Tuesday 29 May 2012

Cookies - enforcement is now a real possibility

According to the latest press release from the ICO (Information Commissioner’s Office)...
“The rules on cookies are covered by the Privacy and Electronic Communications Regulations. The Regulations also cover similar technologies for storing information, e.g. Flash cookies. The Regulations were revised in 2011 and the ICO is responsible for enforcing these new rules...”
The ICO gave a “reprieve” period of one year from when the Amendment came into force (26 May 2011) for organisations to work out how they would comply with the rules, using the ICO’s published Guidance. So, in theory, from last Saturday (26 May 2012) you could be in line for a fine of up to £1000 for non-compliance if you have not, in line with the Guidance: conducted an audit of your website to see whether it uses cookies; assessed the extent of the privacy intrusion and, where necessary, found a method of requesting consent (again in line with the Guidance); and amended your website Privacy Policy accordingly. If you ask your web developer for help and he/she “obstructs” you, they too could be in line for a £1000 fine.
The author was alarmed to hear on national radio on Saturday that fines of up to £500,000 were being quoted. I have spent 6 months carefully reviewing the ICO guidance and can find no mention of anything higher than £1000, which is bad enough if you are a small enterprise!
You should also be aware that the ICO has developed a “tool” by which the public can report websites they do not believe to be compliant with the new cookies rules. Anyone can block cookies from being put on their equipment using their browser settings, but this is not necessarily a good thing, as cookies can prove useful to the web visitor as well as to the web owner.
If you want to find out more, then why not get in touch...

Have you secured your wi-fi network? Perhaps you should..

Secure your wi-fi network...
Google in trouble again over Street View cars’ data uploads
Big article in the Sunday Times, 27th May 2012
In 2009/2010, Google sent out “Street View cars” around the world to gather data to launch “Street View”: the ability to zoom in on a Google map and actually see what the road/landmark looks like. This service, as this author knows well, is very useful if you are going somewhere you haven’t been before and have little sense of direction on a map.
HOWEVER, there was an outcry at the time that privacy was being invaded: cameras peering over boundary fences, through front windows and the like. The ICO (Information Commissioner’s Office, the privacy regulator in the UK) investigated these claims at the time and found that, according to information provided by Google, not much personal data was being collated and that they (Google) would block faces, number plates etc. The ICO also told Google to delete all the data it had collated for which it had no business purpose.
BUT an American investigation has now uncovered further documentation, presumably not previously shown to the ICO, that clearly reveals that software was designed for the vehicles to intentionally capture “personal data from home computers for use in other products”: emails, text messages, passwords, photographs, etc. from unsecured wi-fi networks.
If ever there was an advert to convince you that you should secure your network, this is surely it!
In May 2010 Google stated that software had been installed “by mistake”.
According to the Sunday Times article, this was definitely not the case! In light of the American report, all European data protection regulators are being urged by the European Commission to re-open their investigations.
Google is quoted in the article as saying...
“We have always been clear that the leaders of this project did not want or intend to use this payload data. Indeed Google never used it in any of our products or services.”
Then the question has to be: why did Google collect the data? Collecting it when you don’t have a use for it is just as illegal (under the UK Data Protection Act 1998) as using it for nefarious purposes, at least to this author’s understanding of the legislation.
This is a story without end currently...

Thursday 12 April 2012

Google's Privacy Policy

Google’s new all-encompassing Privacy Policy was issued on 1st March 2012 and has been attracting a lot of controversy, not least with the EU Commission and the French Data Protection Authority, CNIL. Both have announced publicly and directly to Google that the Policy does not meet the EU Directive on Data Protection, on the grounds of “fairness and transparency”.
I have read articles about all this and have read the Policy itself very carefully. The CNIL is yet, as far as I can tell, to elaborate further on its criticisms. From my knowledge base (which is not that of a lawyer!), apart from the fact that it is written in “legalese”, the Policy seems quite clear on what Google will do with the information you hand over of your own free will. I can also imagine that the transfer of your personal data between the different companies globally is an issue if the appropriate authorisations from the relevant countries and the EU Commission have not been sought (Principle 8).
Please note that this is only my opinion based on what is currently available and my knowledge of the UK Data Protection Act 1998 (based on the EU Directive).  I have to say I have read many Privacy Policies that are a lot less clear than the Google version and a lot less compliant!  I shall watch this story unfold with interest.

Tuesday 27 March 2012

What is the Freedom of Information Act 2000?

Many articles in the press or on TV mention using the Freedom of Information Act 2000 to obtain information, but what is this piece of legislation?
The Freedom of Information Act 2000 came into force in England and Wales on 1st January 2005. It applies to all non-personal information held by “Public Authorities”, e.g. NHS bodies, state educational bodies, central government, local government etc. This legislation replaces the Codes of Practice for access to official information that existed previously.
If this law is about the information held by Public Authorities, just how powerful is it? Just ask an MP! One example of a journalist using this law to its fullest extent was the resulting MPs’ expenses scandal. All the information about the MPs’ “misuse” of public money came into the public domain as a direct result of a journalist requesting the relevant information from the House of Commons (a “public authority”) and the MPs not being able to claim that it was not in the public interest to publish!
What use is this for the ordinary person in the street? Anyone can make a request for information from a Public Authority, and it has to consider disclosing it and also whether or not to make it publicly available as well. There are rules, of course, but the general “rule of thumb” is to disclose unless there are very specific and justifiable reasons not to. This information may include policy information or contract information; the latter can help you grow your business. How much are they currently paying for a product/service? If one client had known in advance that a certain NHS Trust would not entertain working in their particular field of complementary therapy, a lot of ensuing problems on both sides would have been avoided! Another client wanted more detail about why a bid to a school had failed: it turned out that the school was only interested in working with a local company, but had not put this into the Specification. That was information we obtained using this law!

Monday 5 March 2012

Data Protection and the construction industry "blacklist"

Did you see the big article on the front page of the Observer newspaper yesterday (4 March 2012) about the blacklisting that had been going on in the construction industry for three decades? They believe that a lot of the data had come from the police and security services, which of course is topical at the moment because of the Leveson inquiry into phone hacking.
This story about the construction industry first broke into the public domain about three years ago. Why is it relevant to aDaVista and the Data Protection Act 1998? Well, it demonstrates the work of the Information Commissioner’s Office (ICO). Bear with me while I explain the “case” and its relevance...
(Information taken from the Observer article and my memory of the case!) Workers in the construction industry had heard rumours for years that a “blacklist” existed. This blacklist could prevent people getting work based on membership of trade unions and being perceived as “troublesome”. Following a case taken to an Employment Tribunal four years ago, the ICO investigated and discovered the existence of a blacklist on a database held by the “Consulting Association”, together with invoices from some of the UK’s biggest construction companies for employment checks.
More civil cases through the tribunal system have followed, and the latest has spurred the Observer article, especially as a representative from the ICO gave evidence that some of the data had come from the police and/or security services. People often ask me how you can tell if there is other information that has not been provided by a company. If you work with personal data long enough, then you can tell whether relevant information has been omitted, or indeed where that data may have come from!
PENALTIES
The ICO closed down the offices and fined Ian Kerr (the keeper of the data) £5,000. What the Observer does not say is that this is the maximum civil penalty that the ICO can impose, and it does not do this without significant evidence of damage to the individuals concerned. The article states: “...only 14 of Kerr’s clients were given enforcement notices, demanding they comply with the law. In the three years since the blacklist was first revealed, only three people are understood to have successfully won a claim at a full employment tribunal.
The vast majority of those who have attempted to gain redress through the courts have failed.” Personally, this does not surprise me in the slightest! Damages of this sort are particularly difficult to prove in legal terms, as companies can easily state that there were other reasons for not employing someone. Interestingly, no one seems to have been advised by lawyers to pursue damages under the terms of the Data Protection Act 1998. Given that the ICO had enough solid evidence to close down the company and hand down the maximum penalty it could at the time, surely the evidence must exist to prove distress and damage to the 3,200 individuals affected? Still, this is only my personal opinion...
We should now watch these cases with interest; precedents could easily be set that may help you in the future...

Sunday 4 March 2012

THE DATA PROTECTION ACT 1998

THE DATA PROTECTION ACT 1998... is seen by many as more “useless red tape”...
BUT is this really true? I am bound to argue “no” given my profession now, but I trust you to make up your own mind!
The best place to start is to look at the Act as a whole – what’s it about?
The Data Protection Act 1998 replaces the Act of 1984. The previous legislation was about the electronic processing of information, but this later one is about so much more! It applies across the United Kingdom and came into force gradually; by 27th October 2007 it was all in place.
The Data Protection Act 1998 (“the DPA”) is primarily concerned with the individual’s information: retaining control over its use; is it being “processed” appropriately?; are there appropriate security measures in place to protect it?
What is “processing”? Anything that you may do with personal information in a business environment! Holding it on a Post-it note; a collection of business cards; a database; a card index; invoices; emails... these are just a few examples of how businesses process personal data on clients/suppliers/staff.
How can the individual know if their data is being respected? The Act sets out a framework for businesses to comply with so that an individual can tell:
- Working with the 8 Data Protection Principles
- Demonstrating compliance with policies, procedures and a “notification” (registration with the Information Commissioner’s Office (ICO)); these all reflect the work of the individual business involved.

PLEASE REMEMBER that the information provided in these blog posts is designed to be general and to apply equally to all types of business and all sectors. If you would like more details specific to your business, then I am happy to arrange a free consultation to discuss further.

Monday 27 February 2012

What does aDaVista do?

Welcome to the aDaVista blog!  I am Robyn Banks, the owner of aDaVista.
What does aDaVista do? We specialise in helping business people put in place policies and procedures to comply with the Data Protection Act 1998 and avoid the penalties. We also help people to use the legislation to get copies of their information and rectify irritating mistakes.
For businesses, we also help them to use the Freedom of Information Act 2000 to grow their businesses when they want to work with public authorities.
We intend to post more detailed information on this Blog about the various pieces of relevant legislation; why you should bother complying and how to avoid the penalties.
WHY BOTHER LISTENING TO ME? My last job in the Foreign and Commonwealth Office was as the Data Protection Casework Officer/Trainer. In this job I spent a lot of time working with the authors of the legislation as government departments strove to achieve compliance themselves. This was a unique experience, as I don’t work in the same way as others (not just solicitors) in the field: my research shows that they tend to teach the law, whereas I help businesses of all sectors and sizes work with the legislation and implement compliance.

aDaVista contact details

There are many ways to contact us for more details about what we do; please see below and make your choice.

Mobile: 07745 772564
You can also find us on:
Facebook: www.facebook.com and search for adavista

Twitter: www.twitter.com @adavista

Linked In: www.linkedin.com and search for Robyn Banks

Monday 20 February 2012