Data Loss: Foreign Office

The Foreign and Commonwealth Office (FCO) is the latest government department to admit to a series of blunders resulting in data loss.

The FCO lost five sets of data over the past financial year, including:

  • In May 2007 a contractor allowed information relating to about 50 individuals to be made public through an unauthorized disclosure.
  • In November 2007 over 50,000 visa applications were accidentally put on view to visitors to an FCO web site.

Following the November incident the ICO investigated the FCO and found the department to be in breach of the Data Protection Act, and required the Foreign and Commonwealth Office to sign a formal undertaking to comply with the DPA.

The agreement the FCO signed compels it to comply with certain directives. The undertaking is one step below enforcement action, which is covered by Section 40 of the DPA.

There are numerous examples of data loss within the government, virtually all of which could be prevented by encryption. However, the FCO examples appear to be more fundamental IT security issues (an unauthorized disclosure by a contractor and a web site exposing applications) rather than the typical lost-media data loss issues.

Data Protection Act: Section 40

Under Section 40 of the DPA the ICO can issue “Enforcement Notices” against companies and agencies. So far the ICO has done this against a variety of bodies including the NHS, and most famously the HMRC following the CD debacle.

Section 40 DPA – Enforcement notices

(1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following—

(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or

(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.

(3) An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.

(4) An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either—

(a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or

(b) to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.

(5) Where—

(a) an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or

(b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles,

an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.

(6) An enforcement notice must contain—

(a) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and

(b) particulars of the rights of appeal conferred by section 48.

(7) Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(8) If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.

(9) Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.

(10) This section has effect subject to section 46(1).

European Data Protection Supervisor

Peter Hustinx is the first and current European Data Protection Supervisor.

He was appointed by the Council of Ministers and the European Parliament in January 2004 to be the first European Data Protection Supervisor. This position is basically the same as that of the ICO within the UK, and within each member state, but the role is at a European level rather than a national level.

The European Data Protection Supervisor has three main roles:

  • Supervision: monitoring and ensuring compliance with data protection rules where they apply to the EU institutions and bodies (the Commission, agencies, the Council and Parliament, etc.). This concerns data processing by the institutions and bodies themselves.
  • Consultation: advising on legislation and policies with an impact on data protection. Hustinx described this role as “whenever the Commission adopts a proposal for legislation with an impact on data protection it is under an obligation to send that proposal to me and my office for advice, which is then part of the discussion in Parliament and Council”.
  • Co-operation: working with national authorities and with the joint supervisory bodies in the police and judicial fields.

Accountant Prosecuted under the DPA

A Whitechapel-based accountant has been prosecuted and fined for breaching the Data Protection Act.

Aziz Arian of Arian & Co Accountants must pay over £900 in fines and costs for failing to notify the Information Commissioner’s Office that the firm processed individuals’ personal information.

It is the third prosecution of an accountancy firm this year.

‘Notifying as a data controller under the Data Protection Act is an important obligation for all organisations which process personal information,’ said Mick Gorrill, assistant commissioner at the ICO.

Original Article

UK DNA Sold to companies

Following a series of freedom of information requests by the Liberal Party, it has been discovered that samples/information from the UK DNA database have been sold on to other companies.

The National Police Improvement Agency, whose role includes overseeing delivery of the National DNA Database Service, has admitted this, stating: “After approval by the National DNA Database Strategy Board, [the samples] were made available for authorized research purposes demonstrating clear potential operational benefit to the police in terms of detecting and solving crime. These profiles are completely anonymous and are not identifiable in any way.”

Jennifer Wilmot, the Liberal Democrat MP for Cardiff Central and Shadow Secretary of State for Work and Pensions, said: “The 25 projects that have been approved by ministers include some sinister explorations into ethnic profiling. It is appalling that these Big Brother practices have been allowed to go on unchecked for so long and with extremely limited ethical standards.”

Obviously the samples were identifiable in some way, or they could not have been used for research such as identifying sex, race, etc. A profile that can be used to infer ethnicity is not “completely anonymous” in any meaningful sense.

Original Article

Information Tribunal

The Information Tribunal, formerly known as the Data Protection Tribunal, hears appeals from notices issued by the Information Commissioner under:

  • The Freedom of Information Act 2000 (FOIA)
  • The Data Protection Act 1998 (DPA)
  • The Privacy and Electronic Communications Regulations 2003 (PECR)
  • The Environmental Information Regulations 2004 (EIR)

PNC – Police Database Errors

In 2006 it was reported that almost half of all police forces audited by HM Inspector of Constabulary (HMIC) were found to have errors in their police databases.

Sir Michael Bichard’s enquiry into the intelligence failures leading up to the murders of Soham school girls Holly Wells and Jessica Chapman led to a 2004 report that recommended measures to improve the quality and timeliness of data input into the Police National Computer (PNC). HMIC’s audits of Britain’s 51 police forces were subsequently trained through Bichard’s lens.

The “progress report” published yesterday was meant to demonstrate how well the Home Office had responded to Bichard by making police data more reliable. It showed how there was a long way to go before police data could be treated as gospel.

