ICO critical of data handling care of property agents

The Information Commissioner's Office (ICO) has criticised estate agents and letting agents over their care in handling customers' personal data. After site visits to a number of agents, the ICO discovered a lack of formal training in data protection, a lack of awareness of controls like encryption, and lax security in the storage of paper records.

Key findings of the report included:

  • Staff had little formal data protection training
  • Customers not always told how their personal information would be used
  • Storing customer data for longer than necessary
  • A lack of awareness about the importance of using tools like encryption for security
  • Paper records containing personal data weren’t securely kept

The ICO has reminded organisations that it has the power to issue fines of up to £500,000 for breaches of the law with regard to data protection.

This warning highlights an ongoing issue that is not isolated to estate agent businesses. Many organisations do not have appropriate training in place when it comes to data protection. Data protection is fast becoming a major issue, especially in light of ever-increasing threats of data breaches, cyber attacks and identity theft. Companies need to assess how they use data, what type of data they are dealing with and how they are going to protect it. Gone are the days when companies could turn a blind eye to data protection. If you are using or collecting customer data in any way, a sharp assessment and an appropriate action plan are required, and fast.

The full article can be seen here


New deal reached between EU and US to replace Safe Harbour

The European Commission (EC) has issued a press statement on the agreement of a new framework for transatlantic data flows. The release states that the EU-US Privacy Shield reflects the European Court of Justice (ECJ) ruling of 6 October 2015, which invalidated the old Safe Harbour regime.

Key features of the EU-US Privacy agreement:

  • US companies that want to import personal data from Europe will need to commit to obligations on how this data is processed and guarantee individual rights
  • The US Department of Commerce will monitor companies to ensure they publish their commitments, which makes them enforceable under US law
  • The US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations
  • The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US
  • To monitor the functioning of the system there will be an annual review by the US and EU
  • Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities
  • A new Ombudsman will be created for complaints
  • European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission

The BBC reports that while the announcement has been welcomed by businesses, privacy groups still have some concerns. They quoted lobby group TechUK deputy chief executive, Antony Walker:

"The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to the global digital economy."

The EC will now prepare a draft in the next few weeks, which, after obtaining advice from the Article 29 Working Party and consultation with Member State representatives, could be adopted. The US will start preparations for the new framework, including the new Ombudsman.

European privacy regulators have demanded that they receive the new framework by 29 February. It may be the case that, following their review, the framework may still be deemed inadequate and will require further amendments. Agreement is required by all 28 Member States on the new EU-US Privacy Shield, which is being hailed by some as the new and improved Safe Harbour 2.0. This development serves to show a sharp turn by the EU, back to the event which served as a catalyst to the Safe Harbour ruling - the Edward Snowden revelations regarding the mass surveillance being carried out across the world by the NSA. Whilst Safe Harbour 2.0 is a step in the right direction, how long it will take to finalise remains to be seen.

The EC press release can be found here

A statement from US Secretary of Commerce, Penny Pritzker, can be found here

Ethics Advisory Group goes live

The new group set up by the European Data Protection Supervisor (EDPS) is effective from 1 February 2016 and will remain active until January 2018. The remit of the group is to examine the relationships between human rights, technology, markets and business models in the 21st century. It will particularly scrutinise the implications for the rights to privacy and data protection in the digital environment.

The Group will consist of six individuals, experts in their fields, who will submit recommendations to the EDPS upon request.

The types of work the group will oversee are research, studies, clinical trials, technical assistance and the publication of journals. Research is conducted by the 'Union' - the International Union Against Tuberculosis and Lung Disease. Current areas of key concern are tuberculosis, HIV, tobacco control and non-communicable diseases. One of the functions of the EDPS is to scrutinise how data is being collected in mass research of this scale, how this data is being utilised and for what purposes. Although the use of data mining for a good cause is ultimately beneficial for the population, data subjects have rights when it comes to their personal data and these need to be protected. Data collection should not be carried out to the detriment of the data subject.

The EDPS press release can be found here


US Judicial Redress Act passed with amendments

On 28 January, the US Senate Judiciary Committee passed an amended version of the Judicial Redress Act (HR 1428). The proposed act now progresses to the full Senate. The Act would give EU citizens rights to sue in the US with regard to certain privacy issues.

The amendment states:

"in order to qualify as a covered country, a foreign country must permit commercial data transfers with the United States and may not impede the national security interests of the United States."

If the amended version becomes law, it could impact any new Safe Harbour agreement between the US and EU and cause further delays in its agreement or a need for it to be revised again in future.

A link to the amendment can be found on the Senate Judiciary Committee website here