This week's roundup of data issues includes: People's personal information could be stolen through internet-connected devices; Three experience data breach; ICO issues one of its largest fines for nuisance calls and more...

United Kingdom

People's personal information could be stolen through internet-connected devices

A joint report from the National Cyber Security Centre and the National Crime Agency entitled "The Cyber Threat to UK Business" has warned that smart phones, watches, televisions and fitness trackers could be used to hold people to ransom over their personal data.

The report states that internet-connected devices are giving cyber criminals more opportunities to use "aggressive" and "confrontational" tactics. Devices holding data such as photos, personal messages and fitness information (biometric data) are likely to be targeted. The study forecasts that “ransomware”, which makes devices unusable until their owners pay to unlock them, will increase over the next year. The report confirms that cyber threat to businesses is “significant and growing” and that procedures need to be put in place to prevent hackers obtaining personal data. Another growth area in terms of a threat are botnets. Botnets, also called 'zombie armies', are a system of interconnected computers, often taken over by hackers using malware, which cause the computers to be easily controlled. The report highlights the vulnerabilities that lie in internet-connected devices. These devices, when not secure or protected can be easily taken over by a botnet and used for whatever purpose the hacker controlling it determines. The report also flags the rise in mobile malware such as fake apps and SMS phishing schemes.

There is a timeline of data breaches and attacks that have occurred during 2016 from page 12 onwards of the report.

Facebook announces initiative to deal with third party surveillance concerns

Facebook has confirmed in a blog post that it is updating its data protection policy to bar developers from using data from the social media website for surveillance. Rob Steadman, Facebook's Deputy Chief Privacy Officer, said that the initiative will also extend to Instagram, its online photo sharing platform. He further stated that Facebook's aim is to make its policy clear and that they have already taken action against developers who have created marketed tools for the purpose of surveillance.

This decision comes a few months after the American Civil Liberties Union of California (ACLU) disclosed in a report that Geofeedia, a social media monitoring software developer, had taken data from Facebook, Instagram and Twitter to assist with US police monitor protests. Geofeedia managed to gain special access to user data which could be searched by over 500 law enforcement and public safety clients of the company.

ACLU stated that it is “concerned about a lack of robust or properly enforced anti-surveillance policies” and is asking for social networks to consider no data access for developers of surveillance tools; clear, public and transparent policies; and oversight of developers. It will be interesting to see how social media websites tackle surveillance issues to ensure user data is adequately protected.

Three experience data breach

Three, the mobile phone company, has experienced a new data breach after some customers logging into their accounts were presented with other customers' details such as names, addresses, phone numbers, data usage and call histories. Fortunately, bank details were not accessible. The incident emerged as customers complained to Three on social media sites such as Facebook. A spokesperson for the firm said it was investigating a technical issue with its systems and advised those affected to get in touch with its customer service department.

This is not the first time Three has experienced a data breach, the last being in 2016 where 6 million customers were affected.

The ICO has confirmed it will be "looking into this potential incident".

EU

Should businesses be required to delete old emails to comply with GDPR?

With the General Data Protection Regulation (GDPR) set to be implemented in May 2018 and applying in the UK despite Brexit, many firms are concerned about what to do with personal data stored in their email databases. At a recent event, ‘Getting ready for the GDPR’, a panel of experts were asked about what should be done with this kind of data and how long emails should be kept. The panel confirmed that there isn’t one set time period for how long data should be kept or destroyed. Rules vary for different businesses, however it is important to show that there is an adequate data retention policy in place.

The GDPR gives people the right to request that their personal data is deleted (right to be forgotten), where the retention of such data infringes the regulation or where the data subject simply wants their data erased and no longer processed. One example of this is the withdrawal of consent. The right however does not occur in all circumstances, for instances, where further data retention is required to perform a legal obligation or for archiving in the public interest. What is of key concern to many organisations is how to deal with the loss of data, with fines of up to 4% of annual global turnover or 20 million euros. This is a vast leap from the ICO's current regime of £500,000.

Businesses should therefore ensure that their current systems and controls are GDPR compliant.

ICO publishes updated paper on big data and data protection

The ICO has updated its paper (published in 2014) on big data, artificial intelligence, machine learning and data protection which includes analysis of the applicable GDPR provisions. The update reflects the growth in interest in big data analytics across all sectors and the upcoming implementation of the GDPR in May 2018. The GDPR sets out robust privacy rights in terms of big data and includes provisions dealing with privacy impact assessments, data protection by default and profiling.

In the paper, the ICO recognises the increasing role of accountability which will be strengthened when the GDPR comes into force. It also identifies the advantages of big data analytics, outlines the implications for data protection and provides advice on compliance tools which will help organisations meet their data protection obligations.

Six key ICO recommendations for organisations using big data analytics can be found on p97.

ICO issues one of its largest fines for nuisance calls

The ICO has fined Media Tactics, a Hampshire company, £270,000 after it made nearly 22 million nuisance calls. The ICO’s investigation into the matter revealed that the phone calls were made by the Basingstoke-based Road Accident Consult, trading as Media Tactics. It was determined that Media Tactics did not have the required permission to make the recorded phone calls relating to PPI, personal injury claims and debt management.

Recorded automated marketing calls can only be made to individuals that have agreed to receive such calls. Media Tactics claimed it acquired the data from other companies and believed the individuals on the list had already provided consent. It was found that Media Tactics had gathered the phone numbers from various sources including pay day loans, discount and prize draw websites, an e-cigarette seller and insurance brokers.

The ICO found the privacy notices from the websites where the numbers were collected, were broad and unspecific, and for that reason the consent acquired was found to be inadequate. Media Tactics was given a legal notice forcing it stop making nuisance calls in addition to the fine. Breaching this notice could result in the company facing court action.

Steve Eckersely, Head of Enforcement at the ICO made the following comments:

"Media Tactics fell short of the mark when it treated consent as an administrative box-ticking exercise. Proper consent gives consumers control over how their information is used. The people targeted by Media Tactics were not given that control. From next May, a new data protection law will give people even stronger rights around consent giving them genuine choice and control over how their data will be used.

As reported in our last bulletin, the ICO has released draft guidance on this area which makes clear that businesses who process data should make “key changes" to their consent requests so that GDPR requirements are met.