Former ICO Auditor Joins the Act Now Team 

We are excited to welcome Robert Weston to our growing team of associates at Act Now Training. With extensive experience in the data protection field, Robert brings a wealth of knowledge and expertise to our clients. 

Robert has previously worked at the Information Commissioner’s Office (ICO), where he conducted audits and advisory visits, guiding organisations to better compliance with their data protection responsibilities. His hands-on experience at the ICO gives him unique insight into the inner workings of regulatory compliance, knowledge that few consultants possess. 

Robert is also a law graduate and a retired Chartered Accountant, specialising in forensic accounting. His strong analytical background, combined with his ability to break down complex legal and regulatory issues into clear, actionable insights, makes him an invaluable asset to any organisation looking to strengthen their data protection strategies. 

In addition to his role at the ICO, Robert has served as the Data Protection Officer for a £170 million turnover not-for-profit organisation, as well as a consultant to NHS Trusts, where he advised on sensitive and high-stakes data protection matters.
This diverse background equips Robert with a deep understanding of both private and public sector challenges, helping clients navigate even the most intricate data protection landscapes. 

Ibrahim Hasan, Director at Act Now Training, had this to say about Robert’s arrival: 

 “We’re thrilled to have Robert join the team. With his wealth of experience from both sides of the fence, regulator and practitioner, Robert is perfectly positioned to guide our clients through the complex world of DP implementation. His skill set is a rare combination, and I’m confident he’ll bring immense value to our clients.” 

Tailored Data Protection Services for Your Organisation 

At Act Now Training, we understand that data protection is not a one-size-fits-all approach. That’s why we offer a flexible consultancy service designed to meet the specific needs of your organisation, whether you’re looking for a light-touch review or a comprehensive audit. 

Our services, led by Robert Weston, include: 

  • Desktop Reviews: A focused review of your key documents, policies, and procedures to assess data protection compliance. 
  • Onsite Audits: A deeper dive into your operations, combining desktop reviews with onsite assessments to identify risks and areas for improvement. 

Why is this important? Data protection failures can result not only in regulatory fines, but also serious reputational damage. A breach could lead to negative media coverage, eroding customer trust and impacting your brand. Our services help you avoid these risks by ensuring your data protection practices are robust and compliant with the latest legislation. 

What We Offer: Tailored Solutions for Data Protection Compliance 

Our consultancy services are designed to be flexible and scalable, offering the right level of support based on your needs: 

  • Half-Day Consultation: We’ll discuss your organisation’s approach to data protection, reviewing key documentation and ensuring compliance with legal bases for processing, data subject rights, and breach prevention. 
  • In-Depth Audit (3-4 Days): A comprehensive service where we assess your data protection practices, identify gaps, and provide practical steps to minimize risks, using a detailed review of your policies and procedures. 

During our assessments, we utilise ICO’s toolkits, which provide a structured approach to monitor ongoing compliance. These toolkits, often designed for larger organisations, include trackers to help you keep an eye on your progress. Having worked in the ICO’s assurance department, Robert is intimately familiar with these tools, and he’ll guide your team in implementing them effectively. 

Next Steps: Protect Your Organisation’s Future 

By working with Robert Weston and Act Now Training, you’ll gain peace of mind knowing your data protection practices are thoroughly assessed and enhanced to meet today’s rigorous compliance standards. Whether you’re looking for a quick health check or a detailed audit, we have the expertise and tools to support your organisation’s needs. 

Get in touch today to find out how we can help reduce your data protection risks, protect your reputation, and secure your stakeholders’ personal data. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!


ICO Reprimands Law Firm for GDPR Breach 

Last week, the Information Commissioner’s Office (ICO) issued a reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. 

Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server.
The attacker used legitimate credentials to infiltrate the system, eventually leaking personal data on the dark web including: 

  • Name, Address, Date of Birth
  • National Insurance Numbers 
  • Criminal data, including allegations, investigations, and prosecutions 
  • Details of complainants, victims (including children), and legally privileged information 
  • Prisoner Numbers, Health Status, and previous convictions 

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved.
This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children. 

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR: 

  • Article 32(1)(b): The need to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems. 
  • Article 32(1)(d): The requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. 

What Went Wrong? 

The ICO found that Levales Solicitors LLP failed to ensure the ongoing confidentiality of its systems, making it vulnerable to the cyberattack (Article 32(1)(b)). Several critical issues were identified by the ICO: 

No Multi-Factor Authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access. 

