This is the last information compliance newsletter of 2016. Privacy is the focus of this issue, but there are also updates on FOI, Security, Privacy and Electronic Communications Technology, Records Management and training.
We hope you find this useful. If you'd like to let us know what you think, contact firstname.lastname@example.org
- TalkTalk given a record £400,000 fine after its 2015 data breach. The Information Commissioner noted TalkTalk's 'failure to implement the most basic cyber security measures': the company was running outdated and unsupported software, and was unaware both of the bug affecting that software and of the available fix which would have prevented the attack. The fine relates to a breach of the 7th principle of the Data Protection Act (appropriate technical and organisational measures against unauthorised or unlawful processing), and a criminal investigation is ongoing.
- Tim Turner, an information law blogger, gives advice on how to write a privacy notice.
- ICO has published a new code of practice on privacy notices. The new code directly addresses the GDPR and shows what information is mandated under the GDPR for inclusion in a privacy notice.
- A legal challenge has been made against the EU-US Privacy Shield putting into question its suitability as a tool to facilitate data transfer to the US.
- A reflection on the use of personal data by companies to their own benefit (data capital), without any reciprocal dividend enjoyed by the subjects of that personal data.
- A recent ruling by the information rights tribunal suggests that organisations should be prepared to make multiple notifications to the ICO as the investigation into a data breach progresses.
- A worldwide study of internet-connected devices (IoT) found that 60% did not properly tell users how their personal data would be used.
- The majority of US students think the supply of personal information will transform college experience in 10 years.
- The government's digital minister Matt Hancock has confirmed that the General Data Protection Regulation (GDPR) will come into force in the UK in May 2018.
- The new Information Commissioner Elizabeth Denham gave a speech at the annual conference of NADPO. In it she outlined preparations for the GDPR.
- The Investigatory Powers Bill currently passing through Parliament had its last outstanding issues resolved on 16 November 2016 and is expected to be shortly passed into law. Andrew Cormack from Janet comments on the impact on universities. The Verge comments on what the new legislation will mean.
- Chartered Institute of Marketing blog about their recent research report 'Whose data is it anyway?'. Their research found that 92% of consumers do not fully understand how organisations are using their personal data. Although the report highlights respondents' significant concerns about data use, it also found that 67% would share more personal information if organisations were more open about how they will use it. UEA needs to take into account both the DPA and Privacy & Electronic Communications Regulations when sending marketing communications.
- The Information Rights and Wrongs blog explains why retailers are increasingly keen to provide electronic receipts. An interesting insight into how companies can justify marketing communications under the 'soft opt-in'. This option isn't open to the University as we're not a commercial organisation.
- Outlaw and the Campaign for Freedom of Information comment on the implications of a recent ECHR ruling that denying access to information can breach freedom of expression rights. CFFOI report: 'Article 10 [of the European Convention on Human Rights] guarantees the right to freedom of expression, including the right to "receive and impart information". Traditionally, this has been interpreted as preventing governments from censoring what one person wanted to communicate to another. However, recent Strasbourg decisions have found that it also includes the right to obtain information from government.'
- Be careful when connecting your phone to rental cars. You could be losing control of the personal data on your device.
- National Audit Office report highlights lack of cohesion and governance in government approach to cybersecurity. Reporting of data breaches was described as 'dysfunctional'.
- The Chancellor Philip Hammond has launched the new cyber security strategy with £1.9bn of funding.
- Students warned about new phishing scam.
- Payday loans company manager pleads guilty to charges that he hired a DDoS service to attack business rivals' sites; he receives a four-month suspended prison sentence and is ordered to carry out 180 hours of unpaid work.
- Scotland Yard has lost the case files of thirteen unsolved murders. According to the blog 'Londonlowlife': 'A 2014 memo marked "restricted" stated: "The MPS [Metropolitan Police Service] does not know what information it holds, where it is stored or how to retrieve it". Another found last year: "54% of files were missing".'
Online and face to face training is available for all UEA staff. For those who prefer online training, you can choose from:
- Data Protection (mandatory for any member of staff handling personal data)
- Freedom of Information
- Records Management
- Information Security (available from Blackboard)
- Copyright (available from Blackboard)
Each module takes around 30 minutes to complete, and includes activities to ensure you've mastered the key points.
Face to face training can be booked via CSED, or contact us to find out more about bespoke training for your department.