Included in this Data Issues Round Up: Government to overhaul UK data protection laws; IT scandal threatens Swedish Government; TalkTalk fined for not protecting personal data belonging to up to 21,000 customers. Find out more...

United Kingdom

Government to overhaul UK data protection laws

Digital Minister, Matt Hancock, has announced proposals to overhaul UK data protection laws which could see people obtain more control over what happens with their personal data.

Citizens will be able to ask for information on children or adults to be deleted from social media platforms and to have the right to be forgotten. Reliance on default opt-out or pre-selected tick boxes for personal data consent will also become obsolete.

In a statement of intent the Government has committed to a new Data Protection Bill, updating and strengthening current data protection laws.

Businesses will be supported to ensure they are able to manage data safely and securely. The net widens for those who can be found liable for data breaches and firms that contravene the data laws could face higher fines of up to £17 million or 4 per cent of their global turnover.

Many of the new Data Protection measures are part of the EU's forthcoming GDPR due to be implemented in May 2018. These measures should give businesses clarity about their new obligations, as well as putting the UK in a strong position to obtain unrestricted data flows after Brexit.

IT scandal threatens Swedish Government

Swedish Prime Minister Stefan Lofven has been forced to reshuffle his government after a huge leak of private and sensitive information caused the resignation of two top ministers.

Several ministers had known about the extremely serious security breach that occurred in March 2015, when the Swedish Transport Agency outsourced handling of its IT system to IBM Sweden, but failed to inform the Prime Minister until January 2017. Sensitive information including the entire registry of Swedish drivers' licences, people with criminal records, and those in witness protection was made available to IT workers who had not been given security clearance by the Swedish security service.

The former director-general of the Transport Agency, Maria Ågren, approved the outsourcing contract even though it breached security and privacy laws on this point. She was fired in January and fined 70,000 krona. The Swedish Prime Minister described the incident as a "disaster" despite the fact no harm was caused, in a major damage to Sweden's reputation at putting its citizen's rights at risk.

TalkTalk fined for not protecting personal data belonging to up to 21,000 customers

The ICO has fined TalkTalk £100,000 after it failed to look after its customer's personal data putting it at risk from scammers.

An ICO investigation found the company had breached the seventh principle of the Data Protection Act because it allowed staff from an IT firm working with TalkTalk to access large amounts of customers' data through an online company portal. The unfettered breadth of information available left personal data such as names, addresses and phone numbers open to exploitation by rogue staff at Indian firm.

The breach was exposed in September 2014 when TalkTalk received complaints from customers that they were receiving scam phone calls. Generally, the scammers pretended they were providing assistance with technical problems, quoting TalkTalk account numbers and customer addresses.

The ICO launched an investigation into how customer details were compromised, however they found no direct evidence of a link between the compromised data and the complaints from the scam phone calls.

ICO reminds NHS employees that prying on patients' medical records is an offence

The ICO has warned NHS staff about the potentially serious consequences of accessing patients’ records without a valid reason.

The warning came after Brioney Woolfe, a former health care assistant at Colchester Hospital University NHS Foundation Trust, was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data.

Following a complaint by a patient, an investigation was carried out by the ICO, which found Woolfe had unnecessarily accessed 29 medical records including family members and colleagues between December 2014 and May 2016. She then shared some of the information obtained with others resulting in a breach of patient confidentiality and a breach of the Data Protection Act.

Woolfe received fines of £400 for the offence of obtaining personal information, and £650 for the offence of disclosing personal data.

This case is one of several recent ICO prosecutions involving staff unlawfully accessing patient medical records.

Online retailer cyber-attacks double in a year as hackers steal shoppers' personal information

Figures released by the ICO has shown the number of cyber-attacks on online retailers has doubled in the past year, as hackers try to steal shoppers' personal details from their sites.

Online retailers are becoming a valuable target for cyber criminals due to their growing collection of shoppers' personal data through online shopping, digital marketing and loyalty schemes.

Breaches involving the loss of customer information from hacking or leaking increased from 19 in 2015/16 to 38 in 2016/17.

Earlier in the year, the Government carried out a survey of cyber-attacks and breaches which found that just under half of the UK businesses questioned had been previously struck. A third of the businesses had not spent any money on additional security measures against attacks and a significant proportion didn't have key protections in place.

Key Contacts

Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile