ICO Issues Fine of £90,000 for Breach of PECR

By Oliver Grazebrook and Ezra Steinhardt

On 20 March 2013, the UK Information Commissioner's Office (ICO) announced that it had issued a fine of £90,000 against DM Design, a Glasgow-based kitchen and bedroom fitting company, for breaching the Privacy and Electronic Communications Regulations (PECR) by making thousands of unwanted direct marketing calls.  This fine, made two years after the ICO was first granted the power to issue fines of up to £500,000 for serious breaches of the PECR, apparently marks the start of a new enforcement campaign against companies breaching the PECR.  The ICO stated in its announcement that the fine against DM Design will not be “an isolated penalty,” and confirmed that twelve other companies also are now under investigation for direct marketing breaches, and that two of these will apparently receive “significant penalties” over the coming weeks.

New ICO Guidance Offers Employers Practical Advice on Implementing Safer "Bring Your Own Device" Policies

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30% are given guidance on secure use and the risks relating to personal data loss or theft.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD. The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices. The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD. In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.

UK's Information Commissioner's Office Issues Consultation on Data Protection and the Press

By Fredericka Argent and Helena Marttila-Bridge

On 21 February 2013, the ICO launched a consultation on its proposal for a new code of practice regulating the press in the UK.  The consultation is in response to the publication of the Leveson Report in November 2012, which recommended significant and wide-ranging changes to the structure and regulation of news reporting in the UK.  As we blogged here, the ICO responded to the Leveson Report with comments on the role of the Data Protection Act 1998 (the “DPA”) in regulating the press and promises to issue new press guidance.

The ICO has made clear that the code of practice is not intended to create any new legally binding obligations. Rather, the proposed code will lay down guidance on the application of section 32 of the DPA, which provides an exemption from compliance with certain data protection principles where personal data is processed, among other things, with a view to the publication of journalistic material in the public interest (the so-called “special purposes” exemption).  Although the precise content of the code of practice is a work-in-progress, the ICO has proposed to cover at least the following topics:

ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other categories of data. 

Following an investigation, the ICO declared that the breach had been “preventable” had software been kept up to date, and stated that “[Sony] is a business that should have known better”. 

The monetary penalty notice redacts key details of the breach -- such as the precise number of Sony Playstation accounts affected -- but nevertheless reveals interesting details about how the ICO reached the decision to fine Sony £250,000, of which other companies should take note.

In particular, the notice cites aggravating factors, including, for example, the “vast amount” of personal data affected, and the ICO’s belief that Sony “should have been aware of the software vulnerability” that led to the breach.  The notice also cites mitigating factors, which presumably reduced the scale of the fine, including, for example, the complexity of the Sony Playstation Network, a lack of previous security breaches, the fact that no complaints were received by Sony after the breach, and Sony's behaviour following the breach (Sony voluntarily reported the breach to the ICO, informed data subjects, and fully cooperated in the investigation).

A short YouTube video of David Smith, Deputy Commissioner and Director of Data Protection at the ICO, commenting on the breach, was also released, and is available here.

The ICO Responds to the Leveson Report

By Dan Cooper, Helena Marttila & Fredericka Argent

Following the 2011 News International phone-hacking scandal, the UK government commissioned an in-depth inquiry, conducted by Lord Justice Leveson, into the accusations made against the British press.  The “Leveson Inquiry” was a full-scale investigation, which culminated in an approximately 2000-page report published in November 2012.  The report recommends significant, wide-ranging changes to the structure and regulation of news media reporting in the UK, including changes to the UK’s Data Protection Act 1998 (the “DPA”) and the role of the UK’s data privacy regulator, the ICO.

On 7 January 2013, the ICO published a response to the Leveson report. The first half of the ICO’s response deals with Leveson’s recommendations concerning the ICO, including the suggestion that the ICO should improve its understanding of the data protection regime regarding the press. In its response, the ICO promises to issue numerous policies and guidance relating to the use of personal data by the press. These include, for example, the introduction of a new dedicated section on the ICO website providing the public with information on their data rights regarding the media, the publication of a Code of Practice to be observed by the press when processing personal data, and an Annual Report to Parliament which provides regular updates on the effectiveness of any ICO guidelines and other measures.

ICO Releases New Guidance on Destruction of Electronic Equipment

By Bonnie Drury and Ezra Steinhardt

The Information Commissioner’s Office (ICO) has produced new guidance on “IT asset disposal for organisations” to help data controllers understand their responsibilities relating to the destruction and disposal of electronic equipment.  The guidance, which addresses one of the areas where organizations are most frequently fined under the UK Data Protection Act 1998 (DPA), explains how controllers should create an asset disposal strategy, take measures when engaging IT disposal companies, and assign responsibility for IT asset disposal within their organization.  These measures are intended to help controllers comply with the seventh principle of the DPA, known as “information security”, which requires data controllers to take measures to ensure the security of the personal data they process. 

There are three main elements to the ICO’s guidance:

  • Create an asset disposal strategy. The organisation should formulate an information security policy that includes a section on procedures for IT asset disposal and data deletion.  This section should include information about the devices used by the organization to process personal data; the nature of such personal data; how the devices will be disposed of when they are no longer needed; and how the risks associated with the disposal process will be assessed.
  • Engage an IT disposal company. If the organization employs a specialist asset disposal company to deal with the devices, this company will likely be defined as a “data processor” under the DPA. As a result, a written contract should be put in place between the parties, detailing the organization’s instructions for disposal of the assets. The organization should monitor and audit the disposal process to ensure that the asset disposal service provider is complying with its instructions.
  • Designate an asset disposal champion. A member of the organization with a suitable level of authority should have responsibility for IT asset disposal. This person should be aware of which devices leave the organization, what personal data is stored on them, and who has responsibility for erasing the personal data.

ICO issues £440,000 fine to telecoms company for illegal direct marketing

By Bonnie Drury and Ezra Steinhardt

On 28 November 2012, following an 18-month investigation, the UK Information Commissioner’s Office (ICO) announced that it had fined the joint owners of Tetrus Telecoms (Tetrus) a total of £440,000 under the Privacy and Electronic Communications Regulations (PECR).  The fine penalized Tetrus for sending millions of unsolicited text messages promoting opportunities to claim compensation for personal injury and mis-sold payment protection insurance (PPI).

In breach of the PECR, Tetrus (according to the ICO) failed to obtain consent from the recipients of the text messages and failed to identify itself as the sender.  The ICO explained in its press release that Tetrus used any replies to its messages to generate business by selling respondent contact information to third party legal services providers. 

In addition to the fines for breaching the PECR, Tetrus’ joint owners, Christopher Niebel and Gary McNeish, may also face prosecution for failing to register Tetrus with the ICO as a data controller (as required by the Data Protection Act 1998, given that Tetrus was collecting and processing personal data).

This is the first time that the ICO has used its power (which entered into force in January 2012) to issue a fine for a serious breach of the PECR.  In a statement, the Information Commissioner, Christopher Graham, said: “The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls and we are currently cracking down on the companies responsible, using the full force of the law”.

ICO Issues New £250,000 Fine to Scottish Local Government Body

On 11 September 2012, the UK Information Commissioner’s Office (ICO) announced that it had fined the Scottish Borders Council £250,000 under the Data Protection Act 1998 (the DPA) following the discovery of a former Council employee’s pension records in a supermarket’s car park paper recycling bank. The document was one of at least 676 files containing confidential personal data that were deposited in this way.  The documents were only brought to light when a member of the public alerted the police.

According to the Penalty Notice issued by the ICO, the data protection failure was originally caused when the Council entered an outsourcing arrangement for the digitisation of its former employees’ and former members’ pension records with a third party company without also agreeing a data processing contract with that company to guarantee the technical and organisational security of the data.  Under the DPA, a data controller remains responsible for the security of personal data even when data are transferred to a third party processor.

UK Government Launches Consultation on New Data Portability Requirement

The UK’s Department for Business, Innovation and Skills (BIS) has launched a consultation on proposals to compel suppliers of goods and services to provide consumers access, upon request, to their personal transaction and consumption data in an open standard machine-readable format.  The UK Government (UKG) would prefer that the data be supplied at no cost and may also allow certain categories of small businesses to make such requests.  An existing enforcement body -- possibly the Information Commissioner’s Office or a consumer protection body -- is likely to be responsible for enforcing the proposed new requirement.

The consultation document explains that the proposed new requirement would offer a more targeted approach towards access to personal data than is currently available under the UK Data Protection Act 1998.  The requirement would:

  • only relate to transaction data regarding a consumer’s purchase/consumption of products and services from that supplier;
  • only cover factual information, for example what a consumer bought, where they bought it, and how much they paid for it;
  • not cover any subsequent analysis that the data holder has undertaken on the information; and
  • only apply to businesses that already hold this information electronically.  Businesses would not be required to collect any new information and existing information would only have to be released if requested by consumers. 

Following the European Commission’s proposals to reform the EU Data Protection Framework (see here and here), which also included a controversial data portability element, industry is likely to pay close attention to this UK initiative.

The closing date to respond to the consultation is 10 September 2012.  Interested parties may also join Open Forums discussing the consultation at the BIS Offices on August 9 (3-5pm), 16 (3.30-5.30pm) and 23 (3-5pm) by contacting midata@bis.gsi.gov.uk.

Google Contacts ICO Stating That It Still Holds Some Street View Payload Data

In a surprise turn of events, Google has written today to the UK data protection authority (the “ICO”) and other regulators around the world stating that it still possesses some of the payload data collected by its Street View vehicles in 2010.  This follows the ICO re-opening its probe into Google’s Street View activity last month.

The company confirmed that during an internal review it determined that it still held payload data from both the UK and other countries.  These include Ireland, France, Belgium, Netherlands, Norway, Sweden, Finland, Switzerland, Austria and Australia.  Google has stated that it would like to delete the remaining UK data but would like instructions from the ICO before proceeding. 

The ICO has responded with a letter stating that it intends to examine the content of the UK payload data and asked for the data to be held securely for this purpose.  The ICO has also released a statement noting that the payload data “was supposed to have been deleted in December 2010” and the “fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010”. 

Furthermore, the ICO confirmed that it was in touch with other data protection authorities in the EU and elsewhere to coordinate the response to this development.

UK Parliament Committees Open Consultations on Proposed Data Protection Regulation and Proposed Communications Data Bill

On 12 July, 2012, the Justice Select Committee, the body tasked by the UK Parliament’s European Scrutiny Committee to give its opinion on the EU Commission’s proposals to reform EU data protection laws, launched a call for written evidence on the following questions: 

  • Will the proposed Regulation strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection in the EU, and on the other for business and public authorities not to be stifled by regulatory, financial and administrative burdens placed upon them? 
  • Will the proposed Directive strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection for police and criminal cooperation in the EU, and on the other for law enforcement authorities to be able to investigate crime without disproportionate financial or administrative burden?
  • Are the next steps the UK Government proposes to take during the negotiations, set out in the Summary of responses to its Call for Evidence, the right approach?

This follows the publication last month of the Summary of Responses into an earlier Call for Evidence on the proposed Regulation.  Responses to the latest consultation must be received by 20 August 2012. 

In addition, on 9 July, 2012, the Joint Committee on the draft Communications Data Bill, which is conducting pre-legislative scrutiny into the draft Bill which would expand existing laws on communications surveillance, invited written submissions on a list of specific questions.  These range from the scope of the Bill to its cost and the adequacy of the proposed safeguards.  Respondents are also free to comment on issues related to the draft Bill which may not have been specifically highlighted by the Committee’s questions. 

Responses to the Call for Evidence on the draft Bill must be received by 23 August 2012.

UK Government prepares new legislative proposal to modernise communications data monitoring law

On 1 April, 2012, the UK press reported that the UK Home Office is preparing to propose new legislative reform of the communications data monitoring law, in the Queen’s Speech in May.  The press reports, and the response from the Home Office on 3 April 2012, provided some further details on a programme that was first announced (without detail) by the current Government in October 2010 in the Strategic Defence and Security Review.  The programme, which resembles a predecessor plan under the prior Labour Government named the “Interception Modernisation Programme”, is now known as the “Communications Capability Development Programme” (CCDP). 

European Mobile Operators Agree to App Privacy Guidelines

This week, the U.K.-based GSM Association unveiled voluntary app privacy guidelines, which are being implemented by several major European mobile telephone service operators for their own branded applications.  According to the GSM Association, the companies adopting these guidelines include Deutsche Telekom, France Telecom - Orange, Telecom Italia, Telefónica, and Vodafone.  This development follows last week's announcement of an agreement by Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to ensure that mobile device apps that collect personal information contain privacy policies.

The GSM Association guidelines are designed to apply to all parties in the app or service delivery chain that are responsible for collecting and processing a user's personal information, including developers, device manufacturers, platforms, mobile operators, and advertisers.  The guidelines encourage the development, delivery, and operation of mobile apps that help users understand what personal information an app may access, collect and use; what the information will be used for, and why; and how users may exercise choice and control over this use.

Examples illustrating practices the GSM Association considers compliant and noncompliant with these guidelines are also provided.

UK ICO Issues Updated Guidance on the Rules on Use of Cookies and Similar Technologies

By Dan Cooper and Maria-Martina Yalamova

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules apply.  As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12 month lead-in period.  When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and demonstrate that steps are being taken to make that happen.  Highlighted below are some of the more notable aspects of the guidance.

Scope.  The guidance confirms that the rules will apply to websites using cookies and other similar technologies for sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, bugs, and so forth.  The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as enabled televisions and games consoles.

New obligations.  The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:

  • inform subscribers and users that the cookies are there;
  • explain what the cookies are doing; and
  • obtain subscriber or user consent to store a cookie on a device.

The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance.  Organizations will need to be more pro-active in providing information to subscribers and users.

Exceptions.  Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).

An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”.  These exemptions are the same that appear in the EU-level directive, the e-Privacy Directive 2002/58.

Consent.  Absent an applicable exception, the cookie rules require that a subscriber or a user consents to the deployment of a cookie on their device.  Prior consent is not expressly required (and may not be technically feasible in some cases), but website operators must be able to demonstrate that they have expended effort to reduce the amount of time before a subscriber or user receives information about cookies and is provided with clear options.  At present, the ICO discourages websites from relying on implied consent due to the relatively low user awareness of the functions and use of cookies.  However, as consent mechanisms evolve and user awareness improves, there is a suggestion that the position may change.

Obtaining consent in practice.  The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent.  The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reveal a subscriber or user’s informed consent. 

Notice.  Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies.  When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice. 

Analytical cookies.  Setting analytical cookies on a user’s device also will require consent as they do not fall within the “strictly necessary” exception criteria.  Where websites do not have a relationship with users (e.g., users simply visit the site to browse), they must ensure information about cookies is highlighted in a prominent place (not just made available via a general privacy policy link).  Where the information collected from a subscriber or user is shared with third parties, this should be made absolutely clear.

Responsibility for compliance.  As a general rule, the organization setting the cookie is responsible for compliance with the UK rules.  However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent. 

House of Lords Calls for a Privacy Commissioner

By Dan Cooper and Maria-Martina Yalamova

An amendment tabled in the House of Lords during debate on the Protection of Freedoms Bill 2010 - 2011 has called for the creation of a dedicated Privacy Commissioner.

The proposed establishment of a single Privacy Commissioner seeks to correct the existing proliferation of UK commissioners with strictly circumscribed powers and create an organization that is sufficiently flexible to navigate through the ever-changing technology and privacy policy landscapes.

If the Bill receives Royal Assent and becomes law, the new Commissioner will supersede the current UK Information Commissioner and reflect a more holistic approach of protecting individual privacy in all of its aspects rather than regulating personal data alone.

UK Government Opens a New Consultation on Access to Public Data

On 4 August, 2011, the Cabinet Office of the UK Government opened a new public consultation on disclosure and access to public sector data.  The consultation, which seeks to "establish a culture of openness" in the public sector, comes soon after a statement from the ICO suggesting that public sector organisations should respond to Freedom of Information requests even when they are made via Twitter.  

The consultation will explore ways to make government more transparent, both by increasing rights of data access for individuals, businesses and organisations, and by enhancing transparency standards within government to increase government accountability.  The consultation will also ask stakeholders whether they believe the Information Commissioner's Office has sufficient powers to enforce government transparency (primarily through Freedom of Information Act legislation).  

In an effort to make government data more useful to individuals, NGOs, and industry, the document also envisages the release of more useful and compatible data sets, so that better use can be made of public data.  In this context the consultation will explore whether standards for data publication can be established, how the release of different datasets should be prioritised, and how government should use (and allow the use of) its data inventories.

Responses to the consultation must be received by 27 October 2011.

Commission Launches Enforcement Proceedings Against 20 Member States on "Cookie" Rules

On 19 July, 2011, the European Commission announced that it sent formal requests for further information to 20 Member States regarding their failure to implement the EU's new package of telecoms rules.  The rules, which include amendments to the E-Privacy Directive (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF) to create new consent requirements for the use of most web cookies, were required to be enacted by the Member States by 25 May, 2011.

As we described here (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF) previously, the problem is that in many Member States the new measures have been delayed over questions regarding how such consent requirements and breach notifications will work in practice.  Some Member States are also clearly hoping that new browser settings will be developed in order to obtain adequate user consents.  Meanwhile, other Member States have implemented the new rules but subsequently also adopted a cautious stance over enforcement of the new rules.  As we reported previously (http://www.insideprivacy.com/international/united-kingdom/on-first-day-of-new-uk-cookie-rules-ico-issues-a-1-year-moratorium-on-enforcement/), the UK's rules are now in force, but the UK ICO added on the legislation's first day that it would not substantively enforce the new cookie rules until May 2012.  Although the UK does not appear to be in the firing line, the Commission is clearly taking a dim view of such ongoing concerns.  It is unusual for enforcement proceedings to be launched so quickly and against so many Member States.

The Commission has taken other recent actions in relation to the e-Privacy amendments.  Fearing the birth of new divergences in national laws as they languish in the legislatures, on 14 July, 2011, Commissioner Neelie Kroes launched a new consultation on how the new data breach notification requirements for electronic communication service providers should be carried out in practice.  The consultation (http://ec.europa.eu/information_society/policy/ecomm/library/public_consult/data_breach/index_en.htm) will focus on the circumstances that trigger a data breach notification obligation, the practical procedures that should be followed when making a notification, and the information that such notifications will include.  Responses can be submitted until September 9, 2011.

UK ICO Calls for More Privacy Audits

The U.K. Information Commissioner's Office (ICO) issued a press release yesterday calling on companies to undergo more data protection audits.  (Currently, only some public sector entities in the UK can be made to undergo audits -- the ICO can effectively only request to audit a private sector company.)  The ICO issued the "warning" after releasing new figures that show that the private sector was responsible for almost a third of all data breaches in 2010/2011, and that only 19% of private sector organisations voluntarily agreed to undergo audits by the ICO (compared to 71% in the public sector).  The Information Commissioner Christopher Graham proceeded to single out lenders and direct marketing companies as the worst culprits, saying that "many of them are still resisting our offer to undergo audits."

The ICO also released new figures about the progress of such audits, which show that the ICO performed 26 audits in 2010/2011 -- a 60% increase on the previous year.  The figures also reveal that over 90% of ICO recommendations were acted upon following an audit.

Additionally, the ICO released its full Annual Report and held an online webcast and Q & A session on its annual performance.  While further questions can still be submitted, one colourful answer by the Commissioner regarding the new cookie rules (see our previous posts here, here and here) has already been published:  "Website operators", he said, "[should] take their 'consent' obligations seriously under the Privacy and Electronic Communications Regulations -- because I'll be after them if they don't."

On First Day of New UK Cookie Rules, ICO Issues a 1-year Moratorium on Enforcement

Late yesterday the UK ICO issued a new press release and guidance on its plans to enforce the new UK "cookie regulation," which was enacted by the UK Government to implement the EU's e-Privacy Directive.  

The new release, which follows previous ICO guidance outlining how businesses might comply with the new rules (see my previous post), declared that the ICO intends to pursue enforcement with a "light touch" and promised that the ICO will not take enforcement actions against businesses using cookies in the UK without user consent for a 'lead-in' period of one year.  The new rules, which come into effect today, require websites to obtain consent from users when placing cookies on the user's devices. The UK Government has interpreted this requirement to entail specific opt-in consent from users, but it has also specified that consent can be obtained after the cookie has been placed on the user's device, i.e., retroactively.  Businesses will now have a grace period for compliance, but the ICO has warned that those who "do nothing" for this period will find that factor being taken into account when the ICO begins enforcement actions next year.

Christopher Graham, the Information Commissioner, said of the new policy that "I have said all along the new EU rules on cookies are challenging…. Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren't there yet."  The ICO's new release was accompanied yesterday evening by an open letter from Ed Vaizey, the Minister for Culture, Communications and Creative Industries, in which the Department for Culture, Media and Sport endorsed the ICO's new approach and explained its take on the new regulation.

Another effect of the new regulation is that the ICO is granted new powers: the Commissioner will now be able to impose financial penalties on telecoms and Internet service providers who suffer data breaches without telling the ICO; to audit service providers without their consent (although, according to new guidance, consent will still be sought before this power is used); and to impose civil penalties, especially on businesses making unwanted marketing calls and sending text message spam.

UK ICO Issues New Guidance Clearly Requiring Opt-In Consent for Cookies

Following its vague warning on cookies in March, and confirmation last month that the UK would adopt the amended EU rules on cookies verbatim, the UK ICO has now issued new guidance that makes it clear that websites must obtain users' consent before storing cookies on devices.  The guidance, which relates to amendments to the UK e-privacy legislation that come into force on 26 May, 2011, issues a stark warning to companies that they "cannot ignore these rules".

The new guidance focuses on new European rules that require businesses to obtain user consent before placing cookies on their computers.  Previous measures, which included informing users that cookies were being used and offering 'opt-out' procedures, will no longer be sufficient.  The guidance sets out various ways in which the user's consent may be validly obtained, including via pop-ups, terms and conditions of use, and 'feature-led' consent.  The guidance notes that the list of methods for obtaining consent is not exhaustive, but states that browser settings currently are not "sophisticated enough" to allow websites to assume that users have given consent.

There is an exception to the new rule -- user consent will not be required if the use of the cookie is 'strictly necessary' for the operation of the service requested by the user.  Examples include cookies that enable online 'shopping baskets', where a site needs to remember what was placed in the 'basket' before it is paid for by the user.  However, the ICO does warn that this exception should be interpreted "quite narrowly".
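To make the distinction above concrete, here is an added example (not code from the ICO, the blog, or any site it mentions) of a small client-side consent gate: every cookie write is tagged with a category, writes in the 'strictly necessary' category (such as a shopping basket) always go through, and every other category is refused until the user has opted in and is cleared again if consent is withdrawn. The class name `CookieGate`, the category labels, and the in-memory `jar` standing in for `document.cookie` are all assumptions made for illustration; a real site would replace `jar` with its cookie-setting call and record the refused writes for its compliance audit.

```javascript
// Added illustration, not from the ICO guidance or the blog post.
// Category labels, the CookieGate class and the in-memory jar are assumptions.

const STRICTLY_NECESSARY = "strictly-necessary"; // exempt from consent under the rule

class CookieGate {
  constructor() {
    this.consent = new Set(); // categories the user has explicitly opted in to
    this.jar = new Map();     // constructed stand-in for document.cookie: name -> {value, category}
    this.blocked = [];        // audit trail of writes refused for lack of consent
  }

  // User opts in to a category (e.g. after a pop-up or feature-led prompt).
  grant(category) {
    this.consent.add(category);
  }

  // User withdraws consent: stop future writes and drop cookies already set.
  revoke(category) {
    this.consent.delete(category);
    for (const [name, rec] of this.jar) {
      if (rec.category === category) this.jar.delete(name);
    }
  }

  // Only strictly-necessary cookies, or categories with consent, are written.
  setCookie(name, value, category) {
    if (category === STRICTLY_NECESSARY || this.consent.has(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.blocked.push({ name, category });
    return false;
  }

  get(name) {
    const rec = this.jar.get(name);
    return rec ? rec.value : undefined;
  }
}

// Walk through the lifecycle described in the guidance and return the gate
// so its state can be inspected.
function demo() {
  const gate = new CookieGate();
  gate.setCookie("basket", "item42", STRICTLY_NECESSARY); // allowed: needed for the requested service
  gate.setCookie("_analytics", "abc", "analytics");        // refused: no opt-in yet
  gate.grant("analytics");
  gate.setCookie("_analytics", "abc", "analytics");        // now allowed
  gate.revoke("analytics");                                // withdrawal removes the cookie again
  return gate;
}

module.exports = { STRICTLY_NECESSARY, CookieGate, demo };
```

The gate deliberately takes the opt-in-before-placement reading of the rule: nothing outside the exempt category is written until consent exists, so there is no retroactive window to reason about, and the `blocked` list gives a compliance reviewer a record of which non-essential cookies the site tried to set without consent.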

In terms of enforcement, the guidance suggests that businesses which show they are considering how to change their policies to comply with the new rules will not face penalties if they have not fully implemented the change by 26 May, 2011.  This reflects an earlier statement from the UK Communications Minister, Ed Vaizey, that the government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.  The ICO has stated that further detailed guidance on enforcement procedures is also in the pipeline.