Weak Password Management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk. 

Unknown Point of Compromise: Levales Solicitors LLP was unable to determine how the attacker obtained the credentials, demonstrating a lack of sufficient oversight into how the breach occurred. 

The ICO also criticised Levales for failing to implement appropriate technical and organisational security measures (Article 32(1)(d)). Notably: 

Outsourced IT Management: Levales had outsourced its IT management but had not reviewed or updated security measures since 2012. The firm was unaware of basic security processes, such as detection, prevention, and monitoring systems in place with their third-party provider. 

Inadequate Contract Reviews: The ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up-to-date and appropriate. Levales had not reassessed their IT service contract since signing it, leaving potential vulnerabilities unchecked. 

The National Cyber Security Centre (NCSC) provides a 12-step guide on supply chain security, which advises that vulnerabilities within contracts can be easily exploited if the responsibilities and security measures between the provider and controller are not clearly defined or regularly reviewed. 

Despite these significant failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including: 

  • Introducing Multi-Factor Authentication (MFA) for all user accounts. 
  • Updating service contracts with third-party providers to ensure better security. 
  • Conducting a comprehensive review of existing systems and prioritising firewall upgrades. 

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under Article 58(2)(b) of the UK GDPR.  

Key Takeaways  

The decision reflects the seriousness of the firm’s failings in securing sensitive personal data and underscores the importance of robust data security practices for all organisations, particularly those handling highly sensitive information. All businesses are advised to take the following steps to comply with GDPR requirements: 

  • Implement Multi-Factor Authentication (MFA) for all accounts to reduce the risk of credential theft. 
  • Ensure that password policies are robust and regularly reviewed. 
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties. 
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats. 
  • Document and monitor the security measures in place, ensuring that they are tailored to the specific risks associated with the data being processed. 

This is not the first time that a law firm has been found to be in breach of GDPR.
In 2022 the ICO fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.
The fine followed a ransomware attack on the firm’s IT systems in which the attacker encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Tuckers reported the breach to the ICO as well as to affected individuals through various means including social media.  

The ICO concluded that there were a number of areas in which Tuckers had failed to comply, and to demonstrate that it complied, with the Security Principle. Its technical and organisational measures were, over the relevant period, inadequate.
Amongst other things, the lack of Multi-Factor Authentication was highlighted by the ICO. 

Data security is a cornerstone of GDPR compliance, and the reprimand involving Levales Solicitors LLP highlights the potential consequences of not taking proper precautions. Organisations should treat this as a wake-up call to evaluate and strengthen their own data protection measures, particularly in areas where sensitive or high-risk data is involved. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches workshop. 


Police Service of Northern Ireland Fined £750,000 for GDPR Breach 

The Information Commissioner’s Office has issued a GDPR fine of £750,000 to the Police Service of Northern Ireland (PSNI) for a personal data breach affecting thousands of officers.  

In August 2023, in response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 9,483 PSNI officers and staff, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety. 

The ICO investigation found that simple-to-implement procedures could have prevented the breach. The ICO’s statement said: 

“Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.” 

On 26th June 2024, the ICO announced that it will review the two-year trial before making a decision on the public sector approach in the autumn. The Notice of Intent issued to the PSNI before this fine was also in the sum of £750,000.  

In August this year, the ICO issued a Notice of Intent for a £6.09 million fine to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022. This came after the ICO found that the company failed to adequately protect the personal data of 82,946 individuals. It will be interesting to see if, here too, the actual fine will be the same as the notice. 

Data Protection Fees Consultation Announced 

The Department for Science, Innovation and Technology (DSIT) recently launched a consultation on a proposal to increase the annual data protection fees payable by Data Controllers to the Information Commissioner’s Office (ICO). This follows a statutory review in 2023 of the Charges Regulations 2018, mandated by section 138(3)(a) of the Data Protection Act 2018. The review found that the current fee levels are no longer sufficient to cover the ICO’s operational costs. 

The proposed increase of 37.2%, distributed evenly across the tiers, aims to ensure that the ICO has the necessary funding to carry out its statutory duties effectively and provide support to data controllers. Here is a breakdown of the proposed changes: 

  • Tier 1 – Micro organisations with maximum turnover of £632,000 or no more than 10 members of staff: Increase by £15, from £40 to £55 
  • Tier 2 – Small and medium organisations with maximum turnover of £36 million or no more than 250 members of staff: Increase by £22, from £60 to £82 
  • Tier 3 – Large organisations which do not meet criteria for tier 1 or 2: Increase by £1,079, from £2,900 to £3,979 

The DSIT has confirmed that there will be no changes to the tiering structure, exemptions, or direct debit discounts. 

