Archive for September, 2012

ICO Guidance for charities

Posted on September 18th, 2012 by

Charities frequently hold sensitive information about the individuals they help. Charities are rightly conscious of the damage that could be done to individuals if the sensitive information was misused. Charities must also comply with their obligations under the Data Protection Act 1998. The Information Commissioner has recently published tips and guidance to help charities comply.

The ICO’s top tips for improvement are:

  1. Tell people what you are doing with their information: You should be open and honest with people about how their information will be used – people should know what you are doing with their personal information and who their information will be shared with.
  2. Make sure your staff are adequately trained: New employees should receive data protection training to explain how they should handle personal information; existing staff should receive regular refresher training.
  3. Use strong passwords: All passwords should contain upper and lower case letters, a number and ideally a symbol. This helps to protect information from data thieves.
  4. Encrypt all portable devices: All portable devices such as memory sticks and laptops which are used to hold and store personal information should be encrypted.
  5. Only keep people’s information for as long as necessary: Your organisation should establish data retention periods and there should be a process for securely deleting personal information once it is no longer required.  


As well as highlighting the top tips, the ICO is also offering charities the opportunity to sign up to a free one day advisory visit from the ICO (contact the ICO on The advisory visit will act as a ‘check up’ to allow the ICO to review the charity’s data handling practices and to offer practical advice to help with compliance. The ICO has also created a TH!NK PRIVACY toolkit specifically for the charity sector to help with awareness raising.

Organisations that commit serious breaches of data protection can receive a fine of up to £500,000 from the ICO. The ICO has indicated that he will take account of the nature of the organisation (e.g. voluntary/ charitable) and the organisation’s available resources before determining the amount of the fine. However, trustees of a charity could be ultimately liable for paying the fine.

Privacy in the global village

Posted on September 4th, 2012 by

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.

The Justice Committee’s first bite of the new Data Protection Framework Proposals

Posted on September 4th, 2012 by

This morning the UK Parliament’s Justice Select Committee held its first evidence session on the EU Data Protection Framework Proposals. Representatives from the Association of Chief Police Officers, the Met Police, the Federation of Small Businesses, Microsoft as well as the Information Commissioner’s Office provided their views on the two draft EU legal instruments – the Directive (concerned with criminal data) and the Regulation (concerned with pretty much everything else).


While the witnesses accepted that the Regulation did bring welcome changes to reduce certain aspects of the current regime’s bureaucracy (for instance, around notifying DPAs), the overwhelming response was to criticise the overly-engineered text of the Directive and Regulation (including the numerous delegated powers given to the EU Commission).  A key tension in the Regulation exists between the drive towards harmonisation (particularly dear to the Commission) and the consequent prescriptive practices and procedures that the Commission’s version of harmonisation requires.

The Business view

Although international businesses are keen on a single data protection standard across the EU, this becomes less palatable when the requirements for that standard are set out in precise detail. Additionally, while the Regulation appears to hold out all sorts of new rights to individuals as data subjects, industry queried what incentives the Regulation contained for them to comply and what compensation they would receive for the additional administrative burdens they would have to bear (such as maintaining detailed documentation about their data processing and responding to subject access requests if the fee is abolished). Industry supported an approach that encouraged codes of conduct and certification to promote trust between consumers and business.

The Regulator’s view

In his evidence, Christopher Graham, the Information Commissioner, was particular trenchant in his view that full compliance by the Information Commissioner’s Office with the requirements of the Regulation was not only unworkable but also exorbitantly expensive. He indicated that potentially millions more pounds would need to be allocated to the ICO for the office to fulfil its obligations under the Regulation such as checking that data controllers appoint DPOs or carry out PIAs. The ICO emphasised the need for the Regulation to focus on good data protection outcomes rather than prescribing the means by which this is achieved. For the ICO, the Regulation should promote a risk-based rather than one-size fits all approach.

The ICO was optimistic that its view during the negotiations on the Regulation would make some headway.  In particular the ICO was not keen to see its reputation as a regulator that advises and assists transformed into an administrative centre where it is obliged to punish compliance failures with no ability to apply discretion and judgment.

The right to be disappointed….

Although there was some discussion amongst the Committee and witnesses on the impact of the right to be forgotten, some witnesses considered this would swiftly become a ‘right to be disappointed’. Though packaged up as a new right, witnesses made the point that a similar if not identical right already exists in the current regime. Additionally the practical feasibility of organisations scouring the internet to identify and delete every reference to an individual means that it will be well nigh impossible for an organisation to conclusively delete every reference to an individual. Disappointment and disenchantment would inevitably set in. The ICO also mentioned that it is still unclear whether search engines would be caught by the obligation to implement an individual’s right to be forgotten.