Tag Archives: Data Protection Act 1998

BeCyberSure launches specialist EU GDPR Risk Assessment service

Information security specialist BeCyberSure has announced the launch of the “most comprehensive GDPR Risk Assessment available”. Conducted by security, risk and compliance specialists, the audit provides organisations with a definitive evaluation of their EU GDPR (General Data Protection Regulation) readiness, as well as what needs to be done to ensure compliance ahead of the 25 May 2018 deadline.

The GDPR supersedes the UK’s Data Protection Act 1998 and applies to every company that collects, processes or stores an EU citizen’s data, regardless of sector, size and geographical location. Enforcement of the GDPR is unaffected by the UK’s decision to leave the EU.

The BeCyberSure GDPR Risk Assessment is said to provide the most rigorous audit process available. The assessment is conducted on and off site by a GDPR specialist, beginning with a detailed review of company policies and governance, procedures and processes, an assessment of physical aspects (such as access to buildings and the storage of paper documents, etc.) and, if deemed necessary, an extensive digital vulnerability test. The audit also involves formal and informal (ie covert) interviews with employees as well as heads of department.


Carolyn Harrison, marketing director at BeCyberSure, explained that the GDPR is a company-wide issue and should not sit solely with IT.

“Our assessment begins with people, policies and processes to reveal any possible vulnerabilities that would result in non-compliance,” urged Harrison. “We then deep-dive, looking at what data the organisation is capturing, how it’s processed, what consent has been given, where it’s stored and how to dispose of all information that’s not required.” Harrison added: “The best technology in the world can be rendered useless if an open door, whether physical or digital, creates the opportunity to access to data.”

Following the audit, the host organisation is presented with a confidential Advisory Report stating what action (if any) is required to ensure GDPR compliance.

On that note, Harrison stated: “This report is invaluable in terms of benchmarking where an organisation is today, where they need to get to and the best course of action to get there. They can then choose to implement the programme of work themselves, collaborate with BeCyberSure or outsource the entire project to us.”

BeCyberSure has a senior team of GDPR auditors who have a wealth of experience with backgrounds in risk management and compliance, cyber security, policing, intelligence services and the military.

Harrison concluded: “There’s a lot of scaremongering going on about the GDPR and, while it’s true that the potential fines are eye-watering and the threat of personal liability daunting, if organisations act now, then they still have time to put the necessary safeguards in place to be GDPR-compliant. Undertaking a Risk Assessment is the first step in the due diligence process and means that organisations are not spending unnecessarily on their route to compliance.”

*For further information access www.becybersure.com

Leave a comment

Filed under Risk UK News, Uncategorized

ICO warns CCTV operators that use of surveillance cameras must be “necessary and proportionate”

The Information Commissioner’s Office has warned CCTV operators that surveillance cameras must only be used as a necessary and proportionate response to a real and pressing problem.

The warning comes on the same day that the Information Commissioner’s Office (ICO) has published its updated CCTV Code of Practice. The update includes a look at the data protection requirements placed on the operators of new and emerging surveillance technologies, including drones and body-worn video cameras.

“The UK is one of the leading users of CCTV and other surveillance technologies in the world,” said Jonathan Bamford, the ICO’s head of strategic liaison. “The technology on the market today is able to pick out even more people to be recorded in ever greater detail. In some cases, that detail can then be compared with other databases, for instance when Automatic Number Plate Recognition (ANPR) is used. This realises new opportunities for tackling problems such as crime, but also poses potential threats to privacy if cameras are just being used to record innocent members of the public without good reason.”

The ICO has moved to warn CCTV operators that the use of surveillance cameras must be "necessary and proportionate"

The ICO has moved to warn CCTV operators that the use of surveillance cameras must be “necessary and proportionate”

Bamford added: “Surveillance cameras should not be deployed as a quick fix, but rather as a proportionate response to a real and pressing problem. Installing surveillance cameras or technology like ANPR and body-worn video is often seen as the first option, but before deploying such systems we need to understand the problem and whether that’s an effective and proportionate solution. Failure to conduct proper privacy impact assessments in advance has been a common theme in our enforcement cases.”

Updated Code of Practice: the detail

The updated Code of Practice explains how CCTV and other forms of camera surveillance can be used to process people’s information. The guidance details the issues that operators should consider before installing such surveillance technology, the measures that companies should have in place to make sure an excessive amount of personal information isn’t being collected and the steps organisations should take in order to make sure captured information is kept secure and destroyed once it’s no longer required.

The ICO’s CCTV Code of Practice complements the provisions in the Surveillance Camera Code of Practice issued last year by the UK Surveillance Camera Commissioner, which applies to police forces, local authorities and Police and Crime Commissioners in England and Wales (as described in the Protection of Freedoms Act 2012). The ICO’s guidance covers a wider area, as the requirements of the Data Protection Act apply to all sectors processing personal information across the whole of the UK (including the private sector). The Data Protection Act 1998 does not apply to individuals operating CCTV for their own domestic use.

Recent enforcement action taken by the ICO to stop the excessive use of CCTV includes an enforcement notice served on Southampton City Council after the latter required the video and audio recording of the city’s taxi passengers 24 hours a day.

The ICO also served an enforcement notice on Hertfordshire Constabulary after the force began using ANPR cameras to record every car entering and leaving the small rural town of Royston in Hertfordshire.

In both cases, the “excessive use” of surveillance cameras was reduced following the ICO’s action.

Leave a comment

Filed under Risk UK News

GPEN survey finds 85% of mobile apps fail to provide basic privacy information

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s data is being used.

The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.

The key findings of the research are as follows:

*85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information
*More than half (59%) of the apps left users struggling to find basic privacy information
*Almost one-in-three apps appeared to request an excessive number of permissions to access additional personal information
*43% of the apps failed to tailor privacy communications to the small screen, either by providing information in a too small print or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used

Examples of good practice

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more.

