March Edition
I will publish a monthly newsletter summarising the latest data protection news at the end of each month. This may include data breaches, cybersecurity incidents, reprimands, and enforcement notices, as well as any new guidelines and best practices issued.
Rewind << Electoral Commission Cyberattack
You may recall that in August 2023, the Electoral Commission announced it had been subject to a cyberattack that affected 40 million voters. The attack took place in August 2021. This week, various news outlets reported that the Chinese state accessed personal data. Let's watch this space to see what, if anything, the UK Government does to respond to this matter.
Glassdoor Reviews No Longer Anonymous
"How to kill your own business and destroy years of trust invested in you by your users in one easy step."
This is a quote from one Glassdoor user who found out that their reviews of current or previous employers were no longer anonymous. So, how did this happen? Glassdoor acquired a company called Fishbowl (a network of professionals not dissimilar to LinkedIn). Every Glassdoor user had a Fishbowl account created as part of the integration process. The account required user verification, which combined the Glassdoor and Fishbowl data, thus identifying the once-anonymous Glassdoor user.
Question: how often do you review your software vendors?
I recommend you create an annual vendor due diligence process and, as part of that review, examine any acquisitions, new subprocessors, and/or new technology (e.g., AI) the vendor has adopted. This will make you more aware of any potential risks to the data being processed.
Full story: https://www.techradar.com/pro/glassdoor-added-real-names-to-supposedly-anonymous-profiles
Scottish Government's Use of WhatsApp to be Reviewed
Former Channel Islands Data Protection Commissioner Emma Martins has been appointed by the Scottish Government to review the use of mobile messaging apps and non-corporate devices.
“It will consider how mobile messaging apps and personal devices are used in government in line with the principles of digital ethics, records management, freedom of information, and human rights.”
During the Covid-19 Inquiry, it was revealed that Nicola Sturgeon and other senior figures involved in managing the Scottish Government's response to the pandemic had deleted WhatsApp messages.
Question: What is your organisation's policy on using messaging apps such as Facebook Messaging, WhatsApp, Signal, Telegram, etc.?
I recommend that you determine all the systems and tools used by your organisation to process personal data and update your policies and procedures with practical guidance on how you expect your staff to use them.
Chief Constable of Kent Police Reprimanded
On 5 March, the UK's Information Commissioner issued a reprimand to the Chief Constable of Kent Police regarding an incident which occurred three years earlier. The reprimand states:
A reprimand is being issued to Kent Police in respect of an incident in February 2021 when a Kent Police officer took a photograph of an individual’s identity document using her personal mobile phone and uploaded the image onto Telegram, a social media application (the App). From the evidence provided to the ICO, the Telegram distribution group onto which the image was uploaded was being used by multiple UK police forces and international law enforcement agencies for the purpose of combatting vehicle crime. The Kent Police officer did not inform the individual that further processing of his personal data would take place; how it would be processed; or the purpose for doing so.
The Telegram App was not officially sanctioned; however, 25 Kent Police officers downloaded it (though only 5 used it). The distribution group had 241 members! The reprimand raises concerns about the length of time the app could have been in use and the lack of awareness of data protection responsibilities. It was interesting to read that while all officers and staff must confirm their understanding of published policies and procedures before being granted access to official systems, when a policy or procedure was modified, those same staff and officers were not required to re-confirm their understanding!
Question: When you update a policy or procedure, do you circulate it to staff to confirm their understanding?
I recommend reviewing policies and procedures annually and informing staff of any changes that are made.
Read the reprimand in full: https://ico.org.uk/media/action-weve-taken/reprimands/4028824/20240305-kent-police-reprimand.pdf
Inappropriate Access to Medical Records
Sadly, this next story is not at all uncommon. It has been reported that staff at the London Clinic have attempted to access the medical records of the Princess of Wales while she was receiving treatment.
At least one member of staff tried to access Kate’s notes while she was a patient at the private hospital in central London in January, according to the Mirror.
The Information Commissioner's Office has confirmed receipt of a data breach report from the London Clinic.
Just because you have access to software systems that contain sensitive personal data about an individual (regardless of whether or not they are high-profile) does not give you the right to 'snoop'.
Question: How often do you deliver refresher data protection training relevant to the types of personal data your organisation processes and the systems it uses?
Training is not a tick-box exercise. Your organisation is responsible for educating its staff on data protection, and staff must adhere to the training, policies and procedures.
That's all for this month! Let me know what you think.
Kellie
Consultant unlocking progress for businesses with 20+ years of process expertise | Prince2 Agile Practitioner | MBA
11 months
Very useful information. Thank you, Kellie.