Tag Archives: Data Protection Act

Egress Software Technologies CEO responds to ICO’s Data Security Incidents Report for Q2

On Friday 16 November, the Information Commissioner’s Office (ICO) published its Data Security Incidents Report for Q2 2018. Data security incidents, which are breaches of the seventh data protection principle or personal data breaches reported under the Privacy and Electronic Communications Regulations, are a major concern for those affected and a key area of action for the ICO.

On 18 July 2018, the Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 for revealing the identities of abuse victims in a mass e-mail. On 9 August, Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, was fined £140,000 for illegally collecting and selling personal information belonging to more than one million people.

On 20 September, Equifax Ltd was fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017 and, on 28 September, BUPA Insurance Services was fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.

Tony Pepper, CEO of Egress Software Technologies, commented: “Looking at this report, it’s no surprise that the number of data security incidents filed to the ICO has continued to increase with no signs of plateauing. Overall, there has been a 29% increase in the number of reported data security incidents, from 3,146 between April and June 2018 to 4,056 from July to September 2018. This demonstrates a 490% increase compared to the same quarter in 2017.”

Pepper continued: “Similar to the statistics we observed in the ICO’s previous report, this doesn’t necessarily mean that organisations are experiencing more incidents, but it definitely does mean that more are now being reported. The increased awareness for organisations to tread carefully has been fuelled by the General Data Protection Regulation, as well as the significant data breach incidents that recognisable brands have suffered in recent times.”

In terms of the monetary penalties, fewer fines were issued between July and September compared to those issued between April and June, with £875,000 issued under the Data Protection Act in the most recent complete three-month period.

Significant growth in data incidents

Although the report doesn’t summarise the type of incidents reported, it does detail the sectors that have experienced significant growth in these incidents. These include general business, which has experienced an increase of 87%, finance with 49%, insurance and legal with 63%, media with 633% and transport and leisure with 57%, while Government, at both the central and local level, experienced a 14% increase.

“We have also seen an organisation fined for unlawfully selling personal data, while Equifax was fined the highest amount under the Data Protection Act (£500,000) for a cyber attack that exposed the personal information of up to 15 million UK citizens.”

Information Commissioner Elizabeth Denham

Pepper added: “Clearly, there’s not only an issue with external attackers illegally obtaining and hacking an organisation’s systems to obtain data, but also with internal employees – and companies as a whole – misleading the population on why their personal data is being collected and how it will be used. As a result, organisations should be vigilant when it comes to ensuring data security protection is in place, and especially so to combat internal threats.”

Pepper feels that organisations should take a user-centric approach to data security, ensuring that every employee – from C-Suite executives to the average worker – is as security savvy as they need to be. This philosophy has been highlighted in recent Egress research, which revealed that 20% of an organisation’s employees don’t know what kinds of personal information should be protected when sharing data via e-mail.

“By taking a user-centric approach and equipping staff to protect personal data through technology that supports and secures the work they do,” urged Pepper, “as well as more training and awareness of what constitutes the mishandling of personal data, organisations will be better placed to mitigate the chances of external and internal data security incidents.”

Filed under Risk Xtra

ICO Blog: ‘An updated CCTV Code of Practice fit for 2014 and beyond’

Jonathan Bamford – head of strategic liaison at the Information Commissioner’s Office (ICO) – discusses the ICO’s updated CCTV Code of Practice and outlines why a revised Code is required to meet the demands of modern society.

It’s nearly five months since I last wrote about the importance of having a CCTV Code fit for the demands of modern society. At that time the draft version of the Code was out for consultation. Now, all of your comments have been considered and our updated CCTV guidance is available on the ICO’s website.

The updated CCTV Code is one that’s truly fit for the times in which we live. The days of CCTV being limited to a video camera on a pole are long gone. Our new Code reflects the latest advances in surveillance technologies and their implementation, while also explaining the key data protection issues that those operating the equipment need to understand.

So what’s changed? Well, in some respects it’s a case of ‘keep calm and carry on’. The fundamental principles that need to be followed remain the same. People must be informed about the information being collected about them with relevant use of privacy notices and signage where required. The information also needs to be kept secure so that it doesn’t fall into the wrong hands, and effective retention and disposal schedules must be in place to make sure information is only kept for as long as necessary before it’s securely destroyed.

The ICO has updated its CCTV Code of Practice

However, the Code must reflect the times. The pace of technological change since our CCTV guidance was last updated in 2008 – let alone when it was first published some 14 years ago – has been considerable. These advances bring with them new opportunities and challenges for making sure the technology continues to be used in compliance with the Data Protection Act.

One common theme from the enforcement action we’ve taken in relation to the use of surveillance cameras is that there needs to be a thorough privacy impact assessment. This needs to be conducted before deploying these increasingly powerful and potentially intrusive technologies. The Code will help operators to stay on the right side of the law and save them from wasting money and resources on non-compliant systems.

New and emerging surveillance technologies

The new and emerging technologies section of the updated Code covers the key surveillance technologies that we believe will become increasingly popular in the years ahead.

