Included in this issue: Children's Commissioner calls for digital education on data protection in schools; Difficult start to 2017 for charity sector; ECJ setback for UK's "snooper's charter" and more...

United Kingdom

Children's Commissioner calls for digital education on data protection in schools

The UK Children's Commissioner, Anne Longfield, last year commissioned a taskforce, "Growing Up Digital", charged with assessing the risk of children inadvertently sharing personal data online.

The taskforce's report has revealed that children are providing personal data to social media firms without properly understanding the terms and conditions that they sign up to when opening accounts.

It was found that whilst almost 50% of eight- to 11-year-olds sign up to terms and conditions for websites such as Facebook and Instagram, none of the children in the study's focus group could understand the terms and conditions of either platform.

The Commissioner has suggested that the government ensures that children are taught about how to protect their personal information online via the introduction of 'Digital Citizenship' lessons to the school curriculum. She has also advised that a specialist ombudsman be created to help to protect children who use social media.

The Commissioner commented: "It is vital that children understand what they agree to when joining social media platforms, that their privacy is better protected, and they can have content posted about them removed quickly should they wish to."

Under the General Data Protection Regulation (GDPR), parental consent will be required for any child under the age of 13 when it comes to 'information society services'; however, in the UK this age has been raised to 16, this being an agreed opt-out introduced back in 2015.

As reported by Computer Weekly, further information can be found here.

Difficult start to 2017 for charity sector

At the end of 2016, the RSPCA and the British Heart Foundation were served fines by the Information Commissioner for breaching data protection rules by sharing supporter information. PDSA, the UK's leading veterinary charity, is now also fearing censure as a result of breaching the data rules regarding fundraising. In October 2016, the charity suspended its face-to-face fundraising after carrying out an internal investigation in response to complaints about an outside agency that it had been using. The charity made a statement that it would be updating its procedures following this. PDSA relies on public funding to run its 430 pet hospitals and practices, which have a spend of over £100m with no government funding; the outcome of any investigations into its practices is therefore of key importance. The charity has stated that it no longer shares supporter information; however, it is still awaiting the outcome of investigations from the ICO over accusations from the past.

The investigations carried out into the RSPCA and the British Heart Foundation have revealed that data matching and tele-matching were utilised in order to procure further information from data subjects without their knowledge. The charities had been carrying out this practice since 2005 and 2009 respectively in order to target their campaigns and ultimately receive more money from donors.

Information Commissioner Elizabeth Denham has issued the following statement:

Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities. This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.

Businesses are reminded that the ICO's power to levy fines is on the increase and that all monetary enforcement notices are made public, which in itself carries substantial reputational damage.

As reported by The Guardian, further information can be found here.

The ICO investigation can be viewed here.

ECJ setback for UK's "snooper's charter"

The European Court of Justice has ruled that the "general and indiscriminate" collection of citizens' emails is not compatible with EU law.

Although the initial legal challenge was lodged against the Data Retention and Investigatory Powers Act 2014 (DRIPA), which is due to be repealed, the ruling is a major blow to its successor, the Investigatory Powers Act, dubbed by some as the "snooper's charter". One of the core elements of the Investigatory Powers Act, which received royal assent in November of last year, is the requirement that internet and phone providers retain, and make available to numerous arms of the government, 12 months of their users' call histories and browsing data.

The ECJ did, however, concede that member states are permitted to retain citizens' e-communications data if they do so in a targeted manner and solely for the purpose of fighting serious crime. A broader approach, it was held, would be unjustifiable when read in light of the European Convention on Human Rights.

A spokesperson for the Home Office commented: “We are disappointed with the judgment from the European Court of Justice and will be considering its potential implications. It will now be for the court of appeal to determine the case. The government will be putting forward robust arguments to the court of appeal about the strength of our existing regime for communications data retention and access. Given the importance of communications data to preventing and detecting crime, we will ensure plans are in place so that the police and other public authorities can continue to acquire such data in a way that is consistent with EU law and our obligation to protect the public.”

Martin Spurrier, director of Liberty, made the following comment:

Today’s judgement upholds the rights of ordinary British people not to have their personal lives spied on without good reason or an independent warrant. The UK may have voted to leave the EU – but we didn’t vote to abandon our rights and freedoms.

Click here to read the full story in The Independent. 

KFC issues security advice to Colonel's Club members

Global fast food chain KFC has advised the 1.2 million members of its loyalty scheme to change their passwords following the hacking of its website. KFC opted to issue the advice to all of the loyalty scheme members despite the fact that only a small number of user accounts were targeted by the hackers.

This response has been praised as forward-thinking in a climate where data breaches have become commonplace and companies are often reluctant to inform their customers of such issues.

Brad Scheiner, Head of IT, KFC UK & Ireland, said: "We take the online security of our fans very seriously, so we’ve advised all Colonel’s Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected. We don’t store credit card details as part of our Colonel’s Club rewards scheme, so no financial data was compromised."

More information about this story can be found on Computer Weekly's website; to view this, please click here.


EU proposes tougher regulations for electronic communications providers

The European Commission has put forward a proposal which could have a limiting effect on the ability of electronic communications providers to monitor their users. The proposal requires email and instant messaging providers, such as Yahoo and WhatsApp, to obtain user consent before monitoring their conversations and emails for the purpose of providing tailored advertisements and to guarantee that all monitored conversations would remain confidential.

