Facebook privacy woes continue with the UK Information Commissioner

July 11, 2018

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the finding of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous, involving up to 87 million users worldwide.  The UK Information Commissioner commenced its investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »

UK Information Commissioner fines General Practitioner 35,000 pounds for failing to secure medical records

June 6, 2018

The UK Information Commissioner’s Office has once again shown how it should be done.  The Bayswater Medical Centre left highly sensitive medical information unsecured in an empty building for more than 18 months.

The Centre vacated a building which it leased in July 2015 after moving to new premises, but continued to use it as a storage facility.  Another local GP surgery, NHS West London CCG, was interested in taking over the lease of the empty building.  It had access from June 2016.  Employees of NHS West London CCG informed the Centre that there were unsecured ‘Lloyd George Records’ on the site. The Centre acknowledged that was the case.  Foolishly the Centre did nothing about the records even when Read the rest of this entry »

UK Data Protection Act finalised

June 5, 2018

The implementation of the GDPR has been followed by the enactment of the new UK Data Protection Act 2018.  The Act highlights the increasing sophistication of data protection laws in the UK/Europe sphere.

The Act contains provisions which will allow for continuation of the GDPR and also implements the EU Law Enforcement Directive, setting Read the rest of this entry »

UK Information Commissioner fines University of Greenwich 120,000 pounds for serious security breach

June 4, 2018

The comparison between Australia and the UK on data protection comes into sharp focus with the Information Commissioner’s announcement that the University of Greenwich has been slugged a £120,000 fine for a data breach which involved 20,000 people, including students and staff.

The breach involved a microsite set up in 2004, not closed Read the rest of this entry »

The UK Information Commissioner raises concerns about the “staggeringly inaccurate” face recognition systems used by the police

May 16, 2018

Facial recognition technology has long been touted as an effective tool in crime prevention and investigation as well as important for national security.  It is also touted as a way of improving efficiency in business and through social media.  Unfortunately the hype does not match the facts.  The algorithms and the quality of images that power facial recognition technology are often below par, leading to many false positives.  The technology is also plagued by Read the rest of this entry »

UK Information Privacy Commissioner releases comprehensive guide for lawful basis for processing data under the General Data Protection Regulation

May 14, 2018

The issue of consent is very significant under all data protection acts, not least the Australian Privacy Act 1988.  The UK Information Commissioner has released its guidance on consent.  While it is directly applicable to the obligations under the General Data Protection Regulation (the GDPR) the contents will be of use in the Australian context.  Issues relating to consent are common across jurisdictions and the UK Information Commissioner’s guidances are generally Read the rest of this entry »

The UK Information Commissioner releases its Guide to the General Data Protection Regulation

May 6, 2018

The UK Information Commissioner’s Office (the ICO) produces excellent guides relating to UK and EU laws. They are much clearer, more specific and, therefore, more useful than the guidance produced by the Australian Information Commissioner.  Given that the legislation and regulations in this area of the law are principles based, having good guidance is critical.

The ICO has produced its Guide to the General Data Protection Regulation (GDPR), a 171 page tome on all matters relating to compliance with the GDPR.  The GDPR is about to take effect in Europe, on 25 May 2018 to be precise.  Its impact will range farther than the borders of the European Union.  Even Mark Zuckerberg in his much vaunted testimony to Congress in April said Facebook would, eventually, comply with the GDPR.

The GDPR differs from the Australian Privacy Principles.  It is much more comprehensive.  However that does not mean that they are not relevant for Australian practitioners.  Companies with a significant presence in the EU will need to be aware of the GDPR requirements.  At the local level Read the rest of this entry »

UK Information Commissioner’s Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

November 6, 2017

The Information Commissioner’s Office has been an active regulator in the United Kingdom.  The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to levy heavy monetary penalty notices, the technical term for fines. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million.  Each regulator has its own regulatory armaments.  The difference is that the ICO is active.  The Australian Information Commissioner is not.

This fine is the first by the ICO involving the data broking industry.

The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls.  Prodial received a record fine but the investigation continued and went to the source of the data.  That is quite a common feature of regulatory investigations.  Commonly one investigation for Read the rest of this entry »

UK Information Commissioner’s Office fines Nottinghamshire Council 70,000 pounds for leaving vulnerable people’s personal information online for 5 years

September 5, 2017

The UK Information Commissioner’s Office has again taken action for breaches of data security. This time it issued a monetary penalty notice of £70,000 against the Nottinghamshire Council for exposing the personal information of vulnerable people for 5 years.  While the legislative structures are different, the assertive approach by the ICO compares favourably to the lethargic and timid approach taken by the Australian Privacy Commissioner.

The nub of the problem was that Nottinghamshire County Council had set up a portal to allow social care providers to confirm that they had capacity to support a vulnerable person.  The architecture of the portal was flawed.  A member of the public discovered Read the rest of this entry »

UK Information Commissioner fines a North London council for security flaw which exposed thousands of people’s personal information

August 20, 2017

The UK Information Commissioner (“ICO”) continues to set a brisk pace in taking action against data breaches, this time imposing a £70,000 fine on the Islington Council for failing to keep personal information secure on its parking ticket system website.  It highlights that breaches of privacy laws are as much about ensuring that personal information is secure from potential breach as responding to a breach itself.  The infraction can be just as costly.

In the case of Islington Council the ICO found that its website, which allowed people to see an image of their parking offence, had design faults which Read the rest of this entry »