The UK Information Commissioner fines data broking company 140,000 pounds for selling personal information to a marketing company affiliated to UK Labour

August 12, 2018

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for on-selling the personal information of one million people from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party.  That information was used as a database to profile new mums for use during the 2017 General Election.  The key with data for political parties is that it allows them to micro-target voters with carefully structured messages.

Under both UK and Australian privacy legislation, personal information collected for one purpose cannot be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma’s Diary were particularly cynical given Read the rest of this entry »

UK Information Commissioner hits Independent Inquiry into Child Sexual Abuse with a 200,000 pound fine for major data breach

July 30, 2018

As if the victims hadn’t suffered enough.  The Independent Inquiry into Child Sexual Abuse suffered a major data breach.  Of the all too common own goal variety.  A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each person to identify the emails of others.  More than the majority of the email addresses listed the full name of the recipients.  Given the nature of the inquiry and the sensitivity of at least some of the recipients it was a dreadful and entirely avoidable error.  The Inquiry released personal information without consent.

Under the Monetary Penalty Notice the contravention was Read the rest of this entry »

Facebook privacy woes continue with the UK Information Commissioner

July 11, 2018

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the findings of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous, involving up to 87 million users worldwide.  The UK Information Commissioner commenced its investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »

UK Information Commissioner fines General Practitioner 35,000 pounds for failing to secure medical records

June 6, 2018

The UK Information Commissioner’s Office has once again shown how it should be done.  The Bayswater Medical Centre left highly sensitive medical information unsecured in an empty building for more than 18 months.

The Centre vacated a building which it leased in July 2015 after moving to new premises, but continued to use it as a storage facility.  Another local GP surgery, NHS West London CCG, was interested in taking over the lease of the empty building.  It had access from June 2016.  Employees of NHS West London CCG informed the Centre that there were unsecured ‘Lloyd George Records’ on the site. The Centre acknowledged that was the case.  Foolishly the Centre did nothing about the records even when Read the rest of this entry »

UK Data Protection Act finalised

June 5, 2018

The implementation of the GDPR has been followed by the enactment of the new UK Data Protection Act 2018.  The Act highlights the increasing sophistication of data protection laws in the UK/Europe sphere.

The Act contains provisions which will allow for continuation of the GDPR and also implements the EU Law Enforcement Directive, setting Read the rest of this entry »

UK Information Commissioner fines University of Greenwich 120,000 pounds for serious security breach

June 4, 2018

The comparison between Australia and the UK on data protection comes into sharp focus with the Information Commissioner’s announcement that the University of Greenwich has been slugged a £120,000 fine for a data breach which involved 20,000 people, including students and staff.

The breach involved a microsite set up in 2004, not closed Read the rest of this entry »

The UK Information Commissioner raises concerns about the “staggeringly inaccurate” face recognition systems used by the police

May 16, 2018

Facial recognition technology has long been touted as an effective tool in crime prevention and investigation as well as important for national security.  It is also touted as a way of improving efficiency in business and through social media.  Unfortunately the hype does not match the facts.  The algorithms and the quality of images that power facial recognition technology are often below par leading to many false positives.  The technology is also plagued by Read the rest of this entry »

UK Information Privacy Commissioner releases comprehensive guide for lawful basis for processing data under the General Data Protection Regulation

May 14, 2018

The issue of consent is very significant under all data protection acts, not least the Australian Privacy Act 1988.  The UK Information Commissioner has released its guidance on consent.  While it is directly applicable to the obligations under the General Data Protection Regulation (the GDPR) the contents will be of use in the Australian context.  Issues relating to consent are common across jurisdictions and the UK Information Commissioner’s guidances are generally Read the rest of this entry »

The UK Information Commissioner releases its Guide to the General Data Protection Regulation

May 6, 2018

The UK Information Commissioner’s Office (the ICO) produces excellent guides relating to UK and EU laws. They are much clearer, more specific and, therefore, more useful than the guidances produced by the Australian Information Commissioner.  Given the legislation and regulations in this area of the law are principles based, having good guidances is critical.

The ICO has produced its Guide to the General Data Protection Regulation (GDPR).  A 171 page tome on all matters relating to compliance with the GDPR.  The GDPR is about to take effect in Europe, on 25 May 2018 to be precise.  Its impact will range farther than the borders of the European Union.  Even Mark Zuckerberg in his much vaunted testimony to Congress in April said Facebook would, eventually, comply with the GDPR.

The GDPR differs from the Australian Privacy Principles.  It is much more comprehensive.  However that does not mean that they are not relevant for Australian practitioners.  Companies with a significant presence in the EU will need to be aware of the GDPR requirements.  At the local level Read the rest of this entry »

UK Information Commissioner’s Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

November 6, 2017

The Information Commissioner’s Office has been an active regulator in the United Kingdom.  The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to levy heavy monetary penalty notices, the technical term for fines. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million.  Each regulator has its own regulatory armaments.  The difference is that the ICO is active.  The Australian Information Commissioner is not.

This fine is the first by the ICO involving the data broking industry.

The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls.  Prodial received a record fine but the investigation continued and went to the source of the data.  That is quite a common feature of regulatory investigations.  Commonly one investigation for Read the rest of this entry »