Tag: ICO

ICO agitates for prison sentences, not just fines

An ex-Barclays bank employee has been fined over £3,000 by the Information Commissioner’s Office for accessing private customer records. But the case has led the ICO to call for stricter punishments, including the threat of prison.

Jennifer Addo, 27, appeared at Croydon Magistrates Court today. She was prosecuted under section 55 of the Data Protection Act and fined £2,990 for 23 offences, as well as being made to pay out £250 in a victim surcharge and £120 prosecution costs.

The branch identified Addo when a customer reported that information about his account had been passed on to a partner. Addo had illegally gained access to the same customer’s details 22 times between 10 May 2011 and 8 August 2011.

Addo was aware that she was not supposed to access customer details but confessed she decided to look anyway, passing information on to her friend. The ICO had been in touch with Addo but received no response until the prosecution today.

Stephen Eckersley, head of enforcement for the ICO, said that for all the banking industry’s safeguards, it still relies on the honesty of staff to respect private records.

“This case proves, yet again, why we need a more appropriate penalty for the crime of personal data theft,” Eckersley said. “With the law as it stands, this prosecution isn’t even recorded on the police national computer which means that an offender could apply for a job in a high street bank tomorrow and the potential employer wouldn’t be informed about the offence.

“The current ‘fine only’ regime is clearly not deterring people from breaking the law,” Eckersley said.

In addition to the fine, Addo lost her job at Barclays.

The ICO is using this particular case to agitate for what it calls more effective “deterrent sentences” – among them prison time.

Privacy group alleges Google ignores UK law

A campaign group, Safari Users Against Google’s Secret Tracking, claims to have seen legal documents filed by Google where the company declares itself exempt from UK privacy laws.

Google, the group said, would not accept service of the lawsuit in the UK – meaning the group would have to take the fight to California. The claim makes note of Google openly saying tracking cookies were installed on PCs and mobiles when people used Apple’s Safari browser, even after users had chosen to block them – letting the company track the browsing habits of Safari users without their consent.

In the US, Google paid a $22.5 million settlement to the FTC, when the company was caught out by a law student and security researcher.

A claimant in Britain, Marc Bradshaw, said in a statement: “It seems to us absurd to suggest that consumers can’t bring a claim against a company which is operating in the UK and is even constructing a $1 billion headquarters in London”.

“If consumers can’t bring a civil claim against a company where it operates, the only way of ensuring it behaves is by having a robust regulator,” Bradshaw said. He pointed out that the ICO will only fine Google if it breaks the law but “Google clearly doesn’t think that it is bound by that law,” Bradshaw said.

“Fines would be useless because Google earns more than the maximum fine in less than two hours,” Bradshaw continued. “With no restraint Google is free to continue to invade our privacy whether we like it or not”.

Law firm Olswang, representing the claimants, wrote a letter to the ICO proposing alternative sanctions – as the fines will only be a drop in the ocean for Google. The firm proposed plain English warnings on Google’s search home page about how it collects and tracks data, reversing Google’s merger of data across all services, and placing a prominent apology on Google’s search home page.

Olswang’s Dan Tench said the ICO’s response was dismissive, but that a “leading QC” disagrees and “has advised that the Information Commissioner does have stronger powers”.

“We note that France’s regulator, CNIL, has been more robust,” Tench said, “announcing a final ultimatum to Google to ensure quickly that its privacy policy complies with European law”.

Last week, the US’ Consumer Watchdog said Google had openly acknowledged that users of the Gmail service could not expect “legitimate” privacy with regard to their information and third parties. When questioned about this, an ICO spokesperson said, responding to TechEye:

“We have an ongoing investigation into whether Google’s privacy policy complies with the UK Data Protection Act. We have raised concerns with Google that its existing policy does not provide sufficient information to enable UK users of its services to understand how their data is being used.

“Failure to take the necessary action to improve the policy’s compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

ICO confirms Google must change privacy policy

The Information Commissioner’s Office has today written to Google, confirming that its privacy policy was not specific enough and that the updated policy raises “serious questions about its compliance with the UK Data Protection Act”.

The ICO said the updated policy doesn’t inform users enough about how Google will use their data across its products.

Google now must change its privacy policy to clear it up for individual users, and failure to do so will leave it open to “the possibility of formal enforcement action”.

In June this year, the ICO told Google to bin Street View data it “mistakenly collected” and had accidentally held onto, but let the company off without a fine.

The ICO promised it would be keeping a close eye on Google’s actions, and the ruling came as Google was placed under scrutiny by other European countries and the European Commission itself. 

Indeed, the ICO was working in tandem with other members of the Article 29 Working Party – 27 other authorities from around Europe – and promises to work towards protecting individual privacy.  

So far, the EC has posed the most serious threat to Google. Failure to comply with EC orders could actually touch Google’s profits in a significant sense, compared to the hundreds of thousands or tens of millions it gets threatened with elsewhere.

Google escapes fine in Street View data theft

Google has been ordered to get rid of data the company “mistakenly collected” as its Street View cars mapped the United Kingdom – but the Information Commissioner’s Office has let the company off without a fine.

The ICO has promised that it will be paying close attention to Google’s operations and will “not hesitate to take action” if there are more privacy breaches in the future.

In a statement, the ICO claimed that its decision regarding Google’s 2010 data snooping – which saw Street View cars picking up private information relating to personal wi-fi – was correct. The collection of payload data, the ICO found, was a result of “procedural failings” and a “serious lack of management oversight including checks on the code”.

However, the ICO said there wasn’t enough evidence to prove that, on this occasion, Google intended to collect personal data.

Critics would say data collection is central to the company’s business model.

During initial investigations, further personal information was found – which Google promised to securely destroy. It later emerged that Google had held onto the data.

The ICO’s enforcement notice reads:

“(1) Within 35 days of the date of this notice the data controller shall securely destroy any personal data within the meaning of the Data Protection Act 1998 held on vehicle discs and collected in the UK using Street View vehicles (to the extent that the data controller has no other legal obligations to retain such data) and,

(2) If the data controller subsequently discovers a Street View vehicle disk holding personal data and collected in the UK it shall promptly inform the Information Commissioner.”

“The ICO has concluded that the detriment caused to individuals by this breach fails to meet the level required to issue a monetary penalty,” the statement said.

ICO head of enforcement Stephen Eckersley said: “The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information. The punishment for this breach would have been far worse, if this payload data had not been contained”.

At the time, Google pinned the non-consensual gathering of personal data on rogue code and distanced itself from culpability.

Essentially, Google has gotten off lightly. Considering previously imposed financial penalties, had the ICO issued a fine, it would not have been much more than a slap on the wrist, given Google’s relative size.

But the ICO did acknowledge it is still investigating whether Google’s privacy policy itself complies with the Data Protection Act.

This investigation is running concurrently with others across Europe, and is designed to assess whether Google is clear enough about how it uses personal information.

The Office pledged to approach Google “shortly” to confirm preliminary findings. 

Snooper's Charter blasted by MPs, Nick Clegg

Plans to introduce a “Snooper’s Charter” have received a wave of criticism, with MPs, public bodies and even the deputy Prime Minister attacking the Draft Communications Data Bill. 

A Joint Select Committee rejected initial plans to allow law enforcement agencies to access currently obtainable data such as in email communications, with proposed powers to monitor online data scaled back.

The scope of plans to monitor data should be significantly decreased, committee chair Lord Blencathra said, with major changes required to the Bill.

“There needs to be some substantial re-writing of the Bill before it is brought before Parliament as we feel that there is a case for legislation, but only if it strikes a better balance between the needs of law enforcement and other agencies and the right to privacy,”  Blencathra said.

The Lord added that there is “a fine but crucial line” between giving law enforcement and security agencies access to the information necessary for national security, and allowing UK citizens to go about their daily business “without a fear, however unjustified, that the state is monitoring their every move”.

Home Secretary Theresa May previously put forward plans which she claimed would protect against terrorism, for example, by handing police and other agencies improved powers to monitor electronic communications. However, the committee argued that May should not be given “carte blanche” to order the retention of all types of data. The committee also rejected claims that it is necessary to put in stricter measures to ensure that plans are ‘future proofed’.

According to the committee recommendations, the types of data that are accessible should be reduced, with MPs able to vote on whether service providers should have to collect IP address data from subscribers, for example. The number of public bodies able to access the data should be lowered, the committee recommended.

In addition, MPs said that there should be more consultation with privacy groups to avoid the gung-ho approach that has drawn widespread criticism from external bodies.

However, the committee indicated that it would be happy to pass proposals if they are changed to meet the recommendations.

The plans also received criticism from deputy PM Nick Clegg, who said that plans to increase powers to monitor online communications need to go “back to the drawing board”.

