The Chief Executive of Cambridgeshire County Council this week signed a formal undertaking with the ICO under which the Council agreed to ensure that all portable devices used by it would be encrypted and that it would carry out regular monitoring of its data protection policies and IT security measures in order to ensure that they were being followed by all staff. This formal commitment by Cambridgeshire County Council was prompted by an incident in November 2010 when an employee of the Council lost an unencrypted memory stick which contained the personal data of at least 6 vulnerable individuals. The information on the storage device also included case notes and minutes of meetings relating to the individuals’ support. The unencrypted device was used by a member of the Council's staff only after they had encountered problems using an encrypted memory stick that the Council had previously provided. Ironically the breach …
All those directly or indirectly involved in preparing payment instruments’ legal structures fully appreciate the sophistication and complexity of the data processing associated with these instruments’ transactions. Many participants, much data, the international character of structures – all these factors contribute to practical difficulties. It was, therefore, quite easy to anticipate that sooner or later, legal aspects of data protection in payment transactions would become the subject of court decisions. This post presents the conclusions of a key Polish court decision in the above matter (Supreme Administrative Court judgment of 1 December 2009, case file no. I OSK 227/09). The court was requested to resolve a dispute between the Polish data protection authority (GIODO) and a Polish bank which issued pre-paid payment cards. The bank was issuing named pre-paid cards and pre-paid cards to bearers. The pre-paid card agreements were concluded with public or private entities (which were the formal cardholders). …
The Information Commissioner's Office (ICO) has this week served Ealing Council and Hounslow Council with fines of £80,000 and £70,000 respectively for serious breaches of the Data Protection Act (DPA) following the loss of two unencrypted laptops containing sensitive personal data. Ealing Council provides an out of hours service on behalf of both councils, which is operated by nine staff who work from home. Personal details of 1,700 individuals were lost when the laptops were stolen from an employee’s home. The laptops were password protected but unencrypted – in breach of both councils' policies on encryption. Ealing Council was found to be in breach of the DPA by issuing an unencrypted laptop in breach of its own data security policy. The ICO also found that the council had insufficient checks in place to ensure that the relevant policies were being complied with and were understood by staff. Hounslow Council was found to …
Last week the European Commission formally approved Israel's data protection laws as being adequate for the purposes of the Data Protection Directive (see link to the Commission's decision here). Data protection and privacy in Israel is overseen by the ILITA (the Israeli Law, Information and Technology Authority) which has the power to investigate and intervene in cases where it suspects a breach of data protection and privacy laws has occurred. Formal approval effectively confirms a decision made by the EU back in October 2010 (see Datonomy's previous post here) to add Israel to the list of countries whose data protection laws have been deemed by the EU to be strong enough to protect personal data to a level that is equivalent to the protection afforded by EU Member States. Prior to the decision the only countries that had been approved by the EU were Switzerland, Argentina, the Bailiwick of …