Tag Archives: personal data

“We’ve updated our privacy policy”: GDPR two years on

Posted on by

by Scott Faulds

Almost two years ago, the General Data Protection Regulation (GDPR) came into force across the European Union (EU) and European Economic Area (EEA), creating what many consider to be the most extensive data protection regulation in the world. The introduction of GDPR facilitated the harmonisation of data privacy laws across Europe and provided citizens with greater control over how their data is used. The regulation sets out the rights of data subjects, the duties of data controllers/processors, the transfer of personal data to third countries, supervisory authorities, cooperation among member states, and remedies, liability or penalties for breach of rights. However, whilst the regulation itself is extensive, questions have been raised regarding the extent to which GDPR has been successful at protecting citizens’ data and privacy.

Breach Notifications and Fines

Critics of GDPR have argued that whilst the regulation has been effective as a breach notification law, it has so far failed to impose impactful fines on companies which have failed to comply with the GDPR. National data protection authorities (such as the Information Commissioner’s Office (ICO) in the UK) under the GDPR have the ability to impose fines of up to €20m or up to 4% of an organisation’s total global turnover, whichever is higher. Since the introduction of the GDPR, data protection authorities across the EEA have experienced a “massive increase” in reports of data breaches. However, this has yet to translate into substantive financial penalties. For example, Google has been issued a €50m fine, the highest issued so far* by CNIL, the French data protection authority. CNIL found that Google failed to provide sufficient and transparent information that allowed customers to give informed consent to the processing of personal data when creating a Google account during the set-up process of an Android powered device. This is a serious breach of multiple GDPR articles and CNIL argued that the infringements contravene the principles of transparency and informed consent which are at the heart of the GDPR.

*  The confirmation of record fines issued by ICO to British Airways (£183m) and Marriott International (£99m) has been delayed until 31st March 2020.

However, the fine imposed on Google amounts to approximately 0.04% of their total global turnover, which some have argued is simply too small an amount to act as any real deterrent. Therefore, it could be said that while GDPR has been effective in encouraging companies to be transparent when data misuse occurs, national data protection authorities have yet to make use of their ability to impose large financial penalties to act as a deterrent.

In recent months, the German and Dutch data protection authorities have both created frameworks which set out how they intend to calculate GDPR fines. Analysis of their fining structures indicates that both models will operate based on the severity of GDPR violation. However, both structures allow for the data protection authority to impose the maximum fine if the amount is not deemed fitting. The International Association of Privacy Professionals believes this will result in significantly higher and more frequent fines than those issued previously, and has suggested that it is possible that the European Data Protection Board may consider implementing a harmonized fine model across Europe.

Brussels Effect

The effects of the GDPR can be felt beyond Europe, with companies such as Apple and Microsoft committing to extend GDPR protections to their entire customer base, no matter their location.  Even the COO of Facebook, Sheryl Sandberg, admitted that the introduction of GDPR was necessary due to the scale of data collected by technology companies. The ability of the EU to influence the global regulatory environment has been described by some experts as the “Brussels Effect”. They argue that a combination of the size, importance and regulatory power of the EU market is forcing companies around the world to match EU regulations. Additionally, this effect can be seen to be influencing data protection legislation across the world, with governments in Canada, Japan, New Zealand, Brazil, South Africa and California all introducing updated privacy laws based on the GDPR. As a result, it can be said that the introduction of the GDPR has enabled the EU to play a key role in global discussions regarding privacy and how citizens’ data is used worldwide. 

Brexit

Following the UK’s exit from the EU, the GDPR will remain in force until the end of the transition period (31st December 2020), after this point it is the intention of the UK Government to introduce the UK GDPR. However, as the UK will no longer be a member state of the EU, it will require to seek what is known as an “adequacy agreement” with the EU.This allows businesses in the EEA and UK to freely exchange data. The UK government believes that this agreement will be signed during the transition period, as the UK GDPR is not materially different from the EU GDPR. However, it should be noted that the most recent adequacy agreement between the EU and Japan took two years to complete.

