Category Archives: Data Protection

The Information Commissioner's Office (ICO) has opened a file on Google's controversial Street View 360 degree street level imagery facility, though it has not at this time taken an official position. A statement on the ICO's website currently reads:
"Google's Street View includes a facility which allows vehicle registration marks and faces to be blurred. Individuals who feel that an image does identify them (and are unhappy with this) should contact Google direct to get the image removed. Individuals who have raised concerns with Google about their image being included - and who do not think they have received a satisfactory response - can complain to the ICO".
No specific mention has at this stage been made of fears expressed in some quarters that the images stored on the Street View database may be used by local authorities … Continue Reading ››
A friendly word of caution for Datonomy readers: if you post anything about anyone online without their consent, you might be breaking the law.

In today's world of rampant online social networking and virulent blogging, lots of us write stuff about other people on the internet all the time. Most of us are aware that if we write something really offensive, then we might get into trouble – we've at least heard of the law of defamation.

But what about where we post something that is not defamatory? An example – I update my Facebook status to say that I'm "celebrating my wife's 40th birthday". Not unlawful, right?

Well, ludicrously enough, it might be. Unless she had told me I could reveal her age to the world, I would probably have just unlawfully processed her personal data, in contravention of the Data Protection Act.

When we … Continue Reading ››
Draft legislation to boost the Information Commissioner's enforcement powers, to replace the £35 flat fee with tiered notification fees and to permit data sharing by public sector organisations was published last week. You could be forgiven for having missed it – since the relevant provisions form part of the somewhat eclectic Coroner and Justice Bill.

As its name suggests, the Bill deals with the law relating to coroners and to certification and registration of deaths, and sweeps up a wide range of criminal justice reforms. In a lengthy Bill, competing for attention with provisions on homicide, suicide, terrorism, witness protection and criminals' memoirs, last (but in Datonomy's view definitely not least) – are some important amendments to the Data Protection Act 1998.

The proposed changes to the DPA fall into two categories. For the public sector, proposed new sections will … Continue Reading ››
Four major search engine operators are scheduled to sit down at a plenary meeting next month with Article 29 Working Party to work through the findings of Art29WP's Opinion of 4 April 2008.

The business model for search engines is to increase advertising revenues and refine search results and this is clearly best achieved by building up knowledge about the context of an individual search query. The question though is to what extent does this involve or create personal data and what are a search engine's obligations, if any?

The Opinion clearly thinks they should be regulated. Art29WP's view is that, even though an IP address may not be directly identifiable, other associated information is often available which can identify the user behind that IP address. Cookie unique IDs may also reveal further personal data. Unless an operator can establish "with absolute certainty" that data can't be … Continue Reading ››
In a press release last Wednesday, Information Commissioner Richard Thomas said that episodes of data breach in the UK had risen to 277 over the past year, since HMRC lost 25 million child benefit records. The new figures include 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. The ICO is investigating 30 of the most serious cases.
According to an article in the New York Times, European Data Protection Supervisor Peter Hustinx says Europe's data protection regulatory framework needs updating -- but it will be two to three years before businesses even see the reform proposals. In the meantime, companies should take data protection into their own hands by showing they have control over their data and that they are accountable for it, he added. Businesses that store and use data in the ever-changing e-environment are calling for clear guidelines, but it seems that there are none yet on the horizon.
The Foley & Lardner Newsletter reports that Massachusetts has now issued final regulations mandating certain data security standards for all individuals and entities that own, license, store, or maintain personal information regarding Massachusetts residents. From 1 January 2009 companies that hold any personal information about Massachusetts residents will be required to develop policies that match the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers and amended outsourcing deals.