
Archive for the ‘Data Protection Act’ Category

Doctor uses Medical Records …Illegally

November 14th, 2008 by rob585 | No Comments | Filed in Data Misuse, Data Protection Act

If the evidence of data guardians misusing data were not already enough, with numerous examples of the police and councils misusing information and the government losing data faster than it is giving money to the banks, another case hardly seems worth mentioning. It is worth reporting, though, because it is slightly different.

In this latest case a vascular surgeon, Mr Hans Desmarowitz, held photographs, maps, personal information and medical records relating to a secretary.

This information was stored on his PC and offered to private detectives to investigate her and her boyfriend. All very creepy, and the government wants to allow even more access to medical records.

ICO Funding to Increase

October 30th, 2008 by rob585 | No Comments | Filed in Data Protection Act

The ICO's budget is to increase from £12 million to £18 million, which will allow it to take more enforcement action.

Virgin - Encryption Enforced

October 11th, 2008 by rob585 | No Comments | Filed in Data Loss, Data Protection Act

Following Virgin's loss of data in June, the ICO has taken enforcement action against Virgin Media.

The ICO has ordered Virgin to encrypt all of its mobile devices:

Virgin Media is required, with immediate effect, to encrypt all portable or mobile devices that store and transmit personal information. Further, the company is to ensure that any service provider processing personal information on its behalf must also use encryption software, and this requirement has to be clearly stated in all contracts.

Source

If only the UK government would be forced to behave in such a manner.

Interesting use of the Data Protection Act

September 9th, 2008 by rob585 | No Comments | Filed in Data Protection Act

The Data Protection Act allows you, in theory, to access information held about you on organisations' systems (with lots of potential for it not to happen in practice).

One case where it does work is council CCTV: if you are filmed by council CCTV, you can request the footage of yourself.

The Manchester band The Get Out Clause took advantage of this to produce their own music video.

Four Data Protection Myths: ICO

September 3rd, 2008 by rob585 | No Comments | Filed in Data Protection Act, UK Law

1) Myth – “The Data Protection Act means a company is never allowed to give a customer’s details to a third party”.

Reality – Not True. Where an organisation is satisfied that someone asking for information about another person's account is authorised to access it, the Act does not prevent disclosure. The ICO has produced practical guidance on this.

2) Myth – “The Data Protection Act stops parents from finding out their children’s exam results”.

Reality – Not True. The Information Commissioner's Office has issued guidance on the publication of exam results.

3) Myth – “The Data Protection Act prevents priests from naming sick parishioners during church prayers”.

Reality – Not True. The DPA is designed, in the main, to cover personal information held electronically or in a structured filing system. It is not very likely that this information would be stored on the priest's computer or in a detailed filing system, so it would not be covered by the DPA; and even if it were, as long as the individual was happy for their name to be read out, that would be fine.

4) Myth – “The Data Protection Act prevents the release of offenders’ details to victims”.

Reality – Not True. The Data Protection Act does not stop the police disclosing the relevant details when civil proceedings are contemplated (e.g. the victim wants to take action against the offenders). While the police need to be careful about what information they do disclose, they have, according to the ICO, “received clear guidance from the Home Office on what details can be passed on to victims”.

In the case reported by the Daily Express, the ICO discussed the matter with the police force concerned and the information has since been provided to the owner.

Source

Fourth Accountant Prosecuted Under the DPA

August 27th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act

Following on from the previous prosecution of an accountant, the ICO has continued its enforcement of the DPA with its fourth prosecution of an accountant this year.

The Information Commissioner has prosecuted Mr Satish Lakhani of Lake & Co Accountants (based in Harrow) for failing to notify/register with the ICO. This is a requirement for all organisations that process individuals’ information.

Despite repeated reminders Mr Lakhani failed to register with the Commissioner for a nominal annual fee of £35.

Mick Gorrill, assistant commissioner at the ICO, said: ‘The Data Protection Act gives us all important rights, ensuring that organisations process and protect our personal information properly. Notifying as a data controller under the Data Protection Act is an important obligation for any organisation which processes personal information.’

‘Today’s case is the fourth accountancy firm that we have prosecuted this year alone’ he added.

Mr Lakhani was fined £300 and ordered to pay costs of £483.40 plus a victim surcharge of £15 at Harrow Magistrates Court.

Source

Data Protection Act: Non disclosure Provisions

August 16th, 2008 by rob585 | No Comments | Filed in Data Protection Act

The Non Disclosure Provisions of the Data Protection Act are defined as:

  • The First Data Protection Principle, except where it requires compliance with the conditions in Schedules 2 and 3 of the Act (which set out the conditions for processing personal data and sensitive personal data respectively)
  • The Second, Third, Fourth and Fifth Data Protection Principles;
  • Section 10 (right to prevent processing likely to cause damage or distress)
  • Sections 14 (1) to (3) (rectification, blocking, erasure and destruction)

The ICO cautions employers against disclosing information about employees (after weighing the rights and needs of the individuals concerned), unless they are required to by a specific court order, law or regulation.

However, the ICO does provide advice on when there are exemptions from non-disclosure. They are:

  • Where the disclosure is needed for legal proceedings or prospective proceedings, or for obtaining legal advice.
  • Where a failure to disclose would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax.

This does not mean there is a requirement in law to provide this information, only that companies should consider providing it; if they choose not to, only a court order can compel them to.

Exemptions to the Non Disclosure Provisions

As indicated above, there are exemptions to the non-disclosure provisions. These are described in Sections 34 and 35 of the Data Protection Act and referred to in other sections, including Section 29.

Section 34 of the DPA states that:

Personal data are exempt from the non-disclosure provisions, if the data consist of information which the data controller is obliged by or under any enactment to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee.

This is reinforced by Section 35 of the Data Protection Act which states that:

Personal data are exempt from the non-disclosure provisions where the disclosure is required by any law or court order, or for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings and obtaining legal advice).

Data Protection Act: Section 14

August 16th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act

Rectification, blocking, erasure and destruction

(1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then—

(a) if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b) if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3) Where the court—

(a) makes an order under subsection (1), or

(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4) If a court is satisfied on the application of a data subject—

(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.


Data Protection Principles

August 16th, 2008 by rob585 | No Comments | Filed in Data Protection Act

Under the Data Protection Act there are eight principles that are regarded as the “core” of the DPA. They are set out in Part I of Schedule 1 to the Act.

They are listed below

  1. Personal data shall be processed fairly and lawfully
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Data Protection Act: Section 27

August 16th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act


(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part “the subject information provisions” means—

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part “the non-disclosure provisions” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are—

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.
