Tag Archives: ICO

Passport Service breaches Data Protection Act

The Information Commissioner’s Office (ICO) has released details of a data breach involving the Identity and Passport Service (IPS). In May 2010 the personal details of 21 applicants, along with their counter signatories, went missing, contravening the Data Protection Act.

Despite processing more than 25 million applications in the last five years, a spokesman for the IPS said they had already carried out a full internal review of security and had cancelled the application information as soon as it learnt of the breach. It was hoped this hadn’t led to any further risk to the applicants or subjected them to identity fraud.

The Chief Executive of the IPS has signed an undertaking to implement a number of measures to prevent this type of breach happening again. It states all those affected by the breach were informed and offered new passports, and that no complaints were received by the IPS.

Mick Gorrel from the ICO says “A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost. However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again.”

ICO praises calls for expanding Freedom of Information powers

Reforms to the Freedom of Information (FOI) Act, which are being discussed by the government, have been given the thumbs up by data protection watchdog the Information Commissioner’s Office (ICO), which believes greater transparency will ensure greater fairness in the future.

One of the biggest changes that will be made in the first slew of reforms will reduce the amount of time that data can be withheld from the National Archives, cutting the current 30 year period of retraction to just 20 years. This means it will be easier for anyone to get their hands on court documents and papers which circulate in central government.

Once the legislation passes, it will be possible for FOI requests to be made against a wider range of individuals and organisations, including any business owned by the public sector and the Association of Chief Police Officers.

The practical applications of the FOI act will be considered and the government will also be looking into whether the changes will be effective, with a view to making further amendments if they do not go far enough towards ensuring transparency.

The ICO’s Christopher Graham said that transparency was already being achieved in many areas, citing the publication of wages collected by high earning members of the Civil Service as just one way in which data was becoming less rigidly protected.

Mr Graham pointed out that the FOI act is six years old and so a revision and expansion of its powers seems sensible.

It is said that the public is hungry for gaining more access to the data which relates to their lives and how the country is being run, with Mr Graham speaking out in favour of this inclusive transparency that the FOI makes a legal requirement.

Mr Graham also said that he hoped the ICO would be seen as a more independent body, able to enact its duties within the public and private sector, without bias, while upholding the basic rights of data protection expected by UK citizens.

DPA breach by Scottish Court Service investigated by ICO

The Information Commissioner’s Office (ICO) has become involved in an investigation into an alleged breach of the Data Protection Act (DPA) by the Scottish Court Service.

Private data contained within court documents was improperly disposed of at a recycling centre in Glasgow, according to reports, which has led to the ICO confronting the organisation with a formal undertaking.

The initial data loss was discovered in September last year when a local newspaper was alerted to the fact that highly sensitive details had been dumped in a public recycling bank and the ICO was subsequently involved in looking into how this could have occurred.

Scrutinising those responsible for the data allowed the ICO to determine that it had in fact been lost by an individual who had edited law reports for the service. The breach had been made possible because no member of the organisation had ensured that this person was properly informed on how to safely use this type of data.

The ICO’s Ken Macdonald said that there was a possibility such a loss would damage the trust which people involved in the Scottish legal system would feel for the framework of justice that should, theoretically, protect their most basic rights.

Mr Macdonald said that the data should not have been taken outside of the courtroom and warned that if it had been picked up by a malicious third party, it could easily have resulted in the exploitation of those implicated in its contents.

From now on workers at the Scottish Court Service will undergo training in order to ensure that they all understand the data protection policies enacted by the organisation. This includes not only the way in which data is handled and used, but also how incidents of loss or theft are reported.

As part of the ICO’s measures the formal undertaking will require that every employee who shares data as part of their work is signed up to this so-called Memorandum of Understanding sanctioned by the powers that be.

Data harvesting concerns voiced over NHS Choices website

Fears that the NHS Choices website is allowing data about visitors to be gathered by social networking sites and third party firms, have been voiced to the Information Commissioner’s Office (ICO), which has begun investigating the claims.

Analysis of the privacy policy which governs visitors to the site shows that anyone who lands on a page that has a Facebook element embedded, will have data relating to their visit and actions harvested.

In particular the specific time and date, along with the page visited, browser used and operating system installed on the visitor’s PC, will be taken by Facebook. IP address information will also be gathered, according to reports, with those who are simultaneously logged into the social networking site having their profiles directly linked to this data.

