Included in this issue: GP practice fined £40,000 for breach of DPA; Update on EU-US data transfers for organisations: ICO releases comments; Belgian MEP calls for an investigation into dating app privacy rules
United Kingdom
GP practice fined £40,000 for breach of DPA
A GP practice (the Practice) in Hertfordshire, Regal Chambers, has been fined £40,000 by the Information Commissioner's Office (ICO), following the release of personal data relating to a patient and their family, in breach of the Data Protection Act 1998 (DPA).
Mr A was divorced from the mother of his child (Child B) under acrimonious circumstances and Child B's mother specifically told the Practice to take care of their details. Mr A subsequently made a data subject access request (DSAR) for Child B's medical records, providing a court order to prove that he had parental responsibility for the child. Following the request, the Practice sent Mr A the medical records of Child B, containing sensitive personal information and contact details of Child B's mother and other relatives.
The ICO held that the Practice failed to take appropriate organisational measures against the unauthorised processing of personal data, pursuant to the DPA. The member of staff entrusted with the DSAR disclosure process did not receive adequate supervision from GPs, and the Practice did not have a process for checking the documents after they were prepared for disclosure. Further to this, the sensitive nature of the data involved and the broader sensitive context served to highlight the need for robust measures, which the Practice failed to implement. The ICO found that the Practice failed to take reasonable steps to prevent the breach, highlighting that it did not have adequate written policies in place to deal with DSARs.
Data controllers must ensure that they have appropriate written policies in place for dealing with DSARs and protecting personal and sensitive data. Such policies should stipulate that sufficiently experienced staff will carry out the DSAR disclosure exercise, and the results should be physically checked before being sent out. Principle 6 of the DPA covers DSARs and requires you to process personal data in accordance with the rights the Act gives to individuals.
Read the ICO's code of practice on subject access
Europe
Update on EU-US data transfers for organisations: ICO releases comments
Much has been written about the EU-US Privacy Shield (Privacy Shield) since its adoption in July, and now the Information Commissioner's Office (ICO) has released a statement on how organisations should approach data transfers to the US.
The ICO reminds organisations that if they are still relying on the Safe Harbour regime as the basis to transfer data to the US, that they must review their position. The Safe Harbour regime is no longer considered to give adequate protection and should not be included in contracts. The new Privacy Shield is one alternative option for organisations to use when transferring data to the US, and as a starting point, organisations should check whether their US counterparts are intending to become part of the Privacy Shield regime. The US Department of Commerce has released guidance for organisations which contains a link to a current list of Privacy Shield participants.
Alternative options for organisations include putting into place model clauses in contracts with their US partners, or adopting Binding Corporate Rules. But, as the ICO flags, "Doing nothing is not an option". The ICO highlights that it would, in some cases, contemplate enforcement action if organisations have not transitioned away from relying on the Safe Harbour regime. Organisations which have been slow to amend their US data transfer mechanisms should address them now.
Read the US Department of Commerce advice
Belgian MEP calls for an investigation into dating app privacy rules
Belgian politician and Member of European Parliament (MEP), Marc Tarabella, has requested that the European Commission investigates Tinder's privacy policy. Mr Tarabella calls for clarification around what an individual consents to when they register with the app.
The issue surrounds the company's use of data, in particular photos being retained, distributed and modified even after the account has been closed. Mr Tarabella argues this violates European Privacy laws, in particular around storing data only for as long as necessary. Furthermore the app synchronises with the user's Facebook account, significantly expanding the volume of data the company can access. Whilst this doesn't contravene Tinder's privacy policy, Mr Tarabella argues it is this lack of transparency around what data is actually being collected which requires investigation.
Tinder provided the following statement "We take Mr Tarabella's comments seriously, and we will review them as part of a process that is already under way at Tinder to best address the needs of our users and ensure we are compliant with applicable privacy laws." It will be interesting to see if Mr Tarabella's comments prompt a European Commission investigation, as it would be likely to have implications across the dating app sector and could affect many other mobile app providers.
Currently many dating apps can be easily accessed via submitting Facebook login details. Whilst this appears relatively straight forwards, very convenient and avoids the need to fill in countless data fields, the lack of transparency over what is happening to your personal data and who it is being shared with (especially across a wider group company) is of concern.
