It is perhaps a telling reflection on the past year that the end of the UK’s transition period with the EU has been a secondary concern for many DPOs in 2020. And yet the end of the transition period may bring the most significant change to data protection in the UK since the implementation of the GDPR three years ago. There remains hope that an adequacy decision may yet be reached, which would allow the UK to continue to access the free flow of personal data provision granted for those within the EU. But organisations cannot rely on this. The stakes are too high, with the risk that the data flow tap from the EU is turned off, and with it the flow of HR records, customer details and data from cloud services. This month’s newsletter is dedicated to the support the ICO continues to offer to help businesses prepare. It includes detail on our upcoming webinar, links to our FAQs, and details on where to find information on instruments like Standard Contractual Clauses that can allow organisations to keep receiving data from the EU. Organisations have overcome so many challenges in 2020. We want to offer our support as you face this final hurdle. Thank you for your support and engagement in 2020, and let’s hope for a more positive and prosperous 2021.

Source: ICO

Data Breach at the NHS

NHS Highland said that 31 people received information from a patient list of 284 people. The information included patients’ contact details, dates of birth and the name of their clinic.

The health board said it has reported the matter to the ICO and is investigating.

Ticketmaster Fined £1.25m

Ticketmaster has been fined £1.25m by the ICO for the data breach in which the personal details and card details of up to 9 million customers across Europe were stolen. Many, including the writer, reported theft from their bank accounts during this period after using Ticketmaster.

Journalist Gatecrashes EU Defence Video Conference

Dutch journalist Daniel Verlaan of RTL Nieuws joined the highly confidential video conference after the Dutch Defence Minister tweeted a photo that showed the meeting’s login address and part of the PIN code. It did not take RTL many attempts to guess the rest of the PIN. John Green, a lawyer at Green CDL, says “this raises serious questions over the security of confidential EU meetings.”

Bristol City Council Email Blunder Reveals Identities of Families with Disabled Children

The local authority sent an email asking for views on a new support service to hundreds of people. The names of all the children and the email addresses of their primary carers were visible to every recipient.
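One way to stop this class of mistake at the point of sending, as an added example in Python (not the council’s software). The page does not say how the addresses were exposed; the example assumes the usual mechanism, a recipient list placed in To or Cc rather than Bcc, and the sender and carer addresses are constructed:

```python
"""Guard against mass mailings that expose every recipient to every other.

Added example, not the council's code. Assumption (not stated on the page):
the addresses leaked because the recipient list was put in To or Cc, which
every recipient can read, instead of Bcc. Sample addresses are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses every recipient of msg can see: everything in To and Cc.
    Bcc is deliberately excluded; smtplib.send_message strips it before
    transmission and uses it only for the envelope recipients."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def exposure_problems(msg, sender, allow_visible=()):
    """Return the reasons the message must not be sent as-is (empty = passes).

    Policy: only the sender, or explicitly allowed shared mailboxes, may appear
    in To/Cc; everyone else must be in Bcc."""
    allowed = {sender.lower(), *(a.lower() for a in allow_visible)}
    leaked = [a for a in visible_recipients(msg) if a not in allowed]
    problems = []
    if leaked:
        problems.append(f"{len(leaked)} recipient address(es) visible in To/Cc: "
                        + ", ".join(leaked))
    if leaked and not msg.get_all("Bcc"):
        problems.append("no Bcc header: the recipient list was pasted into To/Cc")
    return problems


def build_bulk_message(sender, recipients, subject, body):
    """One-to-many message that exposes no recipient to the others:
    To carries only the sender, the real recipients go in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_unsafe_message(sender, recipients, subject, body):
    """The blunder: the whole list pasted into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample data, not real carers or addresses.
SENDER = "support@example.org"
CARERS = ["carer1@example.net", "carer2@example.org", "carer3@example.com"]

if __name__ == "__main__":
    unsafe = build_unsafe_message(SENDER, CARERS, "Your views", "Survey link")
    print("unsafe:", exposure_problems(unsafe, SENDER))
    safe = build_bulk_message(SENDER, CARERS, "Your views", "Survey link")
    print("safe:", exposure_problems(safe, SENDER) or "ok")
```

The check belongs in whatever wrapper actually hands mail to the MTA, so that a draft with hundreds of visible addresses cannot leave the organisation. For surveys and consultations the safer design is one individually addressed message per carer, which also removes the Bcc header from the equation entirely.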

Green CDL offers free EU data protection consultation

If you have any dealings within the EU, the data protection rules that apply to you will change from 1st January. Green CDL is offering a free initial consultation with our lawyer to advise on the steps you need to take. Time is running out; you need to act now.

European Commission releases draft Standard Contractual Clauses for consultation

On 12 November the European Commission released its draft implementing decision and re-drafted sets of Standard Contractual Clauses. There will now be a 4 week consultation period ending on 10 December 2020. John Green, a data protection lawyer from Green CDL says “unfortunately these are unlikely to be approved before the end of the transition period for the UK meaning organisations relying upon these as a safeguard will need to prepare new contracts sometime in the New Year.”

Resident Evil game maker hit with cyber attack

Capcom, maker of popular games such as Resident Evil and Street Fighter, has confirmed that its computer systems have been hacked. It said some of its internal networks had been suspended “due to unauthorised access” from outside Capcom. It further said that “at present” there was no sign that customer information had been accessed. Emma Green, Cyber Security and Data Protection analyst at Green CDL, says “no evidence of customer information having been compromised does not mean that it hasn’t”.

ICO finds seven UK political parties failing at data protection

The ICO audited the parties’ data protection practices and made a number of recommendations for improvement; it is understood that 70% of the findings were classified as urgent or high priority.

Key recommendations for the parties include:

  • providing the public with clear information at the outset about how their data will be used;
  • telling individuals when they use intrusive profiling such as combining information about those individuals from several different sources to find out more about their voting characteristics and interests;
  • being transparent when using personal data to profile and then target people with marketing via social media platforms;
  • being able to demonstrate that they are accountable, showing how parties meet their obligations and protect people’s rights;
  • carrying out thorough checks on all contracted and potential processors and third party suppliers to gain assurances that they comply with the key transparency, security and accountability requirements of data protection law; and
  • reviewing their lawful bases for the different types of processing of personal data used to ensure the most appropriate basis is used.

Covid Cyber Threats

The National Cyber Security Centre (NCSC) has stated that more than a quarter of the incidents it responded to were Covid-related. The true proportion is probably higher, as the reporting period ran from September 2019 to August 2020 and so includes several pre-pandemic months.

The figures show there were 723 incidents during that period, of which 194 were Covid-related. The police have previously estimated that less than 1% of cyber crimes are reported, which would put the real number of cyber crimes during this period at around 72,000 or more.

Housing Association Targeted in Cyber Attack

Flagship Group, based in Norwich, has said that the cyber attack on 1st November took “most of our group’s systems offline”. Its website states “there has been some data encryption and some personal customer and staff data has been compromised”, leading to speculation that this was a ransomware attack.

Cybersecurity Researchers Buy 100 Used USB Drives and Find 75,000 ‘Deleted’ Files

The team, from Abertay University, purchased the USB sticks from an online auction site. Some of the drives contained files named “passwords”, which makes an attacker’s job much easier. Others held tax returns, contracts and bank statements, despite the drives appearing to be empty. The previous owners had deleted the files without realising that deleting a file does not permanently erase its contents: the data remains on the drive and can be recovered with freely available software.
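Why the “empty” drives still gave up their files, as an added example in Python (not code from the Abertay study). Deleting a file drops its directory entry, not its bytes; until those blocks are reused, a signature scan over the raw device (“file carving”, which is what free recovery tools do) finds them again. The disk image, the three sample files and the signature table are constructed here; no real device is read:

```python
"""Why 'deleted' files come back: deletion removes the directory entry, not
the bytes; a header/footer scan over the raw blocks recovers the file.

Added example, not code from the Abertay study. The disk image and the sample
files are constructed in memory; SIGNATURES is a small constructed subset of
what carving tools such as scalpel or PhotoRec know."""
from typing import List, Tuple

# (header, footer) byte signatures for a few common file types.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed minimal files standing in for the tax returns and bank statements.
SAMPLE_FILES = {
    "pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF",
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(13) + b"IEND\xaeB`\x82",
    "jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(8) + b"\xff\xd9",
}


def make_image(files=SAMPLE_FILES, block=512, blocks=64):
    """Lay the files out at block boundaries on a zero-filled 'stick'.

    Returns the image and the offsets used. The image carries no directory,
    which is exactly the state after the owner has 'deleted' everything."""
    image = bytearray(block * blocks)
    offsets = {}
    offset = 3 * block                       # blocks where the directory was
    for kind, data in files.items():
        image[offset:offset + len(data)] = data
        offsets[kind] = offset
        offset += (len(data) // block + 2) * block   # gap between files
    return image, offsets


def carve(image, max_size=1 << 20) -> List[Tuple[str, int, bytes]]:
    """Scan raw bytes for header/footer pairs; return (type, offset, data).

    max_size bounds how far past a header the footer is searched for, so a
    header whose footer was overwritten does not swallow the rest of the disk."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end == -1:                    # header without footer: skip it
                pos = image.find(head, pos + 1)
                continue
            end += len(foot)
            found.append((kind, pos, bytes(image[pos:end])))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[1])


def overwrite_free_space(image):
    """What 'delete' does not do: overwrite the blocks. After deletion every
    block here is free, so the whole image is zeroed. Returns the wiped copy."""
    return bytes(len(image))


if __name__ == "__main__":
    img, offsets = make_image()
    for kind, off, data in carve(img):
        print(f"recovered {kind} at offset {off}: {len(data)} bytes")
    print("after overwrite:", carve(overwrite_free_space(img)))
```

Two caveats a practitioner should keep in mind. Real filesystems fragment files, so a plain header-to-footer scan recovers only contiguous ones; proper tools walk filesystem metadata first. And on flash media, overwriting from the host does not guarantee the cells are cleared, because wear levelling and spare blocks keep old copies out of reach of the operating system; the reliable answers are the device’s own secure-erase command or, better, encrypting the stick from day one so that discarding the key makes any leftovers useless.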

AXN Cryptocurrency Hacked Immediately After Launch

The new Axion network token, AXN, was hacked immediately after its launch on 2nd November. An attacker minted 79 billion AXN and used the AXN Uniswap pool to convert them into around 1,300 Ether (ETH), worth about $500,000. The AXN price fell to zero.

$1 billion Bitcoin Wallet Emptied Ahead of Presidential Election

Almost $1 billion worth of bitcoin held in a password-protected wallet was moved to another wallet ahead of the 2020 US presidential election. The mysterious transaction was noticed by cyber security experts and researchers.

Companies Need to Act Now as Data Protection Requirements Change on 1st January

Following the end of the transition period on 31st December 2020 the UK will become, in the eyes of the EU, a ‘Third Country’ in respect of data protection.

As a result companies in the UK will be treated the same as companies established in other ‘Third Countries’ who have not been granted adequacy status.

You may therefore be required to put an appropriate safeguard (such as Standard Contractual Clauses) in place.

Additionally if you:

  • Offer goods or services to data subjects in the EU
  • Monitor behaviour of data subjects in the EU (such as using cookies on a website)

You will likely be required to designate in writing a representative in the EU.

If you require an appropriate safeguard, an EU representative or just want a free assessment on what is required please contact us for further details.

Green CDL launches Green CDL EU Data Protection OÜ to Act as Companies’ EU Data Protection Representative

Following the end of the transition period companies who offer goods or service to persons in the EU or monitor behaviour of persons in the EU, using such things as cookies on websites, will likely be required to appoint in writing an EU representative.

Green CDL is pleased to announce the launch of Green CDL EU Data Protection OÜ that can act as such a representative from only £149 a month.

Headed by our English lawyer, John Green, Green CDL EU Data Protection OÜ is based in Tallinn, home of the NATO Cooperative Cyber Defence Centre of Excellence.

For further information please telephone 01625 724704 or email us at info@greencdl.com.

Marriott Fined £18.4m as ICO Once Again Backs Down

The ICO has fined the Marriott Hotel chain £18.4m for a major data breach which affected up to 339 million records.

This is a vast reduction on the notice of intention to fine Marriott just over £99m, issued by the ICO back in July 2019, and follows a similar climb-down over British Airways, from £183m to just £20m, only a few weeks ago.

Facebook Sued Over Cambridge Analytica

A group calling itself Facebook You Owe Us is reported to be bringing a class action in the UK against Facebook for allegedly failing to meet its obligations under the Data Protection Act 1998 (the law in force at the time of the alleged conduct).

Facebook says it has not received any documents in relation to the claim.

Patients of a Therapy Clinic Blackmailed Following Data Breach

A number of patients of a large psychotherapy clinic in Finland have been contacted by a blackmailer after their data was stolen in a data breach at the clinic. It is understood the blackmailer is threatening to release personal data, including notes about what was discussed in therapy sessions.

It is believed the data was stolen in November 2018 and a further breach took place in March 2019.

ICO Fines Bury Based Claims Management Company £250,000

During a 6 month period at the start of 2019 the company, Reliance Advisory Ltd, made 15.1 million unsolicited calls in relation to claims management services such as mis-sold PPI.

Experian Issued with Enforcement Notice from the ICO

The credit reference agency has been ordered to make fundamental changes to how it handles personal data following a two-year investigation by the ICO.

Experian has been given deadlines of three and nine months for different parts of the notice, and faces a fine if it does not comply.

The Information Commissioner’s Office (ICO) orders the credit reference agency Experian Limited to make fundamental changes to how it handles people’s personal data within its direct marketing services.

The enforcement notice follows a two-year investigation by the ICO into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes. A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.

As a result of the ICO’s work, all three credit reference agencies (CRAs) made improvements to their direct marketing services business. Equifax and TransUnion made the improvements alongside withdrawing some products and services. The ICO is therefore taking no further action against them.

The investigation found that the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.

The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. This is against data protection law.

Findings from the investigation have been published today in an ICO report into data protection compliance in the direct marketing data broking sector.

Although the CRAs varied widely in size and practice, the ICO found significant data protection failures at each company. As well as the failure to be transparent, the regulator found that personal data provided to each CRA, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes. Some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive.

Other thematic failings identified were:

  • Although the CRAs did provide some privacy information on their websites about their data broking activities, their privacy information did not clearly explain what they were doing with people’s data;
  • Separately, they were using certain lawful bases incorrectly for processing people’s data.

Although Experian made progress in improving compliance, it did not go far enough. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.

Information Commissioner Elizabeth Denham said:

“Our investigation uncovered data protection failings that likely affected millions of adults in the UK. Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.

“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.

“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”

The ICO decided an enforcement notice would be the most effective and proportionate way to achieve compliance in this situation. It is a powerful regulatory tool to require an organisation to stop processing personal data in a certain way and the most likely tool to achieve the results necessary to change behaviour.

The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal.

The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.

For example, it should stop screening prospective customers out of marketing lists on the basis of financial status.

Other key requirements of the notice include:

  • Setting out improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for, and who the data is being sold to and why.
  • Deleting any data supplied to Experian under the lawful basis of consent which is now being processed under a different lawful basis of legitimate interests.
  • Stopping the processing of any personal data that has been collected unlawfully.

The ICO’s engagement and educational work in this area is ongoing, with further audit findings to be published when they are concluded.

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. Article 5 of the GDPR requires that personal data shall be:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date
    • Kept in a form which permits identification of data subjects for no longer than is necessary; and
    • Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
    • Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  4. Section 146 of the DPA 2018 contains a provision for the Information Commissioner to issue an assessment notice. It’s a notice the ICO issues to a data controller or processor to allow it to audit and assess whether they are compliant with data protection legislation.
  5. Section 149 of the DPA 2018 contains a provision for the Information Commissioner to issue an enforcement notice. It orders specific actions by an individual or organisation to resolve breaches (including potential breaches). An individual or organisation can be fined for failing to comply with the terms of an enforcement notice.
  6. Organisations issued with an ICO enforcement notice have the right to appeal to the First Tier Tribunal (Information Rights) within 28 days of receiving the notice.
  7. The ICO investigation into data analytics for political campaigns is one example of where invisible processing and profiling prevented people from exercising their data protection rights. As part of that investigation, the ICO announced that it had served assessment notices to Experian, Equifax and TransUnion (formerly Callcredit) in order to investigate the data broking sector further.
  8. Data broking involves collecting people’s personal data from a variety of sources, then combining it and selling or licensing it to other organisations to support direct marketing.
  9. The scope of this investigation was limited to ‘offline’ data broking. Offline direct marketing services focus on providing marketing to individuals through methods other than the internet. This can include postal, telephone and SMS marketing. It also means that the focus of the profiling activities we investigated and address in this report does not include data collected about an individual’s online behaviours. We are investigating participants in the online advertising industry separately.
  10. The scope of the investigation did not cover online data broking. It also did not extend beyond looking at the provision of marketing services by the data brokers. In the context of the CRAs, this means that the investigation did not look at their credit referencing functions.

Source: ICO website

Wagamama Reported to ICO Over Use of Personal Data from Track and Trace

According to the Sunday Times the restaurant chain used contact details collected using the app to send customers satisfaction surveys, it is also alleged they shared the personal data with a third party. Wagamama has responded by stating “This certainly should not have happened. We’re very sorry”.

Instagram Under Investigation Over Its Handling of Children’s Data

Ireland’s Data Protection Commissioner has launched an investigation into claims that Instagram, which is owned by Facebook, failed to protect children’s data by allowing the email addresses and phone numbers of under-18s to be made public.

Robin Hood Hacking Group Donates Money to Charity

Darkside hackers claim to have stolen millions from companies but have said they want to “make the world a better place”. The group posted receipts for $10,000 in Bitcoin donations to two charities. One of the charities, Children International, said it will not be keeping the donation.

Covid vaccine maker Dr Reddy’s Hit by Cyber Attack

The pharmaceutical company, which is currently developing a Covid-19 vaccine, says it has been hit by a cyber-attack. It is understood this has affected sites globally. The company says it has isolated all of its data centres to try and contain the attack.

Tokyo Olympics Targeted by Russian Hackers According to UK

The Foreign Office has said that Russia’s GRU military intelligence service carried out cyber reconnaissance against officials and organisations involved in the games, with the aim of causing disruption.

Officials gave no details on the specifics of the attack but it is understood it took place before the games were postponed due to the Coronavirus pandemic.

ICO Fines British Airways £20m

The Information Commissioner’s Office has fined British Airways £20m for failing to protect the personal data of more than 400,000 of its customers, which was exposed in a cyber attack in 2018.

This is a vast reduction on the notice of intention to fine BA £183m issued by the ICO back in June 2019.

Hackney Borough Council Hit by Cyber Attack

The London Borough Council says it was hit by a “serious cyber attack” affecting its IT systems. The Local Authority tweeted that services may be unavailable and people should only contact the council if absolutely necessary.

VoIP Provider Leaks Over 350 Million Customer Records

Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, has leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.

The data includes hundreds of thousands of voicemail transcripts, many involving sensitive information such as details about medical prescriptions and financial loans.

Russia Blamed for Cyber Attack on Norway Parliament

The attack on the email system in August was called a serious incident affecting the country’s most important democratic institution by the Norwegian Foreign Minister. She further placed the blame on Russia without offering any evidence to substantiate this claim.

13 October 2020

Information Commissioner Elizabeth Denham highlights the positive results of the ICO’s engagement with the UK devolved administrations on the use of data in the fight against COVID-19.

In times of crisis, the value of collaboration is crucial. That’s been central to the ICO’s approach during the pandemic, whether that’s benefiting from the shared expertise of international colleagues through the Global Privacy Assembly, or working alongside organisations within the UK.

Last month, I wrote about the engagement with the Department of Health and Social Care on the England and Wales NHS COVID-19 app, and how this positive relationship encouraged the necessary consideration of people’s data protection rights within the app.

We have enjoyed similar positive engagement in Northern Ireland, Scotland and Wales, where public health is a devolved matter. My offices have been working closely with the devolved administrations and other public bodies since the start of the pandemic to ensure that any COVID-19-related projects adopted a privacy by design approach.

This work has included advice and guidance on the shielding and manual contact tracing programmes, the collection of customer details, as well as the Data Protection Impact Assessments (DPIAs) for proximity apps in Northern Ireland and Scotland. We provided feedback on areas including automated decision making, improving transparency information and clarity on people’s information rights and legal basis.

Northern Ireland was the first administration in the UK to launch a proximity app, and the first app in the world to have interoperability with another country, in this case with the Republic of Ireland. The NI Department of Health (DoH) used the ICO’s expectations document as reference for prospective developers. To ensure full transparency and open public collaboration, the source code, the related DPIA and correspondence with the ICO on the StopCOVID NI app have been published by DoH.   

The DoH continued to engage with my office in Northern Ireland while working on the recent update of their app, which is now available to children aged 11 and above. We were clear that children’s privacy and level of understanding must be considered in all aspects of the app’s design.

The Scottish Government has worked openly and transparently with my Edinburgh office to ensure people’s information is being handled appropriately. This engagement assisted in increased understanding of the data flows and helped, in the case of the Protect Scotland App, to produce a clear, unambiguous and accessible DPIA that has received very positive feedback.                    

And my team in Wales played a key role in facilitating and supporting discussions between health bodies and local authorities as the Test, Trace, Protect programme was developed. The collaboration from the authorities involved in the delivery of the programme allowed us to provide advice that will help reassure the Welsh public that their data is being processed lawfully.  

Additionally, our engagement with DHSC around the development of the England and Wales COVID-19 app meant that we were able to provide timely and relevant advice to the Welsh Government on how the app would impact the personal data of Welsh citizens.

Our regional support has not just been about working with the public sector. Our local advice services have been busy dealing with enquiries from businesses, organisations and members of the public based in Northern Ireland, Scotland and Wales, providing tailored advice reflecting any differences in the devolved approaches to the COVID-19 response and information rights more generally. In Wales, this includes the provision of advice in the Welsh language for Welsh speaking stakeholders.

What’s important throughout is that people’s privacy rights are being considered at the heart of those apps and services. That’s crucial to trust, so people have the confidence to download an app or to hand over their data to help suppress the spread of COVID-19.

Our responsibility as a regulator is to support and advise organisations to comply with data protection law. And my regional offices are best placed to provide guidance to and engage with the three devolved administrations and other local stakeholders to ensure people’s privacy continues to be protected.

Source: ICO website

H&M fined $41M for tracking workers’ personal lives using company database

The Data Protection Authority of Hamburg has fined retailer H&M more than €35 million for allegedly tracking hundreds of employees’ personal lives on a company database.

Meticulous notes were kept on workers’ vacations, illnesses, religious beliefs and family problems starting in at least 2014. These were then used to evaluate work performance and make decisions on their employment.

The tracking only came to light when, in 2019, a data breach caused by a configuration error revealed how much data H&M was collecting about the private lives of its employees. 

School payments service Wisepay hit by cyber-attack

Parents who have in recent days made payments using this service have been warned their card details may have been stolen. Wisepay confirmed a hack on its website allowed hackers to harvest card details between 2nd and 5th October via a fake website. The hack affected payments to approximately 300 schools.

ICO fines company £40,000 for sending up to 9,000 spam emails

Studios MG Ltd sent the emails at the height of the pandemic in an attempt to sell face masks. The ICO’s investigation found that the company was not in the business of selling PPE; its director had decided to buy masks and try to sell them on at a profit.

Chastity Belt security flaw

Security firm Pen Test Partners found a security flaw in a male chastity device made by a Chinese manufacturer. The flaw allows an attacker to lock the device remotely, and the device has no manual release. The manufacturer was slow to react to the disclosure but has since said that users can open the device with a screwdriver.

Parliamentary enquiry concludes there is “clear evidence of collusion” between Huawei and the Chinese Communist Party

The House of Commons defence committee based its findings on the testimony of academics, cyber security experts and telecom industry insiders. The Chinese giant responded by stating “this lacks credibility as it is built on opinion rather than fact”.

Troubled former tech giant John McAfee arrested in Spain

The former anti-virus and bitcoin entrepreneur now faces extradition to the US, where he has been charged with tax evasion. If convicted he could face up to 30 years in prison.

Statement on the outcome of the ICO’s compulsory audit of the Department for Education

The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education (DfE) carried out in February 2020.

The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were made, with over 60% classified as urgent or high priority.

The ICO’s primary responsibility is to ensure compliance with the law and its policy is to work alongside organisations committed to making the necessary changes to improve data protection practice.

Throughout the audit process the DfE engaged with the ICO and showed a willingness to learn from and address the issues identified. The Department accepted all the audit recommendations and is making the necessary changes.

The ICO continues to monitor the DfE, reviewing improvements against pre-agreed timescales. Enforcement action will follow if progress falls behind schedule.

The ICO carried out the compulsory audit following complaints received in 2019 regarding the National Pupil Database.