The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.
On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”
Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:
You can read the full guidance from the ICO here.
This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.
If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.
900,000 people have been hit by a Virgin Media data breach in which a database containing personal details was accessible over the internet for 10 months.
The database contained details including email addresses, home addresses, and phone numbers, which were being stored for marketing purposes.
Virgin Media have stated that the breach took place due to the database being “incorrectly configured” by a member of staff. There was no hacking or malicious intent behind the breach, although it was also apparently accessed “on at least one occasion” by an unknown and unidentified user.
Zoe Kleinman, Technology Reporter at BBC News, stated that:
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.
You can read the full article on this story from the BBC, with Kleinman’s commentary, by clicking here.
This Virgin Media data breach is the latest in a series, from various organisations, which have seen databases left unsecured online. For example, a Microsoft database containing 250 million details was left exposed in December, as we reported here.
This is a worrying trend, and shows that these databases should be configured carefully by people who know the proper procedures and are fully trained and knowledgeable about cybersecurity.
Virgin Media has taken steps to close access the database, contact the ICO, and notify those affected by the breach, with advice about how to protect themselves from potential repercussions. While these are all positive steps, there’s no doubt that significant errors have been made and this breach could easily have been avoided.
If you want advice on how to protect user data, get in contact with our GDPR consultants today for invaluable, expert advice.
Home Office breaches of GDPR took place 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article states the following from the ICIBI report:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up-to-date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.
At the PrivSec London conference on the 4th and 5th February, we enjoyed hearing how leading professionals in our field are tackling the many shared challenges of doing business under the changing needs of the 2020s.
Here are some final thoughts from the event’s keynote speaker, Baroness Neville-Rolfe, and from ourselves…
Baroness Neville-Rolfe (Member, European Union Committee, and a former minister under David Cameron, who was heavily involved in negotiating GDPR) said that data is the “oil equivalent” of an extraordinary digital revolution.
This revolution is now affecting almost everything on the planet. The effects are impossible to predict, but like other revolutions, this one started slowly and is now picking up speed.
There were some interesting official statements made by government, EU, or other regulators which indicate:
Overall, PrivSec London 2020 was an extremely informative conference. The key things that we learned are:
What we can do for you about all this – check out our offers to find out how we can help you with your data protection programme:
Our thanks to the following guest speakers at PrivSec London 2020:
At the PrivSec London conference last week, we heard from Sheila Fitzpatrick, a global expert in privacy and compliance. Here’s our pick of what she had to say and her advice about GDPR, the culture shift it has already brought about, and data privacy and security.
Anonymising data doesn’t truly make data safe, because someone in the organisation still has access to the original data. You need to really think about why your company is getting and using data – achieving an ‘improved user experience’ is not a good enough excuse. Companies often think that security is the same thing as privacy, and point enquiries about privacy to security protocols – but this is an ‘instant fail’ in Fitzpatrick’s book.
Companies in many other countries don’t realise they’re still subject to other countries’ Data Protection laws such as GDPR – and many countries are also planning laws that will exceed its requirements. GDPR created an awareness of changing legal focus from data security to the lawful bases for processing data, which in turn became the impetus for new laws across the world – as well as adding new technologies which also created privacy issues.
GDPR became the biggest revenue generator since Y2K – and there are a lot of solutions in the market. Companies often like to believe that they can buy ‘compliance in a box’, which is impossible and shows a lack of understanding of privacy; they often throw technology at the problem and assume that innovation will provide a better user experience.
They think that privacy will become irrelevant as a result of this approach; that it can be addressed through a simple checkbox, or that they have a “legitimate interest” in processing personal data. However, this probably isn’t true if the basis can’t be explained on a page clearly. It also shouldn’t be forgotten that if consent is ambiguous, it’s invalid under GDPR.
Big Data is problematic for GDPR compliance on many fronts, and so are AI and Smart Cities: it’s difficult to meet consumer rights demands for example, and to maintain anonymity where necessary.
Fitzpatrick noted that to access public Wi-Fi from a major telecommunications company recently, she had to wade through 5 pages of Privacy Policy and still couldn’t find out how to turn cookies off – which is not compliant with GDPR requirements.
You need to always be honest about what you’re doing; if you can’t, you’ve got a problem. Be upfront about your use of third parties who receive data from you, and don’t let vendors dictate terms to you as their terms can put you in breach. Privacy improvements give a competitive advantage and failing to comply can damage reputations badly.
Our thanks to Sheila Fitzpatrick for these insights and for giving an engaging and thought-provoking talk.
From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.
Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:
CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.
CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity, you’ll fail if you assume it’s a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.
CULTURE SHIFT #3: To get buy-in across the organisation, explain Privacy and Cybersecurity matters in the business terms of each department or stakeholder group’s business goals, such as making money, reputation protection, and so on.
CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable in one place with a lot of access but is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud – delete as much as you can of your data set defensively, use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.
CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consents anymore under the latest government guidances.
CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.
Our thanks to the following guest speakers at PrivSec London 2020: