Included in this Data Issues Round Up: Islington Council fined after data breach leaves personal information at risk; Array of data protection breaches in Norfolk and Suffolk's NHS; Everton FC implements security system to safeguard cloud-stored data and more...


United Kingdom

Islington Council fined after data breach leaves personal information at risk

The ICO has fined Islington Council £70,000 after it failed to keep up to 89,000 people's personal information secure on its parking ticket system website.

Sensitive data such as medical details, cheques and prison records were kept as part of Islington Council's Ticket Viewer system, which allows people to see a CCTV image or video of their alleged parking offence. This system was found to have design faults, meaning a huge tranche of personal data was at risk of being compromised.

A member of the public brought the problem to light in October 2015 when they stumbled upon folders containing personal data that could be accessed simply by manipulating the URL.

The ICO found that there had been unauthorised access to 119 documents on the system belonging to 71 people, seen 235 times from 36 unique IP addresses.

By failing to test the system prior to going live and regularly after that, the London borough council was found to be in breach of the Data Protection Act, as it had not taken appropriate technical measures to keep information secure.

Further information can be found on the ICO website here.

Array of data protection breaches in Norfolk and Suffolk's NHS

Hospitals in Norfolk and Suffolk have reported more than 650 data protection breaches in the last year.

The data breaches included confidential details of 12 patients left on a document at a local restaurant and a ward handover sheet containing details on 35 patients found in a petrol station.

Over the last three years, ten breaches have been reported to the ICO to be investigated further due to the seriousness of the incident.

As a result of the breaches, Norfolk and Suffolk NHS have dismissed staff and said that they are tightening up the procedures in relation to how they look after patients' records.

As reported by the Evening News, more information is available here.

Everton FC implements security system to safeguard cloud-stored data

Everton FC has announced an IT security deal with Netskope to implement software which helps protect players' and fans' confidential information stored in the cloud.

The deal enables the club to access the cloud provider's Active Platform, which analyses all cloud services (both sanctioned and unsanctioned) and provides an overview of real-time cloud usage, allowing them to deal promptly with any detected threats.

Everton said the technology is vital to ensure highly sensitive and confidential information remains private, such as player contract negotiations, medical information and details belonging to the club’s fans. It will also play an important role in ensuring the club complies with the GDPR regulations due to be implemented next year.

As reported by Information Age, more information is available here.

Two in three bosses at Britain's biggest businesses have no cyber attack training

New Government research has revealed two in three executives at Britain's top firms have not been trained to deal with cyber attacks, despite more than half of firms saying that these threats represent one of the biggest risks to their business.

The survey of the UK's biggest 350 companies also found that one in ten have no response plan for dealing with a cyber incident and less than a third of boards receive comprehensive cyber risk training.

Digital minister Matt Hancock said recent cyber attacks had demonstrated the devastating effects of an ineffective cyber security strategy. In May, WannaCry malware majorly disrupted parts of the NHS and thousands more organisations. Just weeks later, NotPetya, another type of malware, struck some of the world’s biggest companies.

Separate new research published on the same day showed how charities are just as susceptible to cyber attacks as businesses, with many staff having limited knowledge on the topic. The charities recognised those responsible for cyber security required further training.

The Government Press Release is available here.

UK government seeks to stay 'aligned' with the EU's data protection regulation post Brexit

In a position paper from the Department for Exiting the EU, the Government has hinted that Britain will seek to stay closely aligned with EU data protection regulations post Brexit.

The plan was welcomed by tech industry chiefs, although warnings followed that this would not be easy to achieve. One of the most pressing issues in the Brexit talks is how both business and government will uphold legal cross-border data exchanges after Brexit.

The position paper argues that the UK will leave the EU with rules on data-sharing at an “unprecedented point of alignment”, and will seek a prompt resolution from the European side that data flows will be maintained unhindered.

Afterwards, the UK will pursue a new, modified UK-EU model “which could build on” the current model in which the European Commission grants “adequacy” status to non-EU countries which comply with EU data protection standards. This new model would allow the ICO to have an ongoing role within the existing network of EU data protection authorities.

As reported by The Independent, further information is available here.

Key Contacts

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK