PL&B UK E-news, Issue 75
1. FSA fines stockbroking firm £77,000 for lapses in data security before any data is lost
The Financial Services Authority (FSA) has fined Merchant Securities Group Limited for not adequately protecting its customers against the risk of identity theft. Several data security lapses were identified; eg. the firm relied on identifying customers just from their voices, and back up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.
While there was no evidence that personal data had ended up in wrong hands, the FSA decided to take action.
Margaret Cole, Director of Enforcement at the FSA, said: “Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously.”
2. MPs call for data minimisation
Parliament’s Home Affairs Committee calls on Government to “adopt a principle of data minimisation” in the information it collects and holds on citizens - it should collect only what is essential, to be stored only for as long as is necessary - and it should “resist a tendency to collect more personal information and establish larger databases”. The committee also given its support for Privacy Impact Assessments, and suggests that the Information Commissioner should produce an annual report on the state of surveillance in the UK to Parliament.
The report, from 8 June, which includes these suggestions has been welcomed by the Information Commissioner Richard Thomas: “I am pleased that the Committee has recognised the work of my Office in raising awareness of the issue and supports our call for the introduction of privacy impact assessments. Before new developments take place which could increase levels of surveillance, full consideration must be given to the privacy impact on individuals, ensuring safeguards are in place to minimise intrusion.”
Richard Thomas will speak about the latest DP developments, his new powers, and how they affect organisations at the Privacy Laws & Business Annual International Conference 7-9 July.
Read more about the views of the Home Affairs Committee is the next issue of PL&B’s UK Newsletter.
3. ICO publishes guidance on business transfers
New guidance from the Information Commissioner’s Office (ICO) advises on how to deal with transferring employee data during a business transfer or outsourcing situation.
The guidance addresses the Transfer of Undertakings (Protection of Employment) Regulations 2006, which provide protection for employees if their details are transferred to another organisation. TUPE ensures that employees’ terms and conditions of employment are preserved when a business or undertaking is transferred to a new employer. To achieve this, TUPE requires that certain information is provided to the new employer before the transfer takes place. Both parties must comply with the provisions of the Data Protection Act.
Read more about how companies deal with TUPE regulations in a future issue of PL&B UK Newsletter.
4. ICO not taking action against Phorm or BT
The Information Commissioner is not going to formally investigate BT or Phorm, although a leaked document reveals the detail of Phorm trials conducted by BT, reports Znet.com on 9 June. "The ICO seeks to resolve issues informally," said an ICO spokesperson. "We didn't have the internal [leaked] document, but Phorm and BT did present us with information [after the trial]. We've worked with BT and Phorm and we are not going to take any punitive action at this stage.
Phorm, the technology behind revealing individuals’ browsing habits on the Internet and then sending them targeted advertising, was used by BT for trials without notifying the people subscribing to the service provider. The ICO previously said that it has been in contact with Phorm, which assured the regulator that it holds no personally identifiable information on web users.
For further details on the Privacy Laws & Business UK Newsletter, please click here.
Copyright Privacy Laws & Business 2008