Category Archives: Data Protection

Draft legislation to boost the Information Commissioner's enforcement powers, to replace the £35 flat fee with tiered notification fees and to permit data sharing by public sector organisations was published last week. You could be forgiven for having missed it – since the relevant provisions form part of the somewhat eclectic Coroner and Justice Bill.

As its name suggests, the Bill deals with the law relating to coroners and to certification and registration of deaths, and sweeps up a wide range of criminal justice reforms. Last (but in Datonomy's view definitely not least) in a lengthy Bill, competing for attention with provisions on homicide, suicide, terrorism, witness protection and criminals' memoirs, are some important amendments to the Data Protection Act 1998.

The proposed changes to the DPA fall into two categories. For the public sector, proposed new sections will …
Four major search engine operators are scheduled to sit down at a plenary meeting next month with the Article 29 Working Party to work through the findings of Art29WP's Opinion of 4 April 2008.

The business model for search engines is to increase advertising revenues and refine search results, and this is clearly best achieved by building up knowledge about the context of an individual search query. The question, though, is to what extent this involves or creates personal data, and what a search engine's obligations are, if any.

The Opinion clearly thinks they should be regulated. Art29WP's view is that, even though an IP address may not be directly identifiable, other associated information is often available which can identify the user behind that IP address. Cookie unique IDs may also reveal further personal data. Unless an operator can establish "with absolute certainty" that data can't be …
In a press release last Wednesday, Information Commissioner Richard Thomas said that episodes of data breach in the UK had risen to 277 over the past year, since HMRC lost 25 million child benefit records. The new figures include 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. The ICO is investigating 30 of the most serious cases.
According to an article in the New York Times, European Data Protection Supervisor Peter Hustinx says Europe's data protection regulatory framework needs updating -- but it will be two to three years before businesses even see the reform proposals. In the meantime, companies should take data protection into their own hands by showing they have control over their data and that they are accountable for it, he added. Businesses that store and use data in the ever-changing e-environment are calling for clear guidelines, but it seems that there are none yet on the horizon.
The Foley & Lardner Newsletter reports that Massachusetts has now issued final regulations mandating certain data security standards for all individuals and entities that own, license, store, or maintain personal information regarding Massachusetts residents. From 1 January 2009 companies that hold any personal information about Massachusetts residents will be required to develop policies that match the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers and amended outsourcing deals.