a fine, which we feel is inadequate in cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, or where there is no deterrent because the financial gain resulting from the crime far exceeds the possible penalty.”

The Information Commissioner has already voiced his annoyance at the fact that he cannot, without their consent, investigate private organisations he feels could be taking data protection risks, and this report backs up his opinion by adding: “We call on the Ministry of Justice to work with the information commissioner to assess how the current system is working, and to consider why he has not formally requested the power to compel audits in any additional sectors and whether this process is unduly cumbersome.”

Graham said: “We shouldn’t have to wait a further year for the 2008 legislation to be commenced when today’s highly profitable trade in our data has little if anything to do with the press.”

The ICO does have the power to issue fines of up to £500,000 for data protection offences and has repeatedly stated that it wants to take a firmer stance on data protection.

DataWise, a service by Absolute Data, can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. We provide clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Organisations still failing at the Basics of Data Protection, says ICO

October 24th, 2011

David Smith, deputy commissioner at the Information Commissioner’s Office (ICO), has recently spoken about the fact that ‘UK organisations need to realise that examples of good practice do exist and that security improvements need not necessarily be expensive’ in the realm of data protection. A recent article in computerweekly.co.uk has highlighted the fact that UK organisations are continuing to lose portable storage media containing unencrypted data, and that although government departments are improving in this regard, smaller private organisations and lower levels of public services, such as doctors’ surgeries, give the impression that they don’t feel the rules apply to them and that data loss will not happen to them.

Smith states, “If organisations do not keep personal information they do not need, they are less likely to lose it.”

The Information Commissioner’s Office gained the power to fine organisations for data breaches in April 2010, and although only six penalties have been imposed, they were imposed for ‘failing to meet the requirement of addressing the risk and having appropriate measures in place’ rather than purely for losing data.

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. DataWise, a service by Absolute Data, can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. We provide clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Private Organisation breaches Data Protection Act

October 20th, 2011

Spectrum Housing Group, a private housing organisation based in Dorset, emailed an unprotected Excel spreadsheet containing personal data of its employees to the wrong external email address, the Information Commissioner’s Office (ICO) has announced today.

The incident, which happened in March this year, was discovered 30 minutes after the email was sent; the unintended recipient was informed and the data destroyed. The data included information such as pension contributions.

The ICO has revealed that Spectrum did not have a policy in place to prevent such situations occurring and has therefore requested that the company take corrective action; Wayne Morris, Group Chief Executive, has signed a formal undertaking.

Sally Anne Poole, Acting Head of Enforcement at the ICO, says:

“While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Council breaches Data Protection Act

October 18th, 2011

A spreadsheet containing the names, salaries and dates of birth of almost 900 employees, past and present, was accidentally published online and available to be viewed for two months, the Information Commissioner’s Office has revealed.

The information was disclosed in response to a Freedom of Information request and was removed after a complaint made by a trade union.

Ken Macdonald, Assistant Commissioner for Scotland at the ICO said:

“Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights. Procedures clearly went wrong in this case and I’m pleased that the council is reviewing its practices in light of the lessons that have been learned.”

Comment
DataWise, a service by Absolute Data, offers a free one-hour consultation to any organisation, which serves to highlight any data risks that might be being taken. The findings of the consultation can then suggest a whole array of services aimed to help you ensure compliance with the Data Protection Act.

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at www.absolute-data.co.uk, or call us on 01423 790125.

Fear of confidentiality and data breaches is putting patients off treatment

October 14th, 2011

Publicservice.co.uk has reported that NHS patients ‘may withhold information from their doctors and put off treatment’ over fears of breaches of data and confidentiality.

A recent survey came back with startling figures: over half of the 1,000 people surveyed ‘either withheld information or would withhold information from clinicians and nearly 40 percent have or would put off seeking treatment if a hospital had a poor reputation for security’.

“It is vital for the future of the NHS that patient information can be freely exchanged between the clinicians,” said Ted Boyle, a specialist healthcare IT consultant and former systems administration and security manager at NHS Lothian.

“At the same time patients have a right to expect that sensitive information about them will remain confidential.

“For this to happen it is essential that advanced security systems are in place to monitor exactly who is accessing people’s records in order to prevent patient data from being abused.”

Comment
DataWise, a service by Absolute Data, offers a free one-hour consultation to any organisation, which serves to highlight any data risks that might be being taken. The findings of the consultation can then suggest a whole array of services aimed to help you ensure compliance with the Data Protection Act.

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at www.absolute-data.co.uk, or call us on 01423 790125.

ICO powerless to audit organisations that cause data protection concern

October 12th, 2011

Following Christopher Graham’s revelation that there is a ‘systematic’ problem with data breaches in the NHS, he has now complained that he is ‘powerless to insist on auditing organisations in local government, the health service and the public sector’, even though the majority of data breaches come from these sectors.

Currently, the Information Commissioner’s Office (ICO) must obtain an organisation’s consent before it can be audited. Graham, the Information Commissioner, thinks “something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices”.

“Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”

Graham added: “With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job.”

Comment
DataWise, a service by Absolute Data, offers a free one-hour consultation to any organisation, which serves to highlight any data risks that might be being taken. The findings of the consultation can then suggest a whole array of services aimed to help you ensure compliance with the Data Protection Act.

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

More NHS Trusts breach Data Protection Act (DPA)

October 6th, 2011

It has been confirmed by the Information Commissioner’s Office that 10,000 archived records were accidentally destroyed by Dartford and Gravesham NHS Trust, and as a result, the Trust has breached the DPA.

Lack of space meant the records – which should have been kept in a dedicated storage area – were left in a disposal room. They were destroyed between 28 and 31 December last year, but the hospital failed to realise the information had gone missing for three months.

It has been confirmed that the loss of these records ‘does not pose a clinical risk to data subjects affected by this incident’, but the Trust could not confirm how many of the records would have contained personal information. Some would have included names, addresses and some medical information relating to former patients and staff.

The ICO has requested that the Trust ensures its staff are made aware of, and regularly trained in, all policies and procedures relating to data protection and data governance.

Acting Head of Enforcement, Sally Anne Poole, said:

“Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure. The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times.”

In a separate incident, another NHS Trust, Poole, has signed an undertaking after midwifery patient records, contained within a diary, were stolen from a midwife’s car. This information included names, addresses and details of previous visits.

Comment
Both organisations were said to have now taken action to make sure the personal information they handle is protected. Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Educational establishments breach Data Protection Act

October 5th, 2011

Publicservice.co.uk has today reported on the loss of personal information from two educational establishments.

The Data Protection Act was breached by Holly Park School in Barnet after an unencrypted laptop was stolen from an unlocked cupboard; a breach that would and should have been fairly easy to prevent had the correct training, policies and procedures been in place. As it happened, the school had no data protection policy in place at all. The information stolen included pupils’ names, addresses and exam marks as well as some health-related information.

In a separate incident, an employee of the Association of School and College Leaders had a laptop stolen from their home. The laptop contained sensitive personal information, and although encryption software was installed on the laptop, employees were given the choice of which documents to encrypt. Details lost included union membership details and physical and mental health statuses.

“All personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted,” said the ICO’s acting head of enforcement, Sally Anne Poole.

“This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us.

“This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

Comment
Both organisations were said to have now taken action to make sure the personal information they handle is protected. Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Betfair fails to disclose data theft

October 3rd, 2011

The Press Association has reported that Betfair, the online gambling company, covered up a data breach and failed to let its customers know their personal information was at risk.

In March 2010, more than 3.1 million account names with encrypted security questions, 2.9 million usernames, and nearly 90,000 account usernames with bank account details were stolen, along with credit card details.

A Betfair spokesman said it decided not to disclose the attack, which it reported to the UK’s Serious Organised Crime Agency, and Australian and German authorities, as it determined it was not going to impact customers.

The spokesman added “We have subsequently implemented all of the recommendations from the independent reports we commissioned and have done everything we can to minimise the risk of this happening again.”

Council signs formal undertaking for failure to comply with 3rd and 7th Data Protection Principles

September 30th, 2011

Eastleigh Borough Council has been requested to sign an undertaking in order to ensure compliance with both the Third and Seventh Data Protection Principles.

The council was holding sensitive information, in some cases relating to criminal convictions and mental health status. Although the Information Commissioner’s Office (ICO) appreciates that organisations need to keep such types of data, it found shortcomings in the way the Council maintained and stored it; it also found that more information was stored than was necessary for the purpose for which it was kept.

As a result of the undertaking Eastleigh Council will regularly reassess the list, and ensure the contents of the list are kept up to date.

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Website security flaw leaves sensitive data vulnerable

September 16th, 2011

A security flaw on the Child Exploitation and Online Protection Centre (CEOP) website, which came to light following a complaint to the Information Commissioner’s Office (ICO), has meant that the organisation and its parent organisation, the Serious Organised Crime Agency (SOCA), have taken action to rectify the situation.

An unencrypted online form is at the centre of the complaint; this lack of encryption could have left sensitive data vulnerable while in transit between servers. The form had been left unencrypted for some months, ‘although there was no evidence to suggest that any attempts had been made to access the information’.

Acting Head of Enforcement, Sally Anne Poole said:

“Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.

“We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure.”

Christopher Graham, ICO: Unlawful use of personal information should be punishable by custodial sentence

September 14th, 2011

Christopher Graham of the Information Commissioners Office will highlight the need for such action when he speaks with the Justice Select Committee this week.

Such a call comes days after the conviction of a bank cashier who illegally accessed the files of a sex attack victim ‘to build a picture of the woman who had accused her husband’. Sarah Langridge, who had previously worked for Barclays Bank, claimed she accessed the victim’s accounts, and was fined £800, with £400 costs and a £15 victim surcharge.

Mrs. Langridge was discovered to have carried out the offence after the victim recognised her during court proceedings as someone who worked in her bank’s local branch. After the victim contacted police about her concerns, it was proved that Langridge had accessed the victim’s account 8 times in 8 months, during the court case in which her husband was convicted.

Information Commissioner, Christopher Graham, said:

“It beggars belief that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases. Access to online records is now part and parcel of almost every transaction the citizen makes – with government agencies, local government, the NHS, DVLA, high street banks, insurers, and social networks. This only makes the risks to privacy greater and the need for security greater still.

“The details of this case are truly shocking. The victim had a harrowing enough experience at the hands of her attacker; the revelation that her attacker’s wife was then rooting through all her personal details, for whatever purpose, would have caused even further distress.

“I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases, because the current penalty for this all too common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases,” Mr. Graham said.

Section 55 of the Data Protection Act makes it an offence to “knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data.” The current penalty for committing the offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine in a Crown Court.

Council breaks data laws after personal data found in skip.

September 12th, 2011

The Information Commissioner’s Office (ICO) has found Walsall Council guilty of breaking data laws after an external contractor, working on the council’s behalf, dumped residents’ postal vote statements in a skip. The information dumped included names, addresses, dates of birth and signatures. 951 statements have never been recovered.

The Council had no contract in place with the contractor in relation to processing personal information, and also did not provide instructions to them with regards to keeping information secure.

“While councils can hire contractors to process personal information on their behalf, they must remember that they are still ultimately responsible for ensuring people’s information is kept secure,” said Simon Entwisle, the ICO’s director of operations.

“Obviously little thought was given to this when the statements were disposed of in the skip.”

Walsall Council’s chief executive has signed a formal undertaking that will ensure contracts are signed with suppliers handling personal data.

Comment
Absolute Data is committed to helping companies and organisations, regardless of their size, create and follow realistic data policies and procedures that are above the law. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk or call us on 01423 790125.

ICO confirms data breach at University Hospital of South Manchester NHS Foundation Trust

September 8th, 2011

Sensitive personal information relating to 87 patients was copied onto an unencrypted memory stick by a medical student and then subsequently lost. The ICO found that the student was not trained properly on induction by the Foundation Trust; the Trust believed the student would have been trained properly in data protection whilst at medical school.

“Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations,” said Sally Anne Poole, acting head of enforcement at the ICO.

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature.

“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.”

Christopher Graham, Information Commissioner, has already raised concerns that the NHS has a “systemic” problem when it comes to breaches of the Data Protection Act.

Comment
Absolute Data is committed to helping companies and organisations, regardless of their size, create and follow realistic data policies and procedures that are above the law. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk or call us on 01423 790125.

London Ambulance Service breaks data laws after laptop containing patient information stolen

September 7th, 2011

The Information Commissioner’s Office has demanded that the London Ambulance Service sign a formal undertaking to ensure that its data and IT policies and procedures are adequate, understood and followed by staff, and regularly checked for effectiveness.

Data on over 2,664 different patients was stored on the personal laptop of an agency staff member; the laptop was unencrypted, and was stolen.

Although medical details were not contained on the laptop, names, addresses, dates of birth and NHS numbers were.

It has been confirmed that the agency staff member did have a legitimate reason to access the records; however, they breached policy by using an unencrypted, personal computer.

In future, the London Ambulance Service will need to ensure that all its staff members, whether agency or not, are made aware of the policies and procedures surrounding personal data.

Comment
Absolute Data is committed to helping companies and organisations, regardless of their size, create and follow realistic data policies and procedures that are above the law. We can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk or call us on 01423 790125.

Sensitive and Personal information relating to children found in second hand furniture shop

September 2nd, 2011

The Scottish Children’s Reporter Administration (SCRA) has breached the Data Protection Act twice in four months; once after an office refurbishment resulted in nine case files finding their way into the wrong hands via a resold filing cabinet and again, after sensitive data was emailed to the wrong address.

Both breaches occurred after the SCRA failed to ensure its staff adhered to data protection policies and procedures and IT guidance – areas of great importance when the risk of fines for breaches is as high as £500,000.

Ken Macdonald, Assistant Commissioner for Scotland said:

“The fact that sensitive information was mishandled not once but twice by the same organisation is concerning. On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided. Luckily, on both occasions, the information was not circulated widely.”

Neil Hunter, Chief Executive of SCRA, has put in place measures to ensure errors of this nature do not happen again. He has also vowed that during office moves staff will be made aware of other existing policies and procedures, and monitored to check that they are being followed throughout the moving process.

Comment
Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Subject Access Requests

August 19th, 2011

The Information Commissioner’s Office (ICO) has explained how, under the Data Protection Act, students can find out exactly what the examiner thinks of their work.

In light of yesterday’s A Level results, David Smith, Deputy Commissioner for Data Protection said:

“We’ve all experienced the excitement and occasional disappointment that the exam season can bring. We’re using results day to remind students that they have a right under the Data Protection Act to see information about their results. Having access to information – such as a breakdown of their overall mark and examiners’ comments – may not lead to their grades being altered but it could help them make decisions that impact on their future, such as deciding to re-sit an exam or pursue a particular subject at college or university.”

“This right doesn’t just apply to A-level exams. Students sitting GCSEs, Scottish Highers and degree examinations can also request to see their information. If examination bodies fail in their legal duty to respond then students can bring a complaint to the ICO and we will look into it.”

A ‘subject access request’ can be made by any individual; it is the term given to a request by an individual to know what information an organisation holds about them. An organisation has 40 days to respond to such a request; exam boards have either 40 days from the exam results being published, or 5 months from the request being received – whichever is earlier.

Taken from the ICO’s website, the following link is a guide that schools and universities can use when dealing with a subject access request. http://www.ico.gov.uk/for_organisations/sector_guides/education.aspx

Formal Undertaking signed by London Borough of Greenwich

August 17th, 2011

The Information Commissioner’s Office (ICO) has required the London Borough of Greenwich to sign a formal undertaking after two incidents resulted in breaches of the Data Protection Act.

Personal and sensitive data was disclosed after data wasn’t adequately encrypted, and data was sent by email to the wrong external email address. The data, which was both personal and sensitive, included medical and family history as well as criminal conviction information.

It has been confirmed that human error was the cause for both incidents, although the Council’s policies and procedures in place did not “explicitly state that the sending of emails containing sensitive personal data to external webmail addresses should be avoided”.

Comment
This breach raises an interesting point: not only were the policies and procedures in place ineffective, but the policy itself did not comply with the 7th Data Protection Principle.

Here at Absolute Data we can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Mandatory requirement to report data breaches considered in EU data protection law changes

August 15th, 2011

It is expected that businesses will need to introduce tighter data control measures, following proposals by the EU to bring in mandatory data breach reporting.

In June, the EU’s Justice Commissioner Viviane Reding said new data protection changes including mandatory notification of data breaches across all sectors would ensure that all businesses, including those in the financial sector, take data protection seriously. “Data breaches have eroded consumers’ trust and banks and businesses will need to take data protection much more seriously if they want to avoid future reputation damage,” she said.

Comment
A consideration to make is that many organisations might not actually know where their data is stored, or how. Understandably, due to this, it would be incredibly difficult for any organisation to put appropriate measures in place in order to adhere to new rules and regulations imposed upon them.

Absolute Data can help any organisation with this problem, bridge any gaps in their current data security, and provide ongoing data management, ensuring the highest standards of data security, management, staff training and understanding.

Absolute Data provides three key services in the field of data management: an auditing service, a bespoke data management service tailored to your organisation, and a pay-monthly package aimed at removing the stress and time constraints faced by businesses when it comes to data and the complicated world in which it sits.

If you would like to find out more about our services, and how we can help your organisation feel confident in its data activities, then please get in touch at info@absolute-data.co.uk now.

Major UK Retailer breaches Data Protection Act

August 12th, 2011

The Information Commissioner’s Office yesterday confirmed that Lush, the cosmetics retailer, has breached the Data Protection Act, following the theft of some of Lush’s customer data earlier this year.

Hackers managed to access the payment details of 5,000 customers who had previously shopped on its website.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security,” said Sally Anne Poole, the ICO’s acting head of enforcement.

As a result of this, and the fact that the retailer did not record suspicious activity sufficiently, Lush has been requested to sign a formal undertaking, ensuring that this situation will not occur again, and that steps will be taken to enforce that it doesn’t.

School signs formal undertaking after website hack

August 10th, 2011

Bay House School in Hampshire has been found to have breached the Data Protection Act following investigations carried out by the Information Commissioner’s Office (ICO).

Computer hackers, who are known to include at least one of Bay House School’s own pupils, accessed the school’s internal information management system via an attack on the school’s remotely-hosted website. As a result, almost 20,000 people’s personal details were put at risk.

Policies and procedures put in place by the school were meant to ensure that individuals’ usernames and passwords were different, but nothing was put in place to ensure this. As a result, the personal details of 20,000 individuals, including teachers, parents and around 7,600 pupils, risked being exposed online. The data included names, addresses, photographs and some sensitive medical history information.

“While it can be difficult to remember lots of different passwords, it is vitally important that individuals do not use the same password to log in to data systems that are supposed to be kept secure. This is particularly important when the systems allow access to sensitive information relating to young adults,” said Sally Anne Poole, acting head of enforcement at the ICO.

The school has now agreed to ensure that confidential information is encrypted, and that procedures are enforced to protect sensitive data.

Comment
The failure that led to the breach was entirely human. Of course technical measures to safeguard data are absolutely vital and a critical part of data protection strategies; but policy and processes are just as important and often overlooked, probably because they are the most difficult aspect of data protection for organisations to manage. We are being asked more and more to provide support and assistance in this area and we’re able to provide an internal audit system which routinely reviews the healthy operation of work practices and their adherence to policy and procedure. Not only would we have been able to present a systematic data system review to the ICO to demonstrate good data governance, we might also have been able to help Bay House School identify process failure early on and avoid the breach in the first place.

The 4 P’s – Policy, Process, Procedure, and Practice – are going to become more and more important in the next few years.

Report calls for “more joined up enforcement of privacy”

July 26th, 2011

The UK Home Affairs Select Committee has published a report based on the apparent need for “more joined up enforcement of privacy”.

The report has criticised the way communication-related data is regulated, stating that the “use, disclosure and interception” of such data is “fragmented”.

The Committee is “concerned about the number of Commissioners, each responsible for different aspects of privacy”.

Its recommendations included a call for the government to give “serious consideration to appointing one overall Commissioner, with specialists leading on each separate area.”

Action to be taken against countries that have not introduced e-Privacy Directive

July 25th, 2011

PDP News has reported that the European Commission has commenced legal action against member states that have not implemented new telecommunication rules, including the e-Privacy Directive (which incorporates the controversial ‘Cookie Law’) into their national laws.

All member states were asked to start the ball rolling on the changes by 25th May this year; any member state that has not introduced the new rules could now face an order or fine from the European Court of Justice.

The UK is one of only 7 countries that have implemented the new laws, with the others being Denmark, Estonia, Finland, Ireland, Malta and Sweden.

A top UK University signs Undertaking with the ICO

July 22nd, 2011

York University allowed 148 student records to be inappropriately accessed, after it failed to close a test area of its website, and as a result, it has signed an Undertaking with the ICO, reports PDP News.

Director of Operations at the ICO, Simon Entwisle, said “it is so vital that adequate checks and security measures are put in place. This breach could have been avoided if the University had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected.”

Comment
Absolute Data can help any organisation to ensure its privacy and data processes are above the law. It can also train staff in continuing to deliver a high standard of service in these areas. For more information on Absolute Data’s services, please contact us now at info@absolute-data.co.uk or call us on 01423 790125.

Recorded visitor rates on ICO website take a nosedive after new guidelines on Cookie Law are adopted.

July 13th, 2011

It has been confirmed by the ICO that the number of visitors accepting cookies from its website fell by 90% since its adoption of measures regarding ‘cookie consent’ in June.

Cookies are small text files that store information about internet users’ online behaviour. Websites store the files on users’ computers.

New UK Law compels websites to get explicit permission from users to place cookies in their browsers; websites cannot record non-consenting users as visitors to their site.

Although a 90% drop could be devastating to many web companies, it has been suggested by an ICO spokesperson that “the drop may be more severe than that which other sites might suffer because visitors to the ICO’s site are ‘more privacy aware’”.

The ICO has previously issued guidance on how websites can comply with the new cookie laws and has given organisations until May 2012 to change their use of cookies to comply with the law before it begins taking enforcement action.

Comment
Many of Absolute Data’s clients have very compelling web content, not to mention very focussed audiences – and as such, the new Cookie Law could have a serious impact on their digital media business model.

Phil Brining, MD here at Absolute Data, suggests our clients take a moment to

“look at the terms of their internet provision, check the details of sponsorship and advertiser contracts to make sure that the commercial base of these is not based on tracked visits.”

“We’d strongly advise early action to plan how they intend to introduce and communicate their response to the cookie law in order to avoid or minimise measured visits drop off.”

If you would like further information as to how Absolute Data can help you ensure compliance with the new law, get in touch now at info@absolute-data.co.uk.

Private Sector reports most data breaches – but they refuse free audits to rectify their problems.

July 12th, 2011

An article in SC Magazine has highlighted the issue that although private companies have reported the most data breaches over the last 12 months, 79% haven’t agreed to a free data protection audit by the ICO.

Christopher Graham, Information Commissioner, said: “Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year. Despite this, many of them are still resisting our offer to undergo audits. We’ve written to organisations we consider to be high risk but the response has been disappointing.

“These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service.”

There could be many reasons for this disparity; one of which could be that companies fear the censure of the ICO and how an audit may lay them open to a financial penalty, thus creating a reluctance to accept an audit.

Mike Smart at SafeNet agrees with this theory:

“While the ICO doesn’t want to come across as naming and shaming, recent high-profile security breaches are making organisations really anxious. The issue here is one of trust: what happens if a high-profile company accepts a free security audit and it uncovers security vulnerabilities that the ICO deem they should have known about and been prepared for? Will they be under scrutiny from the ICO in future?

“My point would be that organisations are reluctant to be audited because they fear the censure of the ICO and how an audit may lay them open to financial penalties. It is something of a Catch 22 and a solution needs to be found if high risk organisations aren’t ready to open up on these concerns.”

Absolute Data provides three data protection services, ranging from just £30 a week for DataWise – a service that ensures organisations are compliant in data protection and privacy management, giving expert knowledge and advice, and reducing the risks that your business might take.

To find out more about this service, as well as our other bespoke data protection packages, DataSure and DataCheck, please email us now at info@absolute-data.co.uk

Data audits should be welcomed by UK Businesses

July 7th, 2011

The ICO’s Christopher Graham yesterday announced that “businesses should be more willing to undergo data protection audits”, following the ICO’s annual report. The report confirmed suspicions that “private companies reported the most data security breaches of any sector in 2010/11”.

Of 603 data security breaches reported to the ICO in 2010/11, 186 – almost a third – occurred in the private sector. Despite this, just 19% of businesses contacted by the ICO accepted the offer to undergo free data protection audits. In contrast, 71% of public sector organisations who were contacted voluntarily agreed to be audited.

“Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year. Despite this, many of them are still resisting our offer to undergo audits. We’ve written to organisations we consider to be high risk but the response has been disappointing.

“These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service.”

Although the ICO offers this free basic audit service, which highlights problem areas that need fixing, DataWise by Absolute Data can solve these problems in a cost effective, hassle free way.

To find out more about Absolute Data and DataWise call us now on 01423 790125, or email us at info@absolute-data.co.uk

New data rules in India likely to affect UK business.

July 6th, 2011

A recent article by John Ribeiro in PC World magazine has reported that stringent new data protection and collection rules in India could mean that companies from outside of India will be required to adjust their data collection practices to conform to Indian data protection regulations – even though their current practices may comply fully with their own country’s privacy rules.

The new Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 make sure that organisations get consent, in writing, from individuals about the use of the sensitive personal information they collect about them.

It has been suggested that “India may have gone a bit too far trying to put in place a tough data protection and privacy regime to impress investors”.

The new rules are such that any Indian company collecting the personal information of individuals abroad will not have to adhere to these rules, because “Indian companies will be collecting this data on behalf of the customer who is abroad and governed by laws in his country” said Kamlesh Bajaj, CEO of the Data Security Council of India.

Comment
Companies that outsource data processing or work that involves data processing to India will need to re-assess the impact of these changes to the Indian Law on their own data operations and legislative compliance. This is something that Absolute Data can help you with, and would be delighted to discuss with you. Contact us now on 01423 790125 or at info@absolute-data.co.uk.

'Health Service must get its data practices right'

July 5th, 2011

The ICO has released a statement urging the Health Service to get its data practices right, following confirmation that a further five health organisations have been found to have breached the Data Protection Act.

Christopher Graham has said:
“The health service holds some of the most sensitive personal information of any sector in the UK. Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. But recent incidents such as the loss of laptops… put[ting] information on unencrypted memory sticks or faxing [information] to the wrong number suggest that the security of data remains a systemic problem… My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”

Examples of previous breaches include:

In February 2011, Ipswich Hospital NHS Trust misplaced 29 patient records after a member of staff took them home to update a training log and then lost the records. The information, which included sensitive personal data relating to operations carried out on patients, was subsequently recovered. The Trust introduced mandatory data protection training for all relevant staff to be completed by 30 June 2011.

In February 2011, Dunelm Medical Practice in Durham sent discharge letters about two patients’ routine operations to the wrong recipient. A member of staff had failed to spot that they had entered the recipient’s fax number incorrectly. The faxes were received by a third party organisation which immediately alerted County Durham and Darlington NHS Foundation Trust before destroying both documents. The Practice has now agreed to send Electronic Discharge Letters by secure email and only fax them in exceptional circumstances. The Practice will also programme the fax machine with the numbers for the regional branches to better protect the information in future.

Security of British mobile telephones in doubt, after numbers offered for sale over internet

July 4th, 2011

The Telegraph has reported that the Accident Advice Helpline had “unwittingly” made use of information “gathered by spam text messages to find new business”.

An Indian firm gathered potential leads by means of spam text messages and passed them to a businessman in Thailand, who then sold the leads to a company based in Newcastle, which in turn passed potential claims to the Accident Advice Helpline.

The businessman in Thailand, a Mr Gary McNeish, who runs a firm called Tetrus, had purchased mobile phone data from a call centre in India; he has admitted that he “failed to carry out checks on the data and took the seller’s word that it was opt-in data”.

Millions of text messages were sent to the purchased numbers asking recipients to reply if they had a compensation claim, with replies sold to RT Analytics in Newcastle for between “£5 and £20 each.”

Under UK and European regulations selling personal data to third parties without permission is illegal.

Although Mr McNeish of Tetrus is adamant it is the first time he has used such a service, he is also adamant he would use the same company again because he was told “it was data that had been generated from opt-in telephone surveys and that is what it looked like.”

RT Analytics started purchasing leads from Tetrus in May, and also has a signed contract with Tetrus ensuring regulations wouldn’t be breached.

The Accident Advice Helpline is investigating how it managed to get involved with non-compliant data. It is thought it paid up to £500 for each lead from RT Analytics.

Christopher Graham, the Information Commissioner, is investigating the companies behind the messages.

Companies to publicly admit suffering data breaches?

June 30th, 2011

At a recent British Bankers Association conference on data protection and privacy, the EU Justice Commissioner and Vice-President of the European Commission spoke about plans to force companies to admit their data breaches.

Viviane Reding said her intention was to introduce a mandatory requirement to notify – “the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services.”

With the EU data protection rules dating back to 1995, Reding feels that the legislation needs updating so that businesses “do their share to ensure safe and transparent digital products and services.”

130 Merseyside police officers abuse position and breach Data Protection Act

June 28th, 2011

The Telegraph has reported that, according to Freedom of Information Act disclosures, officers from Merseyside Police breached the Data Protection Act 42 times during 2008 and 152 times during 2009.

The 2009 breaches took place at the time Steven Gerrard was prosecuted over an alleged nightclub affray; the force believes the case prompted officers to access confidential files relating to the incident. Gerrard was subsequently cleared.

Records relating to family members and friends of officers were also accessed unlawfully; senior officers described the worst cases as “a serious abuse of force systems”. Around seven officers have been made to leave the force as a result of their actions, with three others given written warnings.

The Telegraph has also reported that “A total of 169 officers were required to receive “managerial advice” about their behaviour, while 29 were given written warnings”.

Travelodge admits security breach

June 27th, 2011

Hotel chain Travelodge has confirmed that names and email addresses contained within its customer database have been obtained by a hacker group, after customers reported spam emails to them.

A spam e-mail that some customers had received says, “Good day. Don’t miss exciting career opening. The company is seeking for self-motivated people in United Kingdom to help us spread out our activity in the UK area.”

The ICO has stated that it will be looking into the details surrounding the breach and will ascertain whether any action needs to be taken.

Asserting that the safety and security of customers’ personal information is its top priority, the company said it is currently conducting a comprehensive investigation into the issue.

Does your organisation manage the personal data of others in a lawful manner?

June 23rd, 2011

The Data Protection Act has been law in Britain for over a quarter of a century. With the maximum fine for serious offences now increased to £500,000 per offence, and with the Information Commissioner’s Office (ICO) soon to be given the power to inspect, on demand, the data processes of businesses, it is hard to see how any British business can claim not to understand the importance of the Act. A fine of £500,000, especially in the current economic situation, could be devastating to any business.

However, a recent survey by the firm Shred-it has found that ‘around 50% of SME owners in the UK are ignoring the possible risks of data security through data loss in the workplace’.

Coupled with this is the finding that ‘68% of 1,000 small businesses in the UK either do not provide sufficient training on data security guidelines (30%) or only inform their staff at the time it is needed (38%)’.

For the past few years the ICO has focused its efforts on the public sector, and we have all seen major breaches by HMRC, councils, the NHS, schools, Government and universities. Since January 2010 the ICO has issued £370,000 in fines to just four councils. But the focus is changing: more recently, on the back of data breaches, Zurich was fined £2.3 million, Sony has seen its share price fall and A4E Limited was fined £60,000.

More importantly, the ICO has started looking into specific industry sectors to assess their standard of data management. Organisations in telecoms, the legal profession, construction and estate agency have all recently been fined for a range of data protection offences, and the Information Commissioner has announced that he intends to scrutinise the care sector. There is a clear message here and a wake-up call to businesses of every size up and down the United Kingdom.

Absolute Data is a specialist data protection and privacy consulting firm based in Harrogate that provides data management solutions to organisations of any status or size. Our most recent addition to the services we provide is DataWise, a service designed specifically for small businesses. For a low fixed fee, our team of experts puts all of the necessary systems and procedures in place to ensure legal compliance. With Absolute Data as your outsourced data protection and privacy team, you can concentrate on running your business, confident that you can demonstrate legal compliance. We have other bespoke compliance packages available too, DataCheck and DataSure, both of which ensure legal compliance but add services such as auditing and advice on specific and complex data issues.

Our aim is to assist organisations with the challenges that data governance and privacy management bring, and take away the pressures and stresses that undoubtedly come with managing such a minefield. We’d like to talk to organisations about how we can help them, in a cost and time effective way.

NHS lose laptop containing details of over 8 million people

June 21st, 2011

V3.co.uk has reported on what could be one of the biggest data breaches of its kind for the National Health Service.

Recently the North Central London Strategic Health Authority informed police that a laptop containing over 8 million patient records had gone missing from one of its storerooms.

Although the laptop went missing many weeks ago, the situation has only just been reported to police; it is not known whether the laptop, which was password-protected but not encrypted, was lost or stolen. A password alone does not protect data on a lost laptop, since the disk can simply be read from another machine.

Since the Information Commissioner’s office implemented its new fining policy, whereby organisations can be fined up to £500,000 for data breaches, the NHS has ‘been one of the worst offenders… and was responsible for roughly a quarter of all incidents reported to the ICO’, according to v3.co.uk.

Mick Gorrill, former ICO head of enforcement, has indicated that the NHS is nevertheless improving and is ‘getting to grips’ with data protection.

The ICO said that it is making enquiries “to establish the full facts of this alleged data breach”.

To read the article in full, go to www.v3.co.uk/v3-uk/news/2079023/nhs-laptop-goes-missing-million-patient-records#ixzz1PuNysR8

SME's 'ignoring the potential impact data loss or theft could have on their business'

June 20th, 2011

Fresh Business Thinking has reported on the number of small and medium sized enterprises (SMEs) that are ‘ignoring the potential impact data loss or theft could have on their business.’

Shred-it, the confidential waste-disposal company, found that of 1,000 UK businesses surveyed, 68% of SMEs either ‘do not train their staff on information security procedures (30 percent) or only do so as and when required (38 percent)’.

The Information Commissioner’s Office (ICO) introduced new rules in 2010 allowing companies to be fined up to £500,000 for breaching the Data Protection Act, a change that should have encouraged businesses to take action against data loss.

Over half (58 percent) of the businesses surveyed admitted that they were completely unaware of the ICO’s increased powers.

Robert Guice, executive vice president of Shred-it, said; “Ignorance is no defence in the eyes of the law and UK businesses need to wake up quickly to the fact that failures to store and dispose of confidential information in a secure manner could have far-reaching and potentially financially damaging impacts upon their operations.”

Phil Orford, CEO of the Forum of Private Businesses, said, “It’s time companies got wise to the seriousness of data theft and the importance of protecting their information. Quite apart from the implications for the commercial viability of a business, failing to secure data properly could lead to a potentially huge fine.”

£73,000 fines for ex T-Mobile employees, found guilty of major data theft

June 15th, 2011

PDP News yesterday reported on the convictions of two former T-Mobile employees, who have been found guilty and fined for ‘illegal activity relating to customer data’.

In 2008, the then-employees stole customer data and subsequently sold it to third parties. They have been ordered to pay £73,000 in fines.

Christopher Graham, Information Commissioner said:

“Those who have regular access to thousands of customer details may think that attempts to use it for personal gain will go undetected. But this case shows that there is always an audit trail and my office will do everything in its power to uncover it.”

Surrey County Council fined £120,000 over Data Protection Breach

June 14th, 2011

ITProPortal.com has reported that Surrey County Council has been fined a total of £120,000 by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act.

The ICO confirmed that last year the Council committed three major breaches, each involving sensitive data being emailed to the wrong party, which resulted in the fine. It is thought that the fine reflects the seriousness of the initial breach, which was then repeated.

“The fact that the first breach saw sensitive personal information relating to the health and welfare of 241 vulnerable individuals sent to the wrong people is shocking enough … when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late,” said Christopher Graham, Information Commissioner.

Once Surrey County Council pays the fine, the ICO will pass the funds to HM Treasury.

Go to http://www.itproportal.com/2011/06/10/surrey-county-fined-120000-violating-data-protection-act/#ixzz1P9QJyp47 to read the article in full.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked. Aside from this, organisations may not have the time, the funds or the knowledge to train staff or implement procedures to prevent incidents such as this from happening.

Absolute Data can take the hassle away from an organisation: we hold training and seminars, document information, carry out regular checks and reviews on an organisation’s behalf, and purchase, implement and manage anything relating to Data Protection. For further information, contact us now at info@absolute-data.co.uk.

Complaints made to ICO about new Cookie law

June 13th, 2011

Journalism.co.uk has reported on the number of complaints made to the ICO in the days following the implementation of the new cookie law.

The law came into force on 26th May; from now on, all websites must gain permission from visitors if they intend to ‘drop’ cookies (small text files left by websites on a user’s computer) that are used to gather data about users.

The ICO has given website owners a year to implement the changes needed to comply with the law. Katherine Vander from the ICO said financial penalties would only be levied on “persistent offenders”.

The UK is said to be leading the way in adopting the new law, but there has been ‘backlash from the online industry’ due to the value that cookies bring to gathering audience information, and the ICO has also received complaints regarding the publicity surrounding the new rules.

“We’ve been criticised for not being more prescriptive. But we’re not best-placed to tell you,” Vander said.

“We fully recognise the challenges of implementing these requirements.

“You can be very clever how you get consent…. It doesn’t have to involve ticking a box but it has to involve someone taking a positive action in some way,” she said.

ICO leads the way in new Cookie Law

June 8th, 2011

May 25th saw the launch of a new law in the UK governing how websites use ‘cookies’ (http://www.absolute-data.co.uk/2011/05/25/new-cookie-law-now-in-place/ and http://www.absolute-data.co.uk/2011/05/26/organisationa-given-12-months-to-comply-with-new-%e2%80%98cookie-law%e2%80%99/).

This week the ICO has added a header bar to its own website asking visitors for consent, ensuring its own compliance, demonstrating its commitment to the changes and leading the way for others.

Information Commissioner, Christopher Graham, said “as the regulator, I’m conscious that my own website will be looked at for a model of how to comply. I am not saying that other websites should necessarily do the same”.

Organisations have voiced concern over the implementation of the new law, and as such, these concerns and challenges will be discussed in the next issue of the Privacy and Data Protection Journal: http://www.pdpjournals.com/.

£1,050 fine for Personal Injury worker who used stolen personal information.

June 3rd, 2011

V3.co.uk has today reported that NHS Bury patients fell victim to data theft by a personal injury worker.

Martin Campbell, who used to be employed by the personal injury firm Direct Assist, was passed stolen personal information about 29 patients of one of Bury NHS’s Primary Care walk-in centres; this data was then used to generate leads for Direct Assist over a four-month period. Campbell’s girlfriend, Dawn Makin, who worked at the walk-in centre, stole the information.

Bury Primary Care Trust received complaints from patients after Campbell contacted them about their injuries and encouraged them to make a personal injury claim, which led to an investigation.

The investigation found that Makin had accessed patient files without authorisation before passing them to Campbell. The Information Commissioner’s Office (ICO) then became involved. Campbell was found guilty of the offence and ordered to pay a £1,050 fine, £1,160 in costs and a £15 victim surcharge.

The ICO noted that it will not take any further action against Makin, as doing so is no longer in the public interest. Information Commissioner, Christopher Graham warned:

“People’s medical information is some of their most sensitive data and they rightly expect health workers only to access it when there is a legitimate business need. Abusing this trust for personal gain is clearly wrong and potentially very distressing for those affected,” he said.

“Martin Campbell would have known that obtaining the information was unlawful and yet he put his greed ahead of people’s privacy rights. Today’s prosecution should help to serve as a deterrent to those who attempt to illegally obtain and pass on people’s information.”

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked. Aside from this, organisations may not have the time, the funds or the knowledge to train staff or implement procedures to reduce the risk of incidents such as this.

Absolute Data can take the hassle away from an organisation: we hold training and seminars, document information, carry out regular checks and reviews on an organisation’s behalf, and purchase, implement and manage anything relating to Data Protection. For further information, please contact us now at info@absolute-data.co.uk.

Direct Mail campaigns by Charities draw in thousands of complaints.

June 1st, 2011

www.thedrum.co.uk has reported that 9,462 complaints were made about UK charities’ direct mail campaigns during 2010, following the publication of the Fundraising Standards Board’s Annual Report.

The highest rates of complaints came from direct mail, telephone and doorstep face-to-face marketing.

The use of direct mail in charity fundraising fell by 27% from 2009 to 2010 and yet the number of complaints increased by 86%. 

Of the 1,200 recorded data protection complaints, the large majority related to direct mail (46%), email (29%) and telemarketing fundraising (23%). 

Alistair McLean, chief executive of the Fundraising Standards Board said

“Complaints concerning charities’ use of data should ring a warning bell for all fundraisers.  Charities and suppliers alike must strive to source and maintain better data for donors and potential supporters, and to make timely and appropriate use of that data.”

Two charities sign Undertakings following Data Breaches.

May 31st, 2011

PDP News has reported that two UK-based charities have breached the Data Protection Act.

The first breach occurred after sensitive data about young people was left on an unencrypted laptop belonging to Asperger’s Children and Carers Together. The laptop was taken to an employee’s house and subsequently stolen. The data of up to 80 individuals was lost with the laptop, including medical history, names, addresses and dates of birth.

The second charity that breached the Act was the Wheelbase Motor Project in Nottingham; the data stolen in this instance included previous criminal convictions and child protection issues of several young people.

Both organisations reported their losses to the Information Commissioner’s Office (ICO) swiftly and as a result have both signed formal undertakings, in which they commit to ‘encrypt all portable and mobile devices that are used to store personal data’.

Comment

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked. Aside from this, organisations may not have the time, the funds or the knowledge to train staff or implement procedures to prevent incidents such as this from happening.

Absolute Data can take the hassle away from an organisation: we hold training and seminars, document information, carry out regular checks and reviews on an organisation’s behalf, and purchase, implement and manage anything relating to Data Protection. For further information, please contact us now at info@absolute-data.co.uk.

Organisations given 12 months to comply with new ‘Cookie Law’.

May 26th, 2011

Computerworld UK has today reported that Christopher Graham of the Information Commissioner’s Office (ICO) has confirmed that organisations will be given 12 months to comply with the new Cookie Law, which came into force yesterday, 25th May. However, he has stressed that this should not encourage firms to ‘do nothing for the next year’.

The ICO has also published guidance as to how firms can ensure they comply, and Graham confirmed that “I have said all along that the new EU rules on cookies are challenging. Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet.”

He also said: “We’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

New 'Cookie Law' now in place

May 25th, 2011

The new ‘cookie law’, which the Information Commissioner’s Office (ICO) will enforce, comes into force today, Wednesday 25th May, after being announced in March.

The law requires websites to gain ‘explicit consent’ from visitors before storing or accessing information on their computers. The law implements an EU-wide rule on cookies, so all businesses that track users via cookies will be affected.

Deputy Information Commissioner David Smith said that a lot of attention has been paid to ‘consent to cookies’, and that the directive behind the new law covers any storage of information on a user’s device ‘which is not strictly necessary for the provision of the service’.

He said: “It should only take place with consent of the user and there is a substantial change where it is less about the user. Is it strictly necessary for the provision of service? While it is not strictly about the delivery of messages, there may be security considerations in the way in which security is used in the other information.

“It is a substantial change and there will be an easing in period where we will suspend enforcement action, but the regulations do mean this has to be taken seriously. It is the operator of the website who is responsible for complying with these regulations and their implementation.”

More hurdles for Sony PlayStation network.

May 25th, 2011

PDP has reported on their website that Sony have hit ‘yet another wall’ in their attempts to restore the PlayStation Network.

After the initial major data breach that occurred in April, Sony had requested that all of its users change their login passwords. However, it was pointed out that anyone could have their password changed if their date of birth and email address were known; both of these details were stolen by the hackers, so the reset process was being secured with exactly the data the attackers already held.
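The weakness described above is a password reset that treats stored profile data as a secret. The added example below (written for this post, not PDP’s reporting or Sony’s code) puts that knowledge-based reset beside a token-based one: a random, single-use, time-limited token is sent only to the address on record, and only its hash is stored. The account record, the email address and the date of birth are constructed for illustration; the 15-minute lifetime is an assumption.

```python
"""Added example: knowledge-based reset (e-mail + date of birth) beside a
token-based reset. Account data below is constructed for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed account store: e-mail address -> record.  A date of birth is
# exactly the kind of field an attacker holds after a breach, so it must not
# act as a credential.
ACCOUNTS = {
    "player@example.com": {"dob": "1985-04-12", "salt": None, "pw_hash": None, "reset": None},
}

RESET_TTL = 15 * 60  # assumed token lifetime in seconds


def _hash_password(password, salt):
    # Slow, salted KDF for stored passwords (not a plain SHA-256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _set_password(acct, new_password):
    acct["salt"] = secrets.token_bytes(16)
    acct["pw_hash"] = _hash_password(new_password, acct["salt"])


def verify_password(email, password):
    acct = ACCOUNTS.get(email)
    if acct is None or acct["pw_hash"] is None:
        return False
    return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))


def weak_reset(email, dob, new_password):
    """The flow described in the post: knowing the (stolen) DOB is enough."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    _set_password(acct, new_password)
    return True


def request_reset(email, now=None):
    """Hardened flow, step 1: mint a random token, store only its hash plus an
    expiry, and return the token for delivery to the address ON RECORD.
    Returns None for unknown addresses; the user-facing response must look
    the same either way so the endpoint cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits: guessing is infeasible
    acct["reset"] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL,
    }
    return token


def complete_reset(email, token, new_password, now=None):
    """Hardened flow, step 2: accept the token once, before expiry, comparing
    hashes in constant time.  The token is invalidated on success or expiry;
    a failed guess does not burn it, so an attacker cannot lock the real user
    out of their own reset."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None or acct["reset"] is None:
        return False
    pending = acct["reset"]
    if now > pending["expires"]:
        acct["reset"] = None
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(pending["hash"], presented):
        return False
    acct["reset"] = None  # single use
    _set_password(acct, new_password)
    return True


if __name__ == "__main__":
    # Stolen profile data is enough for the weak flow ...
    print("weak reset with stolen DOB:", weak_reset("player@example.com", "1985-04-12", "pwned"))
    # ... but not for the token flow, which needs the e-mailed secret.
    tok = request_reset("player@example.com")
    print("guess without token:", complete_reset("player@example.com", "1985-04-12", "x"))
    print("with token:", complete_reset("player@example.com", tok, "new-password"))
    print("token reused:", complete_reset("player@example.com", tok, "again"))
```

The point of the comparison is where the secret comes from: the weak flow asks for something the attacker already has, while the token flow creates a fresh secret that only reaches the mailbox on record, so a stolen database does not by itself give the attacker control of the account.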

Sony’s senior executives have made a number of public apologies and PlayStation owners are being offered free games in compensation for the extensive network outage. There is evidence that some disgruntled users are switching to Microsoft’s gaming platform, the Xbox.

To read more about PDP and their training course in data protection, go to http://www.pdptraining.com/ now.

Which? reports on Britain's Banks data Breaches

May 25th, 2011

The Telegraph has today reported that a recent Which? consumer survey found that the Information Commissioner’s Office (ICO) received well over 500 complaints about possible data breaches by eight of Britain’s biggest banks.

The 515 complaints are said to be merely ‘the tip of the iceberg’, mainly because only 1 in 10 people have heard of the ICO.

The Telegraph reported that Barclays was the bank with the most suspected breaches, with 116 complaints, followed by Lloyds TSB with 114 and Santander with 103, and that more than half of all complaints arose from firms failing to provide customers with proper copies of the data held about them.

Richard Lloyd, executive director at Which?, said: “Banks and building societies hold incredibly sensitive information and the impact on customers can be serious if they mishandle it, from affecting credit ratings to leaving people open to fraud.

“Consumers who suffer financial loss or stress as a result of data mismanagement by firms should be entitled to compensation.

“Regulators need to impose much tougher sanctions on firms who are lax with people’s data as the message clearly isn’t getting through.”

A spokesman for the ICO said: “While the number of upheld complaints is small compared to the millions of bank accounts in the UK, mishandling of financial information can have a serious effect on individuals’ lives. It needs to be looked after properly and customer’s data protection rights respected.

A spokesman for the British Bankers’ Association said: “All of the UK’s banks take data privacy extremely seriously. All complaints are fully and immediately investigated and remedial action taken where necessary to ensure no harm comes to any customer.”

To read the report in full, go to http://www.telegraph.co.uk/finance/personalfinance/8533596/Britains-banks-breaching-data-protection-rules.html now.

University 'unlawfully' discloses personal data to Students.

May 19th, 2011

ZDNet has reported that the UK’s Information Commissioner’s Office (ICO) has confirmed that the University of Kent ‘unlawfully’ disclosed personal data relating to students with disabilities.

The University sent an email to around 616 recipients; a note within the email stated that ‘all recipients of the message had a disability’. Because the addresses were placed in the visible recipient field rather than in ‘BCC’, every recipient could see the full list, and so could identify other students with disabilities. The ICO confirmed that the University had acted unlawfully in disclosing the information, attributing the breach largely to human error.

Personal apologies were sent by the university’s deputy vice chancellor, David Nightingale, to all students involved within hours of the error being discovered. He also confirmed that the “significant breach of data protection” could not occur again, as policies already in place would be enforced.

The ICO said it was “unlikely that the University has complied with the requirements of the Data Protection Act” because it “did not take sufficient steps to ensure the security of the personal data“.

The university confirmed in the apology letter that it will carry out “refresher training for staff on the importance of using the blind carbon copy function when sending emails containing personal data”.
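Training reduces the chance of this mistake but does not remove it; the mistake can also be caught mechanically before the message leaves. The added example below (not from the University of Kent, the ICO or the original post) does two things with Python’s standard email library: it builds a bulk message whose real recipients live only in the SMTP envelope, never in a header, and it checks an outbound message for the two ways a recipient list can leak, a crowded To/Cc field and a Bcc header that was never stripped. The addresses are constructed for illustration, and the threshold of one visible address is an assumed policy.

```python
"""Added example: recipient-disclosure check for outbound e-mail.
Sender and recipient addresses below are constructed for illustration."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed data: a mailing to several people who must not see each other.
SENDER = "support-services@example.ac.uk"
RECIPIENTS = [
    "student1@example.ac.uk",
    "student2@example.ac.uk",
    "student3@example.ac.uk",
]


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The recipient list is kept out of every header, including Bcc: a Bcc
    header is only safe if the sending software strips it, so the list is
    returned separately for use as the SMTP envelope (RCPT TO).  The visible
    To is the sender, the usual 'undisclosed recipients' pattern.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted(set(recipients))
    return msg, envelope


def check_outbound(raw_message, max_visible=1):
    """Pre-send check.  Returns a list of problems; empty means safe to send.

    max_visible=1 is an assumed policy: a message that carries personal data
    may show one recipient, so anything larger in To/Cc is a disclosure.
    """
    msg = message_from_string(raw_message)
    problems = []
    visible = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if addr]
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} addresses visible in To/Cc: {', '.join(visible)}")
    bcc = [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    if bcc:
        problems.append(f"Bcc header present with {len(bcc)} addresses; it must be removed before sending")
    return problems


def demo():
    """Run the check over a correctly built message and two unsafe ones."""
    safe_msg, envelope = build_bulk_message(SENDER, RECIPIENTS, "Support services update", "Hello,\n\n...")
    # Constructed: the Kent-style mistake, every address in the To field.
    crowded = f"From: {SENDER}\nTo: {', '.join(RECIPIENTS)}\nSubject: Update\n\nHello\n"
    # Constructed: Bcc used, but left in the headers of the message as sent.
    leaked_bcc = f"From: {SENDER}\nTo: {SENDER}\nBcc: {', '.join(RECIPIENTS)}\nSubject: Update\n\nHello\n"
    return {
        "safe": check_outbound(safe_msg.as_string()),
        "crowded": check_outbound(crowded),
        "leaked_bcc": check_outbound(leaked_bcc),
        "envelope": envelope,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In practice the `envelope` list goes to `smtplib.SMTP.send_message(msg, to_addrs=envelope)`, and `check_outbound` sits wherever messages are composed or relayed, so that a message with a visible recipient list is refused rather than sent and apologised for afterwards.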

This is the second alleged data breach by a university in little more than a week, after York University published a large amount of student data by mistake, in what amounted ‘to one of the largest breaches of personal data in a higher educational institution’.

Free Fraud Protection offered to PSN users in parts of Europe…

May 19th, 2011

Dominic Sacco has reported that Sony has offered all PlayStation Network users 12 months’ free identity theft protection, following the recent mass theft of its customers’ data.

Affinion International Ltd has made a deal with Sony to provide the free service; users in the UK, France, Spain, Italy and Germany all qualify, and Sony hopes that other countries will qualify soon too.

The fraud protection service includes the following (according to the European PlayStation blog):

– Monitoring and alerting service
– Personal information protection software
– Dedicated helpline
– Victim of fraud support
– Insurance that covers the expenses incurred in identity restoration following identity fraud
– Card monitoring and alerting service

Sony finally switched the PlayStation Network (PSN) back on last weekend after almost a month offline, following an illegal breach of the system. It is thought that around 77 million PSN users were affected, having had their personal information accessed. Sony has not ruled out the possibility that these users’ credit card details were also stolen.

Although critics have been quick to judge Sony for the speed at which it acted in the aftermath, Sony chief Howard Stringer is adamant that it ‘did act quickly enough to tell users about a security breach’, says the BBC.

Stringer went on to add that most security breaches go unreported and that only 43% of firms “notify victims within a month”. He was quoted as saying:

“We reported in a week. You are telling me my week wasn’t fast enough?”

Somerset County Council in data breach.

May 16th, 2011

The Information Commissioner’s Office has confirmed that Somerset County Council has breached the Data Protection Act.

The breach was reported in February 2011, just after the incident took place, when a social services assessment about a local teenager was sent to the wrong family. The assessment included information about the teenager’s behavioural and medical history and background, and was passed to the wrong family during the assessment of a similar case.

The ICO has confirmed that there were also failings in the way the Council handled the incident: the recipients were initially told to throw the document away, and were later told not to do so but to await its collection by a council employee.

Acting Head of Enforcement, Sally-Anne Poole said:

“The information collected by social services departments is often extremely sensitive. Local authorities should make sure they have adequate measures in place to keep this information secure, especially where there is the potential for human error. Even though the information was returned to the council the damage had already been done and will have caused considerable embarrassment to those affected.

“I am pleased that Somerset County Council has taken action to ensure that any future documents containing personal data are checked prior to release and that staff will receive appropriate training on their legal obligations to keep personal information secure.”

Sheila Wheeler, Chief Executive of Somerset County Council, has now signed an undertaking to ensure that staff will be made aware of the Council’s policies and procedures for the storage, use and disclosure of personal data and receive appropriate training on how to follow them. The Council will also introduce quality control checks to be made before the release of any documents containing personal data.

To read the official press release, go to www.ico.gov.uk/~/media/documents/pressreleases/2011/somerset_council_news_release_20110513.ashx now.

A full copy of the undertaking can be viewed here:

http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked, as in the case of Somerset County Council.

Absolute Data can take the hassle away from an organisation: we hold training and seminars, document information, and carry out regular checks and reviews on an organisation’s behalf. For further information, please contact us now at info@absolute-data.co.uk.

We're RECRUITING now – Salesforce Consultant

May 16th, 2011

As we grow the CRM side of our business, we are looking for someone to fill the role of Salesforce Consultant. You will be responsible for implementing and managing Salesforce.com projects of varying sizes, primarily for organisations within the sports sector. You will also be encouraged to take an active role in developing the business.

By carrying out contract work for various clients throughout the UK, the role will involve a degree of travel.

This role will enable you to become involved in numerous CRM projects for high-profile customers.

Requirements

  • 1-2 years salesforce.com experience
  • Previous exposure to medium sized Salesforce implementations
  • Strong experience in Salesforce configuration
  • Strong experience in Salesforce data migration
  • Experience in user adoption and the write up of training documentation
  • Ideally salesforce.com certified, but not essential
  • An interest and/or experience in the sports industry is preferable, but not essential.

Benefits 

  • Competitive salary depending upon experience
  • Car allowance
  • 28 days holiday

Interested?

To apply, please send us an email to info@absolute-data.co.uk, with your CV and a covering letter.

We're RECRUITING now – Data Protection Consultant

May 16th, 2011

DATA PROTECTION CONSULTANT: Competitive Salary + benefits

We are looking for a temp-to-perm Data Protection Consultant to develop our data protection and privacy (DP&P) practice. We believe that this area will become more critical to businesses in the next decade, and we are developing our business to meet the demand, creating several exciting opportunities.

You will work from home or our offices in Harrogate/London fulfilling DP&P contract work for various clients throughout the UK including:

  • Audit and revision of notification of data protection processing, privacy policies etc;
  • Review and implementation of internal data protection and privacy policies and procedures including ISO27000 and BS10012;
  • Providing advice and guidance about data protection, privacy, and freedom of information matters including changes in legislation and ICO guidance;
  • Assisting with the design and delivery of internal DP&P training;
  • Providing day-to-day specialist data protection advice to clients;
  • Reporting data protection compliance and risks to the necessary contacts at each client.

You will also be encouraged to take an active role in developing our DP&P practice including:

  • Public speaking and publication of research/work;
  • Developing new business and new services

Requirements

  • 1 to 2 years’ experience in data protection audits/consultancy; and/or
  • 1 to 2 years’ experience from a legal background, being well read in general law, with an interest in becoming Data Protection Accredited;
  • An interest and/or experience in the sports industry is good, but not essential;
  • A good and credible presenter;
  • The candidate must be proficient in working with MS Office (Word, Excel, PowerPoint).

Benefits

  • Competitive salary depending upon experience
  • Car allowance
  • Support for on-going CPD training courses as required
  • 28 days holiday

Interested?

To apply, please send us an email to info@absolute-data.co.uk, with your CV and a covering letter.

Update on 'cookie' law

May 12th, 2011

We posted a report by The Inquirer on our website on 19th April about the imminent changes to ‘cookie law’ in the UK, intended to bring it in line with the rest of the EU (http://www.absolute-data.co.uk/2011/04/19/uk-government-to-adopt-eu-rules-on-browser-cookies-confirms-vaizey/).

The BBC reported on Monday that websites are being asked by the ICO to review the way in which they track users on their sites, as a step toward ensuring the changes in the law are adhered to. The law officially comes into force on 26th May.

In The Inquirer’s 19th April report, Communications Minister Ed Vaizey was quoted:

“We recognise that work on the technical solutions for cookie use will not be complete by the implementation deadline. It will take time for meaningful solutions to be developed, evaluated and rolled out. Therefore we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.”

The Information Commissioner’s Office (ICO) has re-affirmed its stance, saying that sites need to be sure their cookies comply with the law. It has issued guidance to firms ahead of the 26 May deadline, but said that the guidance document was a “work in progress”. “It is not offering all the answers,” said an ICO spokesperson.

Firms are being encouraged to prepare by examining their cookies to see what purpose they fulfil and deciding whether they require “informed consent” from visitors to keep using them. This review process was important to undertake, said the spokesperson, because from 26 May the ICO is obliged to investigate any complaints it receives about the use of non-compliant cookies.

“We will look into those complaints and see what that company is doing to work towards compliance,” said the ICO.

It is still not expected that the ICO will take enforcement action until information about technical solutions has been drawn up.

Third-party cookies, used by advertisers to track users across sites, are likely to be particularly problematic to review and police. One solution, brokered by the Internet Advertising Bureau, might be the use of an icon on adverts that, when clicked, reveals information about data being gathered.

To read this article in full, go to http://www.bbc.co.uk/news/technology-13345545 now.

ACS:Law fined £1000 by the ICO – is it enough?

May 11th, 2011

On 1st February this year, we reported on how the ICO had come under attack for failing to fine BT for a data breach involving law firm ACS:Law, following a cyber attack on the law firm. BT had emailed the confidential information of over 500 of its customers to the firm, which was using the data to fine people for illegal online file sharing. The confidential information included credit card data and references to sexual life and health; some of the details were particularly sensitive, such as whether an individual was accused of sharing pornography.

Many people were up in arms over this, because it highlighted the ability of organisations to claim to have a data protection policy but fail to adequately enforce it.

However, yesterday ZDNet UK reported that the UK privacy authority has fined the solicitor behind ACS:Law £1,000 for failing to keep the personal data of at least 6,000 people secure.

One of ACS:Law’s solicitors sent hundreds of letters ‘that accused people of unlawful file-sharing [but] had lax IT security which contributed to the loss of people’s personal details’, the Information Commissioner’s Office (ICO) said in a statement Tuesday.

“The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details,” said information commissioner, Christopher Graham in a statement.

The web-hosting package that ACS:Law used for its operation was ‘only intended for home use, and cost £5.99 per month. Crossley had received no assurances from the web-host that information would be kept secure’. The solicitor’s firm should have been aware of its Data Protection Act obligations, the ICO added.

The ICO would have fined ACS:Law £200,000 had the company still been trading. Crossley, who at one point owned a Bentley, told the ICO he did not now have the means to pay a higher fine.

“The £1,000 reflects his financial condition. He did drive a Bentley at one point, but he doesn’t now.”

Many people will be angered by this seemingly low fine. One such person is Alex Hanff, Privacy Campaigner, who told ZDNet UK:

“To issue a £1,000 fine is laughable,” said Hanff. “The ICO should have ruled on the seriousness of the breach — you couldn’t get much more sensitive information than [alleged] sexual orientation and preferences.”

Is the ICO using its fining powers effectively?

April 28th, 2011

Channelweb.co.uk has today reported on the Information Commissioner’s Office (ICO) response to claims made by encryption vendor ViaSat that the ICO is being ‘inactive’ in handing out fines for Data Protection Act (DPA) breaches.

The ICO was given powers in early 2010 to impose fines of up to £500,000 on firms that breach the DPA, although it has emerged, through ViaSat’s claims, that to date only £310,000 in fines has been handed out.

ViaSat requested the information via an FoI request, but the ICO claims that ‘one of the statistics, relating to the number of data breaches reported between 6 April 2010 and 22 March 2011, supplied to ViaSat, has been misinterpreted’.

The statistic in question suggests, according to ViaSat, that 2,565 potential data breaches were reported between 6th April 2010 and 22 March 2011. A representative from the ICO explained:

“While it is true that the ICO has concluded that in 2,565 cases compliance with the DPA was unlikely, the figure for self-reported security breaches – where information has been disclosed or lost – is far lower.

“The 2,565 [figure] cover all types of compliance including a company sending unwanted postal marketing, incorrect data being held or an organisation not handling a subject access request appropriately.”

The representative continued: “These [self-reported security breaches] vary from minor administrative errors, where enforcement action would not be appropriate to serious data losses which led to the ICO imposing a monetary penalty.”

Chris McIntosh, Chief Executive of ViaSat UK, told ChannelWeb:

“The figure of 2,565 was given to us by the ICO in direct response to an FoI request on the number of data breaches reported since 6 April 2010,” he said. “Our request was clear in that we wanted information on the number of data breaches.

“Even if you look at the revised figures the ICO has released, it is still clear that monetary penalties have been enforced in less than one per cent of the data losses it has dealt with.”

Many people in the data industry seem to be concerned not with the number of breaches reported, but with the number of breaches that the ICO has decided to clamp down on. ChannelWeb asked Daniel Hamilton, director of public privacy campaigners Big Brother Watch, what he thought:

“For the ICO to only take enforcement action in such a small number of cases, suggests he is little more than a paper tiger,” he said. “The ICO has tough and wide-ranging powers and it is time he used them to maximum effect.”

Sony playstation – has there been a data breach?

April 27th, 2011

The BBC has today reported on the potential extent of the Sony PlayStation Network hack, and that credit card details may have been among the stolen personal information.

The company has said that the data might have fallen into the hands of an “unauthorised person” following a hacking attack on its online service.

The network went down last Wednesday, 20th April, and access to it was suspended; however, Sony has only today revealed the details of why.

In a statement posted on the official PlayStation blog, Nick Caplin, the company’s head of communications for Europe, said: “We have discovered that between April 17 and April 19 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network”.

The blog posting lists the personal information that Sony believes has been taken:

  • Name
  • Address (city, state/province, zip or postal code)
  • Country
  • E-mail address
  • Date of birth
  • PlayStation Network/Qriocity passwords and login
  • Handle/PSN online ID

Mr Caplin added: “It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information.”

Sony also admitted that there was a chance that credit card information was also stolen.

“While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility,” Mr Caplin said.

“If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.”

The UK Information Commissioner, Christopher Graham, told BBC Radio 4’s “You and Yours” programme that it looked like “a very significant breach of data protection law”. The Information Commissioner’s Office (ICO) has the power to impose fines of up to £500,000.

He added: “We are already investigating what looks like a very significant breach of data protection law.”

Whether the ICO can fine Sony depends on whether the data in the PlayStation Network was stored in the UK: the ICO can only issue fines if it was.

“If it turns out that it is our responsibility here in the UK, we would ask ‘were the security measures appropriate’,” he added.

To read the article in full, go to http://www.bbc.co.uk/news/technology-13192359 now.

Prime Minister feels 'uneasy' about the changing shape of UK Privacy Law.

April 21st, 2011

The BBC has today reported on PM David Cameron’s opinions toward the changing shape of privacy law in the UK.

Mr Cameron was asked about his position during a recent question-and-answer session at General Motors in Luton. He said that judges were using cases based on the Human Rights Act to develop a privacy law that left him feeling “a little uneasy”, and he argued that Parliament, not judges, should decide on the balance between the freedom of the press and the right to privacy.

Prime Minister Cameron’s comments follow a number of recent injunctions which have banned the identification of celebrities – but a leading law firm has defended these injunctions, saying they are not just for the rich. In one particular case, a worldwide ban, or ‘contra mundum’ order, was issued for a man who did not want material about his private life published. Such bans have historically only been used in relation to high-profile court cases, including that of the killers of James Bulger, when a court ruled that there was a “strong possibility” that their lives would be at risk if they were identified.

A contra mundum order is intended to apply forever, and it applies to all those who might come to know of it – as opposed to forbidding the publication of details by a specific newspaper or journalist.

In the particular case highlighted above, the man in question happens to be a Premier League footballer – he wishes to remain anonymous due to speculation about his private life.

The BBC writes:
“The decision is seen by many as another step in the move by the courts to extend protections for the right to respect for privacy and family life under Article 8 of the European Convention on Human Rights.
But it also marks a further advance in the steps the courts are prepared to take in restricting the right to freedom of expression under Article 10 of the Convention.
The law firm Carter Ruck, which has represented famous figures seeking injunctions, defended the practice.
Carter Ruck managing partner Cameron Doley said that injunctions could be obtained by people who were not rich and they were not there just to help the powerful suppress scandals.
And he argued that “genuinely private people” had a right to protection.”

When asked about his views, PR consultant Max Clifford said: “The privacy of the rich and famous seems to be exactly what the courts are determined to achieve.
“What we’ve got in this country now is a privacy law that wasn’t brought in by Parliament but the judges have decided what they want and that’s what they’ve achieved.”

UK Businesses fear Cloud Computing

April 19th, 2011

Realwire yesterday reported on UK businesses’ fear of cloud computing due to concerns over its security; according to a survey by YouGov, almost 62% of IT managers feel this way.

YouGov found that among the IT managers and directors surveyed, less than half of the businesses (41 per cent) are planning to move or have moved their IT operations to the cloud.

In addition to security fears, data protection (60 per cent) and a perceived lack of regulation (26 per cent) were stated as an obstacle to cloud adoption. As a result, almost one in five (18 per cent) IT managers said their businesses had considered but rejected the idea of moving any aspect of their IT to the cloud, and almost a quarter (24 per cent) had not even considered the cloud as an option.

With 79 per cent of respondents representing firms with 1,000 or more employees, this means that companies could be missing out on significant cost and efficiency benefits.

“Cloud technology has huge potential for streamlining IT operations, particularly in larger organisations with more sophisticated IT requirements,” said Andrew Lintell, corporate sales director for UK and Ireland, Kaspersky Lab. “Cloud-based solutions can make IT systems leaner as well as more agile and cost effective – freeing up valuable IT expertise and resources. 

Lintell continued: “Our research has found that there is still considerable confusion about the cloud. Companies may be concerned about where data is stored and how they can keep it secure, but they should also view the positive gains…”

To read the article in full, and for more information, go to: http://www.realwire.com/releases/UK-businesses-fear-security-risks-surrounding-cloud-computing

Comment
Managing customer information ‘under one roof’ allows a business to run more efficiently. For starters, sales opportunities can be exposed, handled more quickly and reported on more accurately. From a marketing point of view, we can ensure that campaigns reach the audience they are intended for, and that revenue is maximised as a result.

By integrating correspondence, campaigns and actions, CRM strategies help both you and your customers.

Contact us now on 01423 790125 or at info@absolute-data.co.uk for further information.

UK government to adopt EU rules on browser cookies, confirms Vaizey.

April 19th, 2011

The Inquirer has today reported that the government will adopt EU regulations regarding web browser cookies from 25th May onwards, and has suggested that the Information Commissioner’s Office (ICO) will be lenient on firms that have not yet adopted the regulations by then.

Communications Minister Ed Vaizey said, “Our use of digital technologies, mobile and fixed line phone services, e-mail and the internet continues unabated. The changes to the EU Electronic Communications Framework will bring our regulatory framework up to date. They will help ensure there is a level playing field across Europe.”

The new regulations mean that companies will have to ask users for their permission before doing anything with browser cookies; the EU rules already enforce this. Their aim is to give users more privacy and a voice in how companies view their consumers.

The Inquirer states:
“In order to smooth the web browsing process the government has promised to work with browser makers to create ‘do not track’ features. This is incredibly fortunate since in the main the web browsers already have them.”

Vaizey added:
“We recognise that work on the technical solutions for cookie use will not be complete by the implementation deadline. It will take time for meaningful solutions to be developed, evaluated and rolled out. Therefore we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.”

To read more go to: www.theinquirer.net/inquirer/news/2044473/uk-adopts-european-track-laws#ixzz1JynbvGh8 now.

Freedom of Information (FOI) requests taking too long

April 15th, 2011

The Information Commissioner’s Office (ICO) has today released a statement outlining how several public authorities have failed to meet the requirement to reduce the time they take to respond to FOI requests.

33 authorities, including the Cabinet Office and the Ministry of Defence, were monitored by the ICO in this respect; and of the 33 authorities, the ICO is in discussion with several of them about improvements that still need to be made.

The London Borough of Hammersmith and Fulham, the London Borough of Islington, Wolverhampton City Council and Westminster City Council have all been asked to sign formal undertakings to improve performance.

Information Commissioner, Christopher Graham, said:

“I am delighted that over two thirds of the authorities whose performance we have been monitoring have managed to overcome their problems. However, the remaining authorities have not done enough to convince us that they have a clear and credible plan for getting back on track. Over the next four weeks, we shall be discussing appropriate next steps with them.”
 
“Responding promptly to FOI requests is key to delivering citizens’ rights. Too many public authorities are taking too long to decide either way whether to release information or to refuse requests.”

To read the statement in full, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/foi_monitoring_news_release_20110412.ashx now.

Two UK health organisations guilty of Data Protection Act (1998) breaches

April 13th, 2011

Many organisations keep paper records of their customers, clients and transactions, and many of these paper records include private and confidential information. The ICO has today warned of the need to make the management of paper records more robust after two healthcare organisations, NHS Liverpool Community Health and the Council for Healthcare Regulatory Excellence (CHRE), were both recently found guilty of breaching the Data Protection Act (DPA) and signed formal undertakings as a result.

NHS Liverpool lost papers regarding the medical history of 31 children and their birth mothers, when moving premises in 2010. It was confirmed that the removal company used had no formal contract in place in relation to handling personal data, which is a requirement of the Act.

The CHRE has possibly lost complaint files containing sensitive personal data. Due to weaknesses in CHRE’s document recording, administration and communication processes the organisation cannot be certain if the information was ever received or whether it was subsequently lost or destroyed. As a result, they have also been found guilty of breaching the Act.

Acting Head of Enforcement, Sally Anne Poole, said:
“These incidents highlight significant weaknesses in both organisations’ data handling procedures. While we are pleased that NHS Liverpool Community Health and CHRE have both agreed to review their existing security procedures and processes, these incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously.”

To read the report in full go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/nhs_liverpool_chre_news_release_201104.ashx now.

Full copies of both undertakings can be viewed here:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment. By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

The Child Exploitation and Online Protection Centre in data breach investigation

April 12th, 2011

The Child Exploitation and Online Protection Centre (CEOP)’s website is under investigation by the Information Commissioner’s Office (ICO) following reports that a page used to transfer data was unencrypted; the page in question is the one used to report alleged offenders, and users accessing the page from Google or Facebook were not directed to an https URL, but a regular unencrypted http page.

CEOP reportedly fixed the issue on the same day as being made aware of it, and as far as it is aware, no personal details have been compromised.

A spokesperson for CEOP said: “There was an error and that has been rectified. The risk was extremely low.

“CEOP receives a number of reports through a number of different routes so the reports in question are a small proportion. But we take the security of our systems and reports seriously,” she said.

A spokesperson for the ICO said: “We are making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

To read the article in full, go to http://www.computerworlduk.com/news/security/3273139/information-commissioner-investigates-security-risk-on-child-protection-website/ now.
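The CEOP incident above turns on one misconfiguration: a sensitive reporting form that was reachable over plain http://, so that anyone arriving from a search result or a social-media link would have submitted their report unencrypted. As an added example (not code from CEOP, the ICO or this site), the following Python audit checks what a plain http:// request to such a form returns, which should be a permanent redirect to the same host over https, and that the https page itself sends a Strict-Transport-Security header so that later visits never start in plaintext. The Response objects, the host name report.example.test and the one-year HSTS threshold are constructed assumptions.

```python
"""Audit whether a sensitive web form refuses plaintext HTTP and sets HSTS.

Added example for this article; it is not code from CEOP, the ICO or the
article's author. The Response objects below are constructed samples, and
the host name report.example.test is a placeholder.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# One year, the minimum many HSTS preload programmes expect (assumption used here).
HSTS_MIN_AGE = 31536000

PLAINTEXT_FINDING = "page served over plain HTTP: form data would travel unencrypted"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: requested URL, status, headers."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Return the max-age of a Strict-Transport-Security header, or None."""
    if not value:
        return None
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return None
    return None


def check_plaintext_endpoint(resp):
    """Findings for the response to a plain http:// request for the form.

    The only acceptable outcome is a redirect to the same host over https;
    an empty list means that is what happened.
    """
    if urlsplit(resp.url).scheme != "http":
        raise ValueError("expected the response to a plain http:// request")
    if resp.status == 200:
        return [PLAINTEXT_FINDING]
    findings = []
    if resp.status not in (301, 308):
        findings.append(f"status {resp.status}: use a permanent redirect (301/308) to https")
    location = _header(resp.headers, "Location")
    if not location:
        findings.append("redirect without a Location header")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    elif target.netloc != urlsplit(resp.url).netloc:
        findings.append(f"redirect leaves the original host: {location}")
    return findings


def check_https_endpoint(resp):
    """Findings for the https:// response. Browsers only honour HSTS on an
    encrypted response, so the header must be on this page, not the redirect."""
    findings = []
    age = parse_hsts(_header(resp.headers, "Strict-Transport-Security"))
    if age is None:
        findings.append("no Strict-Transport-Security header: later visits may still start on http")
    elif age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {age} is below {HSTS_MIN_AGE} seconds")
    return findings


def audit(http_resp, https_resp):
    """Combine both checks into one list of findings for the endpoint."""
    return check_plaintext_endpoint(http_resp) + check_https_endpoint(https_resp)


# Constructed sample responses (not captures from any real site).
BAD_HTTP = Response("http://report.example.test/report-form", 200,
                    {"Content-Type": "text/html"})
GOOD_HTTP = Response("http://report.example.test/report-form", 301,
                     {"Location": "https://report.example.test/report-form"})
GOOD_HTTPS = Response("https://report.example.test/report-form", 200,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
WEAK_HTTPS = Response("https://report.example.test/report-form", 200, {})

if __name__ == "__main__":
    for label, pair in (("misconfigured", (BAD_HTTP, WEAK_HTTPS)),
                        ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit(*pair) or ["no findings"])
```

In practice the two Response objects would be filled from real fetches (for example with urllib, without following redirects) of the exact URL that search engines and social networks link to, since that entry point is what CEOP's visitors hit. The HSTS check is deliberately run against the https response only: a Strict-Transport-Security header sent on the plaintext redirect is ignored by browsers, so its presence there proves nothing.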

Update on US Epsilon security breach – Marks and Spencer UK customers affected

April 7th, 2011

Marks and Spencer has confirmed that its customers’ details could have been compromised in the large-scale data attack on email marketing firm Epsilon earlier in the week, and is the first UK company to admit as much.

Customers were told by Marks and Spencer to expect unsolicited spam emails, and were urged to “take (their) privacy seriously”.

The admission by Marks and Spencer could spark an investigation by the Information Commissioner’s Office (ICO) in the UK – companies which pass UK citizens’ personal details to US-based companies are required to ensure that the destination has a proper “safe harbour” arrangement to safeguard the data to European standards. An ICO spokesman said: “We are making enquiries to determine whether a breach of the Data Protection Act has occurred.”

Approximately 2% of the companies (50) Epsilon works for are assumed to have been affected, with Barclaycard, Capital One and Hilton Hotels included.

“Given the phishing activity it feels like a hacker crime ring,” said Kevin Rowney, the director of breach response at security firm Symantec. “It’s not a nation state or an intelligence agency. It’s clearly someone interested in profit from this data.” It would be weeks before investigators could identify the attackers, he added.

To be continued…

Another Council breaches the Data Protection Act

April 7th, 2011

The Information Commissioner (ICO) has today confirmed that Kersten England, Chief Executive of the City of York Council, has signed an undertaking to ensure that new procedures are put in place to prevent documentation containing any form of personal data from being printed where there is no business need to do so, following an accidental data breach.

Personal data was disclosed to a third party after a mix-up occurred in printing. City of York Council reported this breach on 10th February this year. The disclosed information was forwarded to the third party when printed documents were collected from a communal printer tray and then posted out; the private information was mixed up within them. This private information had been printed by another member of staff, and no checks were made to ensure the correct documents were posted to the correct intended recipients.

City of York Council was found to have robust procedures and policies in place regarding personal data and its handling; however, management supervision, personal ownership and quality control were lacking.

Acting Head of Enforcement, Sally-anne Poole said:
“This case highlights the need for employees to take responsibility and ownership of tasks that involve handling personal data. If the documents had not been left unattended by the printer and had been carefully checked before they were sent out then this situation could easily have been avoided. We are pleased that the City of York Council has introduced new security measures governing the use of its printers”.

The council will also bring in new quality control checks on all the information they handle prior to distribution, as well as extending their clear desk policy to include printer trays, post trays and other pending work trays.

To read the undertaking in full, go to http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings now.

The changing law in consumer data usage…

April 5th, 2011

Marketing Week has reported how important it is for businesses to take note of changing laws surrounding the use of consumer data; and specifically businesses that take data from consumer’s computers to deliver targeted online advertising.

The new law, which comes into force on Wednesday 25th May, will mean that marketers will have to obtain consent to store and retrieve data usage information from any visitor to their site, i.e. cookies. There is a concern among business leaders that the importance of this collection method hasn’t been properly considered.

Christopher Graham, the UK Information Commissioner, says that businesses need to “wake up” and start thinking about how they will meet the requirements of the new law.

For the full article, go to http://www.marketingweek.co.uk/disciplines/data-strategy/businesses-need-to-%E2%80%98wake-up%E2%80%99-to-new-law/3025116.article now.

Largest internet security breach in U.S. history?

April 5th, 2011

The Guardian has reported that millions of customers’ details have been stolen as a result of an email hack. Customers of Barclaycard US, Capital One and other companies are said to be affected, after an attack on marketing email provider Epsilon – which is said to be one of the largest internet security breaches in US history.

Customers have been warned to expect fraudulent emails to be sent to them, attempting to obtain further login details. It is not thought that passwords or credit card details have been exposed, and the Guardian has learned from Barclaycard US that the company will continue working with Epsilon, despite the breach.

Although thought unlikely, the Information Commissioner’s Office (ICO) is carrying out enquiries to check if any British customers have been affected.

Epsilon provides online marketing services for over 2,000 companies. On Friday of last week, it added a statement to its website stating that its systems had been “exposed by an unauthorised entry”. It is not yet known who perpetrated the attack, which US law enforcement agencies have begun investigating.

“The information that was obtained was limited to email addresses and/or customer names only,” Epsilon said in its statement. “A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

“Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely,” said Paul Ducklin of internet security firm Sophos. “That, in turn, can make their fraudulent correspondence seem more believable.”

To read the article in full, go to http://www.guardian.co.uk/technology/2011/apr/04/epsilon-email-hack now.

Royal Cornwall Hospitals Trust signs formal undertaking for Data Protection Act breach.

April 4th, 2011

The ICO has confirmed that Royal Cornwall Hospitals NHS Trust has signed a formal undertaking after acknowledging that it twice breached the Data Protection Act in 2010.

Although full details of the incidents haven’t been released, it is clear that on both occasions, information regarding third parties was sent to an individual, after the individual requested information solely about them.

Acting Head of Enforcement, Sally-anne Poole, said:

“More and more people today want to find out exactly what information their GP or hospital holds about them, making subject access requests an increasingly popular tool.

“However, just because staff are busy with requests, this does not mean they can stop doing adequate checks before information is sent out. I am pleased that Royal Cornwall NHS Hospital Trust has agreed to take the necessary steps to make sure this sort of incident doesn’t happen again.”

A full copy of the undertaking can be viewed here: http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings


EU Privacy Legislation will bring costs to businesses, but make for 'level playing ground'.

April 1st, 2011

Businesses will be subject to extra costs under the new EU data privacy legislation once the plans are implemented. Viviane Reding, the European Commissioner for justice, fundamental rights and citizenship, has recently been outlining the costs associated with the forthcoming legislation, but has suggested that an EU-wide framework for data management would in fact eliminate costs, because simplification of the law would reduce the workload relating to compliance.

Reding stated: “All fundamental rights have a cost. The right to the protection of data is not an exception. Costs are carried by businesses, administrations and citizens – actually by society as a whole. But I believe that companies have specific responsibility because data is often their main economic asset.”

Reding warned that it is vital to make the rules on data management equal across the EU, in order to maintain consumer and business trust and to create a level playing field between competing businesses.

“I strongly believe that the cost of no action in the field of data protection is much higher than the cost of improving the rules,” Reding stated.

It is expected that the UK government will find the speech Reding made particularly interesting, as it is apparent that the government is critical of such plans for data privacy (especially ‘the right to be forgotten’).

Go to http://www.v3.co.uk/v3-uk/news/2039272/reding-outline-costs-business-pay-eu-privacy-legislation to read the full article.

Google Buzz to undergo privacy reviews for next 20 years.

March 29th, 2011

Marketing Week has reported on an article first written in newmediaage.co.uk, whereby Google Buzz will have to undergo a privacy review once every two years for the next 20 years.

Complaints were made about Google Buzz, including the ‘public listing of users’ frequent Gmail contacts and the inability to be fully removed from the social network’. These complaints led to charges that Google had violated its own privacy promises.

Google stated: “We don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control, letting our users and Google down.”

Google has been the subject of privacy complaints in more than one area in recent times; it was also criticised for gathering personal data from unsecured Wi-Fi networks while collecting imagery for its Street View service.

This latest online privacy incident has prompted comment from Viviane Reding, of the European Justice Commission (EJC), who last week indicated that global internet companies, such as Facebook and Google, would be bound by European law, and that citizens had the right to proper data protection and the “right to be forgotten”.

To view the full story, go to http://www.marketingweek.co.uk/disciplines/digital/google-to-undergo-privacy-audits-for-next-20-years/3025050.article now.

Second estate agent is fined for Data Protection Act breach

March 25th, 2011

The second estate agent in a month has been found guilty of breaching the Data Protection Act, and as a result, has been fined by the Information Commissioner’s Office (ICO).

Newbank Estate and Letting Agents failed to inform the ICO that it processes personal data; it was ordered, by Cwmbran Magistrates’ Court, to pay a £100 fine, £250 towards prosecution costs, and a £15 victims’ surcharge.

Such a fine ‘should serve as a clear warning to all businesses that they must comply with all necessary laws if they handle personal data’, said Anne Jones, Assistant Commissioner for Wales. “The fact that this is the second prosecution against an estate agent that the ICO has brought to court this month proves that the industry still needs to take its legal responsibilities more seriously.”

Stewart Room, of law firm Fisher Waterhouse LLP, told v3.co.uk that the fine undermined the ICO’s stance, and called on the ICO to lobby hard for more to be done:
“The amount of the fine sends out a very clear signal to business, namely that the courts do not regard Data Protection Act crimes as serious matters. This is very depressing as it will only encourage bad businesses to continue in their ways,” he said.

Information commissioner Christopher Graham announced on Tuesday that the organisation is in the process of preparing a fifth fine, which could go as high as £500,000, as it seeks to clamp down on poor data handling.

To read the article in full, go to http://www.v3.co.uk/v3-uk/news/2037362/estate-agent-fined-ico-clamps-breaches now.

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment. By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

Another Council breaches the Data Protection Act

March 21st, 2011

Confidential personal information has been disposed of in a skip by Wolverhampton City Council, the Information Commissioner’s Office (ICO) has revealed.

The breach occurred in October 2010, when records including medical, employment and personal data were fly-tipped into a skip at a local leisure centre, which was then stolen. A local newspaper discovered this information and reported on it.

Although the Council had a written contract with a waste management company to ensure the secure disposal of personal data, it was the Council itself that had failed to identify the personal and confidential nature of the information being disposed of.

Director of Operations at the ICO, Simon Entwisle, said:
“This breach demonstrates how important it is that staff who handle personal data have a good understanding of the need to keep it safe at all times – especially when it is being disposed of. An organisation’s responsibility to keep information secure does not end when it is taken out of the building.
“The thought of people’s personal details being dumped on the street is worrying enough, not to mention what could have happened if it had fallen into the wrong hands. I am pleased that the council has taken the necessary steps to ensure that this type of breach does not happen again.”

Comment
An undertaking has been signed by the Council to ensure that staff are made aware of the Council’s policies on data protection and waste management, and are appropriately trained in how to follow them. The Council will also ensure that compliance with the policies is appropriately and regularly monitored. Absolute Data specialises in helping such organisations review their strategies in these areas, and thus improve data management systems. Absolute Data also works with many organisations in order to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment. For further information, please contact us now at info@absolute-data.co.uk.

More prosecutions for businesses as they fail to notify the ICO

March 21st, 2011

A member of an estate agency’s staff, Peter Quigg, has been found guilty of failing to notify the Information Commissioner’s Office that his business, PDQ Property Sales, processes the personal information of others. Ormskirk Magistrates’ Court found him guilty and fined him £250 with £265 costs, as well as a £15 victim surcharge.

Under the Data Protection Act 1998, every organisation that processes the personal information of others is required to notify the Information Commissioner’s Office of the reason it is doing so. All estate agents are currently being written to, urging them to check whether they fall into this category.

Mick Gorrill, Head of Enforcement at the Information Commissioner’s Office, said:

“This requirement is written into data protection legislation for a number of very valid reasons, not least because it gives people an added assurance that businesses and other organisations understand the need to keep their personal details secure.”

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment. By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

Data breach at York University

March 16th, 2011

York University published the personal information of 148 students on its website, and an investigation has begun as a result.

Mobile phone numbers, addresses and A-Level results were visible on the university’s website inquiry page last week. The university has taken ‘immediate action to rectify the problem’ and a security review is now underway.

‘All procedures and management systems (are being investigated)…. (we) will undertake a thorough review of our data security arrangements’, Registrar Dr David Duncan stated.

The Information Commissioner has been informed, and the University has apologised to anyone who has been affected by the breach.

If the Information Commissioner finds the University guilty of violating the Data Protection Act, it could face legal action or a fine of up to £500,000.

County Council breaches Data Protection Act

February 24th, 2011

A memory stick containing sensitive data relating to vulnerable adults has been lost by Cambridgeshire County Council, despite a drive to switch to encrypted devices and training on the importance of keeping personal information secure.

The loss occurred after a staff member had encountered problems with an encrypted memory stick that had been provided by the council free of charge, and so switched to an unencrypted version. The memory stick in question held information relating to six individuals.

The internal campaign run by the Council had promoted encryption policy, and staff were warned about the dangers of not using encrypted devices to store information.

Sally-anne Poole, Enforcement Group Manager at the ICO, said:
“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff.
“We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

As a result of the loss, Cambridgeshire County Council has signed a formal undertaking, “to ensure that all portable devices used by the council are encrypted using encryption software that meets the current standard”. The Council will also carry out regular monitoring procedures to ensure this doesn’t happen again.
To read the full undertaking, go to http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked, but even in the case of Cambridgeshire County Council, where they have taken active steps in managing risks to privacy, Absolute Data can help. Absolute Data can take any hassle away from an organisation, and hold training and seminars, document information, and carry out regular checks and reviews on an organisation’s behalf. For further information, please contact us now at info@absolute-data.co.uk.

Gwent Police in breach of Data Protection Act

February 16th, 2011

Information relating to approximately 10,000 people’s CRB checks was accidentally emailed by Gwent Police to a member of the public. A website journalist received the email after a member of staff copied them into it. No criminal convictions were disclosed, and the nature of the information was not identifiable.

Gwent Police conducted an investigation into the error, concluding that the member of staff responsible for circulating the email was at fault for failing to follow the Force’s IT security policy.

Anne Jones, Assistant Commissioner for Wales, said:
“It is essential that staff are aware of and follow their organisation’s security policies. Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place. We are pleased that Gwent Police has taken steps to prevent this happening again.”

Mick Giannasi, the then Chief Constable of Gwent Police, has signed a formal undertaking agreeing to put in place a number of steps to prevent a similar breach from happening again. The undertaking was agreed in August 2010. However, as disciplinary proceedings at Gwent Police were underway, the ICO did not publish the undertaking at that time.

Gwent Police will implement stricter rules to ensure that wherever possible information is accessed directly via secure databases and the use of generic passwords will stop. The undertaking also requires new technology to be brought in to prevent the inappropriate auto completion of addresses in internal and external email accounts.

A full copy of the undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

ICO hands out £150,000.00 in fines for Data Protection breaches

February 10th, 2011

The ICO has announced that two London Councils, Ealing and Hounslow, have been served monetary penalties for breaches of the Data Protection Act. The breaches involved the loss of two unencrypted laptops containing personal, and in some cases sensitive, information.

Laptops are relied upon by a service run by Ealing Council, whereby up to nine staff can be working from home at any given time. Information relating to individuals needs to be recorded on these laptops. This service, although run by Ealing Council, is operated on behalf of Hounslow Council too.

Two password-protected but unencrypted laptops, containing 1,700 individuals’ details, were stolen from a worker’s home; these individuals were clients of both Councils. The lack of encryption breached both councils’ policies.

Although there is no evidence that any of the information has been accessed by a third party, it is clear that a significant risk has been posed to the data, and as a result Ealing Council was fined £80,000.00 and Hounslow £70,000.00. It was noted that neither council ensured their data policies were understood or adhered to by staff; there was also no written contract between the councils, and Hounslow Council had never monitored Ealing Council’s procedures.

Deputy Commissioner, David Smith, said:
“Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.
“The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.
“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO.

To read the article in full, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/Monetary_penalties_ealing_and_hounslow_news_release_20110208.ashx now.

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.


The ICO comes under attack for dropping BT / ACS:Law case on Data Protection breach.

February 1st, 2011

The Guardian has today reported that the Information Commissioner’s Office (ICO) has dropped its case against BT. The case related to an email sent by BT to law firm ACS:Law which contained confidential details of more than 500 of its customers, including names, addresses and telephone numbers.

The ICO has confirmed that BT cannot be held responsible for the action, but this decision has angered many, including Privacy International. “This appears to give the green light to companies like BT claiming to have a data protection policy, but failing to adequately enforce it,” said Davies of Privacy International. The privacy pressure group Big Brother Watch said the information commissioner, Christopher Graham, had “bottled it”.

Another online leak of BT customers’ data occurred in the aftermath of the saga, when ACS:Law’s website was attacked. A separate investigation is being conducted in relation to this.

In response, the ICO said on Monday: “We have regular contact with a range of organisations regarding allegations of staff inappropriately accessing or disclosing personal information.
“Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer.
“However, where that employee is accessing records for personal gain, such as selling the data on to third parties, the ICO may open a criminal investigation.”

To read the article in full, go to http://www.guardian.co.uk/technology/2011/feb/01/ico-bt-acslaw now.

Information Commissioner’s Office gets tough on councillors – threatening monetary fines for Data Protection Act breaches.

January 26th, 2011

Website www.publicservice.co.uk has today reported that the Information Commissioner’s Office (ICO) has warned councillors in the UK that they could be fined up to £5,000 at a Magistrates’ Court (or an unlimited amount at Crown Court) if they do not register themselves as data handlers when required.

It is not a blanket requirement for councillors to notify the ICO, but failure to do so when it is necessary is a criminal offence. Councillors have been asked to consider the ‘role in which they are processing personal information’. When acting as a representative of the residents in a ward, or when an independent councillor is not affiliated to any political party, councillors may need to notify.

Simon Entwisle, director of operations at the ICO, said: “Most councillors have regular access to the personal information of the residents they represent. Like all organisations who handle people’s information, it is of paramount importance that they take their responsibilities under the Data Protection Act seriously.”

To read the article in full, go to http://www.publicservice.co.uk/news_story.asp?id=15293 now.

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems. For more information, contact us at info@absolute-data.co.uk

450,000 Organ Donation Preferences found to be Inaccurate

January 24th, 2011

A software error has been the cause of almost 450,000 inaccurate organ donation preferences, the ICO has confirmed in a press release on its website.

Irregularities were discovered between the information recorded on the Organ Donor Register by NHS Blood and Transplant (NHSBT) and the donation preferences stated on Driver and Vehicle Licensing Agency (DVLA) application forms. Although most people’s information was accurate, 444,031 people’s preference information did require amending, and some of those people were contacted directly in order to ensure their original preferences were as they should be.

As soon as the initial error was recognised in March 2010, an immediate stop was placed on all data files received from the DVLA – a full investigation was then commissioned.

The ICO has stated that:

Alan McDermott, Senior Information Risk Officer at NHSBT, has signed an undertaking which commits the organisation to being more robust in checking that information is accurate. This includes systematic sampling and checking of data for accuracy against source documents, routine cross-referencing, as well as making sure all forms for the collection of data are uniform.

The NHSBT will also continue to write to all new registered entrants to give them an opportunity to report any errors, as well as inviting an external organisation with expertise of running large databases to conduct a review of its proposed new control systems.

To see the full Press Release, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/organ_donation_register_news_release_20110121.ashx now.

Is the Serious Organised Crime Agency (SOCA) breaching the Data Protection Act?

January 21st, 2011

The London Evening Standard has today reported on the criticisms made by the Information Commissioner’s Office (ICO) about the Serious Organised Crime Agency.

The Agency holds a secret database, described as a ‘shadowy’ register of people suspected of money laundering and fraud. According to the ICO, the operation of this database breaks data protection and human rights laws.

The database, known as Elmer, holds the information of over one million people, although ‘many may be innocent’, and the ICO has questioned whether the database is therefore ‘justified, necessary and proportionate’. The entries arise under the Terrorism Act 2000, whereby every employee in the finance industry is required to send Soca the details of any customer they suspect of a financial crime, including information such as their national insurance number, vehicle registration, account numbers and details of relevant transactions. Once on this database, a person’s information is stored indefinitely.

Tory peer Lord Marlesford said: “This database sounds like something used by the Stasi in communist Germany. It is in effect a secret database of suspects – none of whom know they are on it nor can they respond to the allegations. It is most un-British and most undemocratic.”

Assistant Information Commissioner Jonathan Bamford said: “Many of these entries are of no ongoing interest to the law enforcement community and do not comply with the Human Rights Act or the Data Protection Act.” Former shadow home secretary David Davis, who campaigns on civil liberties, said Soca should remove “all entries that are trivial and unproven”.

A Soca spokesman said: “We accept the Information Commissioner’s findings on retention and deletion periods and already have work in hand to bring current practice into line with ICO requirements.”

To see the article in full, go to http://www.thisislondon.co.uk/standard/article-23915865-elite-crime-units-database-of-one-million-suspects-breaks-the-law.do now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

Unencrypted laptop holding personal data put at risk – UK junior doctor to blame

January 20th, 2011

theregister.co.uk has today reported the loss of an unencrypted laptop by a doctor in the UK. The laptop in question contained patient data.

The report details that the UK junior medic faces a disciplinary enquiry after acting against regulations set by the Hull and East Yorkshire NHS Trust. He took unencrypted patient information and loaded it onto his own laptop, which was then stolen. He did not inform the right people of the incident until two weeks afterwards.

Residents served by the Hull NHS Trust have now been affected by a third personal data breach in less than a year, the others being the unauthorised access of sensitive data by a Trust staff member, and the theft of data from the firm A4e (who, incidentally, were one of the first companies to be issued with a monetary penalty by the Information Commissioner’s Office).

To read the report in full, go to http://www.theregister.co.uk/2011/01/19/hull_hospital_data_breach_flap/ now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.

ICO urges public to take control of personal credit files

January 19th, 2011

A press release has been issued from the Information Commissioner’s Office, urging the general public to take control of their personal credit files in 2011.

If a credit file is inaccurate, lenders can turn down requests for credit, and considering the economic climate, it is more important than ever for individuals to ensure their files are as they should be.

‘Credit explained’ is an easy to read guide issued by the ICO which helps users understand their rights. Go to http://www.ico.gov.uk/~/media/documents/library/data_protection/practical_application/credit_explained_leaflet_2005.ashx now to read the guide in full.

17% of all complaints letters received by the ICO in the last financial year were from people trying to correct information on their credit reports.

“Your credit reference file isn’t something you should only worry about when applying for a loan or buying a house – taking this approach could mean mistakes go un-noticed for years. I want to put a challenge out to the British public to make 2011 the year they take control of the information credit agencies hold about them. It’s your information and you have a right to check it’s all in order,” David Smith, Deputy Commissioner at the ICO, said.

Data breach at Vodafone sees the Sacking of Employees

January 19th, 2011

ZDNet Australia has reported that Vodafone has confirmed that its operation in Australia has terminated the employment of several staff members and referred their actions to the New South Wales Police Service.

This action follows an alleged privacy leak by employees, whereby up to 4 million customer records were sold on the black market. The people purchasing the records were alleged to have wanted to use them, which included voice and SMS logs, to blackmail customers.

The investigations continue. Please go to http://www.zdnet.com.au/vodafone-sacks-staff-over-data-breach-339308574.htm now for the full report.

UK football fans in the clear following World Cup data breach Scare

January 18th, 2011

Computerworlduk.com has today reported that UK football fans are in the clear after a World Cup data breach scare last year.

It had been suggested that 250,000 football fans’ personal details had been leaked and that the source had been the UK. This led to an investigation by the Information Commissioner’s Office. The Norwegian newspaper “Dagbladet” had reported that a database contained the details of fans internationally who had purchased tickets for matches at the 2006 FIFA World Cup in Germany, and that the database in question had been sold on the black market to an organisation in Norway.

The ICO launched an investigation into the reports in September 2010 but has found that “no ticket purchasers in the UK have been affected of any wrong doing”.

“Our investigation has found that the ticketing database was created by a company in Germany working on behalf of the German Football Association and the FIFA World Cup Organising Committee in Germany,” said Mick Gorrill of the ICO.

“We have concluded that there is no evidence to suggest that any person has unlawfully obtained personal information within the UK, or that any person or organisation has breached UK data protection laws.”

For more information, and to read the article in full, please go to http://www.computerworlduk.com/news/security/3256803/football-fans-data-deemed-safe-after-reported-world-cup-breach/ now.

E-privacy Directive worries Telecoms companies

January 14th, 2011

ZDNet UK has today published an article regarding a new law, the E-Privacy Directive. The new law will take effect from March and will force telecommunications providers to inform customers about data breaches. In addition, the European Commission is considering bringing the banking, healthcare and small business sectors within this data-breach notification law.

The European Network and Information Security Agency (ENISA) is worried about the launch of this law, stating that it will be a “key challenge for organisations”, and that “Gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take-up of innovative technologies and higher value-added online services across Europe”.
 
Naturally, telecommunications companies are worried about the damage notifying the public of a breach will do to their reputations and brands; and data protection regulators fear that an increase in notifications will put a strain on the services they provide.

Public confidence has been shaken of late, with some data breaches gaining a high profile in the media, especially since the introduction of monetary fines – namely those imposed on Hertfordshire County Council and the employment services company A4e.

“Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train,” ENISA data-breach expert Sławomir Górniak told ZDNet UK.

To read the full article, please go to http://www.zdnet.co.uk/news/security/2011/01/14/enisa-telecoms-companies-are-wary-of-data-breach-law-40091437/ now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment. 

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with.

For further information, please contact us now at info@absolute-data.co.uk.

ICO welcomes the Government’s call to expand the Freedom of Information Act

January 11th, 2011

Following Nick Clegg’s pledge to expand the Freedom of Information Act, the Information Commissioner’s Office has welcomed the pledge with open arms, in the hope that the expansion will bring greater transparency to the government and its workings.

Justice Minister Lord McNally has suggested that a key part of the government’s desire for transparency is to assess whether the Act is working in practice, and whether changes need to be made to it.

“I am delighted to announce this package of measures which will give people additional tools to find out whether thousands of UK bodies are acting in the public interest and providing value for money,” he said.

“We aim to increase the amount of information readily available to the public and have already achieved a great deal, including, for example, the publication of all government spending over £25,000 and the salaries of the Civil Service’s highest earners.”

To read the full article, go to http://www.v3.co.uk/v3/news/2274162/government-information-security#ixzz1AiTPCEtD now.

Freedom of Information to be Expanded?

January 6th, 2011

James Chapman of the Daily Mail has today reported that Deputy Prime Minister Nick Clegg has pledged to expand freedom of information by ensuring ‘hundreds more taxpayer-funded and charitable bodies should be subject to the transparency of the Freedom of Information Act, which currently applies only to most public authorities’.

They will include organisations which are currently shielded from scrutiny, such as the Association of Chief Police Officers, the Universities and Colleges Admissions Service (UCAS), academy school trusts and the Financial Ombudsman Service.

Mr Clegg said that if an organisation’s behaviour and decisions had ‘clear consequences for the public good, people must be able to see right into the heart of them’.

The Deputy Prime Minister also said that Britain remained a society where information was ‘hoarded by the few’.

‘And, as we know, information is knowledge, and knowledge is power,’ he added.

‘People cannot be free when the state is forever on their back; when their liberties are denied and their autonomy is undermined.

‘So this Government is going to restore British freedoms.’

To read the full article, go to: http://www.dailymail.co.uk/news/article-1344498/Clegg-pledges-expand-freedom-information.html#ixzz1AG8Q4taR now.

Scottish Government draws up Privacy Principles – will rest of UK follow?

January 5th, 2011

All UK public bodies are likely to follow the Scottish Government’s principles in identity management and privacy. The Scottish government has drawn up these principles, which include ensuring public bodies in Scotland only obtain the minimum necessary personal information on citizens, as well as ensuring these bodies don’t aggregate data in a single space and allowing every citizen access to the information held about them through a secure login.

The Assistant Information Commissioner for Scotland, together with Scottish lawyers and academics, formulated the principles, which cover five topics: proving identity and entitlement; governance and accountability; risk management; data and data sharing; and education and engagement.

One of the principles’ main aims is to discourage the creation of large “centralised databases of people’s personal information”; instead, personal information about groups of people should only be “drawn together if there is a business need to do so”, and transactional data should be kept apart from personal information.

Christopher Graham, the Information Commissioner, urged “all Scottish public authorities, not just the Scottish government” to adopt the principles “as a minimum standard”. Graham also said that when imposing penalties for breaches of the Data Protection Act, he takes into consideration “among other factors, the level of compliance with best practice guidance issued both by my office and by other relevant parties”.

To read the full article, please go to http://www.ukauthority.com/Headlines/tabid/36/NewsArticle/tabid/64/Default.aspx?id=3019 now.

Gaelic Athletic Association in data breach Investigation

December 13th, 2010

The ICO has released a statement regarding its position on a data breach involving members of the Gaelic Athletic Association (GAA).

On Friday December 10th, the GAA released a statement on its website explaining that there had been unauthorised access to the GAA membership database. The database contains the names and addresses of 501,786 members, and medical condition information for 544 members. Those 544 members have been contacted directly by letter explaining exactly what is recorded about them. In addition, 167,157 of the members on the database are under 18 years of age. It is GAA policy that the mobile phone or email details of persons under 18 years of age should not be stored on any database.

On 19th November, the GAA was informed that disks containing the database had been received by the Office of the Data Protection Commissioner. Servasport Ltd., a Belfast-based company that develops and maintains the GAA membership database, has issued an unreserved apology to the GAA and its members. Because of an investigation by the Police Service of Northern Ireland, and in order to facilitate it, the GAA was unable to inform members until now.

The ICO, as a result, has released a statement, informing readers that “The Information Commissioner’s Office is working closely with the Police Service of Northern Ireland and the Data Protection Commission in the Republic of Ireland to establish the details of a data breach involving the personal data of members of the Gaelic Athletic Association (GAA).”

To read the statement in full, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2010/gaa_statement_10122010.ashx now. For more information from the GAA, including helpline numbers if you think you may be affected by the breach, please go to http://www.gaa.ie/gaa-news-and-videos/daily-news/1/1012101236-important-notice-on-gaa-membership-database/1/.

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes in it, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so as not to allow such procedural flaws to arise at all and, above all else, to avoid being fined by the ICO for anything up to £500,000.

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with. Absolute Data also works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment. For further information, please contact us now at info@absolute-data.co.uk.

$1.3 billion awarded in U.S. Data Theft case

December 1st, 2010

The BBC has today reported that the European software giant SAP has been ordered to pay its U.S. rival Oracle $1.3 billion following the theft of data.

SAP’s subsidiary TomorrowNow stole customer-support documents, with Oracle alleging that the German company wanted to poach the 358 customers involved. Safra Catz, co-president of Oracle, stated:
“For more than three years, SAP stole thousands of copies of Oracle software and then resold that software and related services to Oracle’s own customers. The trial made it clear that SAP’s most senior executives were aware of the illegal activity from the very beginning”.

Although SAP admitted it had made a mistake (“We regret the actions of TomorrowNow, we have accepted liability and have been willing to fairly compensate Oracle”), it had claimed it owed just $40 billion, a figure rejected by the court. Oracle had initially demanded compensation of $1.65 billion.

SAP has stated it will “pursue all available options, including post-trial motions and appeal if necessary”. The jury reached its decision after only a day of deliberation.

To read the full article, go to http://www.bbc.co.uk/news/business-11826167 now.

Survey says People want Tougher Penalties for Data Loss

November 26th, 2010

Website IT Pro has today announced that ‘most UK consumers want tougher penalties to be handed to companies guilty of losing data’, following a recent survey by OnePoll.

Other conclusions drawn from the survey suggest that two thirds of those asked want to see company directors face criminal proceedings for serious data breaches and that many people want to see compulsory data loss disclosure implemented in the UK.

The results of the survey come after the ICO issued its first fines since it gained more power back in April 2010; whilst some are showing praise for this new implementation, others don’t think the fines issued are big enough, at £100,000 and £60,000.

Ross Brewer, Vice President and Managing Director, International Markets, LogRhythm Europe, the Middle East and Africa (EMEA) said that the survey ‘proved companies do not just risk being punished for data loss incidents, they risk losing customers as well’.

“Our findings show that when people hear about the loss of confidential information they will actively avoid the organisations involved – 66 percent stated they would try to avoid future interactions, while 17 percent were adamant they definitely would not have anything more to do with the guilty party,” he added.

ICO Places First Fines Totalling £160,000

November 24th, 2010

The ICO has announced today that it has imposed its first monetary penalties on two organisations, totalling £160,000. Hertfordshire County Council was found to have committed two serious breaches of the Data Protection Act after it mistakenly faxed personal data to the wrong recipients. Meanwhile, A4e, an employment services organisation, was fined £60,000 for losing an unencrypted laptop that contained the personal details of 24,000 individuals who had used community legal advice centres in Hull and Leicester.

Both organisations have accepted the fines, stating that they are ‘sorry that these mistakes happened’ (Hertfordshire County Council) and ‘we fully accept the judgement… A4e takes the protection of personal data extremely seriously…’ (A4e).

Information Commissioner Christopher Graham said: “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes in it, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so as not to allow such procedural flaws to arise at all and, above all else, to avoid being fined by the ICO for anything up to £500,000.

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with. Absolute Data also works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment. For further information, please contact us now at info@absolute-data.co.uk.

MPs’ Personal Data is Compromised

November 18th, 2010

Work carried out on a database containing the bank details, vehicle registrations and home telephone numbers of MPs with expenses claims put that personal information at risk, the ICO has confirmed. Routine maintenance on the database was carried out by the Independent Parliamentary Standards Authority (IPSA) during July 2010, and it was during this period that the expenses claims, and hence the personal data, were accessible to others.

Mick Gorrill, Head of Enforcement at the ICO, said:
“This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched. MPs carry out a high profile role and the information their expenses claims include could put them at risk of fraud and endanger their security.”

As a result, the IPSA has signed a formal undertaking to ensure that the necessary security measures are put in place to protect MPs’ personal information, that such measures are communicated to all MPs and staff, and that regular reviews of the system’s administrator account take place.

To read the formal undertaking, please go to http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/~/media/documents/library/Data_Protection/Notices/ipsa

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes in it, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so as not to allow such procedural flaws to arise at all.

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with. Absolute Data also works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment. For further information, please contact us now at info@absolute-data.co.uk.

Data Protection Act breached by Local Authority

November 18th, 2010

The ICO yesterday announced that New Forest District Council has breached the Data Protection Act after it published the personal information of individuals, in this case planning applicants who had applied via the local authority’s website.

A resident of the New Forest district first complained to the ICO in 2008, after a request to the Council to remove personal data from an application before it was published on the website was overlooked. That request was subsequently adhered to, but other residents’ information continued to find its way online over the following months. Initially, improvements were made and monitoring processes were put in place at the Council. However, the ICO contacted the Council again in July 2010 after it emerged that personal data was being published online once more.

Staff were interviewed and systems examined, and it was confirmed that the Council was taking the correct measures to reduce the risks to personal data. The Council’s Chief Executive, David Yates, has announced his personal commitment to ensuring maximum compliance with the Data Protection Act. In response, Sally-Anne Poole of the ICO has stated:

“The ICO welcomes the measures introduced by New Forest District Council to tackle this problem. While we appreciate it is difficult for any organisation to give a 100% guarantee that they will comply with the Act, we expect authorities to put the most effective data protection measures in place and to ensure they are upheld.
“We will be monitoring other local authorities to scope compliance in this area on a national level. Any council found to have an unacceptable error rate may be subject to regulatory action.”

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

Portsmouth City Council signs formal undertaking following breach of Data Protection Act.

November 8th, 2010

Portsmouth City Council has been found to have breached the Data Protection Act after giving out the personal details of an individual by mistake. The information in question related to the individual’s physical and mental health, and was mistakenly provided in response to a ‘subject access request’ – an individual’s request to see the information a council holds about them.

It was discovered that supervision of, and training in, the handling of such requests were inadequate. Mick Gorrill, Head of Enforcement at the ICO, said:

“This breach of the Data Protection Act was entirely avoidable, and would not have happened if the individuals dealing with the request had been given proper training and the necessary levels of support. The fact that the information released included sensitive information relating to an individual, who wasn’t directly involved in the original request, could have caused a great deal of embarrassment and distress.”

The Council has now signed a formal undertaking to ensure that all relevant staff are fully trained in how to handle subject access requests and that checks are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements.

To read the full undertaking, please go to http://www.ico.gov.uk/Home/what_we_cover/promoting_data_privacy/taking_action.aspx#portsmouth now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

Public Sector ahead of private sector on Data Protection Awareness

November 5th, 2010

The ICO has today announced that big businesses are lagging behind the public sector when it comes to data protection awareness, following research by SMSR on behalf of the ICO.

In the recent survey, under 50% of private sector firms said that they should store personal information securely, at a time when the general public ranked ‘protecting personal information’ second highest among social concerns – only ‘preventing crime’ ranked higher. The general public is more aware than ever of its right to see the information that a company or organisation holds about them: almost 90% of people surveyed knew this.

Information Commissioner, Christopher Graham, said:
“A strong awareness of data protection obligations is of fundamental importance to any organisation. Businesses need to show they are taking data protection seriously. Failing to do so could not only lead to enforcement action, it could also do significant damage to their reputation.

“There is a link between satisfied customers and good handling of personal information. Our research shows that almost all of the individuals surveyed are concerned about the collection and secure storage of their personal information. Ignoring data protection obligations is ignoring a key customer concern.”

To read the full article go to http://www.ico.gov.uk/news/press_releases.aspx now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

Crown Paint Website investigated for possible Data Breach

October 25th, 2010

Readers of a website owned by Crown Paints have spotted that a company customer database had been published online, in full.

The Register reported this possible data breach late last week (http://www.theregister.co.uk/2010/10/21/crown_paints_data_fail/), although it has, understandably, not provided a link to the page containing the personal details of all customers who had filled in an enquiry form. Details on show included full names, addresses, telephone numbers and details of the enquiry made.

The ICO has been informed of the situation and has responded:

“We have recently been informed of a possible data breach which may involve Crown Decorating Centre.

“We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

Recruitment Agency signs Undertaking with the ICO

October 25th, 2010

Healthcare Locums, a medical recruitment agency, has signed a formal Undertaking with the ICO after it was found to have lost personal data relating to doctors.

The personal data, which included visa and clearance information, was offered for sale on an auction website. Although Healthcare Locums confirmed the incident had happened, it initially did not know how or when the data went missing; it was later confirmed that the hard drive containing the information was lost during a transfer of items across the country.

“This breach highlights the importance of making sure personal information is transported in a way that complies with the Data Protection Act,” said Sally-Anne Poole, enforcement group manager at the ICO. Healthcare Locums signed the formal Undertaking, which covers how information is handled and transported.

To read more on this, go to http://www.v3.co.uk/v3/news/2271623/ico-acts-nhs-leak now.

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes in it, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so as not to allow such procedural flaws to arise at all.

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with. Contact us now: info@absolute-data.co.uk

Facebook involved in Privacy Breach

October 22nd, 2010

Privacy options on the social networking site Facebook have not been working in all cases, it emerged this week.

The personal information of millions of users was being passed to around 25 different advertising and data firms, without prior consent, even when privacy settings were at the maximum security levels. Organisations whose ‘apps’ run on Facebook, including FarmVille and Texas Hold’em Poker, were transmitting user IDs to such firms, which could then target individuals with specific promotions and advertising campaigns.

‘The practice violates Facebook’s own rules on data protection and will raise questions about the company’s ability to keep information about its members’ activities secure’ says the Daily Mail’s Jack Doyle. As a result of the latest findings, Facebook has suspended the operations of those violating the rules.

Daniel Hamilton of Big Brother Watch said: ‘This is the latest in a string of security breaches by Facebook.

‘For the site to pass on confidential information about their users to third parties in order to sell advertising is a gross invasion of privacy.
‘It’s important that members of the public realise that Facebook is not a private place, nor is their information secure.’

Read more now at http://www.dailymail.co.uk/sciencetech/article-1321573/Facebook-games-privacy-breach-User-IDs-passed-advertising-firms.html#ixzz135w4iP2w

Patient Details left on Train

October 22nd, 2010

It was announced this week that a doctor, hoping to work at home following his shift at a hospital within the North West London Hospitals NHS Trust, left printed documents containing the personal and diagnostic information of his patients on a Tube train. The doctor did realise the documents were missing, and did retrieve them from the train’s terminus.

However, this act of forgetfulness has sparked outrage among staff at the ICO. Sally-Anne Poole pointed out that “Most of us can think of a time when we’ve found someone else’s personal belonging, like an umbrella, left behind on a train. But the last thing we should ever expect to find are highly confidential and sensitive papers detailing people’s medical history.”

As a result, the ICO called for more effective data protection measures to be put in place at the Trust, and the Chief Executive of the North West London Hospitals NHS Trust has signed a formal undertaking to ensure that mistakes like this do not happen again.

To read the full story, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2010/nw_london_hospitals_nhs_trust_undertaking_20101018.ashx and to read the full Undertaking, go to http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#nwlondonnhs now.

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes in it, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so as not to allow such procedural flaws to arise at all.

Having a documented procedural system for data management increases the chances of getting it right first time, and by reviewing such systems organisations continually improve their data management. This is something that Absolute Data does and can help you with. Contact us now: info@absolute-data.co.uk

RSA suggests a new era of compliance in the world of Data

October 19th, 2010

A recent study by the RSA-backed Security for Business Innovation Council on data protection and the rules surrounding it, titled ‘Raising the Bar for Organisations Worldwide’, has suggested that it is the ‘end of business as usual’ for companies. RSA has reported that ‘recent developments in data protection legislation and enforcement measures add up to a new and more hostile compliance landscape for companies’. It is expected that the upcoming EU Data Protection Directive will outline plans for increased enforcement of regulations, as well as tighter rules and requirements around notifying the authorities of a breach.

In the face of tougher enforcement and penalties for data protection breaches, the report goes so far as to recommend that businesses take action to influence legislators so that data protection rules do not grow too strict or overly prescriptive. According to the study, data protection authorities are expected to have full powers of ‘auditing, halting data processing and engaging in legal proceedings’.

To read the full study, go to http://www.rsa.com/innovation/docs/CISO_RPT_1010.pdf now.

UK data protection law needs to provide clearer guidelines to businesses and individuals.

October 14th, 2010

According to the Information Commissioner’s Office, UK data protection law needs to provide clearer guidelines for both individuals and businesses.

In a report published in Computer Weekly, the ICO called specifically for clarification of the term ‘personal data’, following a recent public consultation led by the government.

The ICO would also like to see several other areas of the law improved, including greater clarity on consent to use personal information, better coordination with freedom of information law, an appreciation that individuals’ rights need to be updated to bring them in line with the capabilities of modern technology, and a more pragmatic approach to the regulation of international data flows.

The allocation of responsibilities amongst those handling personal data also needs to reflect the changing nature of modern business relationships, the ICO said.

“We need to ensure that people have real protection for their personal information, not just protection on paper and that we are not distracted by arguments over interpretations of the Data Protection Act,” said David Smith, Deputy Information Commissioner.

To view the whole article, go to http://www.computerweekly.com/Articles/2010/10/07/243206/UK-data-protection-law-needs-greater-clarity-says-ICO.htm now.

BT embroiled in ACS:Law list breach

September 29th, 2010

As the story behind the alleged data breach by ACS:Law unravels (see yesterday’s news article Law Firm faces fine of £500,000 after alleged breach of Data Protection Act), BT have today admitted to sending ‘unencrypted’ data to the firm, in the form of unencrypted Excel spreadsheets. The personal details of approximately 500 customers were involved.

BT, it would appear, were working with ACS:Law in late August, when email correspondence between BT employee Prakash Mistry and Andrew Crossley, who runs ACS:Law, was sent along with unencrypted Excel attachments.

Although the email sent by Mistry requested “that the data will be held securely and shall be used only in accordance with the provisions of the… Court’s Order of 17 February 2010”, the data itself was sent in an insecure manner.

In response to this development, BT have announced that:
“We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS:Law) which reached them safely and we trusted that they would keep the data safe.”

BT has, as a result, “comprehensively breached” the Data Protection Act, according to Simon Davies of Privacy International.

As the facts surrounding the issues faced by ACS:Law unravel, a spokesperson for the Information Commissioner’s Office (ICO) told BBC News that the BT email would form part of its ongoing investigation into ACS:Law. The UK’s Information Commissioner, Christopher Graham, told the BBC that firms who breach the Data Protection Act “could face fines of up to half a million pounds”.

To read the story in full, go to http://www.bbc.co.uk/news/technology-11434809 now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

Law Firm faces fine of £500,000 after alleged breach of Data Protection Act

September 28th, 2010

A law firm that focuses its efforts on researching and fining individuals thought to be illegally sharing files online has today been warned that it could face fines of up to £500,000 for allegedly breaching the Data Protection Act. Privacy expert Simon Davies called it “one of the worst breaches” of the Data Protection Act (DPA) he had ever seen.

ACS:Law has made a successful business out of its anti-piracy efforts, asking individuals to pay £500 per infringement or face court action. ACS:Law obtains IP (internet protocol) addresses by using ‘third-party firms to scour the net looking for possible infringements of music and film copyright’. Court orders are then applied for in order to obtain the physical addresses that the IP address originates from.

The alleged breach occurred following an attack on ACS:Law’s website, supposedly carried out in retaliation for its work. In getting the website back online, the personal information of approximately 14,000 individuals was released into the public domain and uploaded to file sharing websites including The Pirate Bay, where it is being shared by hundreds of users. Credit card details, email addresses and physical addresses are said to have been leaked.

As a result, the UK’s Information Commissioner (ICO) has told the BBC that ACS:Law could face a fine of half a million pounds.
“The question we will be asking is how secure was this information and how it was so easily accessed from outside,” said Christopher Graham.
“We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing”.

In response, Andrew Crossley, who runs ACS:Law, spoke out:
“We were the subject of a criminal attack to our systems. The business has and remains intact and is continuing to trade,” he added.

To see the article in full, go to http://www.bbc.co.uk/news/technology-11418970 now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals.  An interesting point to note on this story is the direct quote from the ICO’s office relating to data processes.  The reference to the adequacy of things like staff training is a procedural point and not at all technology related.  The “softer side” of privacy risk management such as staff training and having documented procedures is often overlooked and under-funded in organisations and an area where we can have a big impact for a modest investment.  For further information, please contact us now on info@absolute-data.co.uk.

NHS IT Manager Guilty of Snooping on Patient Records

September 22nd, 2010

Computerworld UK has today published an article about Dale Trevor, a data quality manager at Hull PCT. Trevor, 22, has pleaded guilty to ‘going through patients’ medical records’, specifically those of women, and furthermore those of family, friends and colleagues.

Mr Trevor has pleaded guilty to breaching the Computer Misuse Act 1990 by accessing patients’ medical records without authority.

“Any breach of patient confidentiality is a serious matter, and so in this particular case, we welcome the fact that a successful criminal prosecution has been brought and that a custodial sentence is being considered” stated John Fitzsimmons, Director of Performance at NHS Hull.
“We hope the outcome, following a lengthy investigation, will go some way to reassure patients just how seriously we considered this breach of their trust to have been.”

Comment
Absolute Data can help stop situations such as this from happening by auditing an organisation’s data activity: establishing who actually needs access to which data, increasing security measures as necessary, and training staff members on the importance of data protection and data governance.

To see the rest of this article, go to http://www.computerworlduk.com/news/security/3240512/nhs-it-manager-guilty-of-snooping-on-patient-records/.

Many Landlords and Letting Agents failing to Notify the ICO

September 22nd, 2010

It has been announced by the ICO that few Landlords and Letting Agents notify it when dealing with the personal information of others; and as a result, those concerned are breaching the Data Protection Act.

The ICO has urged the National Association of Estate Agents and The Association of Residential Letting Agents to tell its members of the importance of notification.

A spokesperson for the ICO, Mr Gorrill, has said that he wants all market players to comply, and that legal action will be taken against those who do not.

The ICO’s efforts have produced a 15% increase in notifications so far this year.

Comment

Absolute Data can help your company comply with the Data Protection Act and steer clear of the threat of legal action by analysing your business’s activity and recommending, or even implementing, data governance processes and procedures for you. For more information please contact us now at info@absolute-data.co.uk.

NHS Trust Loses Sensitive Personal Data of its Patients

September 21st, 2010

East and North Hertfordshire NHS Trust has signed a formal undertaking after an unencrypted USB stick containing sensitive personal data was lost by a junior doctor on a train.

The junior doctor was intending to pass patient information to a colleague electronically, once at home, but the USB stick was lost during the journey.

It has now been confirmed that in future, all staff will be made aware by the data controller of the full policy for the use of portable media and the storage and use of personal data and all staff will be trained appropriately in order to comply with such policies.

Efficient monitoring will also take effect; the data controller will also implement any other security measures it deems appropriate to protect against such things happening again.

Comment
There are a number of failings that led to this loss of data. Most of them stem from failures in training and guidance; it would seem that because this NHS Trust did not properly train its staff member, it could have been running with a high level of risk of data loss for some time. Absolute Data can help organisations protect against such risks by carrying out research and implementing training and procedural change. For more information on these services, please contact us now at info@absolute-data.co.uk.

Business Computing World considers the risks to data posed by mobile workers

September 16th, 2010

Business Computing World released a story earlier this week written by Colin Woodland, which looked into the risks to data posed by mobile workers (http://www.businesscomputingworld.co.uk/is-your-company-data-safe-in-the-hands-of-your-mobile-workers/).

“The move towards a truly mobile workforce is accelerating at a blindingly fast pace. IDC estimates that there are already over 1 billion mobile workers worldwide. Laptops, netbooks, and USB flash drives allow workers to access, remove and store large amounts of data and take it outside the relatively safe confines of your corporate offices. There’s no doubt about the productivity gains and benefits of a mobile workforce,” writes Woodland. He goes on to argue that the cost of mobilising a workforce may outweigh the benefits because of the huge costs of data breaches which, according to the article, average a staggering £1.68 million per breach.

Woodward offers a way of managing the risk: ensure that all devices, whether laptops or USB sticks, are encrypted, but also ensure that there is a log of all of the portable devices in the organisation and their assignment to employees. This is a good approach but, in our opinion, too narrow. Like Woodward, we are great supporters of a structured data management system: a documented suite of processes and procedures, managed by an internal team and designed to continually improve data governance and the way data is managed in an organisation. But this is a far cry from a log of devices. We encourage a periodic review of an organisation’s data at all points of its lifecycle through the organisation, with a documented review of findings. We encourage controlled documents implemented in a systematic way to build a framework for data governance designed to manage risk. The log of devices would be one such technique within the broader data governance system.

Absolute Data was fortunate enough to attend Cloudforce in London on the 8th September 2010. It is truly quite amazing what can be achieved using the force.com platform and the salescloud; not only to mitigate the specific risk of data loss on laptops and portable media, but also in terms of mobilising the workforce.  We also believe that organisations should adopt a cloud computing strategy that works to manage its data risks and often we find that this falls out of a data governance audit as a way of reducing the risk of data loss.

Colin Woodward’s full article can be read at http://www.businesscomputingworld.co.uk/is-your-company-data-safe-in-the-hands-of-your-mobile-workers/

East Lothian Council publishes personal details online

September 13th, 2010

East Lothian Council has apologised in the East Lothian Courier for a major error in the protection of data after taxi licensees’ personal information, including their criminal convictions, was published on the local authority’s website.

The information was made accessible to all for approximately two hours, although as soon as this major error was realised, the papers were removed from the site and the Information Commissioner’s office informed.

A council spokesperson commented: “This was a serious error on the part of the council. We have sent letters to the individuals named in the papers apologising unreservedly for any distress caused. Following an immediate investigation into the circumstances surrounding the incident, we have also taken steps to improve our procedures to ensure that it does not happen again.”

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes that introduce an element of risk into the data management system. It is therefore vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed so that such procedural flaws are not allowed to arise at all.

By having a documented procedural system for data management, the chances of getting it right first time are increased, and regularly reviewing that system will continually improve it. This is something that Absolute Data does and can help you with. Contact us now: info@absolute-data.co.uk

To see  the whole article, go to:  http://www.eastlothiancourier.com/news/roundup/articles/2010/09/09/404896-council-sorry-for-data-protection-gaffe/

Customers of comparethemarket.com and confused.com – their data at risk of disclosure

September 6th, 2010


ZDNet has today reported that weak authentication has left customers of comparethemarket.com and confused.com with their data at risk of disclosure.

When customers of comparethemarket.com ‘retrieve their quote’, the level of authentication just ‘isn’t strong enough’, says Sean Sullivan, Security Advisor for F-Secure labs.

“Email, surname and birth-date is not good enough. Black-hat scripts can scrape data from Facebook accounts,” said Sullivan. “Just throw it into a database and write a script to enter the data [on the Comparethemarket.com prompt page]. I have no doubt someone would try it.”

With competitive prices for such information in the world of cybercrime, it isn’t hard to see how an individual’s personal data could be passed on without their knowledge or agreement. Similarly, confused.com customers who forget their password pass through an incredibly simple retrieval process, and with the questions asked in this process easily obtained, authentication is inadequate, says technology publication PC Pro.

Comment

Our interest in this article here at Absolute Data was fuelled because we are constantly advising clients about privacy risk management and the activities of third parties in undertaking “unauthorised” independent and uncontrolled risk assessments of the data processing of other companies.  We preach that it’s far better to have your own risk assessment regime than to have third parties potentially with axes to grind carrying them out.

To view the whole article, please go to: http://www.zdnet.co.uk/news/security/2010/09/03/experts-data-at-risk-on-price-comparison-sites-40089993/

For more information on Absolute Data Risk Assessments contact us at info@absolute-data.co.uk.

Yorkshire Building Society and DSG Retail in breach of Data Protection Act

August 31st, 2010

It was reported on www.computerworlduk.com that the Information Commissioner has found Yorkshire Building Society to be in breach of the Data Protection Act after a laptop containing customer data was stolen from its premises.

Computerworlduk.com reported that “The Information Commissioner’s Office (ICO) has found Yorkshire Building Society in breach of the Data Protection Act after an unencrypted laptop was stolen from its premises”. It also recently found DSG Retail, which owns Dixons and PC World, and Royal Wolverhampton Hospitals NHS Trust in breach of the Act for leaving customer details in a skip and losing a CD containing patient records, respectively.

In the Yorkshire Building Society case, the laptop belonged to the former Chelsea Building Society, which had recently merged with Yorkshire, and was stolen from its head office in Cheltenham. It contained a “substantial” part of Chelsea’s customer database.
Yorkshire Building Society hired private investigators to retrieve the laptop, which was recovered within 48 hours of the theft. Although forensic investigations found that none of the data had been accessed during that time, there were signs that there had been several attempts to do so. Prior to its theft, a Chelsea employee had been using the laptop for working from home, and then after being requested to do so, handed it in to a manager who returned the laptop to the Cheltenham office. The manager wrote down the computer’s passwords and left the details in a bag with the laptop under a desk overnight, and the laptop was stolen the next morning. However, in addition to the theft, the ICO found that the employee did not need access to all the data on the laptop to carry out their work.

Iain Cornish, chief executive of Yorkshire Building Society has signed an undertaking to ensure that such data security breaches do not occur again.

Although Yorkshire already has a policy of encrypting all its portable devices, this will now encompass the Chelsea business. Furthermore, all staff are to be made aware of the company’s policies for storing and using personal data, and staff will access only the data that they need to do their work.

Mick Gorrill, head of enforcement at the ICO, said: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.
“What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided.” However, he added: “I am satisfied that steps are now in place to prevent this happening again.”

Comment
There are two main issues at work here that we often see when we visit companies:
1) Data security
a. the laptop containing personal data was not sufficiently protected from unauthorised access;
b. the laptop (and therefore the data) was not sufficiently well secured overnight;
c. the passwords were stored with the laptop itself.
2) Data management
a. the laptop contained data that was unnecessary and which should have been removed earlier;
b. staff were not aware of their responsibilities or of the possible risks;
c. there does not appear to have been a data governance system in operation at Chelsea;
d. “policy” was not being implemented in the field, and without a data governance system in operation there is no way of finding that out.

A systematic data governance system highlights these kinds of matters, and many more, and reduces the risk of data loss. The costs of clearing up after a breach far outweigh the costs of implementing such a system.

Zurich Insurance has been fined more than £2m over the loss of 46,000 customers' personal details.

August 26th, 2010

On Tuesday this week, the Financial Services Authority (FSA) imposed a fine of £2,275,000 on Zurich Insurance for losing a back-up tape containing the personal details of 46,000 of its customers. This is the largest fine that a single firm has received for data security failings and comes on the back of a year of changes and strengthening at the Information Commissioner’s Office (ICO).
Zurich outsourced some customer data processing to a South African subsidiary, Zurich SA, which in August 2008 lost an unencrypted back-up tape in transit. The affected customers were not told about the breach for a year.
“As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later,” the FSA noted in a statement, adding that Zurich UK’s willingness to settle “at an early stage” of the investigation led to a 30-percent reduction in the fine. It would otherwise have been £3.25m.
“Zurich UK let its customers down badly,” Margaret Cole, the FSA’s director of enforcement and financial crime, said in a statement. “It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later”.
“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”

Comment
There are a number of failings that led to this major loss of data, which has cost Zurich not only financially but also reputationally. Most of the failings are failures of process, and it would seem that because Zurich did not have any kind of data governance management system, it had been running with a high level of risk of data loss in the business for some time; this one lost tape was merely the catalyst for the breach. Zurich say that there is no evidence that the lost data, which included personal details and bank account information, has been misused. But that is not the point, and in March the ICO found the company to be in breach of the Data Protection Act.
Zurich have now made changes to their internal procedures to reduce the risk of data loss which is good news.  We hope that this case makes other companies large and small sit up and think hard about whether they have assessed the data loss risks within their business.

The BBC has today reported that ‘cold calling should be banned’ according to a recent Which? survey.

August 26th, 2010

Which? says the average consumer receives six cold calls a month, and found two-thirds of people surveyed had received at least one unsolicited call within the last three months, with recipients often left feeling ‘intimidated’.

“Reputable businesses should stop making sales calls to you if you ask to be removed from their contact database, but if that doesn’t work you should report the company to the Information Commissioner’s Office or Ofcom.”  states the report. Absolute Data ensures that all of its customers have their data matched against the telephone preference service to make sure that all calls made are being made legitimately; it quite agrees that unscrupulous operators need outlawing, as it brings perfectly legitimate operators into disrepute. Read the BBC report in full, here: http://www.bbc.co.uk/news/uk-11090087

If you would like further information about the way we can help your business make legitimate calls, please contact us now on info@absolute-data.co.uk.

Council found guilty of losing children’s personal data

August 18th, 2010

The Information Commissioner’s Office (ICO) has found West Berkshire Council in breach of the Data Protection Act (DPA) after the council lost an unprotected USB drive containing personal information on children, including details about ethnicity and physical and mental health.
The USB drive which was lost in March had been used by an employee for five years and was not encrypted or password protected.  It is understood that staff at the Council have been provided with encrypted USB sticks for the last four years but no process was in place to replace or protect older USB sticks.  The ICO also found that council staff had not received appropriate or sufficient training in data protection issues and that it had inadequate compliance monitoring policies in place.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”
Nick Carter, chief executive of West Berkshire Council, has now signed a formal undertaking to ensure that all portable and mobile devices containing personal data are encrypted. The council will also provide training to staff on data protection and IT security issues.

There have been a number of data breaches involving children’s data by organisations over the past 12 months, including Wigan Council, which lost an unprotected laptop containing information on over 40,000 children.

Comment
In our work in professional sport, we come across many organisations that process the personal information of young and often vulnerable people in a range of education, health and sports coaching programmes and other fantastic schemes.  Many of our clients ask us to advise them on how to protect the data that they receive, process and store relating to young people, such as restricting access to database records, managing system generated reports, blocking data copying, encrypting portable media, and most importantly, implementing a systematic review of data processes to run periodic and documented health checks.  Being able to demonstrate that staff have had sufficient and adequate training in these matters is vitally important but often overlooked.

The Consequences of Data Theft

August 11th, 2010

In mid November 2009, T Mobile admitted to a massive data breach in which an employee had stolen a very large volume of T Mobile customer data and sold it on to a third party.  Rival phone companies bought the data and used the information to call customers who were nearing the end of their current T Mobile contract to offer them a new contract with a different network.  Last month, David Turley, now a former T Mobile employee, appeared at Chester Crown Court facing 18 charges under Section 55 of the Data Protection Act 1998.  Turley admitted to stealing and selling the data and will be sentenced shortly.  The maximum penalty for data theft was increased to £500,000 in April 2010 but the Information Commissioner has been pushing for some months for prison sentences. 

Comment

Many companies are already taking precautions to deal with the “insider threat” regarding data loss, and a variety of tools and technologies are becoming available to combat the risk. The best starting point for companies that are concerned about data protection issues is to carry out a data protection risk assessment: something that Absolute Data can undertake.

ICO to Target Specific Industries

August 9th, 2010

The ICO has today issued a statement setting out its plans to target specific industries, in order to ensure that organisations handling people’s personal information notify it as required.

Private investigators routinely handle personal information; however the 1626 private investigators registered with the ICO seems like a relatively small number. As a result, the ICO has written to various governing bodies including the Association of British Investigators and the Institute of Professional Investigators, to try and encourage them to notify the ICO. If private investigators are still then seen to be flouting the rules, the ICO has warned that ‘regulatory action’ will be taken.

Comment

Currently, notification to the ICO costs any organisation just £35, but fines for failing to notify can be devastating. With the ICO now targeting specific industries that it feels need to be made aware of the consequences, it is vitally important that all organisations check that they are covered. If a trend is seen within an industry, your organisation could be hit hard. If you would like us to help you ensure that your organisation isn’t targeted, and that you have the right notification in place, please email us for further information at info@absolute-data.co.uk.

DMA Updates Direct Marketing Code of Practice

July 27th, 2010

The Direct Marketing Association has updated its direct marketing code of practice.  “This new edition of the Code has been updated to include all recent changes to relevant legislation, including data protection, consumer credit, prize draws, telemarketing, and consumer protection” says DMA Chairman, David Metcalf in the Code’s Foreword.

The new Code of Practice is available at http://www.dma.org.uk/_attachments/resources/45_S4.pdf and, whilst it has no legal status, it represents best practice and is a vital source of information and guidance for marketers in the UK. One of the conditions of membership of the DMA is that member organisations must abide by the Code of Practice rules.

MoD loses £600,000 of laptops in two years

July 26th, 2010

It has been reported that £600,000 worth of CDs, DVDs, USB memory sticks, laptops and mobile phones have been misplaced or lost by the Ministry of Defence since 2008. On top of that, only a fifth of these lost items were encrypted, which has drawn heavy criticism from leading security experts.

The losses occurred even after the widespread criticism that followed major security lapses in 2008, when a Royal Navy laptop was stolen along with over 600,000 supposedly confidential records. The latest figures show that since May 2008, 340 laptops have been lost or stolen, just under 13 per month (although 25 were later recovered).
Since the report by Sir Edmund Burton in June 2008, the MoD’s security measures have seen little significant improvement, and there have now been calls to put even tighter security measures in place. Sean Sullivan, of the security software firm F-Secure, said: ‘At a time when national security is paramount, it’s vital that far more is done to encrypt sensitive data and staff are held to account. This loss represents a devastating disregard for the taxpayer’s security and pocket.’
In response to this latest discovery, the MoD stated: “Investigations are undertaken into every loss or theft, and appropriate disciplinary action taken.”

Comment

It is of paramount importance that companies apply the level of care, effort and responsibility that protecting the personal information held on their electronic equipment deserves, and lead by example. Absolute Data can help companies to do this by training your staff to build robust data management processes into their everyday working, in a simple yet effective way.

Absolute Data Launches new look website

July 21st, 2010

Absolute Data today announced the re-launch of their website. Commenting on the new site, M.D. Phil Brining said ‘This site is a vast improvement upon our last web presence. We are really pleased to be able to draw together interesting information for our clients including important news stories, highlighting data management-related events, and also a new section with downloadable documents including our own thoughts and research in the form of white papers’.

The website was built by Harrogate-based Wondermedia, with marketing direction from ITS Marketing. The new Absolute Data website comes hot on the heels of sister company Intelligent Sales’ website, launched in June.

ICO reports 30% rise in data protection complaints

July 21st, 2010

The ICO reported on 14th July that it had seen a 30% increase in data protection complaints year on year between 1 April 2009 and 31 March 2010.  In a statement released by Information Commissioner, Christopher Graham, it was reported that the ICO had made some significant internal changes in order to deal with the level of complaints.  Graham also repeated his call for jail terms as punishments for some breaches of the data protection legislation.  “I continue to believe that the courts should be able to impose a custodial sentence, where appropriate, to tackle the unlawful trade in personal data that is the scourge of the digital world,” he said.

In June this year, the European Commission gave the UK two months to strengthen the powers of the ICO. It is widely anticipated that the ICO will have the power to carry out spot checks on UK businesses within the next 18 months, with the ability to impose and enforce penalties resulting from those checks. The maximum fine for breaches of data protection laws was increased to £500,000 earlier this year.

Comment

This whole area is moving in one direction and at some pace. The ICO will have the power to spot check many businesses from next year and has indicated that this is the thin end of the wedge. It is vitally important that UK businesses, large and small, see the writing on the wall and take action NOW! Absolute Data can help you prepare for what is undoubtedly coming by assessing and then reducing the risks of data protection breaches. Call us now for a free, no obligation initial consultation.

ICO updates breach notification guidance

July 18th, 2010

The UK’s Information Commissioner’s Office (ICO) has updated its guidance for organisations on when they should notify it about data breaches. According to the latest guidance, where there is “significant harm” resulting from the breach, either due to the volume of the data, its sensitivity, or both, the matter should be reported to the ICO. An interesting twist is that the ICO is suggesting that the “significant harm” does not have to be actual harm – potential harm is also reportable. To draw a parallel, this is similar to health and safety “near miss” reporting.

Where there is little risk that individuals would suffer harm, the ICO says, “there is no need to report.” The ICO is leaving it up to individuals and companies (and the resulting case law) to work out what constitutes “significant harm” or “insignificant harm”. By way of example, the ICO cites a stolen laptop that is properly encrypted, or a breach involving publicly available information, as cases where there would be no requirement to report.

Comment

It’s vitally important that companies keep track of breaches no matter how minor so that they can build up a database of data breaches and near misses and their causes.  All of this will result from having a data aware culture within a company.  Absolute Data can not only help with building and rolling out an internal data awareness campaign, but will also work with you to build and implement robust data management processes.

Over half of UK businesses aren’t sure they comply with data laws

July 17th, 2010

34% of the 1,200 companies polled by security software company Sophos about the UK’s data protection laws said that they were concerned that they did not comply with data protection legislation.  A further 14% said that they did not know whether or not they complied, and a further 15% said that they did not know whether or not they complied but were not concerned about it.

Source ComputerWeekly.com 15th July 2010.  http://www.computerweekly.com/Articles/2010/07/15/241989/Data-protection-laws-too-relaxed-say-nearly-half-of-UK.htm

Comment

The Data Protection Act has been around in the UK for over a quarter of a century. It’s still quite astonishing that many companies are not aware of the UK’s data protection legislation. Quite clearly, changes are afoot with the recent hike in penalties and fines and the drive to give the ICO greater powers. The good news is that it’s reasonably quick and easy to assess whether your company is compliant and, if it’s not … to do something about it.

ICO Slams three councils for loss of child data

July 8th, 2010

The Information Commissioner’s Office took the unusual step of naming and shaming three English councils for the loss of data relating to children. The London Borough of Barnet, West Sussex County Council and Buckinghamshire County admitted losing data on a total of 9,000 children under their care, through the loss of unencrypted memory sticks, CDs, laptops and written reports. As a result, all three councils have now signed formal undertakings for breaching the Data Protection Act, and promise that all employees will be made aware of data policies, the storage of data and the use of personal data in the future.

Comment

Given the new powers that the ICO will acquire in 18 months’ time, we believe that it is vitally important for organisations handling information and personal data relating to children to undertake a review of their data management practices.

Absolute Data have been asked to undertake such a review by the community department of a leading Premier League Football Club, who wish to remain ahead of the game in terms of data management by ensuring that the personal data relating to participants of soccer coaching courses and educational projects remains absolutely secure and unavailable to unauthorised employees of the football club.

The loss of data relating to children is highly emotive and could be very damaging to small professional sports organisations and their funders.

ICO Publishes Guidelines for personal data held in the Cloud

July 7th, 2010

The ICO has issued a new code of practice for businesses that hold personal data in the cloud. The code of practice has been designed to help businesses comply with the law by asking how cloud providers protect their data, and it addresses how the Data Protection Act applies to information processed online (including how a company should operate internationally).

‘The cloud-computing code of practice will help [SMEs] not just comply with the law, but to run their businesses well,’ states Iain Bourne, the ICO’s group manager of policy delivery. At the moment, if a cloud provider compromises the security of its client’s data, the responsibility still lies with the client, i.e. the business. The code of practice is available at www.ico.gov.uk as a downloadable document.

Comment

As Absolute Data has been working with salesforce.com for around 18 months, it fully understands the concerns raised by the stories about data in the cloud. In Absolute Data’s experience, salesforce.com represents a very secure, well-managed and manageable environment in which to store personal data, although we do understand that not all cloud computing providers are as professional as salesforce, nor take security matters as seriously. The code of practice is a great piece of work by the ICO, giving organisations more guidance on the sorts of questions to ask and the issues to look for when selecting a cloud computing partner. We would be very happy to advise on the application of the code of practice – please email us at info@absolute-data.co.uk for further information.