Tag Archives: Information Commissioner’s Office

ICO warns CCTV operators that use of surveillance cameras must be “necessary and proportionate”

The Information Commissioner’s Office has warned CCTV operators that surveillance cameras must only be used as a necessary and proportionate response to a real and pressing problem.

The warning comes on the same day that the Information Commissioner’s Office (ICO) has published its updated CCTV Code of Practice. The update includes a look at the data protection requirements placed on the operators of new and emerging surveillance technologies, including drones and body-worn video cameras.

“The UK is one of the leading users of CCTV and other surveillance technologies in the world,” said Jonathan Bamford, the ICO’s head of strategic liaison. “The technology on the market today is able to pick out even more people to be recorded in ever greater detail. In some cases, that detail can then be compared with other databases, for instance when Automatic Number Plate Recognition (ANPR) is used. This realises new opportunities for tackling problems such as crime, but also poses potential threats to privacy if cameras are just being used to record innocent members of the public without good reason.”

The ICO has moved to warn CCTV operators that the use of surveillance cameras must be “necessary and proportionate”

Bamford added: “Surveillance cameras should not be deployed as a quick fix, but rather as a proportionate response to a real and pressing problem. Installing surveillance cameras or technology like ANPR and body-worn video is often seen as the first option, but before deploying such systems we need to understand the problem and whether that’s an effective and proportionate solution. Failure to conduct proper privacy impact assessments in advance has been a common theme in our enforcement cases.”

Updated Code of Practice: the detail

The updated Code of Practice explains how CCTV and other forms of camera surveillance can be used to process people’s information. The guidance details the issues that operators should consider before installing such surveillance technology, the measures that companies should have in place to make sure an excessive amount of personal information isn’t being collected and the steps organisations should take in order to make sure captured information is kept secure and destroyed once it’s no longer required.

The ICO’s CCTV Code of Practice complements the provisions in the Surveillance Camera Code of Practice issued last year by the UK Surveillance Camera Commissioner, which applies to police forces, local authorities and Police and Crime Commissioners in England and Wales (as described in the Protection of Freedoms Act 2012). The ICO’s guidance covers a wider area, as the requirements of the Data Protection Act apply to all sectors processing personal information across the whole of the UK (including the private sector). The Data Protection Act 1998 does not apply to individuals operating CCTV for their own domestic use.

Recent enforcement action taken by the ICO to stop the excessive use of CCTV includes an enforcement notice served on Southampton City Council after the latter required the video and audio recording of the city’s taxi passengers 24 hours a day.

The ICO also served an enforcement notice on Hertfordshire Constabulary after the force began using ANPR cameras to record every car entering and leaving the small rural town of Royston in Hertfordshire.

In both cases, the “excessive use” of surveillance cameras was reduced following the ICO’s action.

Filed under Risk UK News

GPEN survey finds 85% of mobile apps fail to provide basic privacy information

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s data is being used.

The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.

The key findings of the research are as follows:

* 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information
* More than half (59%) of the apps left users struggling to find basic privacy information
* Almost one in three apps appeared to request an excessive number of permissions to access additional personal information
* 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in print that was too small or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages

Examples of good practice

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more.

The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection (or use) of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

ICO group manager for technology, Simon Rice, commented: “Apps are becoming central to our lives, so it’s important we understand how they work and what they are doing with our information. These results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.”

Rice added: “The ICO and the other GPEN members will be writing to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”

The ICO has published its Privacy in Mobile Apps guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the Data Protection Act 1998. The guidance includes advice on informing people how their information will be used.

Research carried out last year to support the guidance’s launch showed that 49% of app users have decided not to download an app due to privacy concerns.

View the full results of the GPEN survey

Repeated security failings lead to £180,000 fine for Ministry of Justice

The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.

The penalty follows the loss of a back-up hard drive at HMP Erlestoke Prison, Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, histories of drug misuse and material about victims and visitors. The device was not encrypted.

The incident followed a similar case in October 2011 when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down Prison in Surrey.

In response to the first incident, in May 2012 the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. However, the ICO’s investigation into this latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.