Final Thoughts

The introduction of the GDPR almost two years ago has had a variety of impacts on the current discussion surrounding privacy and how best to protect our personal data. Firstly, the GDPR has forced companies to become more transparent when data misuse occurs and gives national data protection authorities the power to scrutinise companies’ approaches to securing personal data. Secondly, the influence of the GDPR has helped to strengthen privacy laws across the world and has forced companies to provide individuals with more control over how their data is used. However, the effectiveness of GDPR is limited due to a lack of common approach regarding fines in relation to GDPR violations. In order to develop fully, it will be important for the European Data Protection Board to provide guidance on how to effectively fine those who breach the GDPR.

If you enjoyed this post, you may also like some of our other posts related to GDPR:

Follow us on Twitter to see what topics are interesting our research team.

Digital Leaders Week: Digital government – looking beyond Britain

Posted on by

 

Image: Digital Leaders

This week, the Knowledge Exchange blog is marking Digital Leaders Week with a look back at some of our digital-themed blog posts from the past, and focusing on more recent digital developments.

Our blog has often taken an international view of digital transformation, looking for lessons that might be learned from cities and countries around the world that have been leading the way in making the most of digital technologies in society.

Singapore is one country that has been blazing a trail in digital readiness, and in October 2015, we reported on the city-state’s efforts to ensure that more and more government services could be delivered electronically.

Among the earliest innovations was eCitizen – a first-stop portal for government information and services:

“When the portal was first introduced it pioneered the concept of cross-agency, citizen-centric government services, where users transact with ‘one government’ (the ability to access several government services via the one website).”

That was impressive enough, but, as the Smart Nation website explains, Singapore has continued to explore how digital innovation can improve citizens’ lives. From assistive technology and robotics in healthcare and environmental news updates to autonomous vehicles and an app linking parents and schools, Singapore’s digital revolution is transforming the way its citizens live, work and play.

Closer to home, Estonia has been leading the way on digital government. Our blog post from August 2015 reported on the country’s pioneering approach:

“In Estonia, digital has become the norm, and most government services can now be completed online. They have managed to find a way of creating partnerships between the government, a very proactive ICT sector and the citizens of Estonia. As a result, the country of just 1.3 million people has become a leader in digital government.”

The article went on to highlight some of the key elements in Estonia’s approach to digital government:

  • An ID card (installed on a mobile phone), providing every citizen with secure and instant access to online services such as internet banking and public transport.
  • A national register providing a single unique identifier for all citizens and residents in Estonia.
  • Estonian government services, including verification of citizens’ identities, enabling them to vote in e-elections. Once a voter’s identity has been verified, the connecting digital signature is separated from the vote. This allows the vote to be anonymous.

In 2017, Wired magazine called Estonia “the most advanced digital society in the world.” And with good reason:

“Estonians have complete control over their personal data. The portal you can access with your identity card gives you a log of everyone who has accessed it. If you see something you do not like – a doctor other than your own looking at your medical records, for instance – you can click to report it to the data ombudsman. A civil servant then has to justify the intrusion. Meanwhile, parliament is designed to be paperless: laws are even signed into effect with a digital signature on the president’s tablet. And every draft law is available to the public to read online, at every stage of the legislative process; a complete breakdown of the substance and authorship of every change offers significant transparency over lobbying and potential corruption.”

Our blog noted that there were lessons for the UK to be learned from the Estonian experience:

“…it’s clear that when government, the private sector and citizens come together, it is possible to create a society that is digitally connected.”

As one of the premier election service providers in the UK, Idox is leading the way in the provision of innovative, agile and cost-effective solutions that help authorities deliver across all areas of electoral management, both in the UK and overseas. From canvass tablets and call-centre solutions to electronic voting, Idox delivers democracy through technology, combined with an exceptional customer support service.

In 2019, Idox Elections has gone from strength to strength, delivering local and European Parliament elections in the UK. In addition, Idox made electoral history in Malta, using an Electronic Vote Counting Solution to count the country’s European Parliament election ballots for the first time. Idox’s e-counting software successfully reduced the counting time from days to hours, delivering the poll results in record time.

Protecting privacy in the aftermath of the Facebook-Cambridge Analytica scandal

Posted on by

By Steven McGinty

On 4 June, Information Commissioner Elizabeth Denham told MEPs that she was ‘deeply concerned’ about the misuse of social media users’ data.

She was speaking at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) inquiry into the use of 87 million Facebook profiles by Cambridge Analytica and its consequences for data protection and the wider democratic process. The whole affair has shone a light on how Facebook collected, shared, and used data to target people with political and commercial advertising. And, in a warning to social media giants, she announced:

Online platforms can no longer say that they are merely a platform for content; they must take responsibility for the provenance of the information that is provided to users.”

