In a press release last Wednesday, Information Commissioner Richard Thomas said that episodes of data breach in the UK had risen to 277 over the past year, since HMRC lost 25 million child benefit records. The new figures include 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. The ICO is investigating 30 of the most serious cases.
The UK Government has been consulting on the latest phase of transposition of Directive 2006/24/EC – the Communications Data Retention Directive (for an overview of the Directive see here). The Directive imposes requirements on providers of publicly available electronic communications services or publicly available networks to retain traffic and location data in order to assist law enforcement authorities with the investigation and prevention of terrorism and serious crime. Last autumn the UK transposed the requirements of the Directive in relation to fixed and mobile data (see here). Then, in August this year, the Home Office published the draft Data Retention (EC Directive) Regulations 2008, which address retention obligations for internet access, internet email and internet telephony data. The extensive list of data to be retained is that necessary to trace the source, destination, time, date, duration and type of communication plus that necessary …
According to an article in the New York Times, European Data Protection Supervisor Peter Hustinx says Europe's data protection regulatory framework needs updating -- but it will be two to three years before businesses even see the reform proposals. In the meantime, companies should take data protection into their own hands by showing they have control over their data and that they are accountable for it, he added. Businesses that store and use data in the ever-changing e-environment are calling for clear guidelines, but it seems that there are none yet on the horizon.
The website of the Official Journal of the European Union has now published the Opinion of the European Data Protection Supervisor on the Commission Decision of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (2008/49/EC). The IMI is an information technology tool that allows competent authorities in Member States to exchange information with each other in the implementation of the Internal Market legislation. IMI is funded under the IDABC (Interoperable Delivery of European eGovernment Services to public administrations, businesses and citizens) programme.
The European Parliament has adopted a report criticising the Council of Ministers for concluding an agreement with Australia on the processing and transfer of passenger name records (PNR) without consulting or even informing the European Parliament. MEPs are concerned about the consequences of the agreement for EU citizens' right to data protection.

The report was adopted with 610 votes in favour, 29 against and 47 abstentions. The House says the procedure followed for the conclusion of the agreement lacked democratic legitimacy, as at no stage was there any meaningful democratic scrutiny or parliamentary approval. Despite repeated requests, Parliament was neither informed nor consulted.
The October 2008 issue of the Olswang Telecoms Update has now been published. You can read it in PDF format here. One of the articles in this issue is "Retention of Internet and email data: Government consults on new regulations", which explains that the UK Government is consulting on new rules to transpose EU requirements on the retention of Internet and email data. Service providers have until 31 October to influence the UK's approach on three key issues: retention periods, reimbursement of costs and identifying exactly which service providers will be affected. The regulations are due to come into force in March 2009. Click here to read the full text.

If you'd like to receive the Telecoms Update regularly, just email Rob Bratby or Lucy Hollis and let them know.
The Foley & Lardner Newsletter reports that Massachusetts has now issued final regulations mandating certain data security standards for all individuals and entities that own, license, store, or maintain personal information regarding Massachusetts residents. From 1 January 2009 companies that hold any personal information about Massachusetts residents will be required to develop policies that match the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers and amended outsourcing deals.