
Posts Tagged ‘data protection’

Charge Over Lost Data

September 29th, 2008 by rob585 | No Comments | Filed in Data Loss, Data Misuse

The government officer who left the “Terror” document on a train is to be charged under the Official Secrets Act, and not under Section 55 of the Data Protection Act.

The individual has been charged under Section 8.1 of the Official Secrets Act.

Interestingly the BBC article on the issue states that the individual responsible, who can not be named, “was informed of the decision on Monday morning and was moved from his home to an undisclosed location.”

The systems in place are what allowed this massive failure; holding one man responsible for an endemic failure of the government's systems hardly seems fair.


Germany to tighten laws after data theft scandal

September 9th, 2008 by rob585 | No Comments | Filed in Data Loss, Data Misuse

BERLIN — Germany is to tighten data protection laws, Interior Minister Wolfgang Schaeuble said on Thursday, responding to revelations that Germans’ personal data can be bought easily on the Internet.

Mr. Schaeuble said a working group would draw up proposals on higher fines for data protection violations and tighter rules on the trade with personal and financial information.

“There will be no quick shots but speedy consultations to get the law proposal ready before the end of the year,” Mr. Schaeuble told a news conference after meeting Germany’s justice, economy and consumer protection ministers on the issue.

Germany’s latest privacy scandal was triggered by reports that a call centre employee alerted authorities to a problem with his company’s data collection practices by handing over data on some 17,000 addresses and bank account details to a privacy protection office.

Privacy officials have also said they had been able to buy millions of items of personal data, including bank and phone data, undercover on the Internet.

globeandmail.com: Germany to tighten laws after data theft scandal.


Interesting use of the Data Protection Act

September 9th, 2008 by rob585 | No Comments | Filed in Data Protection Act

The Data Protection Act allows you to access information held about yourself on systems, in theory at least (with lots of potential for it not to happen in practice).

One case where it does work is CCTV from the local council: if you are filmed by council CCTV you can request the footage of yourself.

The Manchester band The Get Out Clause took advantage of this to produce their own music video.


Four Data Protection Myths: ICO

September 3rd, 2008 by rob585 | No Comments | Filed in Data Protection Act, UK Law

1) Myth – “The Data Protection Act means a company is never allowed to give a customer’s details to a third party”.

Reality – Not True. Where an organisation is satisfied that someone asking for information about another person’s account is authorised to access it, the Act does not prevent this. The ICO has produced practical guidance on this.

2) Myth – “The Data Protection Act stops parents from finding out their children’s exam results”.

Reality – Not True. The Information Commissioner’s Office has issued guidance on the publication of exam results.

3) Myth – “The Data Protection Act prevents priests from naming sick parishioners during church prayers”.

Reality – Not True. The DPA is designed, in the main, to cover personal information held electronically. It is not very likely that this information would be stored on the priest’s computer or in a detailed filing system, so it would not be covered by the DPA; and even if it was, as long as the individual was happy for their name to be read out that would be fine.

4) Myth – “The Data Protection Act prevents the release of offenders’ details to victims”.

Reality – Not True. The Data Protection Act does not stop the police disclosing the relevant details when civil proceedings are contemplated (e.g. the victim wants to take action against the offenders). While the police need to be careful about what information they disclose, they have, according to the ICO, “received clear guidance from the Home Office on what details can be passed on to victims”.

In the case reported by the Daily Express, the ICO discussed the matter with the police force concerned and the information has since been provided to the owner.

Source


“I” v Finland - Data Protection and Privacy

August 30th, 2008 by rob585 | 3 Comments | Filed in Data Loss, Data Misuse

Results:

On 17th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland and awarded “I” €13,771 in damages and €20,000 in costs. The full court decision, I v. FINLAND, case no. 20511/03, is available here.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as no records of who had accessed a patient record were kept at the time (around 1992).

The Court decided that as the hospital was controlled by the State, Finland was responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore Article 8, the right to respect for private life, is applicable in this case.

The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR) may be breached where the State fails to take appropriate steps to secure data so that it cannot be accessed improperly.

Article 8 does not only mean that the government must not interfere; the State may also have to undertake positive actions to prevent such interference, e.g. the adaptation of systems and controls to protect data.

In this case there is no finding that there was deliberate and unauthorised access to the data, only that there was a failure to secure the data appropriately, i.e. a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to secure it (not just legislation but technical and procedural steps as well), then the State is in breach of Article 8.

Background of the Case:

The claimant “I” was a nurse who worked in Finland, and between 1989 and 1994 she worked on fixed-term contracts in a state/public hospital (i.e. working for Finland). However, from 1987 onwards “I” had also been a patient of the same hospital, as she had been diagnosed with HIV.

Early in 1992 the applicant began to suspect that her colleagues were aware of her illness. At that time hospital staff had free access to the patient register, which contained information on patients’ diagnoses and treating doctors. After she confided her suspicions to her doctor in summer 1992, the hospital’s register was amended so that henceforth only the treating clinic’s personnel had access to its patients’ records. The applicant was registered in the patient register under a false name. Apparently her identity was later changed once again and she was given a new social security number.

In 1995 the applicant, “I”, lost her job as her temporary contract was not renewed.