The end result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, in turn leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted then the information would have remained secure despite their loss.

Highly sensitive information insecurely handled

ICO head of enforcement Stephen Eckersley commented: “The fact that a Government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them how to use it beggars belief. The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”

Eckersley continued: “This is simply not good enough. We expect Government departments to be an example of Best Practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must also understand how to use it.”

Working with the National Offender Management Service, the Ministry of Justice has now taken action to ensure that all of the hard drives being used by prisons are securely encrypted.

Information Commissioner ‘sounds the alarm’ on data breaches within legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information – and in particular paper files – secure. The advice follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases, these penalties are issued to companies or public authorities. However, barristers and solicitors are generally classed as data controllers in their own right and are, therefore, legally responsible for the personal information they process.

The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.

Also, legal professionals will often carry around large quantities of information in folders or files when transporting that information to or from court, and may also store those folders or files at home. This can increase the risk of a data breach.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO.

Information Commissioner Christopher Graham

Information Commissioner Christopher Graham said: “The number of breaches reported by barristers and solicitors may not seem that high but, given the sensitive nature of the information they handle and the fact that it’s often held in paper files rather than secured by any sort of encryption, that number is troubling. It’s important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

Tips for barristers and solicitors

The ICO has published the following ‘top tips’ to help barristers and solicitors keep the personal information they handle secure:

* Keep paper records secure. Do not leave files in your car overnight and do lock information away when it’s not in use
* Consider data minimisation techniques in order to ensure that you are only carrying information that’s essential to the task in hand
* Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access, even if the device should be lost or stolen
* When sending personal information via e-mail, consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the e-mail address you are sending the information to is correct
* Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it
* If you are disposing of an old computer or other device, make sure all of the information held on the device is permanently deleted before disposal

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to barristers in England and Wales.

The ICO’s website includes further guidance on security measures that should be in place when handling personal information.

In addition, the ICO has published a blog explaining the importance of encryption and the options available to barristers and solicitors who need to secure their data.

Big data ‘not a game played by different rules’ states the ICO

The Information Commissioner’s Office (ICO) has set out how big data can – and must – operate within data protection law.

The regulator’s latest report outlines that operating within the law should not be seen as a barrier to innovation.

Big data is a way of analysing data that typically uses massive datasets, brings together data from different sources and can analyse the data in real time. It often uses personal data, be that looking at broad trends in aggregated sets of data or creating detailed profiles in relation to individuals (for example, around lending or insurance decisions).

The ICO’s report sets out how the law applies when big data uses personal information. It details which aspects of the law organisations need to particularly consider, and highlights that organisations can stay the right side of the law and still innovate.

Buzz around big data

Announcing the publication of the report Steve Wood, the ICO’s head of policy delivery, said: “There is a buzz around big data and emerging evidence of its economic and social benefits. However, we’ve seen a lot of organisations who are raising questions about how they can innovate to find these benefits and still comply with the law. Individuals are also showing they’re concerned about how their data is being used and shared in big data-type scenarios.”

Big Data’s on the ICO’s radar

Wood continued: “What we’re saying in this report is that many of the challenges of compliance can be overcome by companies being open about what they’re doing. Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve. Not only does that go a long way towards complying with the law, but there are also benefits from being seen as responsible custodians of data.”

The report addresses concerns raised by some commentators that current data protection law doesn’t fit with big data.

“Big data can work within the established data protection principles,” said Wood. “The basic data protection principles already established in UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules. The principles are still fit for purpose, but organisations need to innovate when applying them.”

ICO requires “stronger powers” and “a clearer guarantee of independence”

UK Information Commissioner Christopher Graham has warned it has never been more important that the general public has an independent regulator overseeing the handling of people’s personal data.

Speaking at the launch of the Information Commissioner’s Office’s (ICO) Annual Report earlier today, Christopher Graham highlighted how the troubled launch of care.data, Facebook’s research and the so-called Google ‘right to be forgotten’ ruling show why there’s a need to have an independent regulator.

Christopher Graham: the Information Commissioner

Graham also warned that independence relies on strong powers and sustainable funding.