The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection (or use) of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

ICO group manager for technology, Simon Rice, commented: “Apps are becoming central to our lives, so it’s important we understand how they work and what they are doing with our information. These results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.”

Rice added: “The ICO and the other GPEN members will be writing to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”

The ICO has published its Privacy in Mobile Apps guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the Data Protection Act 1998. The guidance includes advice on informing people how their information will be used.

Research carried out last year to support the guidance’s launch showed that 49% of app users have decided not to download an app due to privacy concerns.

View the full results of the GPEN survey

Leave a comment

Filed under Risk UK News

Viewpoint: ‘The Licensing of Private Investigators’ (by Chris Brogan)

The Home Secretary Theresa May has finally decided that private investigators will require a licence under the Private Security Industry Act 2001 to take effect at the end of 2014.

The fine details of this proposed regulation have yet to be released, but while we’re waiting I thought I might share the following thoughts with you.

Over the years there has been a great deal of difficulty in establishing a definition of a private investigator and/or what he/she does (http://www.statewatch.org/news/2012/jul/uk-hasc-private-investigators-report.pdf). For the purposes of this article I’m suggesting it’s likely to be a non law-enforcement or public authority investigator.

Section 3 of the Private Security Industry Act addresses the offence of not having a licence when engaged in a licensable activity. “A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding Level 5 on the standard scale, or to both” (Section 3 (6) Private Security Industry Act 2001).

Now there’s nothing new in that. Any of those companies or individuals that have already had to comply with the Act will be familiar with these offences. The point that I want to address here is around ‘licensable conduct’ and what that looks like in the real world.

Chris Brogan: strong views on the licensing of private investigators

Chris Brogan: strong views on the licensing of private investigators

Section 3 (2) lists ten activities of licensable conduct. What is common throughout is that the conduct has to be in connection with a contract. If there isn’t a contractual agreement with the person/organisation that the licensable activity is being provided for then you don’t need a licence. The old chestnut of in-house security officers not being licensed readily springs to mind.

Contracts in English law

A contract in English law requires four components. There has to be an offer. Clear and unambiguous. There has to be an acceptance of that offer. Clear and unambiguous.

Consideration has to change hands. This does not mean money. Consideration is just something of value. It could be a service for a service. The contract also has to be considered legally binding between both parties.

Now consider the position of ABC plc, a large UK bank/corporation with lots of subsidiaries and/or associate companies. The investigation department is part of the head office structure and they supply investigative services to their branch offices and their subsidiary and associate companies.

These subsidiary and associate companies are separate legal entities under UK company law. (Companies Act 2006) ABC plc can sue or be sued by their subsidiary/associate companies. These individual companies, for reasons of motivation/individual corporate structure, are independent profit centres and their incomes and expenditure are reflected in their annual balance sheets. Look at any set of balance sheets of a plc company and you’re likely to see reference to balances due to and/or from subsidiary or associated companies.

I suggest that the above scenario is very familiar with any reader that has worked for a large concern. These concerns are, probably through ignorance, running risks that could have consequences of a financial, reputational and legal nature. If these risks ever mature where will the blame lie? Who owns the risk where security-related issues are concerned?

These investigative services are being supplied under contract and, as such, it’s my submission that:
• The individuals providing this service should be required to hold a licence. Section 3 (2)(b) of the Private Security Industry Act 2001.
• The directors of ABC plc – the company that’s providing these services under a contractual basis to their associate/subsidiary companies – should be licensed. Section 3 (2)(a) of the Private Security Industry Act 2001. That includes the non-executive directors whether they have a seat in the House of Lords or not.
• The mangers of these companies providing these services should be required to hold a licence. Section 3 (2)(d) of the Private Security Industry Act 2001.

Home Secretary Theresa May

Home Secretary Theresa May

Opening the floodgates of litigation

Now, if my submission is correct then the investigator who is committing a criminal offence could be prosecuted and runs the risk of not being able to obtain a licence in the future because of the negligence of his employers who owe him/her a legal Duty of Care.

I suggest that it would require only one successful case for the floodgates of litigation to open with the likes of Liberty and Big Brother Watch clamouring to offer their support. Just look at the recent press condemning the use of private investigators by local and public authorities.

This isn’t the first time that I’ve raised this argument, albeit previously in relation to security guarding. I have on nine separate occasions raised these points with the Security Industry Authority (SIA) at varying levels, all the way to the top. On the last occasion an SIA official told me that he would look in to it and would come back to me. I told him that eight of his colleagues over the years had told me that same story and they hadn’t. His forceful reply was that “he would.” That was three years ago and so far he hasn’t.

Come next year, private investigators will require a licence. Life is tough enough for them as it is. This will be the third regime to which they will have to submit control of their activities (The Office of Fair Trading – Consumer Credit Act 1974 as amended by the Consumer Credit Act 2006, the Information Commissioner’s Office – Data Protection Act 1998 and the Security Industry Authority – Private Security Industry Act 2001).

As these investigators will be competing on an un-level playing field with their in-house commercial colleagues, I suggest that they’ll have little compunction in drawing these potential illegal activities to the attention of the authorities and any other bodies whose interests may be furthered by these revelations.

How can you manage a risk if you don’t know what it is?

I hope that I’ve helped you identify some of the risks that you and your organisation may already be running. There are many more that could result from the above scenario. Risks breed risks.

It’s a well known legal maxim that the unforeseen consequences of legislation far outweigh the foreseen consequences. This doesn’t mean that we have to be unprepared.

Chris Brogan MA LLM MIBA FSyI, Partner, B&G Associates

1 Comment

Filed under IFSECGlobal.com News