UK Information Commissioner's Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

November 6, 2017

The Information Commissioner’s Office has been an active regulator in the United Kingdom. The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to issue monetary penalty notices, the technical term for fines, which can be heavy. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million. Each regulator has its own regulatory armaments. The difference is that the ICO is active. The Australian Information Commissioner is not.

This fine is the first by the ICO involving the data broking industry.

The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls. Prodial received a record fine, but the investigation continued and went to the source of the data. That is quite a common feature of regulatory investigations. Commonly one investigation for Read the rest of this entry »

UK Information Commissioner's Office fines Nottinghamshire Council 70,000 pounds for leaving vulnerable people's personal information online for 5 years

September 5, 2017

The UK Information Commissioner’s Office has again taken action for breaches of data security. This time it issued a monetary penalty notice of £70,000 against Nottinghamshire Council for exposing the personal information of vulnerable people for 5 years. While the legislative structures are different, the assertive approach by the ICO compares favourably to the lethargic and timid approach taken by the Australian Privacy Commissioner.

The nub of the problem was that Nottinghamshire County Council had set up a portal to allow social care providers to confirm that they had capacity to support a vulnerable person. The architecture of the portal was flawed. A member of the public discovered Read the rest of this entry »

UK Information Commissioner fines a North London council for security flaw which exposed thousands of people’s personal information

August 20, 2017

The UK Information Commissioner (“ICO”) continues to set a brisk pace in taking action against data breaches, this time imposing a £70,000 fine on Islington Council for failing to keep personal information secure on its parking ticket system website. It highlights that breaches of privacy laws are as much about ensuring that personal information is secure from a potential breach as about responding to a breach itself. The infraction can be just as costly.

In the case of Islington Council the ICO found that its website, which allowed people to see an image of their parking offence, had design faults which Read the rest of this entry »

UK Information Commissioner slaps a 100,000 pound fine on telco firm TalkTalk for failing to look after its customers’ data

August 18, 2017

TalkTalk has had a dreadful few years courtesy of data breaches. In 2016 it received a record fine of £400,000 for the theft of personal data of 157,000 customers, which had not been encrypted, as a result of a hack in 2015. It later estimated Read the rest of this entry »

Federal Trade Commission halts company that used information in loan applications to sell personal information to third parties wanting leads for their own business purposes for the pu

July 20, 2017

It is almost embarrassing to say that data is big business. Personal information is the wheat that is separated from the digital chaff. The Federal Trade Commission issued a complaint against Blue Global Media over what was an egregious program of getting consumers to fill out loan applications and on-selling that data, including personal information and sensitive information, which in the US context includes social security numbers and credit card details, to parties willing to pay for leads. As is commonly the case the FTC Read the rest of this entry »

Royal Free London NHS Foundation Trust enters into undertaking because of the breach of the Data Protection Act in turning over sensitive medical data of around 1.6million patients to DeepMind

July 15, 2017

The UK Information Commissioner’s Office (the “ICO”) has its detractors; however, as a regulator it has been far more energetic than its Australian equivalent. The legislative structure is different, as is the resourcing. The UK Data Protection Act provides more scope for enforcement action and the penalties can be swingeing. That said, the ICO's approach of combining education, the carrot, with high profile and tough regulatory action, monetary penalty notices, highlights a difference with the Office of the Information Commissioner, which has been all about education and very little about enforcement. That has had a deleterious effect on privacy and data protection compliance in Australia.

The ICO took action against the Royal Free London NHS Foundation Trust for failing to Read the rest of this entry »

The Australian Competition and Consumer Commission sends warning about phishing

June 20, 2017

The Australian Competition and Consumer Commission (ACCC) has issued an alert about phishing scams, stating that so far this year there have been 11,000 reports and a loss of $260,000. Given that under-reporting is the norm, it is likely that the losses are much greater.

The media release provides:

The ACCC is warning people to stay alert to ‘phishing’ scammers pretending to be from well-known businesses and government departments trying to con unsuspecting victims out of their personal information and money. Read the rest of this entry »

UK Information Commissioner’s Office fines Gloucester City Council 100,000 pounds for exposing personal information to cyber attack

June 14, 2017

It is a critical part of maintaining data security to address vulnerabilities on a website as and when they become known. That requirement is included in all guidance put out by privacy commissioners. Usually it is a fairly straightforward task: updating programs, installing patches when a vulnerability is identified and responding to notices about threats. Organisations should, but rarely do, organise penetration testing. In the United States there is a culture of engaging white hat hackers to test the cyber defences of government and organisations.

But protecting against well-known vulnerabilities has to be the necessary minimum, as Gloucester City Council will now realise, having been fined £100,000 for failing to repair a vulnerability, the Heartbleed flaw, in the software of the council’s website. This failure Read the rest of this entry »

United Kingdom Information Commissioner’s Office fines Basildon Borough Council 150,000 pounds for publishing sensitive personal data online

June 4, 2017

The United Kingdom’s Information Commissioner’s Office (the “ICO”) has imposed a severe fine on Basildon Borough Council for publishing personal information in planning application documents. The argument run by the Council was that the planning laws prevented it from redacting the information, even though it routinely redacted personal information on other applications. In Victoria this has been an issue in the past, where some councils have felt that they cannot redact while others argue they can. It appears that most do redact.

The ICO media release provides:

A council has been fined £150,000 by the Information Commissioner’s Office (ICO) for publishing sensitive personal information about a family.

Basildon Borough Council breached the Data Protection Act when it published the information in planning application documents which it made publicly available online.

The ICO’s investigation found that on 16 July 2015, the council received a written statement in support of a householder’s planning application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years. In particular, it referred to the family’s disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home. Read the rest of this entry »

UK Information Commissioner’s Office fines HCA International Ltd for failing to keep fertility patient personal information secure

March 5, 2017

Health records are amongst the most sensitive of information. Information about a person’s fertility treatment is an even more sensitive category of information again. It is not surprising that when there is a failure to keep such data secure the regulator would take a strong line. At least in the United Kingdom. In Australia, the regulator has not yet taken a strong line on anything of substance.

The UK Information Commissioner’s Office (the “ICO”) fined HCA International Ltd (“HCA”) £200,000 for failing to keep records secure. The problem stemmed from Read the rest of this entry »