Matthew Arnold & Baldwin LLP | Giving you a lot more than just law... » ICO

Information Commissioner’s Office set to get tough with public bodies that fail to comply with Freedom of Information Act

Paul Gershlick — Fri, 23 Jul 2010 16:22:22 +0000

The Information Commissioner’s Office – the UK’s information regulator – is set to get tough with public bodies that fail to comply with the Freedom of Information Act 2000. The Act gives people anywhere in the world the right to see information held by more than 100,000 UK public bodies about the way in which decisions are made and public money spent, even if it relates to their competitors. Bodies will face sanctions if they regularly fail to respond on time, do not disclose information without specifying an exemption or fail altogether to respond to an information request. The ICO is concerned with the number of complaints, particularly over the time it takes to get a response. The sanctions can include enforcement notices, written undertakings, compliance with best practice recommendations and ultimately a report to Parliament.

Information Commissioner issues code of practice for online behavioural advertising

Paul Gershlick — Tue, 20 Jul 2010 15:46:01 +0000

The Information Commissioner’s Office – the UK’s data protection regulator – has issued a code of practice dealing with online behavioural advertising issues. Online behavioural advertising refers to the practice of presenting target ads based on a user’s behaviour online. The ICO has said that the behaviour is not intrinsically bad, but it must be conducted fairly. Users should be given details of what is being done on a tracked basis, and explicit consent is needed where the information being tracked is sensitive personal data, such as sexual health. The guidance says that service providers are able to refuse to provide a service to a user if they have not opted in to the use of cookies and the use of the cookies is strictly necessary for the provision of the service. The ICO’s battle cry is simply fairness and openness. To read the ICO’s code of practice, click here: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf.

Information Commissioner calls for prison sentences for data breaches, as data complaints to the regulator rise

Mark Weston — Fri, 16 Jul 2010 12:30:23 +0000

Christopher Graham, the Information Commissioner, has called for prison sentences to deter the illegal sale and purchase of people’s data. Graham, who is in charge of regulating data in the UK, said that data theft is not a victimless crime. His call came in his report that detailed a concerning increase in the number of complaints about use of data. There was a 30% rise in complaints about people’s data – up to 33,000 – in 2009/2010 compared to the previous year. Many of the complaints related to the rights of data subjects to access data, the way the data was disclosed, and how accurate it was. In addition, the report revealed that there was a 20% annual jump in the number of complaints – to 3,700 – over public bodies’ failure to comply with the Freedom of Information Act.

Government launches public consultation on data protection laws

Paul Gershlick — Wed, 14 Jul 2010 16:11:41 +0000

The Government has launched a consultation with the public to ask for their opinions on the country’s data protection laws and whether the position can be improved. The consultation has a wide remit in that it considers the rights of data subjects, obligations of data controllers, international data transfers, the enforcement powers of the Information Commissioner’s Office and whether people should be able to claim damages for loss of reputation without having to prove any other financial loss.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: ‘This consultation sounds like a good idea in theory. But, in practice, there may be little that the Government can do as the Data Protection Act implements a European Union Data Protection Directive. Therefore, any changes need to be in line with that EU law. As it is, the European Commission has recently given the UK an ultimatum to change the Act in line with the Directive.’

European Commission gives UK Government two month ultimatum to make Data Protection Act comply with EU Data Protection Directive requirements

Paul Gershlick — Fri, 02 Jul 2010 14:00:30 +0000

The European Commission has laid down a two month ultimatum in which the UK Government must comply with the Commission’s requirements to ensure that the UK’s Data Protection Act 1998 properly complies with the EU’s Data Protection Directive. The Commission has complained since 2004 that the UK’s law does not adequately reflect all of the requirements of the EU-wide Directive. In particular, the Government has two months to:

Enable the Information Commissioner’s Office – the Regulator in charge of enforcing UK data protection law – to have the right to conduct random checks on data controllers and issue penalties for non-compliance.
Ensure that data subjects can properly have the right to have their personal data erased.
Enable data subjects to have the right to claim compensation for moral damage when their personal data is used inappropriately.

If the Government fails to comply, the matter will be brought to the Court of Justice of the European Union.

The ICO says at http://www.ico.gov.uk/upload/documents/pressreleases/2010/ico_statement_european_commission_280610.pdf, “It is important that we have effective data protection regulation to help protect individuals’ personal information. We look forward to discussing the Commission’s detailed concerns with the Ministry of Justice and providing input into the UK Government’s response.”

Google’s Street View cars have been recording people’s wi-fi communications in error

Mark Weston — Tue, 25 May 2010 20:34:44 +0000

Google has been involved in more controversy over its Street View service, as its cars have been inadvertently collecting the contents of wireless communications from people’s unsecured wi-fi networks in streets where they have been snapping. Google’s Street View service was already controversial, as privacy campaigners had objected to pictures of people going about their everyday activities being recorded by Google’s Street View drivers in their streets and then being posted on the Internet on Google’s service. This latest episode comes as a big embarrassment to the online services giant, as it had previously said that its Street View cars did not collect the content of people’s wi-fi communications. It said: ‘How did this happen? Quite simply, it was a mistake.’ Google is now working closely with data protection and privacy regulators around the world to consider the best way of quickly disposing of the data.

Parties set out stall in election manifestos

Paul Gershlick — Wed, 21 Apr 2010 07:15:52 +0000

The political parties have made their manifesto pledges in the run-up to the General Election. Some say manifesto pledges are there to be broken. Nevertheless, they’re a good indication of the way a party is going to go if they win power.

For Labour, they will further change intellectual property law if they win, and they will create a few tax incentives for niche areas such as video game publishers. They would also look to use monitoring and surveillance technology including CCTV and the national citizens database and ID card scheme.

As for the Conservatives, they are committed to making efficiency savings in the public sector, such as stopping the ID card scheme. Crucially for anyone working with the public sector, they are looking to renegotiate large contracts and introduce more oversight and accountability into the public procurement process. They also want to increase the powers of the Information Commissioner’s Office to deal with public authorities that misuse people’s personal data.

ICO warns three councils about future conduct after not protecting data sufficiently

Paul Gershlick — Tue, 13 Apr 2010 09:56:31 +0000

The Information Commissioner’s Office – the regulator in charge of enforcing data protection laws in the UK – has come down hard on three councils after they failed to protect the security of personal data for which they were the data controllers. St Albans City and District Council agreed to do better after an unencrypted laptop that had been left unsecured on a desk was stolen; the laptop contained postal voters’ records and the data had no longer been required on the laptop at the time of the theft. Warwickshire Council also had to give promises about its future conduct after unencrypted and unsecured laptops and memory sticks containing information relating to school pupils and members of staff were stolen. Highland Council faced similar action after personal data relating to people’s physical and mental health was inadvertently disclosed.

Information Commissioner’s Office won’t go soft on charities on data compliance

Paul Gershlick — Tue, 23 Feb 2010 08:06:01 +0000

The Information Commissioner’s Office has hit a clear warning to charities that it won’t go soft on them, after it required the Alzheimer’s Society to sign a formal undertaking agreeing to comply with the Data Protection Act 1998 and improve its security and staff training. This follows the loss of several unencrypted laptops containing the names, addresses, national insurance numbers and salary details of 1,000 UK staff. The ICO – the regulator in charge of enforcing data protection laws in the UK – reiterated its message that it has given out frequently: all portable devices containing personal data must be encrypted and that staff are appropriately trained at all times.

(ISC)² warns new big fines are finally bringing data security to boards’ attentions

Mark Weston — Fri, 19 Feb 2010 16:32:15 +0000

Imminent fines are bringing data security issues to boards’ attentions. Those are the comments of John Colley, EMEA managing director of (ISC)². (ISC)² is a not-for-profit organisation that educates on information security issues. Colley claims that the forthcoming introduction in the UK of fines of £500,000 for serious data breaches is making businesses sit up and take their data protection obligations seriously. He advocates every information security person ensuring that they have compliant policies and documentation in place before the law becomes stricter.

Under changes to UK data protection law expected to take place in April this year, the Information Commissioner’s Office – the regulator in charge of enforcing data protection law in the UK – will be able to fine organisations up to £500,000 if they discover a serious breach of the Data Protection Act. The breach must be of a kind likely to cause substantial damage or distress, and either the organisation must have deliberately breached the Act or it should have known of the risk and the likely substantial damage or distress but still failed to take reasonable steps to prevent it. The ICO has issued guidance as to how high it would make the penalties. The ICO would consider a number of factors, including:

How serious the breach was.
How likely damage was.
Whether the breach was deliberate or negligent.
What steps the organisation had taken to safeguard the data.
The organisation’s resources and size.

It’s a case of ‘Do As We Tell You’ not ‘Do As We Do’ as Labour is the latest political party caught out for flouting privacy laws when canvassing

Paul Gershlick — Wed, 10 Feb 2010 21:46:22 +0000

The Labour Party has embarrassingly been told off for breaching the privacy rights of 500,000 people in a canvassing campaign, when it sent the recipients a recorded message of actress Liz Dawn telling them to vote labour. Unsolicited automated telephone calls without consent breach the Privacy and Electronic Communications (EC Regulations) 2003. A member of the public complained in July 2007 that they were receiving those calls, but the Information Commissioner’s Office – the UK data protection regulator – received further complains in 2009. The ICO has served an enforcement notice on Labour requiring the Party to ensure no further automated direct marketing calls are made without consent. If Labour breaches the enforcement notice, they could be fined. Labour is not the only Party at it – the Conservatives, Liberal Democrats and Scottish National Party have all received enforcement notices in the past for employing the same tactics. It seems to be a case of the politicians making the law for everyone else to comply with, but thinking they are above the law – sound familiar?

Coroners and Justice Act brought into force to allow Information Commissioner to inspect premises for data protection breaches

Mark Weston — Tue, 09 Feb 2010 21:55:39 +0000

Sections 173 to 175 of the Coroners and Justice Act has been brought into force as of 1 February. This gives the Information Commissioner – the data protection regulator in the UK – the right to inspect premises and require other co-operation (initially of public authorities, but the categories may be extended later) – to assess whether the data controller (usually the organisation being inspected) is complying with the Data Protection Act. The changes also make other changes of a framework nature initially, including requiring the Commissioner to create new codes of practice, such as to cover the sharing of personal data.

This is part of a trend to beef up data protection law and increase the teeth given to inspect and prosecute for data breaches.

School admits to loss of laptop containing sensitive personal data of over 1,000 pupils and staff

Paul Gershlick — Tue, 22 Dec 2009 21:49:06 +0000

A school has admitted storing sensitive personal data of about 1,200 pupils and staff on an unencrypted laptop, which was subsequently stolen. The Information Commissioner’s Office – the regulator in charge of enforcing data protection laws in the UK – has decided not to issue an enforcement notice for breaches of the Data Protection Act 1998 against Waseley Hills High School and Sixth Form Centre in Birmingham. The ICO was satisfied with the school’s undertakings to increase security held on portable devices, use encryption where appropriate and train staff on data security issues.

Information Commissioner wants powers to inspect organisations’ use of data…

Paul Gershlick — Tue, 15 Dec 2009 21:22:06 +0000

The Information Commissioner – the regulator in charge of enforcing data protection law in the UK – has called for powers to carry out spot checks on organisations to see if they are complying with the Data Protection Act. Currently, the Commissioner can only access premises with a warrant or with consent, but it would like the power to enter premises automatically. The ICO believes that it has had some success in catching wrong-doers but to enforce data protection laws effectively it needs to be able to catch organisations unawares. Aside from wanting better powers to access and detect breaches, the Commissioner has also been in the news recently for his push towards getting custodial sentences for people who supply or obtain data without the data controller’s consent.

Patient records turn up as gift wrapping paper at shop

Paul Gershlick — Mon, 14 Dec 2009 19:46:37 +0000

Whatever next? NHS patients’ paper records have turned up as packaging to wrap gifts up in at a jewellery shop! The records had originally come from Papworth Hospital NHS Foundation Trust, although the lack of care was not their fault. The records had apparently been sent by the hospital to a solicitor who acted for patients and the records were inadequately shredded. A recipient of a gift from the shop got more than she bargained for and phoned the hospital immediately to report the data compromise. The hospital was horrified when it found out.

Unsafe deletion of personal data is a breach of the Data Protection Act. In this case, though, the solicitor may face additional consequences. If his clients were already in a litigious frame of mind when they were looking for legal action in respect of the hospital, they may next decide to vent their spleens, so to speak, at their legal advisers!

Information Commissioner gets broader enforcement powers as Coroners and Justice Bill receives Royal Assent…

Mark Weston — Thu, 03 Dec 2009 10:58:31 +0000

The Information Commissioner’s Office – the body in charge of enforcing UK data protection laws – has been given greater enforcement powers, as the Coroners and Justice Bill has been passed. The new law gives the ICO a right to serve public authorities with assessment notices to enable them to establish whether they are complying with data protection laws. The law also gives the ICO broader powers to require people on premises to provide explanations of material found on those premises. One controversial provision in the original Bill – to allow the Government much wider data-sharing powers – was withdrawn before the Bill became law. The ICO would like to see the greater powers extended to its role in enforcing data protection laws against private sector organisations.

Government launches consultation on new powers for ICO to issue a maximum £500,000 fine for data protection breaches…

Samantha Lloyd — Wed, 02 Dec 2009 16:58:21 +0000

The Government has launched a consultation which would provide the Information Commissioner’s Office – the UK’s data protection regulator – with powers to fine organisations up to a maximum of £500,000 for serious breaches of data protection principles. The aim of the Ministry of Justice is to provide the ICO will the ability to impose robust penalties on those who commit such breaches. The consultation asks whether the proposed maximum fine of £500,000 would provide the ICO with a proportionate sanction. New powers for the ICO to issue civil monetary penalties were created by the Criminal Justice and Immigration Act 2008 and are expected to come into force next April. The powers will permit fines to be levied by the ICO where:

A data controller has breached of one of the eight data protection principles;
The breach was deliberate or the data controller knew, or ought to have known, of the contravention risk;
The contravention would be likely to cause substantial damage or substantial distress; and
The data controller failed to take action to stop it.

The consultation closes on 21 December 2009.