ICO addresses concerns about committing data breaches whilst seeking to contain outbreak
The UK regulator has issued a statement regarding coronavirus, attempting to address any data protection concerns that could be inhibiting measures to prevent the spread of the virus. "Data protection and electronic communication laws do not stop government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing," said the regulator. "Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses," it added. The GDPR allows the temporary suspension of some data protection rights in times of crisis. Specifically, Article 9(2)(i) of the GDPR allows the processing of these special categories of data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Italy, the most affected country in Europe, has already adopted an urgent measure to combat the spread of COVID-19: an Ordinance granting civil protection personnel in Italy extensive powers to process personal data related to the outbreak. Currently, the measure is only valid until July 2020, but it could be extended. An article on how data protection interplays with coronavirus will feature in the upcoming edition of Privacy & Data Protection.
Google and Swedish SA lock heads over delisting notifications
The Swedish data protection authority has fined Google SEK75m (€7m/£6.13m) for right to be forgotten failures in a dispute that shows how contested certain aspects of the GDPR remain. "When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site owner knowledge of which webpage link was removed and who was behind the delisting request," the regulator said - an act that "does not have a legal basis". However, Google says doing this is consistent with the GDPR. The fine follows three years of audits by the SA into how Google handles the requested removal of individuals' search results, when information published on websites is "demonstrably false, irrelevant or superfluous." A Google spokesperson said: "We disagree with this decision on principle and plan to appeal."
Princess Cruises admits data breach
A cruise liner which was forced to halt its global operations after two of its ships confirmed on-board outbreaks of the coronavirus has now confirmed a data breach. The notice posted on its website in early March said the company detected unauthorised access to a number of its email accounts over a four-month period between April and July 2019, some of which contained personal information on its employees, crew and guests. Princess said names, addresses, Social Security numbers and government IDs - such as passport numbers and driver license numbers - may have been accessed, along with financial and health information. The cruise liner said the potentially impacted data is 'not specific' to each guest.
Israeli PM sparks privacy scare with move to track corona patients' phones
Prime Minister of Israel, Benjamin Netanyahu, has announced that Israel would begin using advanced digital monitoring tools to track carriers of the coronavirus, raising major privacy concerns and prompting accusations of mass surveillance. "Up until today I avoided using these measures in the civilian population but there is no choice," Netanyahu said. The Taiwanese government credited its aggressive tracking program with helping the island territory rein in the coronavirus outbreak, though in that case, GPS data were primarily used to ensure that those in quarantine remained at home, rather than tracking their past movements, as Israel is proposing. The head of the left-wing Meretz party in Israel, Nitzan Horowitz, denounced the proposal, saying that such surveillance shouldn't take place without parliamentary and judicial oversight. "Monitoring citizens with the help of information databases and advanced technology is a harsh blow to privacy and basic liberty. Therefore, this is forbidden in democratic countries," Horowitz said.
Everyone has a problem with India's New Data Protection Law
Privacy advocates, business and social media giants are all opposing India's long-awaited national data protection law, the Personal Data Protection Bill, currently under inspection by a joint Parliamentary Committee. The main issue for privacy advocates is that the law allows the government to exempt itself from the requirements. Any government agency can be granted exemption from the data protection law for a variety of fairly vague reasons including 'preventing incitement', 'in the interest of sovereignty and integrity of India', 'breakdown of public order' or 'friendly relations with foreign states'. Private companies are also objecting to the terms, which stipulate fines and costs they feel are too high. Mozilla noted that privacy protection could be compromised by government access. The Software Alliance, a lobbying firm that represents information technology giants such as IBM and Microsoft, specifically criticised the bill's requirement that companies keep sensitive personal information about users on servers located in India. And social media companies have objected to the data protection law's requirement that 'voluntary identity verification' of users be made available, claiming it will be a massive drain on resources.
Receive further Expert guidance and in-depth articles on data protection direct to your mailbox or home address...
Privacy & Data Protection Journal
Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal
8th & 9th October 2019 - London, UK
London's leading two-day Data Protection Conference
This year, the conference is dedicated to examining the developments in data protection; the continued practical implications for organisations of complying with the GDPR, as well as what could be next for organisations post-Brexit.
Hunton Andrews Kurth
Day 2 Workshops have now
Full details of each workshop can now be viewed online.