The proposal also seeks to level the playing field between traditional telecoms companies and their online rivals by permitting the former to use customer data, such as call length and location, to provide new services to their customers.

The providers of web browsing software would also be affected by the proposed rule changes. They would be required, upon installation, to give users the option to consent to websites placing cookies on their browsers. However, this obligation is considerably less harsh than an earlier version of the proposal, which proposed a default 'no' setting for all browsers.

Speaking to Reuters, Yves Schwarzbart (head of policy and regulatory affairs at the Internet Advertising Bureau), said:

"It will particularly hit those companies that ... find it most difficult to talk directly to end users and what I mean by that is tech companies that operate in the background and sort of facilitate the buying and selling of advertising rather than the ones that the user directly engages with."

To view the Reuters article please click here.

To view the EU press release please click here.

WP29 issues guidance on GDPR

The Article 29 Working Party (WP29) has issued guidance in relation to the General Data Protection Regulation (GDPR), which is coming into force on 25 May 2018. The issuance of the guidance comes in line with the action plan on GDPR, issued on 2 February last year.

The guidance, adopted on the 13th of December, focuses on 3 areas in the GDPR: data portability, data protection officers and lead supervisory authority.

Data Portability

This right is covered under Article 20 of the GDPR and allows data subjects the right to have their data transferred to another data controller in a form agreed by the data subject. Under this right the data subject can also receive their own personal data in an easy to read medium. The idea is that this will help to facilitate a greater degree of control for the data subject over how their data is used. This right ties into the wider piece around the EU Digital Economy and the free flow of data across member states. The right to data portability should assist with data transfers between service providers.

The guidance issued provides clarity as to the conditions for data portability and makes recommendations to data controllers as to how to incorporate this new right into their service offerings. The guidance makes reference to the introduction of 'download tools' to assist with this.

The guidance makes clear that the right to data portability should not be used to dilute other rights under the GDPR, such as the right to erasure ('the right to be forgotten').

The guidance on data portability can be found here.

Data Protection Officers

Under Article 37(1), as the guidance makes clear, a data protection officer is required in 3 circumstances. The guidance makes clear that although having a data protection officer is not mandatory for some companies, any voluntary efforts to introduce one will be met positively by WP29. The guidance provides an explanation for the terminology used in the GDPR, such as what 'public body', 'core activities', 'large scale processing' and 'regular and systematic monitoring' mean.

Further interpretation is provided on Article 37 in terms of the skill set a DPO should have and how they should conduct their position.

The guidance on data protection officers can be found here.

Lead Supervisory Authority

Identifying a lead authority can for some organisations pose an issue, especially where multiple jurisdictions are involved. This issue is especially relevant when undertaking a Binding Corporate Rules exercise wherein a lead authority must be identified for the purposes of the application form and submission of draft text.

Like the guidance on data protection officers, this guidance provides assistance in terms of how to interpret the text of the GDPR. The key focus is around how to look at such terms as 'substantial affect' and 'main establishment'. The guidance provides a couple of useful practical examples and a questionnaire at Annex 1 as to how to identify a lead supervisory body.

The guidance on lead supervisory authority can be found here.

We recommend that businesses review the guidance in these areas.

We expect further guidance on GDPR to be issued by the ICO, and further policy outputs to be made in the form of both ICO and European guidance, such as that from WP29.

To see the ICO's plan for GDPR please click here.


Russian hacking attempt on Vermont power grid

US Security refer to the code used by Russia in the widespread operation to interfere with the November 2016 US presidential election as "Grizzly Steppe". This code was the method used by Russian hackers to infiltrate the Democratic Party emails. The same code was recently found after US Homeland Security sent out an alert to all those who own or operate critical infrastructure, prompting Burlington Electric Department to scan its computer network. The department immediately found a laptop carrying the code and alerted national security to the discovery.

Burlington Electric has made a statement confirming that the laptop was not connected to the power grid at the time of the breach, that their system has remained protected, and that there is no suggestion that customer data has been stolen. The Vermont power grid serves roughly 16,000 residential and 3,600 commercial customers in Vermont; an attack on their electric grid during the middle of the winter months would therefore have massively interfered with their quality of life. It is unclear why an attack was targeted at this location.

As reported by BBC, further information can be found here.


Civilian "cyber warriors" recruited to assist Thai Army

The Thai Army is reportedly responding to recent threats to their cyber security by recruiting civilians to serve as "cyber warriors".

It is hoped that the move will lead to improvements in the Army's online security and help them to develop new data protection systems. The need for increased cyber expertise was highlighted by the recent series of cyber-attacks, known as "OpSingleGateway", which knocked a number of Government sites offline, including the Thai Defence Ministry website.

A group, known as Civilians Against Single Gateway Group, has taken responsibility for the attacks, which were made in response to the new Thai cyber law known as the Computer Crime Act (CCA).

The CCA makes possessing data that has been ordered to be deleted by the Government illegal, which means that people could potentially break the law without realising that they have done so.

This story was reported in Computer Weekly; further information can be found here.

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK