LAST WEEK IN PRIVACY & DATA PROTECTION
34th Weekly Newsletter -> 25 February - 1 March 2017
UK ICO Issues Guidance Document on GDPR and Consent
Last week the UK Information Commissioner’s Office (ICO) issued the first Guidance Document in 2017 dealing with the topic of consent in the GDPR. The Document describes the changes the GDPR will bring as it sets a high standard for consent. It builds on the Data Protection Act (DPA) standard of consent in a number of areas, and it contains significantly more detail on both the standard and processes for consent.
The Guidance Document includes the ICO’s recommended approach to compliance and what counts as valid consent. It helps organisations decide when to rely on consent and explains the key differences from the DPA. The ICO is seeking feedback on the Document through a consultation running until 31 March 2017.
Read more HERE
Read the Guidance Document HERE
UK ICO Fines Private Health Firm £200,000
The Information Commissioner’s Office (ICO) fined a private health company, HCA International Ltd, £200,000 for failing to keep fertility patients’ personal information secure. The ICO investigated the health company’s data transfer, storage and transcription practices. HCA International came under ICO investigation as part of a worldwide network of private health care facilities offering a range of services, including fertility treatment. In April 2015 a patient found that transcripts containing details from interviews with Lister Hospital IVF patients could be freely accessed by searching online. The investigation revealed that the hospital had been routinely sending unencrypted audio recordings of the interviews by email to a company in India since 2009. Details of private conversations between a doctor and various hospital patients wishing to undertake fertility treatment were transcribed in India and then sent back to the hospital. The Indian company could not restrict access to the personal information because it stored the audio files and transcripts on an unsecured server. HCA International thus breached the Data Protection Act 1998 by failing to ensure that its sub-contractor acted responsibly.
Read more HERE
Read the Penalty Notice HERE
The Aftermath of YAHOO’s Data Breaches
Yahoo suffered a data breach in 2014 but did not notify its users until September 2016, when it began notifying around 500 million users that their email addresses, birth dates, answers to security questions and other personal information may have been stolen. Just three months later Yahoo revealed it had been hit by a separate hack in 2013, which affected about 1 billion accounts.
As a result, Yahoo announced that it is punishing CEO Marissa Mayer and parting ways with its top lawyer over the way the two data breaches were handled. Mayer will not be paid her annual bonus, nor will she receive a potentially lucrative stock award, because a Yahoo investigation concluded that her management team reacted too slowly to the breach discovered in 2014. Furthermore, Ronald Bell, Yahoo’s general counsel, resigned without severance pay over his department’s rather apathetic response to the security lapses.
Read more HERE
For privacy jobs and vacancies follow @dprecruitment