Data Protection News Roundup – 10th September 2019

The Data Guardians Managing Director and lead consultant Matthew Lamb is a Certified Cyber Risk Management Practitioner. Get in touch with us to ask about how we can help you with your GDPR and Data Protection Act compliance.


Who’s getting it wrong?

An NHS clinic has exposed the email addresses of nearly 2,000 transgender patients. The Charing Cross Gender Identity Clinic in London sent out a mass email about an art competition to patients, and forgot to blind copy the details of other patients which meant everyone on the email list going through or considering gender therapy could see each other’s email address. A spokesperson for Tavistock and Portman NHS Trust, which runs the clinic, said: “We are hugely apologetic and understand that this is a serious data breach. We can confirm we are reporting this breach to the Information Commissioner’s Office as well as treating it as a serious incident within the trust.” Read more here.

The phone numbers of Facebook users have been found online by a security researcher who discovered 419 million records on an unsecured server. A total of 18 million were from users in the UK. Facebook said the phone numbers have now been removed, claiming there is no evidence that any accounts were compromised with SIM-swapping attacks. “This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said. Read more here.

New research from UK-based advocacy group Privacy International uncovered that some period-tracking apps were sharing sensitive data with Facebook. Read more here.


Other News

The House of Commons has voted to compel Boris Johnson to relinquish the internal communications between Downing Street’s most senior advisors. The passing of an emergency motion by 311 to 302 votes means the government will now be forced to publish documents relating to its no-deal planning project, known as Operation Yellowhammer. The motion also demands the publication of “all correspondence, whether formal or informal in both written and electronic form” sent between staff through a raft of personal social media channels. Read more here.

The ICO has decided not to take enforcement action against two former Met Police officers, after looking into whether the former officers had acted unlawfully by retaining or disclosing personal data. The investigation was instigated after the former officers had spoken to the media about a case they had worked on as serving officers involving an MP. The case was investigated under the previous legislation, the Data Protection Act 1998. The law has since been strengthened through the Data Protection Act 2018, which adds a new element of knowingly or recklessly retaining personal data without the consent of the controller. The ICO is advising anyone dealing with the personal details of others in the course of their work to take note of this update to the law, especially when employees are retiring or taking on a new job. Read more here.

The ICO has said it intends to issue new advice and guidance after a series of parking fines were handed out to motorists stopping at East Midlands Airport’s petrol station. Currently, any private parking firm can request details from the Drivers and Vehicle Licensing Agency if they can provide evidence that that person has illegally stopped. They simply complete a form on the DVLA website and pay £2.50. The form states: “DVLA handles your personal data in accordance with road vehicle law and data protection laws. The law allows us to release your data to the police and other enforcement bodies.  We also provide data to other parties where the law allows it.” The introduction of the GDPR has led some to question if the selling of personal details could be problematic for the DVLA. Read more here.

Startup browser maker Brave has filed new evidence with the Irish Data Protection Commission stating that Google has created a GDPR workaround that is sharing the personal data of billions of people to thousands of companies globally. The issue in question involves data being transferred to advertisers in high-speed real-time bidding for digital ads. Google denies any wrongdoing. Read more here.


Don’t miss another news roundup, subscribe to our mailing list and receive a monthly email with essential data protection news and insights. Subscribe here.

Leave a reply

You must be logged in to post a comment.