Information law update - Charles Russell Speechlys

18 September 2014
INFORMATION LAW UPDATE
Janine Regan
Solicitor
Monica Salgado
Advogada registered at the
Portuguese Ordem dos
Advogados
Registered European Lawyer
with the SRA
CPD code - 099/SBIR
OUR FIRM AND OUR DATA PROTECTION & INFORMATION LAW TEAM
• Speechly Bircham is a full-service law firm with over 200 lawyers, headquartered
in London, with offices in Paris, Luxembourg, Zurich and Geneva
• Sector specialisms include financial services, private wealth, technology, real
estate and construction
• Our new firm of Charles Russell Speechlys with additional offices in UK, Bahrain
and Qatar will open for business on 1 November 2014 – read the full press
release here
• The enlarged data protection team have advised on this area of law since 1983
and provide a range of expertise on data privacy audit, compliance, risk
management, information security and data breaches
• Ranked in Chambers and Legal 500 as a leading law firm for Data Protection
• “Robert Bond and his team have always provided comprehensive, practical
advice on a timely basis. Their knowledge of the EU regulatory scene, including
experience with specific agencies, as well as privacy issues globally has been
instrumental in establishing our privacy policies and procedures.”
Information Law Update | 18 September 2014
SAVE THE DATE!!!
The proposed data protection Regulation: Industry Insight
• When: Wednesday 8th October – 5.30pm – 6.30pm with drinks and canapés afterwards
• Where: Our offices – 6 New Street Square, EC4A 3LX
- We expect that by the end of this year / beginning of the next, the proposed DP
Regulation will be in its final form – but what should businesses be doing now to
prepare for their obligations under the new law?
- During this one hour session we will hear the views of a variety of guest panel speakers including:
Steve Wood (Head of Policy Delivery at the Information Commissioner’s Office)
James Leaton-Gray (Controller, Information Policy at the BBC)
Lori Baker (Senior Compliance & Privacy Attorney at Dun & Bradstreet)
Paul Donovan (Head of Legal at Canopius)
Email Janine.Regan@speechlys.com if you would like to attend!
JANINE REGAN – CIPP / E
Janine advises on global data protection compliance and
outsourcing projects for multinationals in sectors such as
financial services, pharmaceutical, construction and marketing
and advertising.
She advises on filings with relevant data protection authorities,
processor / controller agreements, trans-border flows of
personal data, data breaches, data protection provisions in
outsourcing contracts and has provided tailored training for
clients and for PDP training.
“Very impressive data protection knowledge” – Client
Janine is a regular presenter on Speechly Bircham's data
protection webinars and contributes regularly to internal and
external publications such as Data IQ, the Society of Corporate
Compliance and Ethics, the Society for Computers and Law and
Bloomberg BNA.
She also possesses the Certified Information Privacy Professional (Europe) (CIPP/E) qualification.
MONICA SALGADO – CIPP/E & ISEB Certificate in Data Protection
Monica is a Portuguese qualified Lawyer and a Registered European Lawyer with experience assisting clients with the most varied data protection issues, both in Portugal and the UK.
She regularly assists clients with registrations and requests for authorisation with data protection authorities, analysing processor / controller agreements – including conducting prior due diligence procedures – and trans-border flows of personal data.
Monica also assists in preparing replies to subject access requests and other data protection related requests, implementing data protection compliance measures and tools, including drafting relevant data protection policies, performing data protection compliance assessments, providing data protection training and also assisting businesses to comply with E-Privacy rules, notably by conducting cookies audits, drafting cookies policies and implementing cookies consent tools.
“provides topnotch client service” – Legal 500, 2011
Monica is a regular speaker on Speechly's webinars and external data protection events, such as the Privacy and Data Protection Conference and the SCCE conference in London, and the Minnesota State Bar Association CLE conference on Global Privacy, in Minneapolis, and also contributes regularly to internal and external publications, including the PDP journal and Nymity updates.
TOPICS
• Singapore's data protection fine
• Formal warning issued by CNIL against ORANGE
• The latest on celebrity privacy scandal
• More myth busters – debunking the panic on the Regulation
• ICO audit on local councils
• Returning privacy to users – Portuguese C3Priv software program
SINGAPORE'S DATA PROTECTION FINE
• Singapore’s Personal Data Protection Act came into force on 2 July 2014
• 27th August – first fine
• Why?
- Tuition company, Star Zest Home Tuition, not checking the DNC registry before sending marketing messages
- Star Zest and its director, Law Han Wei, each fined $39,000 SGD (approx £20K), which equated to $3,000 per charge
- Max penalty under PDPA = $10,000 per charge
• Key takeaways
- Breach of PDPA = personal liability
- Singapore takes breaches of PDPA very seriously, and not checking the DNC registry has potential for very large fines
- If you have a Singaporean subsidiary = get your house in order!
FORMAL WARNING ISSUED BY CNIL AGAINST ORANGE
• Decision issued on 7 August 2014
• Following a notification of a data breach
- Which occurred within a sub-processor’s data processing environment
- Involving non-sensitive personal data
• The CNIL investigated further and discovered more non-compliances
• Formal warning – publicised
- Legally set out as the maximum penalty when non-compliances have been remedied
FORMAL WARNING ISSUED BY CNIL AGAINST ORANGE
Relevant aspects to note
• How important it is to properly
manage the data processing chain
- In the beginning
- During the relationship
- At the end of the contract
• Importance of privacy impact
assessments
• Legal recognition of the reputation
impact of such public warnings
Top ten tips on what to look out for when outsourcing the data processing activities
THE LATEST ON CELEBRITY PRIVACY SCANDAL
• Private photographs unlawfully obtained from
the iCloud accounts of public figures
- 100 women
- 1 man
• Speculation:
- Hacker used the “Find my phone” app
- There was no limit on the number of wrong guesses
- Hacker accessed the photographs on the online backup service
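The speculated weakness above, an unlimited number of wrong password guesses, is what a per-account attempt throttle is designed to close. The following is an added Python example written for this update; it is not code from the original presentation or from Apple, and its policy limits (5 failures in a 15-minute window, 30-minute lockout), account names and password values are constructed for illustration.

```python
"""Per-account login throttle: a defence against the failure mode speculated
about above (no limit on the number of wrong password guesses).

Added example; not code from the original presentation or from Apple.
The policy limits, account names and passwords below are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_FAILURES = 5        # wrong guesses tolerated inside one window (assumed policy)
WINDOW_SECONDS = 900    # sliding window (15 minutes) in which failures are counted
LOCKOUT_SECONDS = 1800  # lockout length (30 minutes) once the limit is reached


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # epoch seconds; 0 = not locked


class LoginThrottle:
    """Counts failed attempts per account and refuses further attempts once
    the limit is hit, even if the password offered is then correct."""

    def __init__(self) -> None:
        self._accounts: dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._state(account).locked_until

    def record_attempt(self, account: str, password_correct: bool, now: float) -> str:
        """Evaluate one attempt at time `now` (epoch seconds).

        Returns "locked" (attempt refused without checking the password),
        "denied" (wrong password, limit not yet reached) or "allowed".
        """
        st = self._state(account)
        if now < st.locked_until:
            return "locked"
        # Age out failures that fall outside the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()
        if password_correct:
            st.failures.clear()
            return "allowed"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return "locked"
        return "denied"


def run_attempts(throttle, account, candidates, real_password, start=0.0, spacing=1.0):
    """Feed a sequence of candidate passwords, `spacing` seconds apart, and
    return the outcome of each attempt. Shows that once the account is
    locked, even the correct password is refused until the lockout expires."""
    outcomes = []
    for i, candidate in enumerate(candidates):
        outcomes.append(
            throttle.record_attempt(account, candidate == real_password, start + i * spacing)
        )
    return outcomes


if __name__ == "__main__":
    t = LoginThrottle()
    # Constructed scenario: five wrong guesses followed by the real password.
    print(run_attempts(t, "alice@example.invalid",
                       ["g1", "g2", "g3", "g4", "g5", "real-password-value"],
                       "real-password-value"))
    # -> ['denied', 'denied', 'denied', 'denied', 'locked', 'locked']
```

The throttle deliberately returns "locked" before the password is checked, so a locked account leaks no information about whether a guess was right; in a real deployment the same counter would also be kept per source address and every "locked" outcome logged, since a burst of lockouts across many accounts is the signal a security team wants to alert on.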
• 4chan and Reddit published the photos on 31
August
• Some photographs had previously been
deleted
“Knowing those photos were deleted long ago, I
can only imagine the creepy effort that went
into this. (…)”
THE LATEST ON CELEBRITY PRIVACY SCANDAL – APPLE’S POSITION
• Apple’s terms and conditions:
- Automatic back up to iCloud
- Users fully responsible for the content
they upload, download, etc.
- Users “use of the Service and any
Content is at [users’] own risk”
- Users own the Content and give Apple a
license to be able to transmit it
- What about the photos that had been deleted by the users? Were they still backed up?
- No guarantees against hacking
- Users solely responsible for loss of data
• Apple’s response online
THE LATEST ON CELEBRITY PRIVACY SCANDAL – APPLE’S RESPONSE
THE LATEST ON CELEBRITY PRIVACY SCANDAL
Our life in the cloud – are we all just up in the air?
• Do celebrities have fewer privacy rights?
- By opening up their lives?
- “Once stolen, no longer personal (…)”*?
• Should we all be as worried about privacy as celebrities?
- Is privacy dependent on the likelihood of public disclosure?
- We all have a strong digital footprint…
Top ten tips on keeping your digital self safe!
*Boston Globe online
THE LATEST ON CELEBRITY PRIVACY SCANDAL – LIKELY DEVELOPMENTS
Similar situations in the past
• Sarah Palin
- E-mail account hacked
- Hacker jailed for 1 year and 1 day
• Christopher Chaney
- Hacked 50 public figures’ e-mails
- Distributed photographs
- 10 years in a federal prison
• Celebrity credit account takeover
- Credit card fraud & aggravated identity theft
- 3 and a half years in federal prison
What about this event?
• FBI is investigating
• Apple may have to notify the individuals affected and
possibly the California Attorney General
• Could Apple be fined?
MORE MYTH BUSTERS - DEBUNKING THE PANIC ON THE REGULATION
• “You will need express, opt-in consent to collect personal data” – Relevant article: (6)
• “Everyone will have the right to be forgotten” Relevant article: (17)
• “No more notifications = no more bureaucracy = hurrah!” Relevant articles: (22, 28)
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• 2013 was a bad year for local authorities…
- 15 October 2013 – £80,000 – North East Lincolnshire Council: A special educational needs teacher at North East Lincolnshire Council lost an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
- 27 August 2013 – £100,000 – Aberdeen City Council: Inadequate homeworking arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
- 23 August 2013 – £70,000 – Islington Borough Council: Personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website, which enables individuals to submit freedom of information requests to local authorities.
- 4 June 2013 – £150,000 – Glasgow City Council: Theft of two unencrypted laptops from the Council’s offices.
- 4 June 2013 – £70,000 – Halton Borough Council: The home address of adoptive parents was wrongly disclosed by the Council to the birth family.
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Compulsory audits for NHS – likely to be expanded to local authorities – and
possibly private sector in due course?
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Data Protection Governance
A council has a SIRO who sits on the Corporate Management
Board (CMB), the data protection steering group, the information
security steering group and a further data protection improvement
group for key managers. The DPO chairs both the data protection
and improvement steering groups.
The council has a Caldicott Guardian and nominated Information
Asset Owners (IAOs). All senior managers have a clear
understanding of data protection issues and review them at regular
management meetings.
Services and/or individuals are able to create policies themselves.
The council does not oversee these policies, which do not require
approval from senior management. These policies do not follow an
approved format or version control process, have named owners or
enforce at least an annual review.
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Requests for personal data
A council DPO trains its social workers to do their own redactions.
Managers across all directorates check any redacted information.
The DPO also quality checks most responses, but may not have
any further input if the request is simple. In response to subject
access requests, the council explains any redactions or
exemptions it has applied in its covering letters.
A council has not given formal specialised training to most
employees processing subject access requests, and they tend to
consult Legal Services for relevant advice.
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Security of personal data
A council conducts regular internal and external penetration testing
of its network to minimise the risk of external threats. It uses a
computer-aided vulnerability assessment tool to identify risks to the
network (eg open ports or missing security patches). The council
has recently completed firewall and penetration testing.
A council has no mandatory foundation or regular refresher
information security training for all employees and no advanced
training for those employees in specialist information security roles.
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Training and awareness
The Learning and Development Team is responsible for the
content and availability of the training. The council has dedicated
training officers and champions, and managers are responsible for
ensuring that all staff, permanent and temporary, complete the
training, including refresher training.
A council does not have a formal needs-based data protection
training programme which applies to all staff and historically, data
protection training has centred on the ad hoc delivery of basic
presentations by the DPO at the request of team managers.
ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities – January to December 2013
• Data sharing
With the input of local champions from each service, the data
protection steering group has created a central record of all the
council’s ISAs. The council also uses the information to help create
departmental Information Asset Registers (IARs).
The responsibility for carrying out reviews lies with the directorate
which owns the agreement as opposed to a key individual or
relevant steering group. There is no corporate oversight to ensure
that reviews are carried out on at least an annual basis.
RETURNING PRIVACY TO USERS
C3Priv
• Software developed by a Portuguese University & the Portuguese Data Protection Authority
• Downloadable from the C3Priv website onto a USB stick
- Portable apps downloaded onto the USB stick
- These apps will have privacy-friendly settings already
• Aim – returning privacy control to the user, without the user having to worry about the applications’ settings
• Data protection by default
ADDITIONAL HANDOUTS
• Top ten tips when using an outsourcer
• Top tips to protect yourself online and
beyond
• “Application of BCRs by multinational
group of companies in non EU
countries which adopted the
Convention 108”
- Volodymyr Kozak
- The State Service of Ukraine on
Personal Data Protection
FURTHER INFORMATION
For more information on our services, please contact
Monica Salgado
020 7427 6554
Monica.Salgado@speechlys.com
Janine Regan
020 7427 6798
Janine.Regan@speechlys.com