Mills & Reeve: Technology Law Update

Enter your email address:

Delivered by FeedBurner

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

Data protection

New PCI DSS Cloud Computing Guidelines

On 7 February, the PCI (Payment Card Industry) Security Standards Council issued the PCI DSS Cloud Computing Guidelines Information Supplement.  The PCI Security Standards Council develops, manages and raises awareness around payment data security though its PCI Data Security Standard (PCI DSS).  PCI DSS compliance is a benchmark for online merchants and payment service providers.  The Cloud Computing Information Supplement sits alongside, and does not replace, PCI DSS.  The guidance will be of use to both cloud service providers and merchants using cloud technologies for the storage and processing of cardholder data.  Using the guidance will help cloud providers and cloud customers to identify and define their respective security responsibilities, a process that is essential in achieving and maintaining PCI DSS compliance.

Posted by on 07/02/2013 at 14:50 | | Comments (0)

Data security - what's 2013 got in store for you?

Over the last month or so, we've seen a few reports and comments from the Information Commissioner's Office (ICO) concerning data security and use of data. Here’s a round-up of a few key stories:

1. Data audits

Christopher Graham is recommending regular data audits for local government and the NHS to reduce the need for fines relating to “stupid basic errors” like sensitive information being left on an unencrypted memory stick (which of course then gets lost or left behind…). Although Graham was addressing concerns about fines in the public sector, the principle behind conducting regular data audits is a sound one for the private sector as well, and particularly for companies that hold a lot of personal data.

An audit allows a company to take stock of what practices need urgent attention, what it is doing well and how it can continue to improve data security. It is also a useful opportunity for companies to give staff a refresher on what they should and shouldn’t be doing in relation to data security.

2. Data protection reforms

The ICO has recently published its latest thoughts on the proposed reforms to the Data Protection Directive, which you can read here.

It believes that this is likely to be a key topic over the coming year and there is going to be a lot of focus on getting the reforms in place by 2014 at the latest (as the European Parliament and European Commission is due for re-appointment at that time).

By that point the process will have taken around six years in total. Given the technological advances made in that time, will the new legislation be out of date before it even gets used? Only time will tell…

3. Cookie enforcement

In December, the ICO published its latest report on cookies and a summary of the enforcement activities it has undertaken since the new legislation came into force.

Unsurprisingly (if you have used the internet at all over the last few months), the ICO says that consent banners are now the most commonly used means of obtaining explicit consent and, for the first time, the ICO has actually given examples of some popular websites using these banners.

So far only one website the ICO has looked at has been given a deadline for compliance due to its failure to take any steps at all to request consent to use cookies. If it doesn’t comply within the specified timeframe, the ICO is threatening to name and shame (which would be the first under the new regime) – probably enough of an incentive for most to take action.

Posted by on 05/02/2013 at 20:01 | | Comments (0)

Happy New Year data processors!

It looks like Europe’s Article 29 Working Party on data protection’s New Year’s resolution was to be helpful to data processors, as it has decided to launch Binding Corporate Rules (“BCRs”) for data processors from 1 January 2013. Previously, using BCRs to manage cross-border personal data flows was only an option for data controllers. 

As a reminder, BCRs are a set of rules which an entity can voluntarily put in place between members of its corporate group, wherever they are located. The rules need to be blessed by the Information Commissioner, but once that has been achieved they provide some valuable benefits, including:

  1. they allow personal data to be transferred freely intra-group; and
  2. the whole corporate group is considered “adequate” under European data protection law meaning each member is able to receive personal data from others - so safeguards do not have to be assessed each time data is going to be transferred by a processor outside of the EEA and other adequate jurisdictions.

Data controllers (any entity which processes personal data relating to, say, its own employees) have been able to benefit from BCRs for some time but now data processors, like multinational outsourcing companies and cloud service providers which process personal data (e.g. payroll, or medical data) as part of their external business operations (i.e. the services they offer to customers), will be able to take advantage. So an outsourcer based in the EEA could collect personal data from a customer located in the EEA, and then transfer that data to a subsidiary in India, under cover of the group BCR’s. Obviously many outsourcers and cloud service providers use this business model now, but data protection compliance is an ongoing task signing up to the approved model clauses with each new customer.

Putting BCR’s in place and obtaining ICO approval is not a particularly quick or easy procedure, but it is a one off – apart from some required notifications. This new development offers an interesting opportunity for organisations which process significant amounts of customer personal data, to potentially cut costs, reduce compliance risks, and perhaps find a new selling point as an ICO-approved cross-border data protection compliant service provider. Obviously someone in marketing might want to come up with a catchier strap line.

Posted by on 11/01/2013 at 10:24 | | Comments (0)

Subject access requests - don't miss your opportunity to comment on the new code of practice

The Information Commissioner's Office (ICO) has just launched a consultation on a new draft code of practice for organisations dealing with subject access requests.

We are often asked for guidance about what needs to be disclosed to an employee following a subject access request. The code of practice is intended to explain the relevant rules in clear and simple language and the aim of the consultation is to gather comments on how it can be improved so that organisations can easily understand and apply those rules.

The closing date for the consultation is 21 February 2013. It can be accessed here.

Posted by on 14/12/2012 at 16:30 | | Comments (0)

Technorati Tags: , , ,

ICO sets the records straight - businesses can be fined for not keeping theirs in order

Monetary penalties from the ICO in relation to breaches of the Data Protection Act 1998 (“DPA”) have become associated with organisations losing significant amounts of personal data, sometimes in more obscure ways such as a disposal in a supermarket car park recycling bin. Yesterday the ICO announced that it had served its first monetary penalty which did not relate to a data loss. Prudential was served with a monetary penalty of £50,000 for mistakenly merging records of two customers who shared the same first name, surname and date of birth. In addition, Prudential failed to rectify its mistake despite being contacted on several occasions.

This decision should serve as a reminder that businesses should ensure that any personal data held, be it of employees or customers, is accurate and up-to-date (in order to comply with Principle 4 of the DPA) and that they ensure appropriate follow-up action is taken upon receipt of notifications by customers which state that details held about them are incorrect.

Posted by on 07/11/2012 at 10:59 | | Comments (0)

Notification process for data controllers - ICO consultation

The current notification system for data controllers and the look of the register may be set to change in the new year. The Information Commissioner's Office has launched a consultation for the public and data controllers to obtain their views on how the notification process can be made easier and the register more user friendly. The consultation closes at 5pm on 30 November and the consultation documents can be found on the ICO website here. The ICO will then aim to publish a summary of the responses and the ICO's reaction to them by the end of January 2013.

Posted by on 02/11/2012 at 09:28 | | Comments (0)

Data protection - he's IC

The first time I saw Christopher Graham speak (he's the UK's Information Commissioner), I thought he still had a bit to learn about his new role. He was about to take office and gave a speech at an event (I've forgotten which one). He gave us a relatively bland snippet of information about his forthcoming reign (sufficiently bland that I can't remember what it was - maybe something about strategy or enforcement). The only bit that sticks in my mind is that he asked us to observe 'Chatham House rules' before he gave it.

Now for someone about to take the top job in information in the UK, charged with enforcing the 'right to know', I thought this was a little naive. It didn't seem to be very sensitive - but even if it was, there was no reason why we, probably a bunch of lawyers and civil servants, should have had privileged access to it. The ICO's in the public sector too, isn't it?

All of which is a slightly unfair way to introduce the fact that I saw him speak again yesterday at pdp's annual Data Protection Compliance Conference. What struck me most from his talk was that the current version of the General Data Protection Regulation is likely to be rather closer to the version that comes into force than I'd perhaps appreciated.

What does this mean for tech businesses?

- If you thought the Data Protection Directive/Act was difficult and they might make things easier, you'll be disappointed. They've cherry picked 'best practice' from across the EU and codified it - the Regulation is much bigger and much more onerous for businesses.
- If you hold data on behalf of your customers and currently take comfort that you are a mere 'data processor', think again. You'll have a raft of new obligations under the new Regulation.
- This probably means revisiting all your standard customer contracts to make sure you have proper protection.
- And it probably means revisiting any existing contracts too - there's not currently any carve-out for contracts signed before the Regulation comes into force.
- Start budgeting now for your Data Protection Officer and his or her team. If you've more than 250 employees or process a lot of data you'll be required to have one (and will probably need one to make sure you comply with your other obligations anyway).
- Don't take this lightly. The ICO will be able to impose penalties of up to 2% of turnover - and is quite likely to target data processors early on to set an example.