A number of organisations are starting to use body-worn video. These small, inconspicuous devices can record both sound and images. This can mean that they are capable of being much more intrusive than traditional town centre CCTV. On that basis, their use needs to be well justified with safeguards put in place such as to ensure they are not used when they’re not needed. There must be strong security in case the devices fall into the wrong hands. The Code details specific guidance to help deal with the challenges of using these new devices.

The guidance also considers technologies that are not currently commonplace, but which may prove increasingly popular in future. Just last month, the Civil Aviation Authority released figures showing that over 300 companies have now been given permission to operate UAS (Unmanned Aerial Surveillance) in the UK. This figure has risen by a third within the last 12 months alone. Many of these devices can now be bought for a few hundred pounds and can record imagery. There’s important guidance on how they can be used by organisations to record personal information.

Recreational users are also encouraged to operate UAS responsibly. For example, recording should be restricted and only carried out in controlled areas where people are informed that monitoring may be taking place. It’s important that organisations understand these obligations at an early stage if they’re to remain on the right side of the law.

Jonathan Bamford: head of strategic liaison at the ICO

The updated CCTV Code also addresses long-standing issues where the consultation responses have shown that further clarification of the law is required. One such issue is the need for operators to comply with subject access requests. These requests are an important right enshrined in the Data Protection Act and allow individuals to request a record of any personal information that an organisation holds about them. This includes CCTV footage capturing their image.

However, these requests have been causing a great deal of confusion, particularly for smaller operators unaware of this area of the law. The new CCTV guide includes an expanded section explaining how these requests should be handled, when the information should be given out and details of the statutory deadline of 40 days by which time operators have to provide a full response.

Complementing the Surveillance Camera Code of Practice

We’ve designed our guidance to complement the Surveillance Camera Code of Practice published under the Protection of Freedoms Act 2012. The Surveillance Camera Code’s ‘Guiding Principles’ apply to police forces, Police and Crime Commissioners and local authorities in England and Wales as described in the Act, and contain advice about recommended operational and technical standards that others may find useful.

The technology may change but the principles of the Data Protection Act remain the same. CCTV and other surveillance systems need to be proportionate, justifiable and secure in order to be compliant.

The updated ICO Code will help to make sure that this situation continues for the years ahead.

Filed under Risk UK News

Information Commissioner ‘sounds the alarm’ on data breaches within legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information – and in particular paper files – secure. The advice follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases, these penalties are issued to companies or public authorities. However, barristers and solicitors are generally classed as data controllers in their own right and are, therefore, legally responsible for the personal information they process.

The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.

Also, legal professionals will often carry around large quantities of information in folders or files when transporting that information to or from court, and may also store those folders or files at home. This can increase the risk of a data breach.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO.

Information Commissioner Christopher Graham

Information Commissioner Christopher Graham said: “The number of breaches reported by barristers and solicitors may not seem that high but, given the sensitive nature of the information they handle and the fact that it’s often held in paper files rather than secured by any sort of encryption, that number is troubling. It’s important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

Tips for barristers and solicitors

The ICO has published the following ‘top tips’ to help barristers and solicitors keep the personal information they handle secure:

*Keep paper records secure. Do not leave files in your car overnight and do lock information away when it’s not in use
*Consider data minimisation techniques in order to ensure that you are only carrying information that’s essential to the task in hand
*Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access, even if the device should be lost or stolen
*When sending personal information via e-mail consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the e-mail address you are sending the information to is correct
*Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it
*If you are disposing of an old computer or other device, make sure all of the information held on the device is permanently deleted before disposal

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to barristers in England and Wales.

The ICO’s website includes further guidance on security measures that should be in place when handling personal information.

In addition, the ICO has published a blog explaining the importance of encryption and the options available to barristers and solicitors who need to secure their data.

Filed under Risk UK News

Big data ‘not a game played by different rules’ states the ICO

The Information Commissioner’s Office (ICO) has set out how big data can – and must – operate within data protection law.

The regulator’s latest report outlines that operating within the law should not be seen as a barrier to innovation.

Big data is a way of analysing data that typically uses massive datasets, brings together data from different sources and can analyse the data in real time. It often uses personal data, be that looking at broad trends in aggregated sets of data or creating detailed profiles in relation to individuals (for example, around lending or insurance decisions).

The ICO’s report sets out how the law applies when big data uses personal information. It details which aspects of the law organisations need to particularly consider, and highlights that organisations can stay the right side of the law and still innovate.

Buzz around big data

Announcing the publication of the report Steve Wood, the ICO’s head of policy delivery, said: “There is a buzz around big data and emerging evidence of its economic and social benefits. However, we’ve seen a lot of organisations who are raising questions about how they can innovate to find these benefits and still comply with the law. Individuals are also showing they’re concerned about how their data is being used and shared in big data-type scenarios.”

Big Data’s on the ICO’s radar

Wood continued: “What we’re saying in this report is that many of the challenges of compliance can be overcome by companies being open about what they’re doing. Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve. Not only does that go a long way towards complying with the law, but there are also benefits from being seen as responsible custodians of data.”

The report addresses concerns raised by some commentators that current data protection law doesn’t fit with big data.

“Big data can work within the established data protection principles,” said Wood. “The basic data protection principles already established in UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules. The principles are still fit for purpose, but organisations need to innovate when applying them.”

Filed under Risk UK News