“It is for those reasons that I believe the coalition Government needs to have a fundamental rethink about this legislation,” Clegg said.  “We cannot proceed with this bill and we have to go back to the drawing board.”

The Information Commissioner Christopher Graham also took aim at the recommendations, highlighting the problems the strict rules initially proposed by the government would cause for the ICO as regulator. Retaining more data, and for longer periods of time, would also be a drain on public finances, Graham said.

“My concern is around the adequacy of the proposed safeguards that the ICO would be responsible for regulating,” Graham said. 

“Ensuring the security of retained personal information and its destruction after 12 months would require increased powers and resources, and as it stands today we’ve not been given clear advice on where that will come from,” he said.

The Home Secretary defended the bill in a newspaper column today, stating that she is “determined” to see through the web monitoring plans.

Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, told TechEye:

“The committee has exposed weak evidence, misleading statements and fanciful figures and unanimously rejected this draft Bill’s proposal to monitor everyone’s emails, web visits and social media messages.

“The complexity and sensitivity of the subject required a radically different process and a totally different bill. There are challenges, but they can be solved in a proportionate way that protects privacy, is based on what is technically possible and focuses on maximising the effectiveness of data already held.

“After such a damning report, Parliament cannot support the draft Bill and it is now essential that if proposals are brought forward, they are comprehensively re-written and based upon the clear evidence and proper consultation that this draft Bill fundamentally lacked.”

Prudential vanishes retirement money

The Information Commissioner’s Office (ICO) has fined Prudential for bungling two customer accounts which put tens of thousands of pounds of retirement fund money into the wrong account.

The company merged two accounts whose holders shared the same first name, last name, and date of birth. Presuming they were the same person, Prudential went ahead and joined them up, resulting in years of confusion for both account holders – with the problem only resolved three years later in September 2010.

Prudential had been told of the mistake several times, including by one of the customers, who insisted his address had been the same for over 15 years. The ICO says the company didn’t bother to take any action, which is why the ICO slapped a £50,000 fine on Prudential – for failing to act for another six months.

The ICO’s head of enforcement, Stephen Eckersley, said in a statement that firms should make sure the data they keep on customers is kept up to date. “In this case, two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved,” Eckersley said. “This case would be considered farcical were it not for the serious sums of money involved”.

Rather than headline-grabbing data losses, Eckersley noted, the majority of complaints to the ICO are about inaccuracies and other problems regarding misuse of information. He highlighted that inaccurate information on a customer’s record can have a serious impact on someone’s life.

Of course, Prudential will not exactly be shaking in its boots. First half 2012 results for the company reveal International Financial Reporting Standards and new business profit of £1.16 billion and £1.14 billion respectively. 

Which means the £50,000 fine is the grand sum of 0.000004 percent of the company’s £1.14 billion first half new business profit alone.

*EyeNote Considering the company’s namesake: Prudential can be defined as “of, pertaining to, characterised by, or resulting from prudence.” Prudence can be defined as “caution with regard to practical matters; discretion”.

Watchdog slams police with £120,000 data breach fine

The Information Commissioner’s Office (ICO) has slapped a police force with a £120,000 penalty after it was found guilty of a serious data breach.

Greater Manchester Police was taken to task following an ICO investigation prompted by the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations.

Delving deeper, the ICO found that a number of officers across the force regularly used unencrypted memory sticks, which it said may also have been used to copy data from police computers to access away from the office.

It said it was about time for the force to learn its lessons after a similar security breach in September 2010. The force was found to have neglected to put restrictions on downloading information, or sufficiently training staff in data protection.

The ICO imposed a penalty of £150,000. However, as the force paid it early it was able to take advantage of a 20 percent early payment discount, bringing the cost down to £120,000.

David Smith, ICO Director of Data Protection, said it should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.

HIV records from NHS trust accidentally sold on the web

The Information Commissioner’s Office has come down hard on the Brighton and Sussex University Hospitals NHS Trust.

The watchdog has slapped the trust with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA).

And security experts have said they are not surprised at the fine, which is the highest the ICO has issued since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, which was found on hard drives sold on an internet auction site in October and November 2010.

The ICO said some of the information also related to HIV and Genito-Urinary Medicine (GUM) patients, as well as details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, as well as information referring to criminal convictions and suspected offences.

According to the ICO the data breach occurred when an individual was given the task of destroying the 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

However, a data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.