The aim of these proposals is to secure the resources needed for the ICO to provide guidance, advice, and support to organisations for compliance with data protection obligations. This is also in line with HM Treasury’s principles on Managing Public Money, ensuring full cost recovery. The ICO’s response to the consultation can be read here. Nobody will be surprised to learn that it is in favour of the fee increase. 

The consultation is open until 26 September 2024. 


This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Labour Party Reprimanded for Subject Access Delays 

Last week, the Information Commissioner’s Office (ICO) issued the Labour Party with a Reprimand, under the UK GDPR, for repeatedly failing to respond to subject access requests (SARs). This is an embarrassing development for a party in government which recently announced a number of parliamentary bills in the area of information governance.   

Background 

In November 2022, the Labour Party found itself inundated with 352 SARs that required timely responses. 78% of these requests remained unanswered within the maximum compulsory time limit of three months, and more than half (56%) were significantly delayed by over one year. The backlog stemmed from a cyber-attack on the Labour Party in October 2021, which triggered a surge in SARs. 

During the ICO’s investigation, it came to light that a ‘privacy inbox’ within the Labour Party had not been monitored since November 2021. This inbox contained approximately 646 additional SARs and around 597 requests for deletion of personal data. None of these requests had been responded to.  

This reprimand comes a few months after a report by openDemocracy, an independent international media platform. The report claims that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation. 

Since engaging with the ICO, the Labour Party has taken steps to address its backlog including assigning three temporary staff members to focus solely on handling outstanding requests and allocating additional resources to expedite responses.  


Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment. 

ICO 5th Call for Evidence on Generative AI 

Recently we wrote about “How Generative AI’s Data Appetite is Fuelling Privacy Battles.” Last week the Information Commissioner’s Office (ICO) published its fifth call for evidence on Generative AI. This call focuses on the allocation of accountability for data protection compliance across the generative AI supply chain. It is part of the ICO’s consultation series on generative AI and data protection.

The fifth call for evidence addresses the recommendation for ICO guidance on the allocation of accountability in AI as a Service (AIaaS) contexts made in Sir Patrick Vallance’s Pro-innovation Regulation of Technologies Review.  
 
The allocation of accountability is complicated because of the different ways in which generative AI models, applications and services are developed, used and disseminated, but also the different levels of control and accountability that participating organisations may have.  
 
The ICO is interested in additional evidence on how this works in practice. In the meantime, it provides a summary of its current analysis, the policy positions it wants to consult on and some examples which show how this analysis could be applied in practice.  
 
The deadline for submissions is 18th September 2024.  

 
Join our Artificial Intelligence and Machine Learning, How to Implement Good Information Governance workshop for hands-on insights, key resource awareness, and best practices, ensuring you’re ready to navigate AI complexities fairly and lawfully. 

ICO to Review Public Sector GDPR Compliance Enforcement Approach

In June 2022, the Information Commissioner’s Office (ICO) revised its approach to enforcement of the UK GDPR against public sector organisations.  The two-year trial was announced in an open letter from the Information Commissioner, John Edwards, to public authorities in which he indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. Mr Edwards said:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

This new approach has seen the Commissioner over the last two years issue more reprimands than fines. One example of this approach was the issuing of a reprimand to the Department for Education (DfE) following its misuse of the personal data of up to 28 million children. The ICO said at the time that, had the new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. Some would say that the DfE got off very lightly and, given its past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy.

More recently the ICO was criticised for only issuing a reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and control systems. The Commission estimated the register for each year contained the details of around 40 million people. The ICO reprimand revealed that the Commission did not take basic security steps to ensure the protection of personal data.

On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn. It will be interesting to see whether the ICO views the approach as a success and if it will be continued or even extended to the private sector.


This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.

£6m Potential Fine for NHS IT Supplier

The Information Commissioner’s Office (ICO) has announced today that it has issued a GDPR Notice of Intent to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022.

The ICO’s preliminary decision is to impose a £6.09 million fine on Advanced.
This comes after its findings that the company failed to adequately protect the personal data of 82,946 individuals in breach of Article 32 of the UK GDPR.
As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds the role of Data Processor for many of its clients.

The breach in question occurred during a ransomware attack in August 2022.
Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The compromised data included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care.

The cyber-attack caused widespread disruption, with NHS 111 services impacted and some GPs resorting to pen and paper as electronic systems went offline. At the time, doctors warned that it could take months to clear the backlog of paperwork created by the incident.

This Notice of Intent serves as a reminder that Data Processors, like Advanced, have a duty to implement robust technical and organisational measures to safeguard personal data. This includes regularly assessing risks, applying multi-factor authentication, and keeping systems updated with the latest security patches. Data Processors cannot shift the responsibility to Data Controllers; their GDPR security obligations are independent of those of the Data Controller.

It is important to note that a Notice of Intent is not a fine — yet. It is a legal precursor, outlining the ICO’s provisional stance. Advanced now has the opportunity to make representations that could influence the final decision. This process is not without precedent: in 2018, British Airways faced a Notice of Intent for a £183 million fine due to a cybersecurity breach, but the actual fine issued in 2020 was reduced to £20 million. Similarly, Marriott International Inc.’s fine dropped from £99 million to £18.4 million after a Notice of Intent in 2020.

It will be interesting to see how the ICO’s final decision on Advanced compares with its approach in other cases, such as the Police Service of Northern Ireland (PSNI) incident. The PSNI was issued a Notice of Intent for £750,000 earlier this year after mistakenly releasing sensitive information about every police officer and staff member in response to a Freedom of Information request.

The Act Now Advanced Certificate in GDPR Practice is designed for experienced Data Protection Officers seeking to develop their skills and confidence to tackle the most challenging data protection projects within their organisation.

Please subscribe to this blog and help us to get to 10,000 subscribers. 

Electoral Commission Reprimanded for Data Breach Affecting 40 Million People

Last week the Information Commissioner’s Office (ICO) issued a GDPR reprimand to the Electoral Commission.

In August 2023 the Electoral Commission revealed, in a public notice issued under Articles 33 and 34 of the UK GDPR, that it had been the victim of a “complex cyber-attack” potentially affecting millions of voters. It had discovered in October 2022 that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.

The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022. This included those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.  The Commission further explained that it was difficult to predict exactly how many people could be affected, but it estimated the register for each year contains the details of around 40 million people. 

The ICO reprimand reveals that the Commission did not take basic security steps to ensure the protection of personal data. The ICO said:

“If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.”

Many have criticised the ICO for issuing a “slap on the wrist” rather than a fine for an entirely preventable cyberattack that exposed the personal data of 40 million UK voters. But the reprimand is in line with the ICO’s approach to public sector enforcement which has been the subject of a two year trial since June 2022. 
Explaining the approach at the time, the Information Commissioner wrote:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

In June the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the Autumn.

The Act Now Advanced Certificate in GDPR Practice is designed for experienced Data Protection Officers seeking to develop their skills and confidence to tackle the most challenging data protection projects within their organisation.


ICO Issues Two FOI Enforcement Notices

Under the Freedom of Information Act 2000, an Enforcement Notice may be served where the Information Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of the Act. If a public authority fails to comply with a Notice, the Commissioner may commence court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.

The ICO recently served an Enforcement Notice on both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust for their ongoing FOI failings which have seen hundreds of information requests go unanswered.

Devon and Cornwall Police

In 2023, as part of the ICO’s routine work to monitor public authorities’ compliance, the ICO found that between 2022 and 2024 the percentage of requests responded to by Devon and Cornwall Police within the statutory FOI timeframe (20 working days) was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024.

The ICO Enforcement Notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. It has also been given six months to clear the existing backlog.

Barking, Havering and Redbridge Hospitals NHS Trust

The ICO first contacted the Trust in June 2023 due to a number of complaints received about its late compliance with FOI requests. The ICO found that, over 12 months, the Trust had only responded to 29% of requests during the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner.

The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024. The ICO Enforcement Notice gives the Trust 35 days to devise and publish an action plan to clear this backlog by the end of the year.

Since last year, the ICO has pursued a tougher FOI enforcement policy. Recently it issued Enforcement Notices against three other police forces for poor FOI performance which has led to significant backlogs in their responses.

Our FOI Intermediate Certificate strengthens the foundations established by our FOI Practitioner Certificate. It will help you become an adept FOI practitioner by delving deeper into the intricacies of the FOIA, equipping you with the skills and confidence to navigate its complexities.