There's a whole lot more too. On the bright side, the law hasn't been finalised yet - so there's still time to lobby your MEP or tell the government if you're worried. And the IC made clear that he feels that the draft Regulation is too prescriptive - so he'll be trying to keep things in check. But he also made clear that people should start readying themselves for change because, diplomacy notwithstanding over the next year, something looking rather like the current draft is probably coming our way.

Posted by on 19/10/2012 at 17:47 | | Comments (0)

Navigating the clouds for data outsourcing

The ICO yesterday released new guidance for businesses on outsourcing of data handling to cloud network providers. A copy of the guidance can be found here.

Posted by on 28/09/2012 at 15:14 | | Comments (0)

Technorati Tags: , ,

Cookies – the road to compliance

You will no doubt have been aware of the 26 May 2012 deadline, which heralded the end of the Information Commissioner's grace period for website owners to comply with the change in law in relation to the use of cookies.

Looking back at our old Naked Law blog, we wrote quite a lot of posts about cookies, the upcoming change in law requiring “explicit consent” from users and what website owners needed to be doing to comply (in fact my very last post dealt with the subject – see here). But where are we now, four months on from the big 'doomsday' deadline?

The main change I have noticed is the use of many different types of banners, roll-over links and cookie policies popping up on websites I visit, which highlight which cookies are being used and how. Many of these aren’t strictly compliant with the letter of the law, because they don’t actually ask a user to consent. Examples of these are where:

  1. there is just a link to the website’s cookie policy;
  2. there is a banner or pop-up saying you are ‘deemed’ to accept the use of cookies by continuing to use the website; or
  3. you can continue to use the website without actually ticking the ‘I consent’ box (unless cookies are automatically switched off until you tick the box, which probably isn’t the case for most websites).

I can’t really be said to have “explicitly” consented to the use of cookies in any of the above examples. However, it does show that website owners are 'taking steps' towards compliance in order to avoid the threat of enforcement action being taken against them by the ICO. Most will also see this as a ‘safety in numbers’ approach.

The problem with where we have got to now is that everyone just seems to be sitting and waiting for someone else to come up with a strictly compliant solution which doesn’t effect user experience, rather than actually working on alternatives themselves. That may be a bit of a generalisation, but I haven’t seen or heard of any new solutions so far. Perhaps, being in the technology sector, one of you can prove me wrong?

In case you have somehow managed to miss the whole debate so far, the ICO's guidance on the new requirements is available through this link.

Posted by on 21/09/2012 at 10:00 | | Comments (0)

New ICO Guidance on Deleting Personal Data: Avoid Total Recall

The fifth principle set out in the Data Protection Act is that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". As personal data can be processed simply by being stored, the fifth principle requires the deletion of personal data (plural) when they no longer need to be held for the purpose for which they were collected. It is important to be aware that if personal data are archived in a standard, retrievable manner, instead of being deleted, the rules of data protection (including subject access rights) will still apply to that data. Readers may recall that Google's failure to comply with the fifth principle hit the headlines this summer when it admitted that it had not deleted certain user's data gathered during surveys for its Street View service, an issue that is currently being examined by the Information Commissioner's Office (ICO).

The ICO has now acknowledged that "deletion" can mean different things in relation to electronic data and published detailed guidance on how organisations can comply with the requirements for deleting electronic data. Notably, the ICO accepts that it is possible to put information "beyond use" and for data protection compliance issues to be suspended if the data controller organisation holding it:

  • is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way
  • does not give any other organisation access to the personal data
  • surrounds the personal data with appropriate technical and organisational security, and
  • commits to permanent deletion of the information if, or when, this becomes possible.
This new guidance will be relevant to all organisations that have to, or wish to, delete personal data and we recommend giving it a read.

Posted by on 20/09/2012 at 17:33 | | Comments (0)

Technorati Tags: , , , , , , , , , ,