The ICO at the time was appeased with claims that these were the only four rogue disks. However, in April 2011 it was contacted by staff at a university, which advised them that one of their students had purchased hard drives via an internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The ICO said the trust had been unable to explain how the individual removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy from the hospital during their five days on site.

It said they were not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital was publicly accessible.

Security and communications expert Chris McIntosh, CEO of ViaSat UK, told TechEye that the fine wasn’t a surprise.

“While previously focused against local government, the ICO’s penalty powers have come more and more to bear on the NHS in recent months,” McIntosh said. “This isn’t too surprising: as one of the largest handlers of personal data in the UK, and given the sensitivity of much of that data, the NHS has had many more opportunities for such a catastrophic breach to occur.”

“At the same time,” McIntosh said, “a recent FOI request showed that the NHS was the most reported organisation in terms of lost data and hardware at 40 out of 108 cases nationwide in 2011 / 2012 and, more damningly, insecure disposal of data, responsible for more than twice as many cases as the entire private sector.” 

“With these statistics, a penalty of this magnitude was inevitable,” McIntosh continued. “Organisations need to learn from this and all of the ICO’s penalties: data must be encrypted and correctly destroyed, hardware must be kept under lock and key and contractors must be thoroughly vetted to ensure that standards are met.”

Last month the ICO issued a London Community Healthcare trust with a fine of £90,000 after it found it in serious breach of the Data Protection Act.

NHS Trust faxed patient data to the wrong number for three months

A London Community Healthcare trust has been slapped with a fine of £90,000 after the Information Commissioner’s Office found it in serious breach of the Data Protection Act.

The watchdog, which had its website hacked last week amid accusations that it didn’t protect citizens’ privacy enough, first became aware of the NHS Trust’s wrongdoing back in March 2011.

This was after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient.

The patient lists were said to contain sensitive personal data relating to 59 individuals. This included medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The individual informed the Trust in June that they had been receiving the patient lists, which consisted of around 45 faxes over a three month period. However, they claimed that to protect privacy, they had shredded them.

The ICO conducted an investigation that found the trust had failed to have sufficient checks in place to ensure sensitive information sent by fax was delivered to the correct recipient. It also barked at the trust for failing to provide robust data protection guidance and training to the members of staff that had accidentally sent the faxes.

Stephen Eckersley, the ICO’s Head of Enforcement, said that the fact that this information was sent to the wrong recipient for three months without anyone noticing made the case “all the more worrying”.

UK government watches cookie deadline whizz by

With a deadline for cookie laws set to take effect next week, many government websites will fail to comply, according to the Cabinet Office.

Following a 2011 EU directive the Information Commissioner’s Office gave all UK sites until the 26th of May this year to meet guidelines for cookies that would involve site visitors opting in to having their data recorded.

However, the government has admitted that it is a long way off meeting the guidelines. A Cabinet Office spokesperson told the BBC that the government is working to complete compliance at the earliest possible date.

Many in the private sector have been slow to comply with the guidance, and government departments are no different, the Cabinet Office said.

In fact, the “majority” of departments will fail to meet the deadline.

While the ICO is unlikely to be happy about even the government ignoring its guidance, it appears that there should be some leniency for those who are showing a “strong commitment” to make changes – eventually, at least.

Last year, communications minister Ed Vaizey gave his backing to the EU directive, saying that the government would allow one year for a gradual roll out of the new guidelines.

Upon releasing the guidelines last year, the ICO said that it would not fine those who had not complied by the deadline, stating that the government was expecting a “phased approach to implementation”.

However, as the ICO deadline zooms by next week with little action from the public or private sector, the ICO might have to change its tune.

Open Rights Group Executive Director Jim Killock said, speaking with TechEye, that the latest embarrassing development in the cookie saga is thanks to a continued lack of clarity from the government.

“This shows a remarkable reluctance to grapple with the fact that users should be asked before data is collected about them and shared in ways they wouldn’t expect,” Killock told TechEye. “They should be showing the lead, and if they are not then they are part of the problem.”

Killock believes one of the biggest problems has been a lack of clarity from the government about how best it can proceed with the cookie law implementation.

“The government should come clean and explain precisely what data is being given to whom and in what way,” Killock said. “That would go a long way to exposing exactly what needs to be done.

“A lot of the questions around cookie compliance are overblown – really we are talking about a very small number of cases around analytics which could be solved quite easily, particularly if they worked with Google to ascertain that data is not being shared across Google’s service, which can be done,” Killock said.