UK Information Commissioner intends to fine Marriott International 99 million pounds and British Airways 183.39 million pounds. The GDPR bites for data breaches

July 16, 2019

With the General Data Protection Regulation in force in the United Kingdom, the Information Commissioner has greatly enhanced powers to fine those who breach data protection laws.  In that vein, the Commissioner announced on 8 July 2019 an intention to fine British Airways £183.39 million for a data breach in September 2018 in which the personal information of 500,000 people was compromised.  As is often the case, investigation after the breach revealed

UK Information Commissioner prosecutes unauthorised access to personal information: part of a growing problem

June 11, 2019

Organisations and agencies that collect and use personal information have a chronic problem of staff accessing that information without authorisation.   It is a very significant problem in the health industry, with staff looking into the health records of celebrities: George Clooney in 2007, Britney Spears in 2008, Michael Jackson in 2011 and Kim Kardashian in 2013, to name a few. Last year two staff members at the Ipswich Hospital were reprimanded and one sacked for accessing Ed Sheeran’s health records relating to his treatment for a wrist injury caused by a bicycle accident.  These instances are a fraction of the breaches of this nature that occur.  The breaches rarely come to light because organisations rarely notify those whose personal information has been compromised.  And they are only occasionally notified to the regulator.

A case of snooping that was reported to the regulator resulted in a successful prosecution. In the United Kingdom unauthorised access to personal information is a criminal offence. The UK Information Commissioner successfully prosecuted a former customer services officer at Stockport Homes who unlawfully accessed personal data relating to anti-social behaviour cases 67 times in 2017.  The breaches were

BUPA fined 175,000 pounds for data protection failures

October 3, 2018

As Bupa has discovered, data breaches caused by employee misbehaviour can be as devastating for an organisation as a cyber attack.  A rogue Bupa employee accessed and sold on the dark web the personal information of Bupa’s customers.  When this was discovered by a third party, the Information Commissioner investigated and found systemic failures and non-compliance with data security requirements.  That is a common outcome.  The breach itself is bad enough, but the investigation usually turns up more than just one problem with an organisation’s data security.  That was the case with Bupa.  There were systemic failures on

UK Information Commissioner’s office fines Equifax half a million pounds for security breach in 2017

October 1, 2018

First the breach, then the disastrous publicity, and just when things seem to be getting better, the enforcement action.  That is the way of it with UK and US privacy breaches.  Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack.  The impact was, even by modern standards, massive, with the personal information of 146 million people being compromised.  That involved 200,000 credit card numbers and expiration dates, and government-issued documentation such as drivers’ licences and passports. A total of 15 million UK citizens’ personal information was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a “how not to” guide on storing information, setting up proper data security and responding to a data breach.  As the UK Information Commissioner found

The UK Information Commissioner fines data broking company 140,000 pounds for selling personal information to a marketing company affiliated to UK Labour

August 12, 2018

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for the on-selling of the personal information of one million people from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party.  That information was used to build a database to profile new mums for use during the 2017 General Election.  The value of such data for political parties is that it allows them to micro-target voters with carefully structured messages.

Under both UK and Australian privacy legislation, personal information collected for one purpose cannot be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma’s Diary were particularly cynical given

UK Information Commissioner hits Independent Inquiry into Child Sexual Abuse with a 200,000 pound fine for major data breach

July 30, 2018

As if the victims hadn’t suffered enough.  The Independent Inquiry into Child Sexual Abuse suffered a major data breach of the all too common own-goal variety.  A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each recipient to see the email addresses of the others.  More than half of the email addresses included the recipient’s full name.  Given the nature of the inquiry and the sensitivity of at least some of the recipients, it was a dreadful and entirely avoidable error.  The Inquiry released personal information without consent.

Under the Monetary Penalty Notice the contravention was

Facebook privacy woes continue with the UK Information Commissioner

July 11, 2018

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the findings of its investigation involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous, involving up to 87 million users worldwide.  The UK Information Commissioner commenced its investigation into Facebook in February.  It now announces its intention to fine Facebook the maximum of £500,000 as well as

UK Information Commissioner fines General Practitioner 35,000 pounds for failing to secure medical records

June 6, 2018

The UK Information Commissioner’s Office has once again shown how it should be done.  The Bayswater Medical Centre left highly sensitive medical information unsecured in an empty building for more than 18 months.

The Centre vacated a building which it leased in July 2015 after moving to new premises, but continued to use it as a storage facility.  Another local GP surgery, NHS West London CCG, was interested in taking over the lease of the empty building and had access to it from June 2016.  Employees of NHS West London CCG informed the Centre that there were unsecured ‘Lloyd George Records’ on the site, and the Centre acknowledged that was the case.  Foolishly, the Centre did nothing about the records even when

UK Data Protection Act finalised

June 5, 2018

The implementation of the GDPR has been followed by the enactment of the new UK Data Protection Act 2018.  The Act highlights the increasing sophistication of data protection laws in the UK/European sphere.

The Act contains provisions which will allow for the continuation of the GDPR and also implements the EU Law Enforcement Directive, setting

UK Information Commissioner fines University of Greenwich 120,000 pounds for serious security breach

June 4, 2018

The comparison between Australia and the UK on data protection comes into sharp focus with the Information Commissioner’s announcement that the University of Greenwich has been slugged with a £120,000 fine for a data breach which involved 20,000 people, including students and staff.

The breach involved a microsite set up in 2004 and not closed