Tag: ICO

ICO messes up copper’s clouds

The Information Commissioner’s Office (ICO) has made a mess of the legality of police forces using US-based cloud providers to process sensitive law enforcement data.

Computer Weekly exposed in 2020 that dozens of police forces are breaking the law using the cloud-based Microsoft 365 software to process more than a million people’s data.

A major Police Scotland IT system is using Microsoft’s Azure cloud despite having major data protection issues. The Scottish biometric commissioner (SBC) asked the ICO for advice about the system’s legality.

After a cosy meeting with information commissioner John Edwards in early December 2023, SBC Brian Plastow wrote a letter that said the ICO was happy to give the green light to the dodgy cloud deployments. He said the ICO believed that the UK and US governments signed a deal to share data, which overrules the UK’s data protection laws.

UK government needs to stop using private chat channels

The Information Commissioner’s Office (ICO) has told the government to conduct a review into the systemic risks and areas for improvement surrounding the use of private correspondence channels, such as WhatsApp, private email and other messaging apps by ministers and government officials.

According to the data protection watchdog, the Department of Health and Social Care (DHSC), which was the main focus of its review, used these channels frequently, posing real risks to government accountability and transparency.

It said the DHSC did not have the “appropriate organisational or technical controls” to ensure that risks were properly managed. As a result, it has asked for a government-wide examination of how such channels are used across Whitehall.

ICO fines Cabinet Office £500,000

The UK Information Commissioner’s Office (ICO) fined the Cabinet Office £500,000 over a data breach that disclosed the personal details of more than 1,000 famous people listed for 2020’s New Year Honours.

The ICO said the Cabinet Office had failed to put proper technical and organisational measures in place to prevent disclosure of personal information in breach of UK’s data protection law.

ICO plans to take over police monitoring “ill-conceived”

Government plans to make the Information Commissioner’s Office (ICO) responsible for monitoring the use of biometric and DNA data by the police are “ill-conceived”—we think that means “nuts”, according to the UK’s biometrics and surveillance camera commissioner.

As biometrics commissioner, Fraser Sampson has the job of overseeing how the police collect, retain and use a range of biometric material, including digital facial images; as surveillance camera commissioner, his job is to get the cops to comply with the surveillance camera code of practice.

Sampson was appointed to the dual position in March 2021, after the UK Ministry of the Interior announced in July 2020 that it would be amalgamating the roles to make the stand-alone statutory functions of each office the responsibility of a single individual.

But the idea of further amalgamating the roles under the purview of the ICO is the brilliant plan of the Department for Digital, Culture, Media & Sport (DCMS), which currently has the idea out to consultation.

But by “consultation” the government meant not telling anyone about it because it clean forgot to mention it to the bloke who was most affected.

DSG Retail fined by ICO for poor security

DSG Retail Limited (DSG) has been fined £500,000 by the Information Commissioner’s Office (ICO) for a cyberattack that may have affected as many as 14 million people between July 2017 and April 2018.

Malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores is thought to have given cybercriminals unauthorised access to the details of 5.6 million payment cards used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks, from internal servers.

ICO demands transparency for government outsourcing

The Information Commissioner’s Office (ICO) said today that when the government outsources technology it’s often very opaque.

Head of Policy at the ICO Steve Wood said freedom of information laws haven’t always been able to follow the public pound.

“We’re calling on public authorities and contractors to consider transparency from an early stage, before a contract is even signed. And we’re asking whether the government might need to step in to make sure the public can access the information they should be entitled to from big government funded contractors,” he said.

Expenditure on outsourced public services represents half of the £187 billion the government spends on goods and services. Sometimes, the ICO said, it is hard for people to negotiate their way through outsourcing contractors’ deals.

In a survey conducted by the ICO, 75 percent of people said that private companies acting on behalf of public authorities should be subject to the Freedom of Information Act.


UK makes Google change privacy policy

The Information Commissioner’s Office (ICO) has made Google sign an undertaking to improve information about how it collects personal data in the UK.

The ICO said that following an investigation it found that Google’s search engine was “too vague” in describing how it used personal data it had collected.

The ICO said Google has signed a formal undertaking to make changes to its privacy policy so that it meets the needs of the UK Data Protection Act.

The ICO worked with other European data protection authorities, it said.

The enforcement officer at the ICO, Steve Eckersley, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”

Google will have to make agreed changes by the 30th of June this year, and take even more steps over the next two years.

Google’s undertaking can be found here.


Office warned over data hack

The Information Commissioner’s Office (ICO) has warned high street retailer Office after a hacker gained access to over a million customer records.

The ICO said the hacker accessed contact details by cracking open an unencrypted database that was due to be phased out.

The intrusion went undetected and the ICO has had Office sign an undertaking to ensure problems associated with the hack are resolved.

In that undertaking, Office CEO Brian McCluskey said that the firm made no reference to retention of data and didn’t give formal data protection training. Both of these are now being addressed.

The ICO said that there was no suggestion that the breach went further and no bank details were stored.


Human error causes most data breaches

A request to the Information Commissioner’s Office (ICO) under the Freedom of Information Act has revealed that most data breaches are caused by human error.

Egress Software made the FOI request and the ICO revealed that only seven percent of breaches in the first three months of this year were because of technical glitches.

That means the vast majority were down to human error and carelessness. Fines levied because of technical errors amounted to zero, while the ICO levied £5.1 million in fines on companies for breaches caused by such mistakes.

The data breaches are spread across many different sectors. In the public sector, healthcare organisations top the disgrace league, followed by local government and educational organisations.

The private sector also showed a rise in data breaches with the financial industry, the housing sector, telecoms and recruitment all showing big rises.

Tony Pepper, CEO of encryption company Egress Software, said: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt.”

Facebook falls foul of ICO

Yesterday Facebook announced the results of a psychological experiment into human behaviour to find if Facebook could alter the emotional state of its users and prompt them to post either more positive or negative content.

It was all fairly tame stuff, but it did raise the eyebrows of the UK Information Commissioner’s Office (ICO).

It is concerned that Facebook might have broken data protection laws when it allowed researchers to conduct a psychological experiment on 700,000 unwitting users of the social network in 2012.

The ICO monitors how personal data is used and has the power to force organisations to change their policies and levy fines of up to £500,000 ($839,500).

Facebook said that it could do what it liked with the 700,000 because they had signed a terms of use agreement when they joined. Of course they had not read it, but they had signed it.

It is not clear what part of UK data protection laws Facebook might have broken, but it does seem that if there is not a clause which says you cannot submit the personal data of your customers to scientific experimentation, there should be.

Private eyes nicked for stealing data

Two private detectives that routinely extracted personal information from organisations and individuals have been found guilty of breaching the Data Protection Act.

Barry Spencer (41) and Adrian Stanton (40) ran a company called ICU Investigations Ltd, based in Feltham. The company as an individual entity was also found guilty of breaking the law.

Five other people had already pleaded guilty – Robert Sparling (38), Joel Jones (43), Michael Sparling (41), Neil Sturton (43) and Lee Humphreys (41). Sentencing will take place on the 24th of January next year.

The court heard that the company worked on behalf of a number of clients including Allianz, Leeds Building Society and Dee Valley Water to trick GPs, TV Licensing, and utility companies for the purpose of debt collection.

There were nearly separate offences committed between the 1st of April 2009 and the 12th of May 2010. There was no evidence that the company’s clients were aware information was being illegally obtained.

The offence carries a fine – up to £5,000 in a magistrates court or an unlimited amount in a Crown Court. The Information Commissioner’s Office, which instigated the investigation, is pressing for more stringent sentences, including prison.

Information Commissioner Christopher Graham said: “The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that. I spoke with the Home Secretary, Theresa May, on this matter earlier this week to urge her to introduce more effective sentences for these kinds of offences, and she has agreed to meet me to discuss the matter. That conversation needs to result in action.”

There is provision for prison for the offences as part of the Criminal Justice and Immigration Act 2008, but those measures haven’t yet been implemented.