A statement from the Department of Health explained that the data was being harvested in order to improve the way that the NHS Choices site operates, based on how users are accessing its pages and services.

The ICO spoke to V3.co.uk and said that health-related details were essentially the definition of personal, private data. It explained that it had asked the NHS to provide details as to whether third party organisations would be privy to the specific health data accessed by each user.

Privacy expert, Mischa Tuffield, said that although the NHS Choices privacy policy pointed out that certain pages with obvious Facebook elements would harvest data about users, in her experience, this was not entirely accurate since other pages which should not be included under this definition had still been shown to send data back to the social networking site.

Tuffield said that although the NHS was within its rights to improve services both online and off by gathering user data, it should also give consideration to the privacy of its customers.

The Department of Health has dismissed claims that it has breached the terms of the Data Protection Act with the data harvesting activities of the NHS Choices website.

It said that such eventualities are brought about because of the way in which Facebook operates, not the site itself, with advice for future users being that they should sign out of Facebook before visiting, to avoid being monitored.

ICO issues fines months after new punitive powers were gained

The Information Commissioner’s Office (ICO) has for the first time taken advantage of new powers it was issued with earlier in the year, to level fines against private and public organisations which have been held responsible for data loss or theft.

In an announcement made this week, the ICO said that a £100,000 fine is being put at the feet of Hertfordshire County Council, in response to a pair of significant data losses and security breaches.

The events in question occurred in June this year with private data accidentally leaking out of the litigation unit dealing with childcare cases for the council. Two separate faxes containing incorrect details exposing data relating to unrelated individuals were issued to the wrong recipients, with the council notifying the ICO on both occasions.

The incidents occurred within two weeks of one another, with one fax going awry and ending up on a private citizen’s machine, after which the council attempted to cloak the details of the mistake from the media.

The second incorrectly sent fax with data of three local children, along with information about people who had been convicted of domestic violence, turned up in the office of a barrister who was not involved in the particular case.

The ICO concluded that a fine of £100,000 was an adequate penalty in the face of these data loss incidents, which were considered to be serious in nature and potentially harmful to the members of the public who were exposed as a result.

£60,000 in fines have also been charged to a private company called A4e, which lost the private data of 24,000 citizens when a laptop which lacked encryption was stolen from an employee of this employment services firm, in the summer of 2010.

A4e took steps at the time to inform the affected parties and also report the data loss to the ICO. The regulator concluded that the firm had not behaved responsibly when the worker was allowed to use a laptop which lacked proper encryption, that might have protected the data after its theft.

Some experts welcome the news that the ICO has begun to throw its weight around, although others are concerned that this is still not enough of a deterrent, with one identifying that A4e has been made to pay under £3 per lost entry.

Freedom of information requests could apply to government contractors

Private sector firms which handle data for public sector organisations could come under the remit of Freedom of Information (FoI) legislation, if a Cabinet Office Review carried out by Southampton University’s Nigel Shadbolt finds in favour of this proposal.

The revision to enforce data transparency if private businesses are working on the government’s dime was proposed as part of the Lib Dem manifesto before the election and the party is seeing through its promise, thanks to its position of power in the coalition government with the Conservatives.

Mr Shadbolt spoke to Computer Weekly about the review and said that the Transparency Board is involved in the process. He identified the problematic nature of outsourcing the management of public data to third party firms and then retaining the transparent nature of the data should FoI requests be lodged.

Shadbolt and Sir Tim Berners-Lee, the man who is credited with inventing the web in the early 90s, are campaigning to make government data more accessible and open in its nature.

Significant attention has been drawn to this subject as a result of Suffolk County Council’s announcement that it would be seeking to contract out a majority of public services to private firms.

A meeting held by the Local Public Data Panel concluded that outsourcing data management might be used as a way to lessen the transparency of public sector organisations and protect their actions from independent scrutiny.

Government cuts are leading to the closure of almost 200 quangos and experts are attempting to call for the reams of data stored by these groups to be retained in the public interest. The panel, over which Mr Shadbolt presides, agreed that this data should be made available in the interests of transparency, particularly since during the heyday of the quangos there was a general reluctance to do so.

Not every quango is being disbanded, but campaigners are seeking to make the remaining bodies more accountable and open with the data which they generate and store in the future.