The Annual Report shows that the ICO responded to a record number of data protection and Freedom of Information complaints this year.

Sometimes the State is the issue

“Facebook, care.data, Google: it’s clear that organisations’ use of data is getting ever more complicated,” stressed Graham. “People need to know someone is watching over their information. That someone needs to be independent of Government and business so the public know the regulator can be trusted. Sometimes the State is itself the issue. When the Intelligence and Security Committee wanted to know how the Snowden revelations fitted with data protection law, it turned to the Information Commissioner.”

Graham added: “Independence means someone who has the resources to take on this ever-growing number of cases. The last twelve months have witnessed a record – more complaints resolved than ever, more enforcement action taken and more advice given through our Helpline. It also means having the powers to act on the more serious complaints. A strong regulator is needed if a data breach affects millions of people.”

In conclusion, the Information Commissioner explained: “That someone is the Information Commissioner. We’re effective, efficient and busier than ever but, to do our job properly and to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence.”

The report’s figures in detail

This year’s Annual Report shows that the ICO has handled 259,903 calls to its Helpline and resolved 15,492 data protection complaints – in both cases a rise of over 10% on the previous financial year.

The ICO has also decided on 5,296 Freedom of Information complaints (a 12% rise on last year’s figure), and received 161,720 reports from people concerned about spam texts and nuisance calls.

For the past five years the ICO has faced a reduction in its funding for FOI, while the proposed EU data protection reforms would remove the notification fee that funds the ICO’s work under the Data Protection Act.

The ICO’s written submission to the Intelligence and Security Committee in February is now available.

The Information Commissioner will appear before the Intelligence and Security Committee in the autumn.

ICO raids SIM farm blamed for 350,000 nuisance messages

The Information Commissioner’s Office (ICO) has seized hundreds of SIM cards after raiding a SIM farm located at offices in Wolverhampton.

Initial estimates suggest the equipment could have been used to send over 350,000 nuisance text messages, though the total may have been more than a million.

Computer equipment and paperwork were seized and a residential address was also searched. The investigation continues.

Andy Curry, enforcement manager at the ICO, said: “What we’ve seized backs the intelligence we had that hundreds of thousands of nuisance messages were coming from this address. The rules on sending messages are clear, and if the evidence proves the law has been broken then we will issue a sizeable fine against those responsible.”

The raid was prompted by intelligence supported by reports made through the 7726 service, which allows mobile phone users to report spam text messages by forwarding them to the short code 7726 (the digits that spell out SPAM on a phone keypad).

“This shows why reporting messages to us and your mobile network operator is so crucial,” added Curry. “Without the reports we received through the 7726 system, we wouldn’t have been able to carry out this raid.”

The raid follows an announcement by the ICO on Tuesday that a Yorkshire direct marketing firm and a Devon PPI claims company were told they face fines totalling £140,000 for breaching electronic marketing rules.

The companies were linked to thousands of nuisance marketing calls and prompted over 1,200 reports to the ICO and the Telephone Preference Service.

Importance of the 7726 GSMA Spam Reporting Service

Neil Cook, CTO of Cloudmark (the message-based threat protection specialist company that powers the 7726 GSMA Spam Reporting Service), explained: “Nuisance spam messages and phone calls are escalating in the UK. This latest raid by the ICO is a fantastic example of how the GSMA Spam Reporting Service has been crucial in delivering the knowledge required to shut down another company alleged to have been taking advantage of subscribers’ trust in mobile messaging services.”

Cook continued: “The service empowers consumers to take control of the issue and know that action will be forthcoming that further protects them. As the ICO has stated, the information received from the public via 7726 was crucial in this latest action.”

With the GSMA Spam Reporting Service, subscribers can easily report SMS spam by forwarding it to the special short code: ‘7726’ (S-P-A-M). Through the automated collection and analysis of subscriber-reported spam, the service provides operators with collaborative and real-time global insight into threats against their networks and subscribers.

“This information can then provide law enforcement agencies with the evidence they need to bring spammers to justice,” concluded Cook.

Find out more on how to report nuisance texts and calls to the Information Commissioner’s Office

Filed under IFSECGlobal.com News