GDPR Friday Roundup – 13th October 2017


The Data Protection Bill had its Second Reading in the House of Lords on Tuesday. Lord Ashton of Hyde said the Bill aims to satisfy three objectives: to maintain trust by increasing security, transparency and enforcement; to support future trading relationships by allowing the free flow of data across international boundaries; and to ensure cyber crime is tackled. Labour’s Lord Stevenson of Balmacara raised concerns that even if the Bill ensures the UK is compliant with EU regulations at the point of Brexit, after that there need to be provisions to make sure the Bill keeps up with EU regulations so as not to risk a situation where the flow of data between the UK and EU is stopped. Find the full Hansard report in two parts here and here.

The European Union Committee’s 3rd Report ‘Brexit: EU Data Protection Package’ was taken note of in the House of Lords late on Tuesday evening.

Since Parliament returned from recess last week, many MPs and Lords have tabled questions relating to data protection and the Equifax data breach, including 13 by the SNP’s Stephen Gethins on ‘The exchange and protection of personal data’ future partnership paper released on 24 August. None have received responses yet, so the questions and their answers will be detailed in a future roundup.

The head of the Treasury Select Committee, Nicky Morgan, has written a letter to Equifax’s European chief, Patricio Remon, asking for the full scope of the data breach and what compensation will be provided to those affected. A letter has also been sent to the FCA to ask whether it has plans to move against Equifax’s UK arm. Read more here.



The European Parliament’s Civil Liberties Committee has passed amendments to new EU rules on the processing of personal data by EU institutions. The amendments mean the new rules will not only cover EU institutions, but also bodies, offices and agencies to ensure a strong and coherent framework for data processing throughout the EU. Read more here.


Who’s getting it wrong?

A Liverpool firm, The Lead Experts Limited, has been fined £70,000 by the ICO for making over 100,000 automated calls to people who had not agreed to be contacted. The firm had bought contact details from another company and paid them to carry out the calls. It was, however, the responsibility of The Lead Experts to ensure they had the necessary consents to make the calls. Steve Eckersley, ICO Head of Enforcement, said: “companies cannot hide behind another firm…they must take responsibility and accept the consequences if they break the law”. Read more here.

  • Following the ICO’s investigation, Companies House posted plans for the firm to be struck off and dissolved. The ICO made it clear that it is committed to recovering fines and will work with insolvency practitioners and liquidators if a company moves to insolvency after being fined.

Vanquis Bank Limited, based in Bradford, has been fined £75,000 by the ICO for illegally sending 870,000 spam text messages and 620,000 spam emails to promote its credit cards. Recipients had not consented to receiving such messages. Read more here.

London-based advertising firm Xerpla has been fined £50,000 by the ICO for sending 1.26 million spam emails promoting products and services such as dog food, boilers, and competitions on behalf of other firms without having the right consent from recipients. Read more here.

The Hyatt Hotel Group has discovered that between March and July this year payment card information had been accessed without authorisation at some of its locations worldwide. This is not the first time Hyatt has faced data breach problems: in 2015 its payment processing system was infected with malware that stole credit-card information in 250 of its hotels. Read more here.


Other News

The University of East Anglia, which in June accidentally sent the details of 191 students’ health problems, personal issues and family bereavements to 298 students, will face no further action by the ICO. The ICO said that no regulatory action is needed because the UEA is now following the recommendations given by auditors on how to prevent similar breaches. However, some students who had their data leaked are considering legal action against the university. Read more here.

  • The university has also published a data incident report detailing the incident itself, the university’s immediate response, the key issues identified by the independent internal auditors and the university’s subsequent action plan. Find it here.



The ICO is inviting Data Protection Practitioners to register their interest in attending the Data Protection Practitioner Conference on 9 April 2018. Registration closes on 8 December with places allocated in January. Usually, one place will be offered to each organisation and if accepted, a £50 fee would be required.
