Why is everyone so angry about the proposed EU Data Protection Regulations?

I have been reading about the proposed new EU Regulation on Data Protection and a lot of people seem to be highlighting a lot of what they perceive to be negatives within it, whereas I see them as being positives.

Jail terms for data misuse, absolutely!! Heavy monetary penalties against large corporations for failure to comply? Bring it on!!

There has not been much mention, however, of the switch to explicit consent to process data, something that should be a common right of all individuals, rather than the shoddy and shambolic clauses currently in place, where you are not sure what you have signed up to. Couple that with the requirement to state clearly, and in common language, what the data is to be used for and who it will be shared with, and processing becomes much tighter and more controlled.

Another major area is the increased protection for children, who under these proposed Regulations are currently planned to be anyone under 18, and the requirement for parent/guardian sign-up for under-13s.

There is also the requirement for Data Processors to be held as accountable as the Data Controllers when handling data, and the requirement to have policies and processes in place that define what data is being used and how, with disaster recovery plans built in. So far so good; these are all very positive steps and I welcome every single one of them.

On the downside, however, is the dropping of the requirement to notify, which could cause problems for the ICO revenue stream and also lead to unlicensed data misusers!!

Then there is the increased Data Access Request activity. This is the real downside of the proposed Regulation: it drops the fee (nobody will really miss that anyway), but it also reduces the response time to one month rather than 40 days and increases the amount of extra information that will have to be supplied, such as the length of time the data will be held, telling the applicant about their rights of erasure and correction, and advising them that they have a right of complaint to the ICO. This is not so user friendly, but when you look at the bigger picture, how many DSARs actually take 40 days? In my experience it is about 0.2%, with the majority being completed in less than a week.

On to the right to be forgotten: this is new and allows the individual to apply to have their data erased where it may just be stagnant or where there is no real rationale for keeping it. The data controller will need to advise all other users of those data that they will need to comply as well, so a log will need to be kept of who data are transferred to. I think this is aimed more at the social media sites, where ‘information’ is used to profile people applying for jobs; that old photo of the lads on holiday with buckets on their heads may not be so good, so the applicant can ask for it to be removed as it is both excessive and probably out of date.

Just a few thoughts there to chew over, happy to discuss with anyone who wants to.


Posted in Breaches, Data Integrity, Data Protection, Data Security, EU Data Regulations, Fair Processing, Fixing Facebook, ICO, Information Commissioner, Information Security, Justice

A Couple Of Not So Healthy Uses Of Sensitive Personal Data

It transpires that a manager of a leisure centre, run by a local council, who was responsible for accepting people with health problems from their GP to enable them to have fitness sessions related to their particular condition, was being made redundant by his employer. To offset this he decided to branch out on his own and offer the same services, but as a private rather than council-run operation. How to get his message across was obviously a big hurdle, but one he had an ingenious idea to overcome: he emailed himself the data for over 2400 ‘clients’, including their sensitive medical details, which covered obesity, diabetes, arthritis, and cardiac and mild mental health issues.

For the uninitiated this would be a brilliant way to get a leg-up into the health service world but, as we know from our Data Protection training, this is not the case. Indeed, when the Information Commissioner got wind of it he decided to prosecute the person involved and took steps to this end. He was helped by the fact that the ex-manager had set up his new business with the exact same name as the council one, Active Options, and this proved to be his downfall: people complained to the council about the person involved contacting them, and it was the council who flagged this up to the Commissioner.

He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court this week (May 22), where he was fined a total of £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Section 55 of the Data Protection Act 1998 makes it an offence (with certain exemptions) to obtain, disclose or procure the disclosure of personal information knowingly or recklessly, without the consent of the organisation holding the information.

Christopher Graham, the Information Commissioner, said afterwards: “People have a right to privacy and the ICO works to maintain that right. Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

This is the second Section 55 offence in this part of the UK this year as, in March, a former receptionist at a GP surgery in Southampton was prosecuted for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife. When she appeared at West Hampshire Magistrates, Marcia Phillips was fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at the Bath Lodge Practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

So you see, although the data may be something you use on a daily basis, it does not give you the right to use it outwith the reason it has been obtained. If you are caught you will, as these two cases prove, be prosecuted in the Criminal Court, be fined, obtain a criminal record and have your life and name tarnished.

Is it worth taking a chance? Absolutely not!!!!

And remember, Section 55 also refers to reckless loss of data, so even if you make an error of judgement and give information to someone you cannot identify as having the right to that data, you could be liable under S.55 too and end up in court!!

For any help or further information respond to this post or go to http://www.kpgprofessionalservices.co.uk

Posted in Blagging, Breaches, Data Protection, Data Security, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Do You Have Everything You Need To Process The Data You Hold?

This is becoming a very interesting question in the modern world of data retention and data management, but too many companies are either holding insufficient data for their needs or, even worse, too much!! Either way, both are potential breaches under the Data Protection Act 1998 (DPA), and the Information Commissioner’s Office (ICO) is starting to take notice of these types of things.

There are 8 data protection principles that organisations have to observe, but the three I want to focus on are that personal data must be:

  1. Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  2. Accurate and where necessary kept up to date;
  3. Kept for no longer than is necessary for the purposes;

These cover the actual holding of the data and dictate what the Data Processor must do. The actions you have to take are quite clear; if you are a company that is using your data for profiling/marketing purposes you really should be doing this anyway, but unfortunately there are too many that don’t.

Let’s have a look at the three individually, although I usually take all three as one combined ‘rule’ as they are all interlinked.

3: Personal data must be:

– Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;

This is really basic and means to you, the user, that you should only hold enough information about a person to enable you to safely process their data within the realms of your notification. Therefore, if you have too little data you are not realistically able to use it for any active purpose as it is too sketchy. Also, if you have too much you are in danger of using it incorrectly and being open, at the least, to an assessment being passed to you by the ICO. So the important thing here is to make sure you only hold the data you need; if you are not using it, securely delete it, and do not keep it ‘just in case’, as this is one of the measures of relevancy.

4: Personal data must be:

– Accurate and where necessary kept up to date;

Again, this is very self-evident and also good practice for any database: information you are holding and using has to be accurate, otherwise it is worthless and, in the eyes of the ICO, should never be used unless it is being updated by asking the customer to clarify and update their information. This should be a standard exercise for all data users, so make sure you check with your customers that the information being held is current; failure to do this could result in interest being shown by the ICO and a possible assessment, or worse if the result causes any damage to the customer.

5: Personal data must be:

– Kept for no longer than is necessary for the purposes;

But how long is long? This is a very crucial question and one that requires you to have and use a Retention Schedule or Policy. These can be built either by a Practitioner like myself or by looking at the data you use, comparing it to the legal, statutory or best practice retentions, and then tabulating it and ensuring everyone knows about it and what it means to them. It is often easier to get an external person to look at this as they have a different perspective on the data you hold and use and are more inclined to ask the question, “Why is this being held/used?” Create a data retention schedule/policy and circulate it to all staff to ensure they are aware that documents should not be disposed of until the agreed date.
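As an added illustration (not from the original post, and not a real schedule), here is what “tabulating” a retention schedule and checking a register against it can look like in code. The categories, retention periods, disposal actions and sample records are all constructed; the real periods come from the legal, statutory and best-practice review described above. The point the code makes that the prose does not is that a record whose category is missing from the schedule is itself a finding, not something to keep by default.

```javascript
// Added example: a retention schedule as a table, plus a review that flags
// records held past their agreed date. All categories, periods and records
// below are constructed for illustration.

// category -> how long the record is kept, counted from the event in `from`
// ('created' or 'closed'), and what happens when the period ends.
const RETENTION_SCHEDULE = {
  'membership-application': { years: 1, from: 'closed',  action: 'secure-delete' },
  'marketing-consent':      { years: 2, from: 'created', action: 'secure-delete' },
  'payroll':                { years: 6, from: 'created', action: 'archive' },
};

// Add whole years to an ISO date (YYYY-MM-DD); 29 Feb rolls forward to 1 Mar.
function addYears(isoDate, years) {
  const d = new Date(isoDate + 'T00:00:00Z');
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d.toISOString().slice(0, 10);
}

// Disposal date for one record, or null if the clock has not started
// (record still open) or the category has no rule in the schedule.
function disposalDate(record, schedule = RETENTION_SCHEDULE) {
  const rule = schedule[record.category];
  if (!rule) return null;
  const start = rule.from === 'closed' ? record.closed : record.created;
  if (!start) return null;
  return addYears(start, rule.years);
}

// Review the register against a reference date (ISO). Records are sorted into
// those due for their disposal action, those to keep, and those whose category
// is not covered by the schedule (a gap in the policy to be resolved).
function reviewRegister(records, today, schedule = RETENTION_SCHEDULE) {
  const result = { due: [], keep: [], unscheduled: [] };
  for (const r of records) {
    if (!schedule[r.category]) { result.unscheduled.push(r.id); continue; }
    const due = disposalDate(r, schedule);
    if (due !== null && due <= today) {
      result.due.push({ id: r.id, action: schedule[r.category].action, dueSince: due });
    } else {
      result.keep.push(r.id);
    }
  }
  return result;
}

// Constructed sample register.
const SAMPLE_REGISTER = [
  { id: 'R1', category: 'membership-application', created: '2010-03-01', closed: '2011-06-30' },
  { id: 'R2', category: 'membership-application', created: '2012-01-15', closed: null },
  { id: 'R3', category: 'marketing-consent',      created: '2011-02-10' },
  { id: 'R4', category: 'payroll',                created: '2008-04-06' },
  { id: 'R5', category: 'old-spreadsheet',        created: '2005-01-01' },
];

console.log(JSON.stringify(reviewRegister(SAMPLE_REGISTER, '2013-05-24'), null, 2));
```

Run against the reference date 2013-05-24, R1 and R3 come out as due, R2 (still open) and R4 are kept, and R5 is reported as unscheduled. Running a review like this on a fixed cycle, and circulating the output with the schedule, is what turns the written policy into the evidence an assessment would look for.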

If you would like to find out more about this or have a chat with me, please either respond to this blog or use the contact page on my website: http://www.kpgprofessionalservices.co.uk

Posted in Breaches, Data Integrity, Data Protection, Data Security, Fair Processing, Information Commissioner, Information Security

Dame Fiona Caldicott Review: Her Further Recommendations – “unlawful personal data processing and sharing should be reported as ‘data breach’”

Dame Fiona Caldicott has recommended that all health and social care bodies should publish details of cases where they have processed or shared patients’ personal data without legal basis. This recommendation formed part of her report, commissioned by the Government, into the health and social care sectors’ practices involving information governance.

Her report further states that “The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach,” and she continued by saying, “There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations. A ‘data breach’ should be defined as any failure to meet the requirements of the Data Protection Act. This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data and inappropriate invasion of people’s privacy.”

She has identified that there is a “culture of anxiety” existing within these sectors and has found that personal information is not shared between professionals as often as it easily could be. She went on to say that “safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception”.

There should be no difference between the health and social care sectors and any other sector that captures and processes personal and sensitive personal data. They should be explaining to patients how the personal data they are collecting and processing might be used, for example in anonymised form for “research, audit, public health and other purposes”. They must also recognise their patients’ rights when collecting this data and explain that they are able to withhold their consent from this type of processing. In line with the rest of the data gathering industry, patients should also be told that they can change their decision on consent to sharing their personal data, and these sectors should be maintaining records of “any explicit decision of consent, including withdrawal of consent previously given”. Dame Fiona also said that patients should be informed of the consequences of not providing consent.

She further clarified this by saying that, if personal data is fully anonymised, the information is available to be “freely processed and publicly disclosed”; however, if the information has only been “de-identified by the use of pseudonyms or coded references”, it is personal data and must be treated as such.

Dame Fiona further said that linking of de-identified personal data with other information that contains identifiers should only happen “in specialist, well-governed, independently scrutinised environments known as ‘accredited safe havens’”. The Health and Social Care Information Centre should set out, in the code for processing confidential information, what the “attributes” of an accredited safe haven are. “Data sets containing personal confidential data, or data that can potentially identify individuals (de-identified data for limited disclosure or limited access), are only disclosed for linkage in secure environments, known as ‘accredited safe havens’,” she continued. “The purposes for such linkage should be expanded to cover audit, surveillance and service improvement. Within the accredited safe haven, de-identified data for limited disclosure or access must not be linked to personal confidential data unless there is a clear legal basis to do so, and contracts must forbid this. This would re-identify the de-identified data for limited access, and be a data breach.”

Her report identifies that there need to be national minimum standards on “data stewardship” that govern how the ‘safe havens’ operate. These standards should outline the bodies’ responsibilities for anonymising data as well as mandating the use of “privacy enhancing technologies”. They should also ensure “robust governance arrangements” are in place and that there are “clear conditions for hosting researchers and other investigators who wish to use the safe haven”. Dame Fiona also recommends that patients are given information about how their data is used and shared, and that details of who has had access to their sensitive personal information should also be made available to them “in a suitable form”.

Health Secretary Jeremy Hunt responded in a statement, saying: “The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient… If patients are to see the benefits of these changes we must respect the wishes of the small number of people who would prefer not to share this information. I firmly believe that technology can transform the quality of healthcare in this country, but we must always respect the fact that this is very personal information about an individual.”

Jeremy Hunt previously outlined his vision for a ‘paperless’ NHS by 2018. He said that “NHS patients should each have a digital medical record that public health providers can access ‘when necessary’ and where individuals’ ‘permission’ has been granted.” To my mind this produces further possibilities for breach, given the NHS’ record on data loss…

Posted in Breaches, Data Integrity, Data Protection, Data Security, Fair Processing, Information Security, NHS

Does The Data Protection Act Need Beefing Up To Prevent Further Horse Play?

So, once again we hear of police officers, at all levels it would appear, using the PNC to access information on other people for their own ends and gains. This is becoming an all too common affair now, and one that the Information Commissioner should really be stamping down on hard, looking for more support from Government to strengthen S.55 of the Act to introduce custodial sentences for those who flout the law!

It was interesting that several police officers were caught following the News of the World scandal, and it has come to light that they were selling the information held on the PNC to journalists for their own profit. This has gone on for years, though, and sadly we are seeing it on the increase as it is easier for people to fall into the trap of ‘I will not get caught’. However, this type of action is being seen less as a sweep-it-under-the-carpet problem and more as a let’s-tell-the-world one.

What really astonished me recently, though, was the police officer who used the PNC for his own sexual gratification rather than selling on data. He was caught accessing the details of single women who had reported crimes and basically using the system as a dating service for himself, despite being married. Accessing the data is one thing, but using it like this is such a betrayal of trust that I think the Act really does need beefing up to prevent this sort of tempting horse play from occurring again!!

The Information Commissioner needs to look at his Act and realise that it is not much more than a paper tiger, really, when it comes down to brass tacks. Yes, he has the powers to fine large companies for breaches, but what about the ‘criminals’ who actually do breach like this? They are still constrained by a maximum fine of £5000 in the Sheriff/Magistrates’ Courts and an unlimited fine in the High/Crown Courts. But just how many people really get punished through these routes? I would reckon that there are hardly any prosecutions nowadays other than for non-compliance with the notification process, which is hardly a criminal act compared to what is going on elsewhere…

Things need to improve with the Data Protection Act: either repeal it and re-write it, as happened before, or beef it up, get S.55 fully engaged and give this Act of Parliament some real powers before it is too late. I know this has gone to Parliament before and they knocked it back, but why? Out of self-interest protection, or something more that nobody is telling us about? What has Parliament got to hide? Is there something lurking in those chambers that might cause an explosion that Guido Fawkes failed to ignite? So many questions that need answering, and ones that I feel we should all be asking of the UK Government and local MPs, else we will also find ourselves being brushed off by the Home Secretary along with the European Convention on Human Rights!!

So let us look at and lobby for greater powers under S.55, to enable custodial sentences and criminal acts to be recognised as such, rather than fining the poor unfortunates who may not have realised, or forgot, to renew their notification. The true criminals are the people who illegally access the information and then use it for their own means, not the Mandarins who sit so high up the food chain that beef and horse have no sway on them! If we can target them we can stop this cancer that is starting to eat into our very rights structure, before it transpires that someone has been killed through this criminal negligence.

I look forward to hearing your thoughts.

Posted in Blagging, Breaches, Data Protection, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Should Ticked Consent Be Valid?

How many times have you gone online to buy or book something and found that the website owner is asking your consent to send you other marketing or share your information with other third party suppliers? I would hope it is every time you go online; however, how many times have you found these boxes already ticked? More often than not, I would suggest, which means you have to ensure that you un-tick the box before proceeding to prevent the avalanche of emails from all and sundry hitting your inbox…

Given this scenario, it is interesting to hear that the European Parliament’s Civil Liberties, Justice and Home Affairs Committee is now proposing that the pre-ticking of these boxes be stopped, as it does not give the individual their free and explicit right of consent. Basically, under the current regime consent boxes can be pre-ticked and the consumer then has to opt out of giving consent when, under best practice systems, everyone should only have to opt in, i.e. tick the box to say that they unequivocally agree to their data being processed in the way the website says it will be. Thus consent is freely given by the consumer and they understand what they are opting in to.

Now, is this fair? Looking from both sides of the fence you will get different opinions. From the consumer angle it will be a very definite ‘yes’, as it will decrease the amount of spam and junk emails they receive and also means they have greater control over what they are asking for and do not feel ‘tricked’ by what is often perceived to be sharp practice by the online marketers. From the industry you will get a resounding ‘no’, as this is their bread and butter: they sell on lists of consumers who have ‘opted-in’ to receive third party emails and e-marketing. The fact that this is done by using an enforced opt-in has nothing to do with the ethics of the situation; this is a marketing initiative that goes back many years to when we used paper forms and the wording was something like “XYZ Ltd will pass your information on to other interested companies it feels you will benefit from, if you do not want us to do this please tick here” and a tick box was added. This was not regulated at all, and some companies would switch between the opt-out, as above, and an opt-in on their next mailing. This meant the consumer had to carefully read the opt-in/out statement to ensure they were ticking to receive or not receive.

This has transferred, in the current scheme of things, to the pre-ticked boxes in online forms and, although this should be fully visible, it is often buried in their terms and conditions or privacy notice, which the consumer should be reading, but who actually does? So the business side of the equation believes that there is a precedent for supplying the pre-ticked boxes, as this is what used to happen with the old paper opt-outs, but is this right?

Basically, I do not think there is any reason why the opt-out should be used in this day and age. We are all capable of understanding what we read and we should not be made to go hunting for something that is one of our basic rights, that of preventing unwanted marketing. The Information Commissioner has also said many times in the past that he believes the use of opt-outs should be stopped as it is an unfair burden on the consumer and is denying their rights. It would appear the EU is now coming to the same decision, and I for one would support this all the way, as I do not derive any pleasure from trying to opt out but it is much nicer to be able to say “yes, I think I would like to receive information from you in the future”. In fact, I find myself using websites that make me opt out less and less, and this is the way forward; if we all did this, how would they survive? I leave it to you to decide: should we be opting out or opting in?

I look forward to hearing your thoughts.

Posted in Cookies, Data Protection, Email, Fair Processing, ICO, Information Commissioner, Information Security, Justice

Overcooking the Cookies?

Well, it looks like everyone is starting to use their cookie warning, but is it going too far for the average user? There are many sites that just put the cookie notice up on the screen, ask you to confirm you are happy for them to attach a cookie to your computer and explain how to opt out from them in the future, but the vast majority are starting to get a little tedious…

Many more sites are using the constant warning, where every time you go to their site a cookie notice appears in a pop-up; this also includes the site of the Information Commissioner’s Office, who I think should really know better!!

There are some others I have found that give you chapter and verse about the type of cookies they use and the file name suffixes, but unfortunately they do not tell you what they are used for, just that you have to accept or decline them, which to me is a waste of time unless you are extremely well versed in cookie culture and understand all the cookie types (does anyone??).

So, is this just an annoying trend that website developers are using to get people to complain about the cookie laws, or is it just laziness on the part of the vast majority of sites, like the ICO? To be honest I am really not sure about it, and I think it does not really comply with the regulations, as all it is doing is saying that at this time I am happy for my computer to hold a cookie from your website. My understanding is that we should be told that if we agree a cookie will be attached to the computer, and that it is for updating (or whatever) purposes. It should then show how to cancel the cookie at a later stage or, which would be a lot better, have another click-through available to the user to turn off and delete cookies from that site. Why complicate the whole thing with this constant requirement to accept cookies from the sites you use all the time?

Well, it looks to me as though the cookie users have decided on a plan to make the public complain about this so as to get the cookie regulations changed into something they want to use rather than what is best for business… If we all start complaining to the ICO about them they may put it to the MoJ to re-look at the legislation and come up with something more akin to what we had previously, wouldn’t they? After all, the ICO is doing exactly the same thing to hack off the users of their own website.

Folk are asking where we go from here; in my mind we need to ensure the cookie regulations are not diluted but the user’s experience is made better by changing the way cookie notices are processed. Let’s make it mandatory for firms to ask only once for your opt-in to receiving cookies, with an explanation of why they are using them and for what purposes. They could even have a click-through for the more technically minded who want to know what type of cookie is being planted, and finally a simple click box to opt out of, and have removed, cookies from that website.
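To make the proposal concrete, here is an added example (not code from the original post, the ICO or any real site) of a consent manager built to that design: it prompts once, shows what each cookie is for, records an explicit opt-in rather than assuming one (the same opt-in-not-pre-ticked principle argued in “Should Ticked Consent Be Valid?”), refuses to set any cookie whose purpose was not agreed, and offers a one-click withdrawal that also removes the site’s cookies. The cookie jar is injected so the same logic can sit over document.cookie in a browser or run offline; the in-memory jar, the purpose names and the cookie name site_consent are all constructed assumptions.

```javascript
// Added example of the consent design proposed above. Purpose names, the
// consent cookie name and the in-memory jar are constructed for illustration.

const CONSENT_COOKIE = 'site_consent';

// Plain-language purposes shown to the visitor before they opt in.
const PURPOSES = {
  session:   'Keeps you logged in while you move between pages.',
  analytics: 'Counts page visits so we can see which pages are used.',
};

// Minimal in-memory cookie jar. In a browser the same four operations can be
// implemented over document.cookie; nothing below depends on the DOM.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

function createConsentManager(jar, purposes = PURPOSES) {
  // The stored decision, or null when none exists. A corrupt record counts
  // as no consent rather than as consent to everything.
  function record() {
    const raw = jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  return {
    // Ask once: a prompt is needed only while no decision has been recorded.
    needsPrompt: () => record() === null,

    // What the prompt must show: each purpose with its explanation.
    explanation: () => Object.entries(purposes).map(([k, v]) => `${k}: ${v}`),

    // Record an explicit opt-in to the listed purposes. Unknown names are
    // dropped; an empty list is a valid decision meaning "none".
    accept(acceptedPurposes, now = new Date().toISOString()) {
      const known = acceptedPurposes.filter((p) => p in purposes);
      jar.set(CONSENT_COOKIE, JSON.stringify({ purposes: known, at: now }));
      return known;
    },

    // Gate for the site's own code: was this purpose agreed to?
    canSet(purpose) {
      const rec = record();
      return rec !== null && rec.purposes.includes(purpose);
    },

    // Set a cookie only if its purpose was consented to; report the outcome.
    setCookie(name, value, purpose) {
      if (!this.canSet(purpose)) return false;
      jar.set(name, value);
      return true;
    },

    // One-click withdrawal: delete every cookie the site holds, then store an
    // explicit "no purposes" decision so the visitor is not prompted again.
    withdraw(now = new Date().toISOString()) {
      const removed = jar.names().filter((n) => n !== CONSENT_COOKIE);
      removed.forEach((n) => jar.remove(n));
      jar.set(CONSENT_COOKIE, JSON.stringify({ purposes: [], at: now }));
      return removed;
    },
  };
}

// Walk through one visit against the constructed jar.
function demo() {
  const jar = memoryJar();
  const consent = createConsentManager(jar);
  const steps = [];
  steps.push(['first visit, prompt needed', consent.needsPrompt()]);
  consent.accept(['session', 'bogus'], '2013-06-01T09:00:00Z');
  steps.push(['return visit, prompt needed', consent.needsPrompt()]);
  steps.push(['session cookie set', consent.setCookie('sid', 'abc', 'session')]);
  steps.push(['analytics cookie set', consent.setCookie('_ga', '1', 'analytics')]);
  steps.push(['withdraw removed', consent.withdraw('2013-06-02T09:00:00Z')]);
  steps.push(['after withdraw, prompt needed', consent.needsPrompt()]);
  return steps;
}

console.log(demo());
```

Two design choices carry the argument of the post: nothing is written until accept() is called with the purposes the visitor actually ticked, so the default state is “no consent”, and the site’s own scripts go through setCookie(), which means an analytics cookie cannot appear just because a session cookie was agreed to. Withdrawal stores an empty decision rather than deleting the consent record, which is what keeps the banner from coming back on every page.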

Am I being too simplistic? No, I am trying to make website owners be more compliant and make better use of their customer’s time.

I look forward to reading your comments.

Posted in Cookies, Data Protection, Fair Processing, ICO, Information Commissioner, Justice, Uncategorized