|
|
|
|
Its GDPR (and DPA) week!
The General Data Protection Regulation will come into force throughout the 28 Member States of the European Union on Friday. In the UK, Matt Hancock, the Culture Secretary, has announced that the Data Protection Bill has been passed by Parliament, and will (subject to Royal Assent) come into force on Friday. The Bill will go through Parliament without an amendment calling for a second Leveson inquiry, as peers backed down after weeks of ping-ponging between the two Houses. Mr Hancock added a series of new amendments to the Data Protection Bill last week, including one widening the scope of the Information Commissioner's review into media compliance with the new data protection law.
|
Eight countries to miss EU data protection deadline
Eight EU states will not be ready to fully enforce the General Data Protection Regulation when it comes into force on Friday. It is understood that Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia will not be ready until far beyond the 25th May deadline. Vera Jourova, the European Commissioner for Justice, said she would not hesitate to take the EU countries to court in serious cases, blaming negligence and domestic debates for the delays. Only Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia are currently ready, with other countries poised to have their national acts passed by 25th May. Spain, Italy, Portugal, Romania and Latvia are expected to be ready either at the end of May, or beginning of June. The UK passed it's Data Protection Bill yesterday. Although not required to implement the GDPR (which is directly effective in all Member States from Friday), the national Data Protection Acts are required to create local exceptions to some of the GDPR's provisions, such as the those relating to processing special category personal data, and to bestow enforcement powers on the national regulators.
|
Firms needlessly seeking opt-in permissions
In the last few weeks people's inboxes have been awash with requests for opt-in permissions. In many cases these are unnecessary, either due to the existing relationship between the sender and the recipient or because opt-in permission is not needed for the type of communications contemplated. The next edition of Privacy & Data Protection will contain an in-depth article on exactly when opt-in permissions are needed and why many organisations may have been overly cautious in of their recent email communications. |
UK prosecution body fined £325,000 after losing victim interview videos
The Crown Prosecution Service has been fined £325,000 by the ICO after losing unencrypted DVDs containing recordings of police interviews. The recordings were of 15 victims of child sex abuse to be used at trial, and contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator, and some identifying information about other parties. The penalty is the second to be imposed on the CPS following the loss of sensitive video recordings. Steve Eckersley, Head of Enforcement, said: "The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress." The CPS has self-identified systemic failings and is taking action to remedy them.
|
Facial recognition technology used by police is 'dangerously inaccurate'
The Metropolitan Police's use of facial recognition is misidentifying innocent people as wanted criminals more than nine times out of 10, according to a privacy campaign group. Civil liberties organisation Big Brother Watch published its findings into the Met's use of facial recognition technology in a report that that it presented to Parliament. The Met admitted that as a result of using facial recognition, it has stored 102 innocent people's biometrics data for 30 days. Despite this, the force is planning seven more deployments this year. Silkie Carlo, Director of Big Brother Watch said: "It is deeply disturbing and undemocratic that police are using technology that is almost entirely inaccurate, that they have no legal power for, and that poses a major risk to our freedoms." The reports have attracted the interest of the UK Commissioner Elizabeth Denham, who said "technology represents both a risk and an opportunity, and this is why I have recently published our first Technology Strategy which addresses these new technological developments and ensures the ICO can deliver the outcomes which the public expect of us.
|
Ipswich Hospital staff disciplined after accessing singer's records
Two members of hospital staff in the UK were disciplined for accessing Ed Sheeran's personal details with no legitimate reason, it has emerged. Ipswich Hospital said in response to a Freedom of Information request that one medical staff member was given a written warning, and one member of admin staff was sacked. The action happened after Sheeran was admitted to hospital last October, having broken his right wrist and left elbow. The incident was not referred to either the ICO or the Nursing and Midwifery Council.
|
Former recruitment consultant prosecuted in UK
A former recruitment consultant has been fined for unlawfully taking personal data from his employer when he left his job to set up his own rival business. Daniel Short left the recruitment company he was working for, VetPro Recruitment, in October 2017 and a short time later set up his own similar company called VetSelect. The ICO later discovered that Short had stolen the details of 272 individuals from VetPro's database for commercial gain. Short pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. He was fined £355 and was ordered to pay costs of £700 as well as a victim surcharge of £35.
|
Council of Europe brings data protection Convention in line with GDPR
The Council of Europe has adopted an Amending Protocol which updates its data protection convention (known as Convention 108), bringing it into line with the GDPR. The Convention now requires organisations to notify data breaches, strengthens the accountability of data controllers and the transparency of data processing, and introduces the Privacy by Design principle, as well as additional safeguards for the processing of personal data in the context of algorithmic decision-making. Convention 108 is the only international treaty to address the right of individuals to the protection of their personal data, and is open for any country to sign and ratify. Current parties to the Convention are the 47 Member States of the Council of Europe and Mauritius, Senegal, Tunisia, and Uruguay.
|
UK University fined after serious breach
The University of Greenwich has been fined £120,000 by the Information Commissioner following a security breach involving the personal data of nearly 20,000 people, including students and staff. The investigation centred on a microsite developed by an academic and a student in the then devolved University's Computing and Mathematics School, to facilitate a training conference in 2004. After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016, multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server. The University is the first education body to have been fined by the Commissioner under the current UK data protection law.
|
| |
|
More in depth data protection news and articles...
Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.
|
Keynote:
How the ICO will exercise its New Powers
James Dipple-Johnstone
Infomation Commissioner's Office (ICO)
|
This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to help organisations ensure they are compliant.
 The UK Data Protection Act 2018 - gloss or substance?
Rosemary Jay - Senior Consultant Attorney, Hunton Andrews Kurth LLPAlthough the GDPR is designed to bring greater harmony to EU law than the previous Directive, Member States are still permitted to deviate from the GDPR's provisions in limited areas. This talk, by the author of 'Guide to the General Data Protection Regulation', considers the key provisions of the UK's upcoming Data Protection Act, and provides delegates with practical guidance on how to implement them.
For more information and to book your place:
|
|
Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
|
From May 2018, organisations will be required to notify serious data breaches to both national data protection authorities and individuals, except in a narrow range of circumstances. This practical training session looks at the new breach notification obligations in detail, including:
- the types of incidents that will trigger the requirement to notify
- actions that organisations should be taking now in order to prepare for mandatory breach notification
- incident response plans and opportunities to mitigate risk
- implications for data processors
- what the ICO, and other relevant regulators, will expect organisations to do
- the requirement for an internal breach register and how to maintain it
- consequences of failing to notify breaches
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.
The next available dates for this course are:
- London Monday, 25th June 2018
- London Monday, 3rd December 2018
For further information and to make a booking,
- Visit PDP's website
- Telephone PDP at +44 (0)207 014 3399
- Download the PDF Training Catalogue
|
|
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR.This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
- the right to be informed
- requirements for handling subject access requests
- profiling and automated decision taking
- the right to data deletion
- the right to restriction of processing
- the right to object to processing
- the right to data portability
- compensation
- the right to cessation of direct marketing
- exemptions for organisations
- changes that should be made to organisations' privacy policies
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
- Belfast Thursday, 7th June 2018
- Glasgow Monday, 24th September 2018
|
|
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate against.This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
- how data protection law applies to profiling and Big Data
- how the extended territorial scope of the GDPR catches ever more profiling activities
- the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
- controllers' increased accountability to individuals and the remedies available to individuals
- the circumstances in which profiling is acceptable
- how to reduce the risks of 'discriminatory' decision-making
- the relevance of the privacy by design and default regime
- the GDPR position on profiling and special category personal data
- practical guidance on what information must be supplied to customers and others
- how to obtain explicit consent, where required.
The course is taking place on the following dates:
- London Tuesday, 12th June 2018
- Belfast Thursday, 6th December 2018
|
|
|
|
|
| |
|
We have uploaded two articles for IHRIM members only, to access them please log in to the website via the MEMBERS tab, then click IHRIM Documents for Download and Members Files (IHRIM membership and website account required).
From April 2018 the new Data Security and Protection Toolkit