Direct Marketing: Common Issues and Pitfalls and How to Avoid Them
An effective direct marketing strategy is critical for most organisations. However, direct marketing is fraught with danger for the unwary and regulators have shown their willingness to punish non-compliance in this area. This Workshop, which is based in real-life war stories and case studies, provides practical guidance on:
- the legal requirements in relation to direct marketing, as well as the latest guidance from the ICO's Direct Marketing Code 2020
- common problems and issues faced by organisations in complying with these requirements, including adtech and using cookies
- solutions and strategies to overcome these challenges
For more information and to book your place:
- Visit PDP Conferences
- Send us an Email
- Telephone +44 (0)207 014 3399
Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
This course is an introductory level course for all those that are new to data protection, or those that require a refresher on the fundamental concepts. It is designed for people who work with, or will work with, data protection issues on a regular basis.
This invaluable and practical training session examines core concepts of practical data protection compliance. This course can be used as credit towards the Practitioner Certificate in Data Protection.
The next available dates for this course are:
- London Monday, 11th May 2020
- Cardiff Monday, 6th July 2020
- London Monday, 13th July 2020
For further information and to make a booking,
- Visit PDP's website
- Telephone PDP at +44 (0)207 014 3399
- Download the PDF Training Catalogue
The Level 1 and Level 2 courses taken together constitute a complete training package on the fundamentals of data protection. This session provides a thorough grounding in the important aspects of data protection practice.
This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, provides a thorough grounding in the following important aspects of data protection practice:
- transferring data to third parties - the legal requirements for transferring data between organisations
- data retention - the restrictions on keeping data, and how to establish a retention schedule
- the main exemptions, including 'crime and tax' and 'disclosures required by law'
- the role and powers of the data protection regulator, including the circumstances where fines can be imposed
- an introduction to when it will be necessary to carry out a Data Protection Impact Assessment
Attendance on this course can be used as credit towards the Practitioner Certificate in Data Protection.
The next available dates for this course are:
- London Tuesday, 12th May 2020
- Cardiff Tuesday, 7th July 2020
- London Tuesday, 14th July 2020
Breaches of information security are consistently one of the top two reasons for data protection regulator enforcement action. And fines for breaches of security are usually higher than for other types of breaches.
With mandatory breach notification under the GDPR and the significant uplift in potential monetary penalties, compliance professionals need to be suitably empowered with cybersecurity knowledge and awareness to assist their organisations to both mitigate ongoing data security risks and to deal with personal data breaches. It is also useful for compliance professionals to have a basic knowledge of cybersecurity terminology to facilitate effective communications with IT Team members.
This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations. The session addresses:
- what exactly cybersecurity means and encompasses
- threats, vulnerabilities and risk from a security perspective
- comparing and contrasting "risk" in security, and data protection under the GDPR
- risk analysis and management from a security and data protection standpoint
- cryptography as a privacy tool: encryption, at rest and in transit; hashing and salting
- managing identity and authentication, security operations
- security baselines: including ISO 27001 and Cyber Essentials
- introduction to malware: botnets, ransomware, Denial of Service (and DDoS), Advanced Persistent Threats (APTs)
- personal data breach / incident management and crisis management
- business continuity planning and disaster recovery
- data breach simulations
No technical knowledge is required in order to attend this session. A basic working knowledge of data protection legal requirements would be useful. Delegates with limited data protection knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.
The next dates for this training session are:
- London Thursday, 30th April 2020
- Manchester Thursday, 2nd July 2020
- Edinburgh Friday, 16th October 2020
Data protection law requires that personal information be held and used securely. The law also requires that relevant security arrangements be put in place for all outsourcing arrangements. News headlines consistently show that organisations are not doing enough to ensure the security of people's personal information, both within the organisation and externally. It is not always obvious what measures should be taken by organisations to comply with the legal obligations.
This session, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), as well as the implications of Brexit, examines the law as it relates to data security and the practical steps that organisations need to take to ensure compliance with their obligations. It concentrates on how to avoid a data security breach, as well as what can be done to mitigate the effects of a breach that does occur. It also considers the steps that must be taken when an organisation outsources operations, such as payroll, website hosting, digitisation of records, debt collection and waste management. The session considers lessons that must be learned from the fines that have been imposed by regulators.
This session can be used as a credit towards the Practitioner Certificate in Data Protection (GDPR).
The course is next taking place on the following dates (further dates available online):
- London Wednesday, 13th May 2020
- Cardiff Wednesday, 8th July 2020
- Belfast Thursday, 16th July 2020