UK Information Commissioner’s Office takes action against real estate agent for failing to keep personal information secure and for inappropriate disposal practices

August 12, 2014

The Information Commissioner’s Office (the “ICO”) has entered into an enforceable undertaking with Thamesview Estate Agents, which engaged in practices inconsistent with properly handling personal information and disposing of it securely: it left transparent bags of documents containing personal information on the street for collection and disposal by a third party. The contents of the bags could be viewed …

UK Information Commissioner raises concerns about data breaches by the members of the legal profession

August 6, 2014

The saying “the cobbler’s children go shoeless” is apt when viewing the ICO’s media release Information Commissioner ‘sounds the alarm’ on data breaches within the legal profession. The release comes on the back of 15 incidents (so described) of possible data breaches. In an industry/profession which generates a significant volume of data in paper and digital form, much of which is sensitive and usually privileged, proper data management is important. Unfortunately it is also …

The UK Information Commissioner releases guide to keeping smartphones secure

August 1, 2014

The UK Information Commissioner has issued a guide Safer smartphones – a guide to keeping your device secure.

The main tips are …

UK Information Commissioner publishes review of impact of Civil Monetary Penalties

July 31, 2014

The UK Information Commissioner has published a review of the impact of the Civil Monetary Penalties.

Under the Data Protection Act 1998 the ICO can issue Civil Monetary Penalties (CMPs) of up to £500,000 for serious breaches of the Data Protection Act (the DPA) and serious breaches of the Privacy and Electronic Communications Regulations (PECR). The criteria for serving a CMP under section 55A(1) of the DPA are:

  1.  there has been a serious contravention of a data protection principle; and
  2.  “the contravention was of a kind likely to cause substantial damage or substantial distress”; and
  3.  the data controller:
      (a) knew or ought to have known
          (i) that there was a risk that the contravention would occur, and
          (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
      (b) failed to take reasonable steps to prevent the contravention.

The listed key findings are:

  • The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:
    • Organisations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
    • Data protection was given a higher profile, with greater senior management buy-in.
    • Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.


UK Information Commissioner serves monetary penalty notice on Think W3 Limited for serious privacy breaches

July 27, 2014

On 24 July 2014 the Information Commissioner’s Office in the United Kingdom (the ICO) served on Think W3 Limited a substantial monetary penalty notice of £150,000 after determining that 1,163,996 credit and debit card records had been accessed by an attacker.

The ICO media notice provides:

Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.

The company was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd. The hacker extracted a total of 1,163,996 credit and debit card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed. …

Student Loans Company in the UK enters into enforceable undertaking after data breaches

May 29, 2014

Enforceable undertakings are now an option available to the Privacy Commissioner following an own motion investigation or in response to a complaint. Those powers are found at section 33E of the Privacy Act 1988. It provides:

33E Commissioner may accept undertakings

  (1) The Commissioner may accept any of the following undertakings:

    (a) a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

    (b) a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

    (c) a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

  (2) The undertaking must be expressed to be an undertaking under this section.

  (3) The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

  (4) The Commissioner may, by written notice given to the entity, cancel the undertaking.

  (5) The Commissioner may publish the undertaking on the Commissioner’s website.

Enforceable undertakings have been a fixture of consumer protection proceedings at both the State and Federal levels in Australia. The Australian Securities and Investments Commission can accept undertakings under sections 93AA or 93A of the Australian Securities and Investments Commission Act 2001. It is likely that the Federal Court will look to that body of cases relating to undertakings, and to enforcement action for breaches of them, in the event of a breach of an enforceable undertaking under the Privacy Act 1988.

It is important to note, however, that privacy law, particularly that grounded in statute, is discrete and distinctive. Many practitioners whose involvement in the area is sporadic (and some whose involvement is more than sporadic) tend to cobble together principles from other areas of law and apply them to privacy related matters. That leads to strange arguments, not a few logical inconsistencies, and the appearance, on a fairly regular basis, of a round legal argument being rammed into a statutory square hole. A better way of approaching matters when looking for precedents is to look, alongside Australian precedent, at how overseas regulators in common law jurisdictions approach enforceable undertakings and take action for breaches, or bring civil penalty proceedings. In particular …

FTC signs memorandum of understanding with ICO to improve consumer privacy

March 8, 2014

The US Federal Trade Commission and the UK Information Commissioner’s Office have signed a memorandum of understanding to promote increased cooperation between the two agencies in protecting consumer privacy.

The media release (with pictures found here) provides (absent photographs):

The U.S. Federal Trade Commission signed a memorandum of understanding (MOU) with the Information Commissioner’s Office (ICO) of the United Kingdom today to promote increased cooperation and communication between the two agencies in their efforts to protect consumer privacy. 

The MOU was signed by FTC Chairwoman Edith Ramirez and the UK’s Information Commissioner and Chief Executive, Christopher Graham. It is designed to bolster their privacy enforcement partnership at a time when more and more consumer information is moving across national borders, increasing the need for cross-border enforcement cooperation.

“As consumer data increasingly crosses borders, the FTC needs to be able to work with privacy enforcers around the globe …

ICO issues updated privacy impact assessment code of practice

February 26, 2014

The ICO has issued a 48 page updated privacy impact assessment code of practice. Although it is tied to the UK Data Protection Act, it is relevant to practitioners in the Australian environment as well.

The press release (found here) provides:

The Information Commissioner’s Office (ICO) has published …