Over the last month or so, we've seen a few reports and comments from the Information Commissioner's Office (ICO) concerning data security and use of data. Here’s a round-up of a few key stories:
1. Data audits
Christopher Graham is recommending regular data audits for local government and the NHS to reduce the need for fines relating to “stupid basic errors” like sensitive information being left on an unencrypted memory stick (which of course then gets lost or left behind…). Although Graham was addressing concerns about fines in the public sector, the principle behind conducting regular data audits is a sound one for the private sector as well, and particularly for companies that hold a lot of personal data.
An audit allows a company to take stock of what practices need urgent attention, what it is doing well and how it can continue to improve data security. It is also a useful opportunity for companies to give staff a refresher on what they should and shouldn’t be doing in relation to data security.
2. Data protection reforms
The ICO believes that this is likely to be a key topic over the coming year and that there is going to be a lot of focus on getting the reforms in place by 2014 at the latest (as the European Parliament and European Commission are due for re-appointment at that time).
By that point the process will have taken around six years in total. Given the technological advances made in that time, will the new legislation be out of date before it even gets used? Only time will tell…
3. Cookie enforcement
Unsurprisingly (if you have used the internet at all over the last few months), the ICO says that consent banners are now the most commonly used means of obtaining explicit consent and, for the first time, the ICO has actually given examples of some popular websites using these banners.
It looks like Europe’s Article 29 Working Party on data protection’s New Year’s resolution was to be helpful to data processors, as it has decided to launch Binding Corporate Rules (“BCRs”) for data processors from 1 January 2013. Previously, using BCRs to manage cross-border personal data flows was only an option for data controllers.
As a reminder, BCRs are a set of rules which an entity can voluntarily put in place between members of its corporate group, wherever they are located. The rules need to be blessed by the Information Commissioner, but once that has been achieved they provide some valuable benefits, including:
Data controllers (any entity which processes personal data relating to, say, its own employees) have been able to benefit from BCRs for some time, but now data processors, like multinational outsourcing companies and cloud service providers which process personal data (e.g. payroll or medical data) as part of their external business operations (i.e. the services they offer to customers), will be able to take advantage. So an outsourcer based in the EEA could collect personal data from a customer located in the EEA, and then transfer that data to a subsidiary in India, under cover of the group BCRs. Obviously many outsourcers and cloud service providers use this business model now, but data protection compliance is an ongoing task of signing up to the approved model clauses with each new customer.
Putting BCRs in place and obtaining ICO approval is not a particularly quick or easy procedure, but it is a one-off (apart from some required notifications). This new development offers an interesting opportunity for organisations which process significant amounts of customer personal data to potentially cut costs, reduce compliance risks, and perhaps find a new selling point as an ICO-approved, cross-border data protection compliant service provider. Obviously someone in marketing might want to come up with a catchier strapline.
The Information Commissioner's Office (ICO) has just launched a consultation on a new draft code of practice for organisations dealing with subject access requests.
We are often asked for guidance about what needs to be disclosed to an employee following a subject access request. The code of practice is intended to explain the relevant rules in clear and simple language and the aim of the consultation is to gather comments on how it can be improved so that organisations can easily understand and apply those rules.
The closing date for the consultation is 21 February 2013. It can be accessed here.
Monetary penalties from the ICO in relation to breaches of the Data Protection Act 1998 (“DPA”) have become associated with organisations losing significant amounts of personal data, sometimes in more obscure ways such as a disposal in a supermarket car park recycling bin. Yesterday the ICO announced that it had served its first monetary penalty which did not relate to a data loss. Prudential was served with a monetary penalty of £50,000 for mistakenly merging records of two customers who shared the same first name, surname and date of birth. In addition, Prudential failed to rectify its mistake despite being contacted on several occasions.
This decision should serve as a reminder that businesses should ensure that any personal data held, be it of employees or customers, is accurate and up to date (in order to comply with Principle 4 of the DPA), and that appropriate follow-up action is taken when a customer notifies them that the details held about them are incorrect.
The current notification system for data controllers and the look of the register may be set to change in the new year. The Information Commissioner's Office has launched a consultation for the public and data controllers to obtain their views on how the notification process can be made easier and the register more user friendly. The consultation closes at 5pm on 30 November and the consultation documents can be found on the ICO website here. The ICO will then aim to publish a summary of the responses and the ICO's reaction to them by the end of January 2013.
The first time I saw Christopher Graham speak (he's the UK's Information Commissioner), I thought he still had a bit to learn about his new role. He was about to take office and gave a speech at an event (I've forgotten which one). He gave us a relatively bland snippet of information about his forthcoming reign (sufficiently bland that I can't remember what it was - maybe something about strategy or enforcement). The only bit that sticks in my mind is that he asked us to observe 'Chatham House rules' before he gave it.
Now for someone about to take the top job in information in the UK, charged with enforcing the 'right to know', I thought this was a little naive. It didn't seem to be very sensitive - but even if it was, there was no reason why we, probably a bunch of lawyers and civil servants, should have had privileged access to it. The ICO's in the public sector too, isn't it?
All of which is a slightly unfair way to introduce the fact that I saw him speak again yesterday at pdp's annual Data Protection Compliance Conference. What struck me most from his talk was that the current version of the General Data Protection Regulation is likely to be rather closer to the version that comes into force than I'd perhaps appreciated.
What does this mean for tech businesses?
- If you thought the Data Protection Directive/Act was difficult and they might make things easier, you'll be disappointed. They've cherry-picked 'best practice' from across the EU and codified it - the Regulation is much bigger and much more onerous for businesses.
- If you hold data on behalf of your customers and currently take comfort that you are a mere 'data processor', think again. You'll have a raft of new obligations under the new Regulation.
- This probably means revisiting all your standard customer contracts to make sure you have proper protection.
- And it probably means revisiting any existing contracts too - there's not currently any carve-out for contracts signed before the Regulation comes into force.
- Start budgeting now for your Data Protection Officer and his or her team. If you've more than 250 employees or process a lot of data you'll be required to have one (and will probably need one to make sure you comply with your other obligations anyway).
- Don't take this lightly. The ICO will be able to impose penalties of up to 2% of turnover - and is quite likely to target data processors early on to set an example.
There's a whole lot more too. On the bright side, the law hasn't been finalised yet - so there's still time to lobby your MEP or tell the government if you're worried. And the IC made clear that he feels that the draft Regulation is too prescriptive - so he'll be trying to keep things in check. But he also made clear that people should start readying themselves for change because, diplomacy notwithstanding over the next year, something looking rather like the current draft is probably coming our way.
Looking back at our old Naked Law blog, we wrote quite a lot of posts about cookies, the upcoming change in law requiring “explicit consent” from users and what website owners needed to be doing to comply (in fact my very last post dealt with the subject – see here). But where are we now, four months on from the big 'doomsday' deadline?
The main change I have noticed is the use of many different types of banners, roll-over links and cookie policies popping up on websites I visit, which highlight which cookies are being used and how. Many of these aren’t strictly compliant with the letter of the law, because they don’t actually ask a user to consent. Examples of these are where:
The problem with where we have got to now is that everyone just seems to be sitting and waiting for someone else to come up with a strictly compliant solution which doesn’t affect user experience, rather than actually working on alternatives themselves. That may be a bit of a generalisation, but I haven’t seen or heard of any new solutions so far. Perhaps, being in the technology sector, one of you can prove me wrong?
In case you have somehow managed to miss the whole debate so far, the ICO's guidance on the new requirements is available through this link.
The fifth principle set out in the Data Protection Act is that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". As personal data can be processed simply by being stored, the fifth principle requires the deletion of personal data (plural) when they no longer need to be held for the purpose for which they were collected. It is important to be aware that if personal data are archived in a standard, retrievable manner, instead of being deleted, the rules of data protection (including subject access rights) will still apply to that data. Readers may recall that Google's failure to comply with the fifth principle hit the headlines this summer when it admitted that it had not deleted certain users' data gathered during surveys for its Street View service, an issue that is currently being examined by the Information Commissioner's Office (ICO).
The ICO has now acknowledged that "deletion" can mean different things in relation to electronic data and published detailed guidance on how organisations can comply with the requirements for deleting electronic data. Notably, the ICO accepts that it is possible to put information "beyond use" and for data protection compliance issues to be suspended if the data controller organisation holding it: