UK Data Protection E-news - February 2011
- ICO seeks examples of cookie compliance
- Your views sought on ICO guidance
- Protection of Freedoms Bill will be debated 1 March
- Protection of Freedoms Bill announced
- ICO fines two councils £80,000 and £70,000
- Two more fines are imminent, ICO says
- Bribery Act delayed
The ICO is asking organisations to inform them of their plans to comply with the revised European Union e-Privacy Directive and its cookie clause, due to come into force on 25 May.
The ICO says it ‘would like to ensure that the new rule is one that not only protects individuals from unwarranted intrusion but also allows organisations to conduct legitimate business online’. It is currently preparing guidance for data controllers.
Please send your response to email@example.com with 'cookie compliance' in the subject line.
The ICO is sometimes criticised for publishing guidance that is too long or vague, or for not fully understanding the business point of view. Now is your chance to give feedback on the matter. The ICO aims to make its guidance more relevant and has launched a consultation, which closes on 15 March. The ICO wants to hear your views on whether its guidance covers the right subjects, whether there is enough of it, and whether it is easily accessible and in the right format.
The Protection of Freedoms Bill, which includes several DP and FOI aspects, was presented to Parliament on 11 February 2011. The Second Reading and debate will take place on 1 March.
Read more about the bill in the next issue of PL&B UK Report, due late March.
The Home Office announced today the Protection of Freedoms Bill, which includes several data protection and FOI elements.
The aim is to have DNA samples and fingerprints of hundreds of thousands of innocent people deleted from police databases. Children will not be fingerprinted in schools without parental consent, and local governments’ covert monitoring powers under the Regulation of Investigatory Powers Act (RIPA) will be cut back.
The Bill will introduce a code of practice for CCTV and Automatic Number Plate Recognition (ANPR) systems, introduce a Surveillance Camera Commissioner to oversee this area, and extend the scope of the Freedom of Information Act to companies wholly owned by two or more public authorities. Also, public authorities will be required to release ‘datasets’ upon request or through their publication schemes (see PL&B UK issue 53, p. 13).
Information Commissioner, Christopher Graham, said:
“I welcome the publication of the Protection of Freedoms Bill and support its aims of strengthening privacy, delivering greater transparency and achieving improved accountability, as well as greater independence for the ICO. The Bill engages with issues that have been longstanding concerns for us: ensuring the right organisations are subject to freedom of information requirements; that the information the public need is available when they need it; increased privacy safeguards on biometric information such as DNA profiles and ensuring effective regulation of camera surveillance, including the increasing use of automatic number plate recognition.
“The detail of these important provisions will need careful consideration. The current proposals on improved regulation of CCTV and ANPR are limited to the police and local government only but their use is much more widespread. We will be examining all of the Bill’s provisions closely to be satisfied that they will deliver in practice.”
The ICO will be able to charge fees for the provision of more than one copy or versions of published material, training and conferences on a cost recovery basis.
The Government aims to gain Royal Assent by late 2011 or early 2012.
The Information Commissioner’s Office (ICO) has imposed monetary penalties on Ealing Council and Hounslow Council in London for the loss of two unencrypted laptops containing sensitive personal information.
Ealing Council provides an out-of-hours service on behalf of both councils, which is operated by nine staff who work from home. Personal details of 1,700 individuals were lost when the laptops were stolen from the home of one of the employees. Both councils have a policy on encryption but the laptops were unencrypted. The ICO emphasises that password protection is not enough. Both councils have contacted the affected individuals and so far there is no knowledge of the data having been accessed.
Ealing Council is faced with a fine of £80,000, while Hounslow Council’s monetary penalty is £70,000. Both councils are said to be considering the ICO’s suggestion for an audit. The ICO says that Ealing Council was in breach of its own policy as it was not checking that it was followed or understood by staff. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Also, Hounslow did not monitor Ealing Council’s procedures for operating the service securely.
A similar incident last year led to a £60,000 fine against the employment advice firm A4e. Organisations now need to check carefully that their employees understand their encryption policies and actually follow them.
Ealing Council monetary penalty of 4 February.
Hounslow Council monetary penalty of 4 February.
The Information Commissioner Christopher Graham said two more fines are to be issued soon, and one is in the pipeline. While he did not want to specify what kind of breaches are in question, he indicated that reputable companies that follow his advice had little to worry about, as the ICO would first make suggestions to achieve compliance, and only resort to fines if its advice was not taken on board. Breaches discovered during an audit will not incur a fine unless there is a recurrence of the same breach.
Speaking at the PL&B Privacy Officers’ Network meeting on 27 January, Graham said he will use his fining power as and when needed, for serious breaches of the DP Act which cause damage and distress, but does not envisage more than a handful of cases per year.
The ICO issued its first fines at the end of 2010, set at £100,000 and £60,000 respectively, with the maximum being £500,000.
To read more about this topic, subscribe to PL&B UK Report.
The Bribery Act, which was due to come into force in April, has now been delayed. The government says it will review the burdens on business.
The Act has some data protection implications as draft guidance requires that companies have due diligence procedures in place, stretching to suppliers and intermediaries. Companies will therefore need to ensure that they can monitor individuals’ actions legally.
Copyright Privacy Laws & Business 2011