UK: Weekly Roundup Of Data Issues – 8 June 2010

UNITED KINGDOM

OFT market study on behavioural advertising and targeted pricing practices

On 25 May 2010 The Office of Fair Trading (OFT) published a market study setting out its current views on behavioural advertising and targeted pricing practices. The report finds that more could be done to provide consumers with better information about how personal information is collected and used.

Click here to view the report.

Consultation on Personal Information Online Code of Practice

The ICO held an online consultation between December 2009 and March 2010 on a draft code of practice entitled 'Personal Information Online'. A summary of responses has now been published. The consultation considered the need to provide organisations with practical guidance for protecting a user's privacy whilst online.

Click here to view the responses.

ICO: Assessment notices code of practice

The code of practice for assessment notices has been published and outlines the role of the ICO when undertaking 'compulsory' audits of certain data controllers.

Click here to view the report.

HM Revenue and Customs apologised after it sent the confidential details of thousands of tax credit claimants to the wrong people

HM Revenue and Customers (HMRC) posted tax credit renewal packs to claimants but some included the earnings, bank sort code and last four digits of bank accounts of other claimants while some received packs with the pages listed in the wrong order. Up to 50,000 people overall were affected.

Longest FOI battle ends in defeat over cancer data

Scotland's first and longest Freedom of Information case has ended. After two investigations by the Scottish Information Commissioner, and appeals to the Court of Session in Edinburgh and the House of Lords in London, numbers that might reveal links between children's blood cancer and radioactive pollution will not be released. The Scottish Information Commissioner has now ruled that it is impossible to do so without disclosing sensitive personal data which must be kept confidential under the DPA.

Ofcom to ban silent calls

On 1 June 2010 Ofcom launched a consultation on proposed new rules to prevent consumers being harassed by repeated silent calls. The new rules are expected to come into force in early 2011. Ofcom is proposing a new rule to prevent a company calling an answer phone more than once in any 24 hour period, unless a call centre agent is on hand to answer the call. This would mean that consumers currently worst affected would no longer receive silent calls over the course of a day.

Click here to view the consultation.

West Berkshire Council loses children's information

West Berkshire Council is taking remedial action after the ICO found it in breach of the DPA following the loss of a USB stick containing the sensitive personal information of children and young people. The unencrypted memory stick, which was not password protected, contained information relating to the ethnicity, physical and mental health of children. The council introduced encrypted memory sticks in 2006 but unencrypted devices were still used by staff.

Click here to view press release.

Lampeter medical practice breached DPA

The ICO has found Lampeter Medical Practice to be in breach of the DPA after an unencrypted memory stick containing personal details of 8,000 patients was reported lost. The Head of Lampeter Medical Practice has agreed to take remedial action by ensuring sufficient steps are taken to ensure a security breach does not occur again. The ICO said that it was unnecessarily risky to download 8,000 personal details on a memory stick.

Click here to view press release.

1,000 data breaches reported to the ICO

The number of data breaches involving people's personal information reported to the ICO has reached 1,000. The ICO maintains that it is essential that the protection of people's personal information is part of organisations' culture and DNA. The ICO's Guide to Data Protection and tips for avoiding wrongful disclosure will help minimise the risks of security breaches occurring.

Click here to view press release.

Police worker jailed for drugs and data offences

A Grampian police worker caught with secret police documents at her home has been jailed for 28 months and fined £1,250 at Aberdeen Sheriff Court. The police worker admitted drug dealing and Data Protection offences.

Ireland - consultation on draft data security code of practice

The Data Protection Commissioner (DPC) has published a draft Data Security Breach Code of Practice for public consultation in response to a recommendation in the recently published report of the Data Protection Review Group.

All instances of the loss of personal data (except where the data can be considered inaccessible due to proper security) must be reported to the Office of the Data Protection Commissioner where it affects more than a hundred people or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft.

Failure to comply with the disclosure obligations of the Code could lead to prosecution by the DPC.

Click here to view the consultation.

EUROPEAN

Article 29 Working Party says Google, Microsoft and Yahoo! do not comply with data protection rules

On 26 May 2010 the Article 29 Working Party told the three major search engine operators - Google, Yahoo! and Microsoft - that their methods of making users' search data anonymous still do not comply with the Data Protection Directive. In letters sent to the search engines, the Working Party urged them to use an outside auditor to verify their commitments to make users' internet search data anonymous. The Article 29 Working Party sent copies of these letters to the FTC and to Viviane Reding European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship.

Click here to view the press release. The letters are available here.

Spanish Data Protection Agency impose fine

The data of the claimant's under-age daughter was collected by a website without proper parental consent and without confirmation of the data subject's age.

The Spanish Data Protection Agency ("SDPA") imposed a fine of €2,000 on Boombang Games, S.L. for breach of Article 6.1 Spanish Data Protection Act ("DPA") relating to the need to obtain consent for processing personal data in relation to Article 13 of the Regulation implementing the DPA (Royal Decree 1720/2007), which sets out the requirements for processing the data of minors.

SeCure

SeCure is Addleshaw Goddard's unique, holistic and pragmatic approach to information management for organisations who have suffered an information breach or who may be concerned about their potential exposure. SeCure seeks to minimise risk and the impact of information losses on an organisation's business, through three interdependent approaches, addressing the commercial and legal requirements at each stage of the information management cycle.

For further information: SeCure Z-mag or the SeCure website: SeCure Website

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.