Included in this issue of Data & Privacy News: Motor industry employee receives prison sentence in ICO's first Computer Misuse Act prosecution; ICO calls for views on direct marketing code of practice; Brexit campaign fined over 'serious' data breaches and more

Motor industry employee receives prison sentence in ICO's first Computer Misuse Act prosecution 

Mustafa Kasim, a motor industry employee who worked for Nationwide Accident Repair Services (NARS), has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner's Office (ICO) under the Computer Misuse Act 1990.

Mr Kasim used his colleagues' log-in details without permission to access thousands of customer records on Audatex, a software system that estimates the cost of vehicle repairs. The records contained customers' personal information such as names, phone numbers, vehicle and accident information.

NARS noticed an increase in customer complaints related to nuisance calls and contacted the ICO.

Cases of this type are usually prosecuted under the Data Protection Act 1998 or 2018. However, the ICO is allowed to prosecute under other legislation, such as the Computer Misuse Act, where the wider range of penalties on offer better reflects the extent of an offence.

ICO calls for views on direct marketing code of practice 

The ICO is calling for views on a direct marketing code of practice from relevant stakeholders, including trade associations, data subjects and those representing data subjects' interests.

Under the Data Protection Act 2018, it is for the Commissioner to produce a code of practice that provides guidance and promotes good practice.

The new code will build on previously published direct marketing guidance, as well as addressing new legislation that is relevant to direct marketing such as the Privacy and Electronic Communications Regulations 2003.

Responses from the consultation, which closes on 24 December 2018, will be used to inform the ICO's work in developing the code.

ICO refers Facebook fake ads to the IDPC

The ICO has revealed in a report to Parliament that it has asked the Irish Data Protection Commission (IDPC) to look into ongoing data protection concerns surrounding Facebook's ad platform. 

The ICO's concerns relate to Facebook's targeting functions and techniques used to monitor individuals' browsing habits and interactions, but lie outside the remit of those issues triggered by the Cambridge Analytica case.

A recent example of the ICO's concerns saw a fake political ad passing Facebook's checks and circulating on the social media platform until a journalist spotted it.

The UK's Information Commissioner, Elizabeth Denham, has also raised concerns about the use of 'lookalike audiences' for targeting voters via Facebook, stating that the system needs to be looked at closely in light of the GDPR.

Brexit campaign fined over 'serious' data breaches 

The ICO has fined Eldon Insurance and the Leave.EU campaign for serious data breaches of electronic marketing regulations.

The ICO has confirmed that Eldon Insurance and Leave.EU will both receive a fine of £60,000 for sending insurance marketing without consent, with Leave.EU receiving an additional £15,000 fine for a separate breach involving a newsletter.

Leave.EU has stated that the newsletter was sent by accident to insurance customers and that the ICO has sabotaged its right of reply by leaking findings to the media before the official report was published.

The ICO is still looking into how personal data was handled by the Remain side of the referendum campaign.

CAP introduces new rules on the use of data for marketing 

The Committee of Advertising Practice (CAP) is introducing new rules on the use of data for marketing, to ensure that the most relevant data protection issues are covered and to align with the standards introduced by the GDPR.  

Earlier in 2018, CAP consulted on proposals for the removal of section 10 rules relating to "pure data protection matters", the amendment of marketing-related section 10 rules and the removal of Appendix 3 of the CAP code.

Section 10 of the new rules will take effect immediately, but will be subject to a 12-month review. It is likely that the Advertising Standards Agency will deal with matters informally in the first 6 months, though it will tackle some cases formally where required.

CAP is imminently due to publish consultations on marketing to children and the publication of prize-winners’ names. The consultation period will last for four weeks.

Industrial plants face major security threat from USB devices 

A recent report by Honeywell Industrial Cyber Security has revealed that removable USB devices are posing a major cyber threat to the control networks of industrial plants.

Figures from the report show that almost half of all analysed USBs have at least one file blocked as a result of a security issue, with a quarter of those detected capable of causing serious operational loss.


Key Contacts

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK
