This Thursday thoughts phishing, updated guidance and of course the usual round up of all things data protection related. With the reports of increased phishing attacks here are some questions for you to answer ….
When did you last run a malware or anti-virus scan?
DO YOU check emails for bad grammar and spelling?
When did you last review your privacy settings on social media accounts?
Don’t delay with any of these or you/your business are at risk and you only have to look at the Interserve fine to see how that can turn out for your business.
Restricting what you do with personal data and how you keep it safe are also themes this week. All too often we see examples of data being used for a different reason than that given when it was collected. The “because I want to” and “my competitors are doing it” are unlikely to be accepted by the ICO when someone complains. We don’t always get what we want in business or life! You also have a responsibility to keep the data safe, so take a look at the fines for Interserve, the reprimand for the home office and the raft of new guidance on managing data (particularly health data and employment data) that the ICO has recently issued.
Guest Blogs of the week
Data Protection News Digest by Kellie Peters
The Data Diva talks Privacy Podcast with Cameron Kerry
Phishing attacks are on the increase again
Even those who work in the field get caught out. Just because something was on the news and then an organisation contacts you make sure you check, pause and don’t be too quick to believe the contact is genuine….. I’ve news for you … Hackers watch the news and listen to the radio too and phishing attacks now take advantage of the human instinct to act urgently upon bad (or good!) news.
Anything that asks you at act quickly with is definitely something to make you wary. Phrases like “Your account will expire today if you don’t reactivate it now!” “There’s a gift card up for grabs just today” and “Simon was unable to deliver” are all examples of this sort of attack. The latest NCSC advice look out for:
Deadlines and time-sensitive language – does this offer run out in 12 hours? Is your account suspended in a day?
Scarcity – are there only ten gift cards left
A quick fix
Only Process Data for the Reason you gave when you collected it
When processing personal data you need to have a legal reason to do it. This is what you tell the individual on the data gathering form or on your privacy notice. You should not then use the data for another reason. Whether this is business cards in a champagne draw being used to contact potential clients or sending that unanonymised personal data about your staff to ab organisation that benchmarks salaries so that you can compare to other companies. That is definitely NOT the purpose for which you collected it!
Managing Health Data
Health data can be a key worry in the employer-worker relationship. Often the employer knows more about the staff member’s health condition that their family does. It is really important to make sure health data is processed correctly and keep it safe. There are also very clear rules about the use of health data in a work setting and you should seek expert HR guidance here. The ICO have just written some new guidance on managing health data in an employment setting, including information about sickness records, occupational health schemes, it’s in draft form at the moment and out for consultation so if you want to take part here is the link (closes in January 2023): https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-draft-employment-practices-guidance-information-about-workers-health/
ICO Fine Interserve Group Following a Cyber Attack
The ICO fined Interserve Group Ltd £4.4 million for failing to keep 113,000 current and former employees’ personal data safe following a cyber-attack. The company “failed to follow-up an alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments”. All of this left them vulnerable to a cyber-attack. Recognising that cybercrime is a real threat to UK businesses the ICO and National Cyber Security Centre have produced advice and guidance on cyber-attacks and ransomware incidents. You will find this guidance here: https://lnkd.in/e2qp39uu
ICO Reprimand the Home Office for Leaving Documents in Public
The ICO issued a formal reprimand to the Home Office earlier this month after sensitive documents were found at a public London venue. The documents in question included Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report and they contained personal data which included Metropolitan Police staff’s data. The Home Office were lucky in this instance that the venue staff handed the documents to police. It was apparent that the department did not have a “sign-out process” for the removal of documents from the office and that the incident was not reported to the ICO within 72 hours as it should be when a data breach occurs. The reprimand was issued to the Home Secretary (Suella Braverman at the time), as the data controller for the Home Office.
New Guidance From the ICO
The ICO have updated their “Guide to the UK GDPR” as part of their Guide to Data Protection. It is for those who have day-to-day responsibility for data protection and explains the sort of regime UK businesses and organisations are expected to have in place. References to UK GDPR have been included as well as links to more detailed guidance and other resources, including ICO guidance, statutory ICO codes of practice and guidance published by the European Data Protection Board (EDPB).
The following links will be useful;
Guide to the UK GDPR
SME web hub – advice for all small organisations
Making our employment guidance work for you
Warning about the use of emotion analysis technologies
EU Digital Services Act Released
The new EU Digital Services Act has new rules aiming to “foster innovation, growth and competitiveness, and facilitate the scaling up of smaller platforms, SMEs and start-ups”. The rules are there to protect consumers online, ensure transparency and accountability for online platforms and allow for innovation, growth and competitiveness within the single market. Not for the fainthearted but for those who like a good read there are 300 pages talking about the responsibilities of users, platforms, and public authorities. https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment_en#
GDPR Risk Assessment Tool Released by the Spanish DPA
The Spanish DPA have recently released an online version of its GDPR Risk Assessment Tool. The resource is for controllers and processors and helps them to identify risk factors for the rights and freedoms of data subjects , assess the intrinsic risk, consider whether a DPIA is required and then to estimate any residual risk if certain measures and safeguards are taken. It’s in English as well as Spanish in case you are wondering why I’ve included it here! https://evalua-riesgo.aepd.es/index_en.html
International Data Transfers
President Biden has signed an executive order on the EU/US data privacy agreement which means that International Data transfers may just get a bit easier. The commitments in the order address the Schrems II ruling and set surveillance limits and established a new court in which EU citizens can redress any privacy concerns with US intelligence agencies.
In response to this the first EU DPA to review the order has raised concerns on whether the additional safeguards provided by the EO are sufficient to fully address the standards specified by the CJEU and there’s an article by David Heinemeier Hansson called “American data spies will never care where the servers are” which calls into question the commitments and whether any American company would ever refuse the intelligence agencies irrespective of where the data is hosted. So the Schrems debate rolls on.
Looking to Move into The Cyber Security Field?
The NCSC have an initiative to encourage people to work in cyber security. Their Industry 100 Scheme promotes collaboration between the NCSC and industry. It’s a voluntary scheme in which organisations second their staff into the NCSC on a part-time basis. It recruits people from every background, working in companies of every size, from SMEs to multi-nationals across all sectors. They are especially keen to hear from women as they are currently underrepresented in their workforce. The aim is to trying to make the UK the safest place to live and work online. You can find out more here: https://www.ncsc.gov.uk/blog-post/industry-100-women-can-do-it
Blog of the Week
Data Protection News Digest by Kellie Peters
Kellie has started to produce a new summary of the latest data protection news that catches her eye. Last week was Zoom for Mac Users, Workplace Surveillance the ICO Consultation - Monitoring at Work, Working from the Pub and a formal reprimand for the Home Office from the ICO. This week news that the ICO are to issue Biometric Guidance in Spring 2023, CNIL Fined Clearview €20million for scraping data from public websites and the Australian Health Insurer Medibank has been hacked. You will find her blogs here https://www.linkedin.com/pulse/data-protection-news-digest-kellie-peters-1e/?trackingId=ljw7Cu%2FVSyO7lsSAw%2FJyIA%3D%3D
The Data Diva talks Privacy Podcast with Cameron Kerry
In this podcast Debbie Reynolds talks to Former General Counsel and Secretary of the U.S. Department of Commerce in the Obama Administration about privacy and information security and how to apply privacy principles in the fast-changing world of business and technology. The conversation covers surveillance, the Cloud Act, data transfer between the US/EU/UK and the American Data Privacy Protection Act versus the California privacy Act. https://www.debbiereynoldsconsulting.com/podcast/e103-cameron-kerry