Category: UK

ICO fined Hampshire County Council with 100,000 GBP

19. August 2016

The ICO fined Hampshire County Council with 100,000 GBP due to a data breach.

The fine was the result of missing measures protecting personal information against unauthorized access: Documents containing personal information of more than 100 data subjects were stored in an abandoned building. Furthermore, 45 bags of confidential waste were also found.

Hampshire County Council released a statement saying that “We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site”.

Furthermore the statemet points out that “Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.”

The statement highlights that Hampshire County Council reported the incident to the ICO as soon as they became aware of it and that they have cooperated fully at all stages of the ICO’s investigation.

Category: Countries · Data breach · UK
Tags:

ICO fines Regal Chambers Surgery with 40,000 GBP

12. August 2016

The ICO fines Regal Chambers Surgery with 40,000 GBP due to the fact that personal medical information was handed out.

Regal Chambers Surgery disclosed medical file to a man regarding his son containing 62 pages not only of personal data but also including information on the ex-partner, her parents, and an older child he was not related to. However, although the man requested the records under Section 7 of the Data Protection Act, Regal Chambers had no process implemented to determine whether the data should be handed out.

The ICO’s Head of Enforcement, Steve Eckersley commented that “Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this, however her pleas went unheeded”.

Category: EU · UK
Tags: ,

In order to prepare for the GDPR the ICO advises companies to establish internal data breach procedures

22. July 2016

The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.

Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

Agreement by EU and U.S. negotiators on final changes on the Privacy Shield

28. June 2016

After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.

The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.

The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.

EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:

  • The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
  • Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
  • The proposal will include a specification that the ombudsman will be an independent institution.

As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.

Implications for the UK

After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.

The future of privacy rules after UK´s referendum to leave the EU

27. June 2016

On the 23rd June, UK celebrated a referendum to vote about UK´s EU membership. About 52% of the participants, voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.

The withdrawal of the UK´s membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time, the UK will still be in process to leave the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.

Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, ICO, published a statement regarding the existing data protection framework in the UK. According to ICO, “if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU´s General Data Protection Regulation framework starting in 2018”.

Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to UK, a similar framework should be in place by the time the GDPR enters into force.

UK Information Commissioner gives opinion on EU-U.S. Privacy Shield

25. April 2016

The UK Information Commissioner, Christopher Graham, issued last week his opinion about the EU-U.S. Privacy Shield. He criticized the reluctance of the U.S. authorities to make amendments on the agreement. On the 13th April, the Article 29WP also called American negotiators for clarification of some aspects of the Privacy Shield such as data transfers, the institution of the ombudsman or the justification for the collection of personal data, etc. Graham also remarked that the ECJ will also ask for clarification regarding these points and invited both American and European authorities to provide the required clarification.

On the other side, Stefan Selig, U.S. undersecretary of commerce for international trade, affirmed that the opinion issued by the EU Data Protection Authorities will be revised carefully. However, he believes that the current draft of the EU-U.S. Privacy Shield achieves a balance of interests for both parties.

Graham also remarks the importance of reaching an agreement regarding international data transfers, so that the English DPA (ICO) can focus on providing support to organizations regarding the implementation of the GDPR that will be effective on the first half of 2018.

UK’s Information Commissioner demands prison penalties for serious data offences

22. July 2013

Information Commissioner Christopher Graham said, that people who misuse personal information should face tougher penalties, including the threat of prison in the most serious cases.

The Information Commissioner referred to a case in which a former manager of a health service based at a council-run leisure centre was prosecuted by the Information Commissioner’s Office for unlawfully obtaining sensitive medical information belonging to more than 2,000 people. The manager used the information, which he had sent to his personal email account, to approach patients to advertise a similar service he had set up.

The manager was  prosecuted under section 55 of the Data Protection Act and fined £3,000. He was also ordered to pay a £15 victim surcharge and £1,376.50 prosecution costs.

Mr. Graham issued following statement:

“Nobody expects that their health records will be taken and used in this way. The manager [name removed ] had been told about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

Category: UK
Tags: , ,

UK Ministry of Justice clarifies Negotiating Position on proposed EU Data Protection Regulation

4. July 2012

According to a report by huntonprivacyblog.com, the UK Ministry of Justice outlined its negotiating position on the basis of a previously started Call for Evidence. The Call for Evidence gave a perspective and feedback on the impact of the proposed EU Data Protection Regulation on business and individuals.

The results led to the position of the Ministry of Justice that reassured organizations to negotiate against regulations that would overburden business and for a legislative framework that support economic growth and innovation. The Ministry also stressed that people’s personal data must be protected at the same time.

Following issues need to hold negotiations from the perspective of the Ministry:

  • Right to be forgotten: It should be overhauled to clarify its scope and cost implications;
  • Bureaucratic and costly burdens on organizations: The Ministry will resist them if no greater protection for individuals is foreseeable; In particular mandatory data protection impact assessments, prior authorization from supervisory authorities and mandatory data protection officers were mentioned as such burdens without benefit for individuals;
  • Data Breach Notification: This Provisions will be supported depending on reflected timescales needed to properly investigate the breach and sensible and proportionate thresholds;
  • Penalties for Data Breaches: These administrative penalties will be supported with the objective to a more proportionate level of maximum fines;

Powers for the European Commission: The Ministry will push for the removal of many of the powers, especially where there is scope for the European Commission to substantially alter fundamental requirements.

Pages: Prev 1 2 3 4
1 2 3 4