Although this is tough talk from the UK’s guardian of information rights – and many others, including politicians, have used similar language – the initial response from the Information Commissioner was hardly swift.

The Information Commissioners Office (ICO) struggled at the first hurdle, failing to secure a search warrant for Cambridge Analytica’s premises. Four days after the Elizabeth Denham announced her intention to raid the premises, she was eventually granted a warrant following a five-hour hearing at the Royal Courts of Justice. This delay – and concerns over the resources available to the ICO – led commentators to question whether the regulator has sufficient powers to tackle tech giants such as Facebook.

Unsurprisingly, it was not long before the Information Commissioner went into “intense discussion” with the government to increase the powers at her disposal. At a conference in London, she explained:

Of course, we need to respect the rights of companies, but we also need streamlined warrant processes with a lower threshold than we currently have in the law.”

Conservative MP, Damien Collins, Chair of the Digital, Culture, Media and Sport select committee, expressed similar sentiments, calling for new enforcement powers to be included in the Data Protection Bill via Twitter:

Eventually, after a year of debate, the Data Protection Act 2018 was passed on the 23 May. On the ICO blog, Elizabeth Denham welcomed the new law, highlighting that:

The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

By introducing this Act, the UK Government is attempting to address a number of issues. However, the Information Commissioner, will be particularly pleased that she’s received greater enforcement powers, including creating two new criminal offences: the ‘alteration etc of personal data to prevent disclosure‘ and the ‘re-identification of de-identified personal data’.

GDPR

On 25 May, the long awaited General Data Protection Regulation (GDPR) came into force. The Data Protection Act incorporates many of the provisions of GDPR, such as the ability to levy heavy fines on organisations (up to €20,000,000 or 4% of global turnover). The Act also derogates from EU law in areas such as national security and the processing of immigration-related data. The ICO recommend that GDPR and the Data Protection Act 2018 are read side by side.

However, not everyone is happy with GDPR and the new Data Protection Act. Tomaso Falchetta, head of advocacy and policy at Privacy International, has highlighted that although they welcome the additional powers given to the Information Commissioner, there are concerns over the:

wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

In addition, Dominic Hallas, executive director of The Coalition for a Digital Economy (Coadec), has warned that we must avoid a hasty regulatory response to the Facebook-Cambridge Analytica scandal. He argues that although it’s tempting to hold social media companies liable for the content of users, there are risks in taking this action:

Pushing legal responsibility onto firms might look politically appealing, but the law will apply across the board. Facebook and other tech giants have the resources to accept the financial risks of outsized liability – startups don’t. The end result would entrench the positions of those same companies that politicians are aiming for and instead crush competitors with fewer resources.

Final thoughts

The Facebook-Cambridge Analytical scandal has brought privacy to the forefront of the public’s attention. And although the social media platform has experienced minor declining user engagement and the withdrawal of high profile individuals (such as inventor Elon Musk), its global presence and the convenience it offers to users suggests it’s going to be around for some time to come.

Therefore, the ICO and other regulators must work with politicians, tech companies, and citizens to have an honest debate on the limits of privacy in a world of social media. The GDPR and the Data Protection Act provide a good start in laying down the ground rules. However, in the ever-changing world of technology, it will be important that this discussion continues to find solutions to future challenges. Only then will we avoid walking into another global privacy scandal.

The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 

If you found this article interesting, you may also like to read our other digital articles.

General Data Protection Regulation (GDPR): 10 things business needs to know

Posted on by

 

European Union flag with a padlock in the centre.

By Steven McGinty

On 25 May 2018, the data protection landscape will experience its biggest change in over 20 years.  This is because the European Union’s (EU) General Data Protection Regulation (GDPR) will come into effect for all member states. The regulation, which has been described as ‘ambitious’ and ‘wide-ranging’, introduces a number of new concepts, including the high profile ‘right to be forgotten’ – a principle established in a case involving technology giant Google.

Below we’ve highlighted ten of the most important points for business.

Directly effective

The GDPR is ‘directly effective’, which means that the regulation becomes law without the need for additional domestic legislation (replacing the Data Protection Act 1998). However, member states have also been given scope to introduce their own legislation on matters such as the processing of personal data. This may result in some EU states having more stringent rules than others.