“HMIC has commenced direct communications with 13 forces which are causing varying degrees of concern in relation to their actual performance or their general direction of travel,” said the progress report.

It noted evidence provided by HMIC audits about the timeliness of data input into police computers.

Almost a third of British forces were not meeting tough statutory targets for inputting data about arrests and summons on the computer in time, it said, drawing its data from the completed audits of data quality and related working practices HMIC has done of British police forces.

It also noted that 39 per cent of forces were not inputting records of court proceedings within statutory deadlines.

But it skirted over the other key data concern for Bichard, that of data quality. Error rates of between 15 and 86 per cent were identified in police data in the years before the Soham murders. Data errors are still a problem, as demonstrated by a recent string of reports about the Criminal Records Bureau, which draws its data from the PNC.

The most recent PNC audit report published by HMIC, that of Avon and Somerset Constabulary, noted that 22 per cent of records that had already been checked by supervisors still contained an error. The error rate concerned a sample of records input in recent months. Old data, which might contain more errors, is not audited.

Full Article

Phone Records Searched

Liverpool’s Liberal Democrat Council obtained and searched the phone logs of the Labour Councillor Joe Anderson, the leader of the opposition.

This investigation was, on the face of it, to investigate a leak within the council. However, the investigation would have given complete access to whom the councillor called, when, and how often. With tools like i2, it is relatively easy to build a profile of his calls and link that to any other data held on him. The case is being referred to the ICO, and this could well be an invasion of privacy. It is unclear at this stage whether the phone belonged to the council or was Joe Anderson’s personal phone. If it was the former, access to the logs would have been relatively simple, i.e. via the bill which the council pays. If it was the latter, then access to the information would be highly suspect.

A spokesman for the Liberal Democrats, who ran the investigation and control the local council, said: “Following the unauthorized leaking of a highly confidential and commercially sensitive report, a number of officers and members were asked to cooperate with an internal investigation into the breach, which involved emails being checked. However, we omitted to notify the individuals concerned that it also included mobile phone records.”

A spokeswoman for the ICO said: “We have been contacted by both parties (Councillor Anderson and Liverpool City Council) and we will be looking into the complaint and deciding on the next step.”

Article – BBC

International Data Protection and Privacy Commissioners Conference 2007

In 2007 the 29th International Data Protection and Privacy Commissioners Conference was held in Montreal.

During the conference the issue of passenger data being exchanged between countries was highlighted. This was a thinly veiled snub at the US demand for data from the EU, which goes against the EU’s own data protection laws, but a point on which the EU capitulated after pressure from Washington.

Some of the points the conference raised were:

  • passenger data can be used to make inferences about religion, ethnicity and other highly sensitive matters;
  • many governments around the world are increasingly asking for more and more data from carriers;
  • carriers collect passenger data for commercial purposes and are being asked to provide it for law enforcement purposes.

Later the conference noted and reaffirmed that:

“...data protection and privacy rights, as enshrined in Article 12 of the Universal Declaration of Human Rights and other legal instruments, protect individuals and their personal data and must be considered along with other rights in any proposals involving the transfer and use of passenger data for law enforcement purposes.”

The 2007 Report into passenger data is available here – 2007-resolution-on-passenger-data

Making a Request Under the FoIA

To make a request under the Freedom of Information Act 2000 you must make a request in writing, by email or by fax to the relevant government department/agency.

The request must include:

  • Your name
  • An address for correspondence
  • A description, as full as possible, of the information you are seeking

The request does not have to be a paper letter; an email or fax is equally acceptable. The Act sets a time limit of 20 working days for dealing with a request for information.

Fees

The agency/department may charge a fee for processing a request:

The fee will be calculated based on the fees regulations published by the Department of Constitutional Affairs.

Fees can be charged for “time spent efficiently” locating or copying records, based on a standard hourly rate of £25.

However, as long as the cost does not exceed a limit of either £450 or £600 (depending on the nature of the department) then no fee will be charged. No charge can be applied for simply considering whether the information should be provided.

If a fee is required, the limit of 20 working days will be extended by up to three months until the fee is paid.

Exceptions

There are several exceptions to the Freedom of Information Act, i.e. just because an application has been made it does not mean that the information will be, or needs to be, provided. The Act does not allow people to put in numerous spurious requests, nor to request information that is already in the public domain.

There are also numerous other exceptions, such as national security, commercial interest (you cannot ask for information about a competing company) and personal information.

A list of exceptions will be posted later.

Rights to information

Any individual may make a request to an institution for information. The individual does not have to be the subject of that information, or be affected by its holding or use. If an individual is the subject of that information, then the principles of the Data Protection Act protecting the data subject take precedence over any Freedom of Information right.

The Act gives applicants two related rights:

  • to be told whether the information is held by the institution
  • to receive the information, where possible in the manner requested, for example as a copy or summary, or in paper or electronic format. An individual may also request to inspect records in person.

There is no obligation to comply with ‘vexatious’ requests, or repeated requests, if the institution/agency/department has recently responded to an identical or substantially similar request from the same person, but there is a duty to provide advice and assistance to anyone making a request.