Information Law Update | 18 September 2014

Janine Regan, Solicitor
Monica Salgado, Advogada registered at the Portuguese Ordem dos Advogados, Registered European Lawyer with the SRA
CPD code: 099/SBIR

OUR FIRM AND OUR DATA PROTECTION & INFORMATION LAW TEAM
• Speechly Bircham is a full-service law firm with over 200 lawyers, headquartered in London, with offices in Paris, Luxembourg, Zurich and Geneva
• Sector specialisms include financial services, private wealth, technology, real estate and construction
• Our new firm, Charles Russell Speechlys, with additional offices in the UK, Bahrain and Qatar, will open for business on 1 November 2014 (read the full press release here)
• The enlarged data protection team has advised on this area of law since 1983 and provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches
• Ranked in Chambers and Legal 500 as a leading law firm for Data Protection
• “Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”

SAVE THE DATE!!! The proposed data protection Regulation: Industry Insight
• When: Wednesday 8 October, 5.30pm to 6.30pm, with drinks and canapés afterwards
• Where: Our offices, 6 New Street Square, EC4A 3LX
- We expect that by the end of this year or the beginning of the next, the proposed DP Regulation will be in its final form. But what should businesses be doing now to prepare for their obligations under the new law?
- During this one-hour session we will hear the views of a variety of guest panel speakers, including: Steve Wood (Head of Policy Delivery at the Information Commissioner’s Office); James Leaton-Gray (Controller, Information Policy at the BBC); Lori Baker (Senior Compliance & Privacy Attorney at Dun & Bradstreet); Paul Donovan (Head of Legal at Canopius)
Email Janine.Regan@speechlys.com if you would like to attend!

JANINE REGAN – CIPP/E
Janine advises on global data protection compliance and outsourcing projects for multinationals in sectors such as financial services, pharmaceutical, construction, and marketing and advertising. She advises on filings with relevant data protection authorities, processor/controller agreements, trans-border flows of personal data, data breaches and data protection provisions in outsourcing contracts, and has provided tailored training for clients and for PDP training.
“Very impressive data protection knowledge” (Client)
Janine is a regular presenter on Speechly Bircham's data protection webinars and contributes regularly to internal and external publications such as Data IQ, the Society of Corporate Compliance and Ethics, the Society for Computers and Law and Bloomberg BNA. She also holds the Certified Information Privacy Professional (Europe) (CIPP/E) qualification.

MONICA SALGADO – CIPP/E & ISEB Certificate in Data Protection
Monica is a Portuguese-qualified lawyer and a Registered European Lawyer with experience assisting clients with the most varied data protection issues, both in Portugal and the UK. She regularly assists clients with registrations and requests for authorisation with data protection authorities, analysing processor/controller agreements (including conducting prior due diligence procedures) and trans-border flows of personal data.
Monica also assists in preparing replies to subject access requests and other data protection related requests, implementing data protection compliance measures and tools (including drafting relevant data protection policies), performing data protection compliance assessments, providing data protection training, and assisting businesses to comply with e-privacy rules, notably by conducting cookie audits, drafting cookie policies and implementing cookie consent tools.
“provides top-notch client service” (Legal 500, 2011)
Monica is a regular speaker on Speechly's webinars and at external data protection events, such as the Privacy and Data Protection Conference and the SCCE conference in London, and the Minnesota State Bar Association CLE conference on Global Privacy in Minneapolis, and also contributes regularly to internal and external publications, including the PDP journal and Nymity updates.

TOPICS
• Singapore's data protection fine
• Formal warning issued by CNIL against Orange
• The latest on the celebrity privacy scandal
• More myth busters: debunking the panic on the Regulation
• ICO audit on local councils
• Returning privacy to users: the Portuguese C3Priv software program

SINGAPORE'S DATA PROTECTION FINE
• Singapore’s Personal Data Protection Act (PDPA) came into force on 2 July 2014
• 27 August: first fine
• Why? Tuition company Star Zest Home Tuition did not check the Do Not Call (DNC) registry before sending marketing messages
- Star Zest and its director, Law Han Wei, were each fined SGD 39,000 (approx. £20K), which equated to SGD 3,000 per charge
- Maximum penalty under the PDPA = SGD 10,000 per charge
• Key takeaways
- Breach of the PDPA = personal liability
- Singapore takes breaches of the PDPA very seriously, and not checking the DNC registry has the potential for very large fines
- If you have a Singaporean subsidiary, get your house in order!
FORMAL WARNING ISSUED BY CNIL AGAINST ORANGE
• Decision issued on 7 August 2014
• Following a notification of a data breach
- Which occurred within a sub-processor’s data processing environment
- Involving non-sensitive personal data
• The CNIL investigated further and discovered more non-compliances
• Formal warning, publicised
- Legally set out as the maximum penalty available once the non-compliances have been remedied

FORMAL WARNING ISSUED BY CNIL AGAINST ORANGE: RELEVANT ASPECTS TO NOTE
• How important it is to properly manage the data processing chain
- At the beginning
- During the relationship
- At the end of the contract
• Importance of privacy impact assessments
• Legal recognition of the reputational impact of such public warnings
Top ten tips on what to look out for when outsourcing data processing activities

THE LATEST ON THE CELEBRITY PRIVACY SCANDAL
• Private photographs unlawfully obtained from the iCloud accounts of public figures
- 100 women
- 1 man
• Speculation:
- The hacker used the “Find my phone” app
- There was no limit on the number of wrong password guesses
- The hacker accessed the photographs on the online backup service
• 4chan and Reddit published the photos on 31 August
• Some photographs had previously been deleted
“Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. (…)”

THE LATEST ON THE CELEBRITY PRIVACY SCANDAL – APPLE’S POSITION
• Apple’s terms and conditions:
- Automatic back-up to iCloud
- Users fully responsible for the content they upload, download, etc.
- Users’ “use of the Service and any Content is at [users’] own risk”
- Users own the Content and give Apple a licence to be able to transmit it
- Open question: what about the photos that had been deleted by the users? Were they still backed up?
- No guarantees against hacking
- Users solely responsible for loss of data
• Apple’s response online

THE LATEST ON THE CELEBRITY PRIVACY SCANDAL – APPLE’S RESPONSE

THE LATEST ON THE CELEBRITY PRIVACY SCANDAL – OUR LIFE IN THE CLOUD: ARE WE ALL JUST UP IN THE AIR?
• Do celebrities have fewer privacy rights?
- By opening up their lives?
- “Once stolen, no longer personal (…)”*?
• Should we all be as worried about privacy as celebrities?
- Is privacy dependent on the likelihood of public disclosure?
- We all have a strong digital footprint…
Top ten tips on keeping your digital self safe!
* Boston Globe online

THE LATEST ON THE CELEBRITY PRIVACY SCANDAL – LIKELY DEVELOPMENTS
Similar situations in the past
• Sarah Palin
- E-mail account hacked
- Hacker jailed for 1 year and 1 day
• Christopher Chaney
- Hacked 50 public figures’ e-mail accounts
- Distributed photographs
- 10 years in federal prison
• Celebrity credit account takeover
- Credit card fraud and aggravated identity theft
- 3 and a half years in federal prison
What about this event?
• The FBI is investigating
• Apple may have to notify the individuals affected and possibly the California Attorney General
• Could Apple be fined?
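The speculation on the earlier slide that there was no limit on the number of wrong password guesses describes a classic brute-force failure mode: a login endpoint that never locks or slows down lets an attacker run through a wordlist until it hits. The following is an added example, not code from these slides or from Apple; it is a hypothetical, in-memory login service (the names LoginService, brute_force, WORDLIST and demo are assumptions for illustration) that can be run in the weak configuration (unlimited guesses) or the hardened one (lock the account after a few failures), with a small constructed wordlist to show the difference.

```python
"""Added example (hypothetical; not Apple's code or any real service).

Contrasts a login endpoint that accepts an unbounded number of wrong
guesses with one that locks the account after a few failures.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Kept low so the demo runs quickly; real deployments use far more iterations.
PBKDF2_ITERATIONS = 20_000
# Used for unknown user names so they cost the same time as known ones.
DUMMY_SALT = os.urandom(16)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginService:
    """max_failures=None reproduces the weak behaviour: unlimited guesses."""

    def __init__(self, max_failures=None, lockout_seconds=900):
        self.accounts = {}
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # same cost and same answer: no user enumeration
            return "denied"
        if acct.locked_until > now:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


# Constructed sample wordlist for the demo; the real password sits at position 9.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "welcome", "monkey", "dragon", "sunshine1", "football", "abc123"]


def brute_force(service: LoginService, user: str, wordlist) -> tuple:
    """Try each guess in turn; return (recovered_password_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, 1):
        result = service.login(user, guess, now=0.0)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def demo() -> dict:
    weak = LoginService(max_failures=None)
    weak.register("alice", "sunshine1")
    hardened = LoginService(max_failures=5, lockout_seconds=900)
    hardened.register("alice", "sunshine1")
    return {"weak": brute_force(weak, "alice", WORDLIST),
            "hardened": brute_force(hardened, "alice", WORDLIST)}


if __name__ == "__main__":
    print(demo())   # {'weak': ('sunshine1', 9), 'hardened': (None, 5)}
```

Against the weak service the wordlist attack succeeds on the ninth guess; against the hardened one it is stopped at the fifth and the account stays locked until the lockout window has passed. A per-account lockout on its own is a trade-off, since anyone who knows a user name can lock that user out, so in practice it is combined with per-source rate limiting, progressive delays and alerting on bursts of failures rather than used alone.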
MORE MYTH BUSTERS: DEBUNKING THE PANIC ON THE REGULATION
• “You will need express, opt-in consent to collect personal data” – relevant article: 6
• “Everyone will have the right to be forgotten” – relevant article: 17
• “No more notifications = no more bureaucracy = hurrah!” – relevant articles: 22, 28

ICO AUDIT ON LOCAL COUNCILS
Findings from ICO audits of 16 local authorities, January to December 2013
• 2013 was a bad year for local authorities…
- 15 October 2013, £80,000, North East Lincolnshire Council: a special educational needs teacher lost an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.
- 27 August 2013, £100,000, Aberdeen City Council: inadequate homeworking arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.
- 23 August 2013, £70,000, Islington Borough Council: personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website, which enables individuals to submit freedom of information requests to local authorities.
- 4 June 2013, £150,000, Glasgow City Council: theft of two unencrypted laptops from the Council’s offices.
- 4 June 2013, £70,000, Halton Borough Council: the home address of adoptive parents was wrongly disclosed by the Council to the birth family.
• Compulsory audits for the NHS: likely to be expanded to local authorities, and possibly the private sector in due course?
• Data protection governance
A council has a SIRO (Senior Information Risk Owner) who sits on the Corporate Management Board (CMB), the data protection steering group, the information security steering group and a further data protection improvement group for key managers. The DPO (Data Protection Officer) chairs both the data protection and improvement steering groups. The council has a Caldicott Guardian and nominated Information Asset Owners (IAOs). All senior managers have a clear understanding of data protection issues and review them at regular management meetings.
Services and/or individuals are able to create policies themselves. The council does not oversee these policies, which do not require approval from senior management. These policies do not follow an approved format or version control process, have named owners or enforce at least an annual review.

• Requests for personal data
A council DPO trains its social workers to do their own redactions. Managers across all directorates check any redacted information. The DPO also quality checks most responses, but may not have any further input if the request is simple. In response to subject access requests, the council explains any redactions or exemptions it has applied in its covering letters.
A council has not given formal specialised training to most employees processing subject access requests, and they tend to consult Legal Services for relevant advice.

• Security of personal data
A council conducts regular internal and external penetration testing of its network to minimise the risk of external threats.
It uses a computer-aided vulnerability assessment tool to identify risks to the network (e.g. open ports or missing security patches). The council has recently completed firewall and penetration testing.
A council has no mandatory foundation or regular refresher information security training for all employees, and no advanced training for those employees in specialist information security roles.

• Training and awareness
The Learning and Development Team is responsible for the content and availability of the training. The council has dedicated training officers and champions, and managers are responsible for ensuring that all staff, permanent and temporary, complete the training, including refresher training.
A council does not have a formal needs-based data protection training programme which applies to all staff and, historically, data protection training has centred on the ad hoc delivery of basic presentations by the DPO at the request of team managers.

• Data sharing
With the input of local champions from each service, the data protection steering group has created a central record of all the council’s information sharing agreements (ISAs). The council also uses the information to help create departmental Information Asset Registers (IARs).
The responsibility for carrying out reviews lies with the directorate which owns the agreement as opposed to a key individual or relevant steering group. There is no corporate oversight to ensure that reviews are carried out on at least an annual basis.
RETURNING PRIVACY TO USERS: C3Priv
• Software developed by a Portuguese university and the Portuguese Data Protection Authority
• Downloadable from the C3Priv website onto a USB stick
- Portable apps are downloaded onto the USB stick
- These apps come with privacy-friendly settings already applied
• Aim: returning privacy control to the user, without the user having to worry about the applications’ settings
• Data protection by default

ADDITIONAL HAND-OUTS
• Top ten tips when using an outsourcer
• Top tips to protect yourself online and beyond
• “Application of BCRs by multinational group of companies in non-EU countries which adopted the Convention 108”, Volodymyr Kozak, The State Service of Ukraine on Personal Data Protection

FURTHER INFORMATION
For more information on our services, please contact:
Monica Salgado, 020 7427 6554, Monica.Salgado@speechlys.com
Janine Regan, 020 7427 6798, Janine.Regan@speechlys.com