On 25 November 1996, the applicant complained to the County Administrative Board (lääninhallitus, länsstyrelsen) in Finland, requesting it to examine who had accessed her confidential patient record. Following this request, the director in charge of the hospital’s archives provided a formal statement to the County Administrative Board. The statement said that it was not possible to find out who, if anyone, had accessed the applicant’s patient record, as the data system revealed only the five most recent consultations - and this was by department and not by named individual. Even this scant information was deleted when the records were returned to the archives.

Following this investigation the Finnish County Administrative Board decided, on 20 October 1997, that while the individual was entitled to privacy, the records were not detailed enough for it to rule on whether information had been viewed inappropriately. However, it did advise that the records system should be changed so that access to the files is recorded.

As a result of this, in March 1998, the hospital’s register was amended so that it became possible to identify retrospectively any person who had accessed a patient record.

On 15 May 2000, the applicant “I” instituted civil proceedings against the District Health Authority (sairaanhoitopiirin kuntayhtymä, samkommunen för sjukvårdsdistriktet), which was responsible for the hospital’s patient register at the time of the incident, claiming non-pecuniary and pecuniary damages for the alleged failure to keep her patient record confidential.

On 10 April 2001, the District Court (käräjäoikeus, tingsrätten) rejected the action. The applicant then appealed to the Court of Appeal (hovioikeus, hovrätten), maintaining her claim that the hospital had not complied with the domestic law, in breach of her right to respect for her private life.

On 7 March 2002, the Court of Appeal found against the applicant and ordered her to pay the respondent’s legal expenses for both the district court and the appeal court – 2,000 and 3,271 euros respectively.

Following this “I” applied to the Finnish Supreme Court (korkein oikeus), claiming that there had been a violation of her right to respect for her private life. On 23rd December 2002 the Supreme Court refused leave to appeal.

Still pursuing the case, “I” applied to the ECHR and requested that her name be withheld. On 20th June 2003 the President of the Chamber (Nicolas Bratza) agreed to this. On 19th January 2006 the ECHR decided that there was a case to hear and informed Finland that it would hear the case.

On 17th July 2008 the court decided in favour of the applicant “I”.


Data Protection Act: Section 27

August 16th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act

Section 27 Data Protection Act

(1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.

(2) In this Part “the subject information provisions” means—

(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and

(b) section 7.

(3) In this Part “the non-disclosure provisions” means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.

(4) The provisions referred to in subsection (3) are—

(a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3,

(b) the second, third, fourth and fifth data protection principles, and

(c) sections 10 and 14(1) to (3).

(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.


Data Protection Act: Section 35

August 16th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act

35 Disclosures required by law or made in connection with legal proceedings etc

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary—

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

————————

Relevant Articles

Civil Procedure Rules Part 35


Select Committee Report: ICO

August 15th, 2008 by rob585 | No Comments | Filed in DNA, Data Protection Act, Data Retention, Fingerprint Scanners

Following a call for evidence by the House of Lords for their investigation and report entitled “The Impact of Surveillance and Data Collection upon the Privacy of Citizens and their Relationship with the State”, several different bodies and individuals provided their expertise, including GeneWatch, the Royal Engineering Academy, and ARCH. On 8th July 2007 Richard Thomas of the ICO submitted a report to the House of Lords on the issue. The full report is available here.

Highlights from the report include:

  • The commissioner believes that the risks of excessive surveillance are with us today.
  • The risks to individuals [privacy] … are evident and positive action is required to ensure that these risks do not manifest themselves and that unwarranted harm does not occur.
  • The Commissioner proposes that the Committee gives particular consideration to the following measures:

    1. Mandatory privacy impact assessments by government departments.
    2. Requirements to have codes of practice in place for pro active information sharing in the public sector.
    3. Proper consultation with the Commissioner before significant new developments.
    4. Increased audit and inspection powers for the Commissioner.
    5. Effective penalties for serious disregard for the requirements of the data protection principles.


Junk Mailers Complain about the Electoral Register

August 13th, 2008 by rob585 | 1 Comment | Filed in Data Protection Act

The Incorporated Society of British Advertisers (ISBA) has complained that the Data Protection Act (DPA) will stop the junk mailers – the people who send out millions of junk mail adverts every year (the industry name for it is direct mail) – from doing their job.

Updates to the DPA mean that marketing people can no longer use the electoral register as a means to send out huge volumes of marketing material.

With no hint of irony, the ISBA stated that the electoral register allows them to be environmentally friendly, as it allows them to target people (rather than empty addresses), and if they can no longer use the electoral register they may get a few wrong houses.

One could argue that sending out millions of unwanted letters with a very low success rate (1% to 2%) was not the most environmentally friendly method of advertising in the world.

Should you want to avoid junk mail, here are some tips.

Source Article


EU involved in Phorm

August 10th, 2008 by rob585 | 3 Comments | Filed in Uncategorized

The EU Commissioner for Information Society and Media, Viviane Reding, has written a letter to the UK Government asking it to confirm whether Phorm is in breach of EU data laws, and to respond by the end of August.

So far the UK ICO, which looked at the use of Phorm, and in particular its use by BT without informing those being monitored, has found that BT did not breach any of the UK Data Protection laws. The EU Data Commissioner has not stated that Phorm is in breach of EU laws either.

Therefore this latest action is interesting, as it requires the UK to comment on UK law, not EU law.

Articles

Dow Jones

BBC
