Stephen Fry is not someone prone to splashing personal details around the web; nevertheless, according to a report in The Guardian, he has fallen into the privacy trap of Plaxo (a LinkedIn-style "business" social networking site).

Fry was unaware that his privacy settings meant that all users (not just those on his contacts list) could access personal information including his work mobile phone number and what The Guardian believes to be his home address. Fry is of the opinion that the site changed his privacy permissions without consulting him, an allegation which is denied by Plaxo. Whether or not this is true, Fry's latest internet spat highlights the dangers associated with social networking sites and how easy it is to inadvertently grant a myriad of unknown users access to information you only want to share …
For some time now, proponents of tougher data protection laws have been arguing the case for the introduction of a stricter regime and greater penalties for misuse of personal data. The previous Information Commissioner, Richard Thomas, called for the introduction of a two-year jail term to deter those convicted of trading unlawfully in personal data back in May 2006 in his ICO report to Parliament entitled "What price privacy?". Thomas' updated report, "What price privacy now?", reflecting the six months' progress made since the first version, repeated this call to action, again pressing the case to the government for custodial sentences for the most serious of data protection breaches.

Despite the issue often receiving favourable coverage within the press and the media, there is a widespread view amongst data protection experts that the ICO calls have largely fallen on deaf …
You wait ages for the ICO to have decent enforcement powers...then several new ones come along at once. Well, sort of...
Hot on the heels of the proposals to give the ICO power to fine organisations up to £500,000 and proposals on custodial sentences for serious DP breaches, the ICO's new powers to audit organisations for DP compliance have now reached the statute book, as have the provisions relating to the code of practice on data sharing. The necessary additions to the Data Protection Act are contained in the Coroners and Justice Act 2009, which received Royal Assent on 12 November. The commencement date for these provisions is not yet known. Datonomy wonders whether it will be the next "red tape" day (6 April 2010), which is when the provisions on monetary penalties and custodial sentences are expected …
The Use of Animals in Scientific Procedures (vivisection) is covered by the Animals (Scientific Procedures) Act 1986, and there are some interesting similarities between the regulatory structure and that for personal data. A Procedure must be licensed, but the terms are permissive, and reflect the wide range of interests involved – medical, scientific and regulatory. Within this legitimate lawful range, the purpose of the regulations is to keep the number of protected animals used to a minimum, to use the lowest species level compatible with the results required; and outside the procedures to keep the animals at protected environmental levels. Abuses of the regulations are not uncommon. The similarities are clear enough.

Animals, though, don’t consent to being used in a procedure (nor often do people in relation to their data, but the outcome is usually different). Still, on this description you might think that the two regulatory fields …
Regulation 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies is the sort of legal provision that you could confidently predict would have a data protection angle of some sort -- and you'd not be wrong.

Right: King Midas had no credit rating problems, yet his personal data remains public knowledge over two millennia after his death

The recitals in the Regulation contain the following:
"(36) This Regulation is without prejudice to the duty of credit rating agencies to protect the right to privacy of natural persons with respect to the processing of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data".
From …
Last week, the Home Office released its summary of responses to its reassuringly-titled consultation "Protecting the Public in a Changing Communications Environment" (dubbed "You'll Never Talk Alone" by privacy wags). This relates to the Government's plans to introduce new legislation that would give enforcement authorities greater powers in respect of access to communications data, and oblige communications providers to retain more of that data. As Claire set out in her post marking the release of the original consultation, the general view was a guarded "could be worse", in particular in respect of the Home Office's decision to drop plans for a single, centralised database.

The response document makes interesting reading, not least in showing the Government's approach. In respect of the three consultation questions directly relating to the Government's plans, the highest level of support from respondents that the Government achieved …
As reported previously on Datonomy, agreement has been reached between EU institutions on the introduction of rules on reporting data security breaches under the telecoms package. The new requirements only apply to providers of electronic communications services, and Member States will be required to introduce the new rules by 2011.

However, the Commission has committed to extending the breach notification regime to all organisations which process personal data, such as online retailers and banks, as a matter of priority by presenting draft legislation as soon as 2011.

The key elements of the new provisions are:

  • a duty to notify the relevant national regulator "without undue delay";
  • a duty to also notify the affected subscriber or individual if the breach is "likely to adversely affect" that individual's privacy, except where the provider can demonstrate it has applied "appropriate …