Test and Trace has not passed DPIA in UK
Public Health England did not complete a Data Protection Impact Assessment prior to launching the Covid-19 coronavirus Test and Trace programme on 28th May 2020, it has emerged. The programme, which went live on 28th May without the benefit of its accompanying contact-tracing app, helps track down and isolate the contacts of anybody who tests positive for Covid-19. Recipients of positive test results will be required to share information on their recent contacts (members of their own household and others they have been in direct contact with or within two metres of for over 15 minutes) who must then self-isolate for a fortnight. The data collected include names, gender, dates of birth, home postcodes, telephone numbers and email addresses. Public Health England will retain the data it collects via the programme for 20 years. Labour MP Ben Bradshaw accused the government of launching Test and Trace before it was ready in order to divert attention away from the Dominic Cummings scandal.
Federal Court in Germany rules on obligation to obtain cookie consent
The long-awaited decision of the German Federal Court on the requirements that must be met in order to obtain valid cookie consent has now been issued. The Court held that using cookies for marketing or market intelligence purposes generally requires user consent; that this applies irrespective of whether cookies collect personal data or not; and that consent must be given through active confirmation by the user. Further, the Court ruled that pre-checked checkboxes do not suffice under either the German Tele Media Act or the GDPR; and that, to satisfy the requirement of informed consent, information must be detailed but not excessive, as overwhelming amounts of information prevent users from effectively taking note of the information they are provided with.
Finland SA issues first fines
The Supervisory Authority in Finland has issued its first fines against three Finnish companies for their infringements of data protection laws. The infringements concerned inadequate informing of data subjects (100,000 euros), failure to carry out a Data Protection Impact Assessment (16,000 euros) and the collection of unnecessary personal data (12,500 euros). The decisions are not legally binding yet, and the companies may appeal against the decisions to an administrative court. The SA said that more administrative fines will follow in the upcoming weeks.
Conducting Data Protection Audits - eLearning
PDP is pleased to announce that the training course How to Conduct a Data Protection Audit is now available to study from home by way of eLearning. All PDP's eLearning courses feature video presentations, written materials and self-assessment multiple-choice questions. A full list of available eLearning training courses can be viewed here.
Telco discloses data breach
Nippon Telegraph & Telephone, the 64th biggest company in the world according to the Fortune 500 list, has disclosed a security breach. NTT says hackers gained access to its internal network and stole information on 621 customers from its communications subsidiary, NTT Communications, the largest telecommunications company in Japan, and one of the biggest worldwide. The hack took place on 7th May, and NTT says it became aware of the intrusion four days later, on 11th May. NTT says it took down the hacked systems as soon as it learned of the incident. The company is still investigating the breach, but says it plans to notify all customers "when it becomes clear what should be notified."
Working from Home – Advice for Controllers