
Thursday Thoughts - 24 March 2022


This week’s Thursday Thoughts features the NCSC’s most used password list: a timely reminder that the “super easy” password we are using really should be changed, because it is probably on the most used list. If you don’t believe me, check your password on https://haveibeenpwned.com/ . I’ve also been asked for advice for board members and trustees this week, as well as on Data Protection Impact Assessments, so I’ve included both in this week’s blog. This week the UK Schrems II compliant International Data Transfer Agreements came into effect.

If you know a vulnerable person who has been the victim of predatory calls, there is some new advice on the ICO website and a new mnemonic to remember when speaking to them (GRAN). A word of warning on fake accreditations: just because an organisation’s logo is on a business’s website does not necessarily mean the business is endorsed by that organisation. If in doubt, check!

In the news this week: the use of AI to identify Russian soldiers killed in combat, a cyber attack on the Scottish Association for Mental Health, 196 reports of scams related to raising money for those affected by the Ukraine conflict, and some examples from Guernsey of the sorts of data that are released in data breaches. Also news of a Data Protection Master Class that I am delivering on 20th April (one in person and one online), with details of how to book on to these.


Blogs and Vlog of the Week

Debbie Reynolds – The New UK National Algorithmic Transparency Standard

Alex McCann – The Good The Bad and The Ugly of Being Self-Employed


Latest Most Hacked Passwords list

The NCSC reposted its “most hacked passwords list” this week. I am constantly amazed that people are still using these passwords. There have been some new additions to the list recently: flamingo228, Alexei2005, 91177700, 123Tests and aganesq.

If you are still using any of the following, please change it now. When looking for a good password, the NCSC gold standard is three random words. If you want to check whether your password has been compromised, you can check on https://haveibeenpwned.com/ . Businesses can download a dataset of these passwords and set their IT systems to screen against the list when staff are setting a new password.


Most used    Names      Football teams    Musicians    Characters
123456       ashley     liverpool         blink182     superman
123456789    michael    chelsea           50cent       naruto
qwerty       daniel     arsenal           eminem       tigger
password     jessica    manutd            metallica    pokemon
1111111      charlie    everton           slipknot     batman
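The screening step described above, as an added example (my code, not the NCSC’s or this blog’s): a small denylist constructed from the table is loaded into a set, a candidate password is rejected if it matches an entry exactly or is an entry with a trivial suffix, and the haveibeenpwned range lookup is simulated so you can see why only five characters of the hash ever leave the machine. The denylist contents, the 12-character minimum and the breach counts are assumptions for illustration; the real endpoint is https://api.pwnedpasswords.com/range/{prefix}, which this code does not call.

```python
"""Screening a new password against a banned-password list.

Added example, not code from the NCSC or from this blog. It shows two checks an
IT system can run when staff set a new password: an offline comparison against a
downloaded "most used" list, and the k-anonymity range lookup used by the
Pwned Passwords service at haveibeenpwned.com (simulated here with a constructed
local index so the example runs offline).
"""
import hashlib
import re

# Constructed sample denylist: the passwords from the table above plus the new
# additions named in the post. A real deployment loads the full downloaded
# dataset (hundreds of millions of entries) into a set or a bloom filter.
BANNED_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1111111",
    "ashley", "michael", "daniel", "jessica", "charlie",
    "liverpool", "chelsea", "arsenal", "manutd", "everton",
    "blink182", "50cent", "eminem", "metallica", "slipknot",
    "superman", "naruto", "tigger", "pokemon", "batman",
    "flamingo228", "alexei2005", "91177700", "123tests", "aganesq",
}

MIN_LENGTH = 12  # policy value assumed for this example


def stripped_base(candidate: str) -> str:
    """Case-fold and drop up to six trailing digits/symbols, so that
    'Liverpool2022!' is also screened as 'liverpool'."""
    return re.sub(r"[\d\W_]{1,6}$", "", candidate.casefold())


def screen_password(candidate: str, banned=BANNED_PASSWORDS) -> list:
    """Return the reasons a password is rejected; an empty list means it passed."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.casefold() in banned:
        reasons.append("appears on the banned-password list")
    else:
        base = stripped_base(candidate)
        if base and base in banned:
            reasons.append(f"is the banned password '{base}' with a trivial suffix")
    return reasons


def sha1_prefix_and_suffix(candidate: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the range API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(leaked_counts: dict) -> dict:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}:
    maps each 5-character prefix to the 'SUFFIX:COUNT' lines the real API returns."""
    index = {}
    for password, count in leaked_counts.items():
        prefix, suffix = sha1_prefix_and_suffix(password)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def pwned_count(candidate: str, range_index: dict) -> int:
    """How many times the candidate appears in the (simulated) breach corpus.
    Only the prefix leaves the machine; the suffix comparison is done locally."""
    prefix, suffix = sha1_prefix_and_suffix(candidate)
    for line in range_index.get(prefix, []):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed breach counts for the simulation; real counts come from the API.
SAMPLE_RANGE_INDEX = build_range_index({"password": 3861493, "qwerty": 3912816})


if __name__ == "__main__":
    for pw in ["password", "Liverpool2022!", "correct-horse-battery"]:
        print(pw, screen_password(pw), pwned_count(pw, SAMPLE_RANGE_INDEX))
```

The suffix-stripping check matters because users asked to change “liverpool” very often submit “Liverpool2022!”, which an exact-match denylist would wave through; a length floor on its own would not catch it either. In production the same screen should run wherever a password is set or reset, including help-desk resets and self-service portals.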


ICO video for Vulnerable – Nuisance calls

Following a spate of calls from UK Appliance Cover Limited in 2020, the ICO has fined the company £100,000. If you know a vulnerable person who has been the victim of predatory marketing calls about white goods insurance or another service, there is a video and advice on the ICO website: https://ico.org.uk/nuisancecalls . And remember GRAN: Get them registered with the TPS, Report suspicious calls, Ask if they have had any suspicious calls, Notify Action Fraud or Ofcom.


Advice for Trustees and Board Members - Emails

There are three things that board members should think about when using email.

  • Using their personal or work email for board related matters. If at all possible it is best to set up email accounts for your board members or trustees (just as you do for staff) and direct all emails to these accounts. If this is not possible, encourage the board member to use rules to filter all related material into a separate email folder.

  • Writing emails in the belief that what they are writing will be kept private. The opposite is true, and therefore you should make sure your board members know not to write anything in an email that they wouldn’t want either to be made public or to be shared with the subject.

  • Keeping emails “forever”, something many of us are guilty of. A requirement to carry out a regular purge of old emails, and to delete the account when someone ceases to be a board member, should be part of your retention policy.

You can view a useful video here: https://www.youtube.com/watch?v=VBcAKHQgnvw


Don’t be Taken in by a Fake ICO Accreditation

In my blog last week there were details of a load of fines targeting companies calling people who were registered with the Telephone Preference Service. All the wrongdoers had bought data from suspect sources, with some of them actively targeting older, more vulnerable people. It was interesting to see that one of the organisations used the fact that their source had the ICO logo on their website as a guarantee that they had got the data from bona fide sources. In my experience (and that of many others) the opposite is true, and any commercial organisation displaying the ICO logo with “ICO Guidance Complaint” on the page alongside their other accreditations is almost certainly dodgy. The ICO don’t have such an accreditation, so I’ll put money on the fact that they don’t have permission to use the logo.


Schrems II compliant International Data Transfer Agreements

The new UK international data transfer agreements (IDTA) come into force on 21st March. This means that exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted data transfers. These agreements replace current standard contractual clauses for international transfers and take into account the “Schrems II” judgement. You will find the guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/


Data Protection Impact Assessments

If you are planning any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, then you should carry out a Data Protection Impact Assessment (DPIA). This should start early in the “concept” phase of a project and definitely before you start any processing. There are nine steps, which should run alongside the planning and development process:

  • Identify the need for a DPIA;

  • Describe the processing;

  • Consider consultation;

  • Assess necessity and proportionality;

  • Identify and assess risks;

  • Identify measures to mitigate risk;

  • Sign off and record outcomes;

  • Integrate outcomes into the plan;

  • Keep under review.

The process is designed to be flexible and scalable. The ICO has a simple DPIA template, or you can create your own. You will find the ICO template here: https://ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx


In the News

Ukraine identifies Russian Soldiers Killed in Combat using AI

There will be mixed feelings on the story that the Ukraine defence ministry has started to use facial recognition software to identify Russian soldiers who have been killed in combat, so that they can tell their families that their loved one has died. Photographs are scanned and compared to social media accounts, and then the family is contacted to let them know. The company offering the technology, Clearview AI, is doing so free of charge. However, this is the same company that was fined €20 million by the Italian authorities for scraping data off the internet, violating the privacy of Italian residents. There are outstanding privacy concerns in the US, France and UK relating to the scraping of this data from the internet, and of course there is scope for the misidentification of individuals, resulting in the wrong family being informed. There will be those who say that, as the Russians will not tell families that their soldiers have died, this is a humanitarian thing to do; others will dismiss it as Ukrainian propaganda; and some will see it as a marketing tool for the AI company to try to combat all the negative press. I think that there’s probably a little truth in all of these.


Mental health charity suffers cyber attack

The Scottish Association for Mental Health (SAMH), which works with more than 60 communities within Scotland, has been the subject of a ‘sophisticated and criminal’ cyber attack which has affected their email; phone lines were also reportedly impacted.


Phishing scams ‘fundraising’ for Ukraine

Action Fraud has received 196 reports of scam emails from fraudsters claiming to be raising money for those affected by the conflict in Ukraine. This includes sites selling t-shirts and soliciting cryptocurrency donations. If you receive such a request, you should check whether the charity is registered on www.gov.uk/checkcharity and be doubly sure to type the charity website into your search engine rather than clicking on a link. If you want to help people affected by the conflict in Ukraine but are unsure how to do so safely, you can donate via the Disasters Emergency Committee.


Guernsey breach statistics

Guernsey has published its latest breach statistics, which show that data breaches are not just a matter of random information being sent to the wrong person. More often, very private, often sensitive information about a living person is accessed, altered, destroyed or disclosed inappropriately, or is lost or made unavailable. There were 27 such breaches reported during January and February 2022, which included:

  • detailed financial data being sent to another client (legal sector);

  • medical history and clinical data being posted to the wrong patient (health sector);

  • identity documents being sent to the incorrect recipient (finance sector).


Data Protection Master Class

I’m delighted that I will be delivering two Master Classes on 20th April covering “UK GDPR and Data Protection”, one “in person” in the morning and the other “online” in the afternoon. The sessions are aimed at small and micro businesses (but others are welcome to attend) and will provide business leaders with the training and skills they need in order to comply with the UK GDPR and get back to their “day job” as quickly as possible. Places can be booked via https://www.eventbrite.co.uk/e/uk-gdpr-and-data-protection-masterclass-tickets-262527566017 (there is a discount for members of the ASCC).


VLOGs and Blogs of the Week


Debbie Reynolds – The New UK National Algorithmic Transparency Standard

Great discussion here from the Data Diva about the new UK Artificial Intelligence Transparency Standards. Especially topical this week with the use of AI to identify Russian soldiers. Did you know the UK is one of the first countries to set such a standard? I agree with Debbie that it will be good to see more of these across the world as the use of AI becomes more prevalent. It will be good to see more obligations on the organisations using AI to be more transparent with individuals about how their data is being used in the system. https://www.linkedin.com/feed/update/urn:li:activity:6911478310497583104/#:~:text=Did%20you%20know,ico%20%23transpancy%20%23explainability


Alex McCann – The Good The Bad and The Ugly of Being Self-Employed

I’m a regular follower of Alex’s blogs, and this week he has turned the spotlight on self-employment. Alex has been self-employed most of his adult life and has worked in a variety of industries, so has a wealth of experience to share. I agree with him that the pluses outweigh the negatives, especially the flexible hours and getting to call the shots (including who to work with and in which sectors you operate). But it also takes discipline and a bit of a thick skin, because being a good boss to yourself is hard, and doing the admin is not fun but is essential … and then there’s the dilemma of having to say no to your business friends who ask for a discount. Read his blog here: https://altrinchamhq.co.uk/the-good-the-bad-and-the-ugly-of-being-self-employed/