Sharing data and monitoring

It also seeks to increase the reach of EU data protection law. Not only will EU-based data controllers and processors fall under the scope of the GDPR, but its authority will also extend to any business which either processes personal data or monitors the behaviour of individuals within the EU.

This will impact businesses who transfer data outside the European Economic Area (EEA). It will be their responsibility to ensure that the country the data is being transferred to has adequate levels of data protection. The most prominent example of this issue was the US Safe Harbour scheme, which was intended to protect European individuals whose personal data is transferred between the EEA and the USA. In 2015, the European Court of Justice ruled that this scheme had ceased to provide a valid legal basis for EEA-US transfers of all types of personal data. It has now been replaced by the Privacy Shield.

Transparency and consent

Greater obligations have been placed on business with regard both to seeking consent for use of personal data and providing detailed information to individuals on how their personal data is being used. The GDPR requires that consent notices are ‘unambiguous’ – not assumed from a person’s failure to respond – and that consent is sought for different processing activities. Law firm, Allen and Overy recommends that businesses review their notices to ensure they are fit for purpose.

Personal data/ sensitive data

Article 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.

Enhanced rights

New rights and the enhancement of existing rights will require some businesses to improve the way their data is stored and managed. These rights include:

  • Data portability – Business must ensure that individuals can have easy access to their personal data in case they want to transfer their data to other systems.
  • Strengthening subject access rights – Individuals can now request access to their data for no cost and it must be responded to within 30 days (this is a change from the current legislation which requires a £10 fee and there is 40 days to respond).
  • Right to be forgotten – Individuals can request that an organisation delete all the information they hold on them (although this would not apply if there was a valid reason to hold that data).
  • Right to object to processing – Individuals have the right to object to the way an organisation is processing their data.
  • Right to restrict processing – Individuals have the right to request that the processing of personal data is temporarily stopped. This may be invoked whilst a right to object request is being investigated.

Personal data breach

Businesses have an obligation to report breaches to their national regulator, such as the Information Commissioners Office (ICO) in England.  The GDPR requires that notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” This may be challenging for some businesses, particularly if the incident is discovered at the end of the working week.

Failure to comply with GDPR

The regulation introduces two levels of fines. Less serious offences under the regulation will be liable for a fine of up to €10,000,000 or 2% of global turnover – depending on which is highest. However, for more serious breaches, such as a breach of an individual’s rights or a breach during international transfers, a business may be held liable for up to €20,000,000 or 4% of global turnover.

In addition, individuals are also given the right of redress, and those who have had their rights violated may seek to receive compensation. This has led digital marketers to suggest that GDPR could be the next PPI – a practice where insurance was mis-sold to customers, which resulted in a large number of successful claims against financial institutions.

Privacy by design

Technology businesses should also consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer identify a particular person. Additional measures, such as policies and programmes, would also show a national regulator’s commitment to compliance with the GDPR.

European Data Protection Board (EDPB)

A new body has been created to issue opinions and to arbitrate between disputes that arise with national regulators.  The board will be made up of heads of national regulatory bodies (or their representatives) and the European Data Protection Supervisor (EDPS), who govern the data processing activities of EU institutions. The opinions expressed by this board may have important implications for data protection legislation.

Impact of Brexit

Evidence suggests some businesses may be delaying taking action until they see the results of the Brexit negotiations. This possibly explains the research by cloud security firm, Netskope, which found that 63% of UK workers have never heard of the GDPR. Similarly, research by Veritas Technologies, a leading information management firm, has found that 54% of organisations have not ensured they will comply with the new GDPR.

However, it would be very surprising if the UK did not ‘mirror’ the protections offered by the regulation, particularly considering the UK’s significant input to the new legislation. Digital minister Matt Hancock has also confirmed that the UK government intends to fully implement the GDPR.

Final thoughts

If businesses already have policy and procedures in place to meet the requirements of the Data Protection Act, then they should have a solid foundation to comply with the GDPR. In many ways, the new regulation simply provides a clear framework for delivering good practice in data protection.

However, all businesses will need to take action to ensure compliance with the GDPR. Otherwise, the financial penalties (as well as reputational damage) of a breach could have serious consequences for their business. And this is not just an IT issue. The whole organisation, starting from board level, must show a willingness to understand the legislation and implement procedures that protect the fundamental rights of individuals.

Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other data-related articles

Counting the cost of data protection failures in local government

Posted on by

A laptop keyboard with a padlock on it.

By Steven McGinty

In August, Hampshire County Council were fined £100,000 by the Information Commissioner’s Office (ICO) after social care files and 45 bags of confidential waste were found in a building, previously occupied by the council’s adults’ and children’s services team.

Steve Eckersley, the ICO’s head of enforcement, explained that this data protection breach affected over 100 people, with much of the information “highly sensitive” and about adults and children in vulnerable circumstances.  In his view:

“The council’s failure to look after this information was irresponsible. It not only broke the law, but put vulnerable people at risk.”

A widespread problem

In 2015, Big Brother Watch, an organisation which encourages more control over personal data, published a report highlighting that local authorities commit four data breaches every day. It found that between April 2011 and April 2014 there were at least 4,236 data breaches. This included, at least:

  • 401 instances of data loss or theft
  • 159 examples of data being shared with a third party
  • 99 cases of unauthorised people accessing or disclosing data
  • 658 instances of children’s personal data being breached

In the past year, local authorities have reported a 14% increase from the previous year in security breaches to the ICO. The figures show that 64% of all reported breaches involved accidentally disclosing data. This supports research which suggests that human error is a major cause of data protection breaches.

These statistics are both positive and negative for the ICO. Peter Woollacott, CEO of Huntsman Security, suggests that it could show that local government is becoming better at identifying security breaches. However, he also acknowledges that most organisations are subject to multiple attacks, with only some being detected.

Areas for improvement

In 2014, the ICO conducted nine advisory visits and four audits of social housing organisations. It found that improvements could be made in ten areas, including:

  • Data sharing – organisations regularly share personal data but few have formal policies and procedures to govern this sharing.
  • Data retention – few organisations have data retention schedules for personal data, which provide details on when records should be disposed of, although most only extend to physical records. Data protection legislation sets out that data must not be stored for ‘longer than necessary’.
  • Monitoring – there is little evidence that organisations monitor their compliance with data protection policies.
  • Homeworking – where organisations allow staff to work flexibly, it often wasn’t formalised.
  • Training – there are varying levels of data protection training found in organisations.

Public confidence

Unsurprisingly, high-profile data breaches, such as the loss of 25,000,000 child benefit claimants’ details in the post by HM Revenue and Customs (HMRC), have left the public concerned about their data.

In October, a YouGov poll showed that 57% of people believed that government departments could not share personal data securely. And 78% of people didn’t believe or didn’t know whether the government had the resources and technology to stop cyber-attacks.

A poll by Ipsos Mori has also shown that 60% of the public are more concerned about online privacy than a year ago. The three main reasons given were: private companies sharing data; private companies tracking data; and the reporting of government surveillance programmes.

The cost of data protection failures   

The implications of failing to protect the public’s data are serious. Not only could local government be heavily fined by the ICO, but it could also have an emotional or economic impact on individuals if their data enters the wrong hands and is used maliciously (e.g. to commit an act of fraud).  However, there are wider issues for government.

At the moment, both local and central government are undergoing digital transformation programmes, digitising their own operations and moving public services online. Examples include social workers using electronic social care records and the public paying council tax or booking appointments through their local council’s website.

If the public buy into ‘digital by default’ (the policy of ensuring online is the most convenient way of interacting with government), then services could be delivered a lot more efficiently, resulting in significant savings. However, if the public are concerned over the security of their personal data, they may be less willing to consent to its use by government.

We’ve already seen this in some areas. In 2014, the Scottish Government announced plans to expand an NHS register to cover all residents and share access with more than 100 public bodies, including HMRC. This year, the Scottish Government attempted to bring into effect the ‘Named Person Scheme’, where every child in Scotland would be assigned a state guardian, such as a teacher or health visitor.

With both of these schemes concerns have been raised over privacy, including from the ICO in Scotland. The Supreme Court has also ruled against the Named Person Scheme, over the data sharing proposals.

Final thoughts

Local government needs to be robust in ensuring compliance with data protection legislation. The financial costs could be great for local government, but the bigger concern should be public trust. If councils fail to meet their legal obligations, they may find it challenging to implement policies that use public data, even if it brings the public benefits.

Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other data related articles.