Included in this edition of Data & Privacy News: Class action raised against Ticketmaster for major data breach; UK government admits data breach in connection with its Windrush compensation scheme; ICO opens beta phase of Regulatory Sandbox service and more...


Class action raised against Ticketmaster for major data breach

A group of more than 650 individuals have raised the first UK post-GDPR class action against Ticketmaster at the High Court in Liverpool following a major data breach by the company between February and June 2018. 

Reports suggest that the personal data of around 40,000 UK customers was stolen via malicious malware on third-party software and Ticketmaster failed to action the data breach for two months. 

Claims have been made that individuals have suffered "significant stress and heightened anxiety" as a result of their data being stolen, with multiple attempts made to hack into their email accounts. 

Ticketmaster denies liability for the data breach and the subsequent damages suffered by its customers. 

UK government admits data breach in connection with its Windrush compensation scheme

The government has admitted that a data breach took place when it launched the Windrush compensation scheme.

The breach happened when the Home Office sent information to Windrush migrants in a way that exposed the recipients' email addresses to other people.

An internal review has been launched and the Information Commissioner's Office (ICO) has been informed.

ICO opens beta phase of Regulatory Sandbox service

The ICO has launched the beta phase of its Regulatory Sandbox, taking applications from organisations to work with its specialist team to ensure they comply with data protection rules during the development of new technologies using personal data.

The beta phase of the Sandbox is scheduled to run until September 2020 and is open to a range of organisations including those from the public and voluntary sector. 

Applications will be assessed by the ICO until the 24 May with approximately 10 organisations being picked for the beta phase. 

The experience of Sandbox participants may help the ICO develop further public guidance and resources on compliance. 

Latest news from the UK Data Protection Practitioners Conference

Information Commissioner, Elizabeth Denham, gave a keynote speech at the recent Data Protection Practitioners Conference, hinting that there is still a lot of work to be done by organisations to comply with the GDPR, particularly in respect of the accountability principle.  

Ms Denham stated that "accountability encapsulates everything the GDPR is about", but commented that so far, this change hasn't been replicated in practice. The ICO haven't seen accountability being embraced in the organisations they have encountered in the breaches reported to them, the cases they investigate or audits they carry out. 

The ICO is trying to lead by example with the accountability approach but believes everyone needs this same vision in order to make changes to the world around them and use this as an opportunity to make an impact.

Also during the conference, Mikko Niva, Group Policy Office at Vodafone Group Services Ltd, was awarded the second ICO Practitioner Award for Excellence in Data Protection. Mikko was chosen by an independent panel who recognised him for delivering a pioneering global privacy compliance programme for Vodafone across 21 countries.

London council fined £145,000 for disclosing personal information relating to alleged gang members

Newham Council has been fined £145,000 by the ICO for disclosing sensitive personal information of more than 200 people from their 'Gangs Matrix' database.

The ICO investigation found that personal data such as dates of birth, home addresses and alleged associated gang names of individuals was exposed when a Newham Council employee sent an email to 44 recipients, including external organisations, containing both redacted and unredacted versions of the 'Gangs Matrix'.

Between May and September 2017, rival gang members obtained photographs of the unredacted version of the exposed information via Snapchat. The Borough of Newham experienced numerous incidents of serious gang violence during 2017 which included individuals featured on the shared 'Gangs Matrix'.

Newham Council also failed to notify the data breach to the ICO and were delayed in starting their own internal investigation.

Key contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile