UK

Information Commissioner's Office (ICO)

June 2015
ICO request assistance with data sharing scenarios

The ICO plans to supplement its Data Sharing Code of Practice with some practical examples. It would like examples, from both the private and public sectors, of data sharing scenarios that will help illustrate the law on data sharing. The ICO is particularly interested in those areas where there is currently confusion. If you would like to assist, please email your data sharing scenario to David Chapman by 14 August: [email protected]

24 June 2015
ICO raids website believed to be behind millions of nuisance calls

The ICO has raided a call centre in Manchester suspected of making millions of nuisance calls. It is alleged that the business made automated calls without consent. Those that responded to the calls by pressing a number on their phone keypads were put through to a telephone operator at the call centre. The ICO had received over 7,000 complaints about the business, including two complaints from phone network providers which claimed that the large number of calls made by the business had disrupted its services. "These searches are no one-off," said Andy Curry, the ICO Enforcement Group Manager. The ICO's action follows its raid on a call centre in March.

July 2015
Charity sector reminded of the law

The Information Commissioner, Christopher Graham, has written an open letter in The Times newspaper, addressing what charities can and cannot do with regard to direct marketing. The Times had run a story suggesting that an exemption existed for charities when it came to marketing and asking the public for donations. The letter confirms that this is not the case and sets out the responsibilities for charitable organisations which are the same as for all companies. Any organisations, including charities, using direct marketing must adhere to the Privacy and Electronic Communications Regulations. The ICO's direct marketing guidance can be found here.

1 July 2015
The ICO's Annual Report

On 1 July 2015, the ICO launched its annual report, "Privacy and Openness: Making a reality of information rights". The highlights from the report are:

- The key theme this year is "Privacy and Openness";
- The ICO has received about 200 complaints this last year related to "right to be forgotten" complaints - most have been resolved but there are one or two cases which might amount to something. The ICO is not currently pushing for the right to be forgotten to extend to all Google domains but is considering the wider principle of where an organisation is considered to be "established" (which may be broader than just Google.co.uk);
- Most complaints are still SAR related and the ICO hinted that they will be tightening up enforcement in this area;
- Many of the fines issued in the past year have been against private sector organisations, some for failure to have in place "state of the art" security and some for nuisance calls and texts;
- There have been 10 prosecutions under Section 55 of the Data Protection Act and there is still one ongoing investigation into an organisation which has been instructing private investigators improperly;
- Simon Rice is now the lead on the Article 29 Working Party for technology issues;
- David Smith is retiring soon and the hunt for Christopher Graham's replacement is due to start shortly;
- The ICO hopes that their privacy seals scheme will be in place by end of the year.

The full report can be found here.

April - June Enforcement

Enforcement for the contemplated period includes: 1 prosecution, 1 monetary penalty notice, 5 sets of undertakings, 1 enforcement notice and 9 follow-up reviews of steps taken by organisations to comply with existing undertakings. Please see the Enforcement Table below for more details.

Other

27 May 2015
New Investigatory Powers Bill referred to in the Queen's speech 2015

The Queen's Speech, delivered on 27 May 2015, marked the first time in nearly 20 years that a majority-led Conservative government had the opportunity to set out its policy plans for the next 12 months. Notable, amongst the list of bills referenced, was the 'Investigatory Powers Bill', which is expected to include elements of the previous Communications Data Bill. The new legislation under the Bill will "modernise the law on communications data".

The Cabinet Office Prime Minister's Office published further information on the purposes of the proposed legislation. The Bill will seek to:

- provide the police and intelligence agencies with the tools to keep people safe;
- address ongoing capability gaps that are severely degrading the ability of law enforcement and intelligence agencies to combat terrorism and other serious crime;
- maintain the ability of intelligence agencies and law enforcement to target the online communications of terrorists, paedophiles and other serious criminals;
- modernise the law in these areas and ensure it is fit for purpose;
- provide for appropriate oversight and safeguard arrangements.

According to the Cabinet Office site, the main benefits of these clauses would be:

- better equipping law enforcement and intelligence agencies to meet their key operational requirements, and addressing the gap in these agencies’ ability to build intelligence and evidence where subjects of interest, suspects and vulnerable people have communicated online;
- maintain the ability of intelligence agencies to target the online communications of terrorists, and other relevant capabilities;
- provide for appropriate oversight arrangements and safeguards;
- respond to issues raised in the independent review by the Independent Reviewer of Counter-Terrorism legislation.

It is understood that the legislation will also respond to issues raised under a report produced by David Anderson QC, the official independent reviewer of terrorism legislation, entitled 'A Question of Trust: Report of the Investigatory Powers Review'. For further information on the report, please see our commentary later in this month's Bulletin.

June 2015
Verizon Publish 2015 Data Breach Investigations Report

The Verizon Data Breach Investigations Report (DBIR) provides a detailed analysis of almost 80,000 incidents, including 2,122 confirmed data breaches across 61 countries. In particular, the report makes the following observations:

- incidences of malicious activity compromising wireless devices over a six-month period were found to be extremely low;
- old techniques such as phishing scams remain popular with attackers and are becoming more effective, and, across the 20,000 organisations that the report looked at, 170 million non-specifically targeted malware events were intercepted;
- just ten vulnerabilities accounted for almost 97% of exploits in 2014, with the remaining 3% consisting of 7 million other vulnerabilities;
- Verizon's 2014 report identified nine incident patterns which covered most of the potential challenges faced by organisations, and, in 2015, these patterns covered 96% of all incidents;
- the average cost to an organisation of failing to protect its data for a breach of 1,000 records will be between $52,000 and $87,000 ($52 to $87 per record), and, by contrast, the average cost to an organisation of failing to protect its data for a breach of 10 million records will be between $2.1 million and $5.2 million ($0.21 to $0.52 per record);
- in 56% of cases it takes organisations hours or more to discover an attack, and in 25% of cases it takes days or longer;
- 25% of breaches could have been prevented by using multi-factor authentication and patching internet-accessible web services.

In conclusion, seven common themes emerge from the report: be vigilant, make people your first line of defence, only keep data on a 'need-to-know' basis, patch promptly, encrypt sensitive data, use two-factor authentication, and don't forget physical security to prevent tampering and theft. The Verizon press release can be found here.

11 June 2015
Anderson Report on surveillance laws published

On 11 June 2015 the Report of the Investigatory Powers Review, conducted by David Anderson QC, the Independent Reviewer of Terrorism Legislation, was laid before Parliament. The review was conducted under Section 7 Data Retention and Investigatory Powers Act 2014 (DRIPA), which required the Independent Reviewer of Terrorism Legislation to examine:

(a) Current and future threats to the UK;
(b) Capabilities required to combat those threats;
(c) Safeguards necessary to protect privacy;
(d) Challenges of changing technologies;
(e) Issues relating to transparency and oversight;

and to report to the Prime Minister on the effectiveness and proportionality of existing legislation and the case for new or amending legislation.

The Report, which runs to 373 pages, is critical of the existing Regulation of Investigatory Powers Act 2000 which is described as “obscure,” “incomprehensible” and “undemocratic”. It advocates repeal of existing internet surveillance laws and their replacement with a new law that is “both comprehensive in its scope and comprehensible.” The Report recognises the importance of intrusive surveillance powers but recommends that such powers should be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to visible safeguards.

It makes 124 specific recommendations. These include:

- There should be judicial oversight of the use of interceptions with judges, not ministers, signing off interception warrants.
- The role of ministers should be restricted to identifying warrants as necessary in the interests of national security
- New legislation which will replace DRIPA when it expires in December 2016 should comply with international human rights safeguards
- Rulings of the Investigatory Powers Tribunal should be subject to appeal on matters of law
- There should be greater transparency regarding the UK’s surveillance capabilities
- Rejection of some elements of the draft Communications Data Bill
- Bulk collection of communication data (records of user interaction with the Internet) should continue, subject to effective safeguards
- Police access to communications data in relation to special groups (e.g. lawyers and journalists) should be subject to judicial authorisation
- Data retention arrangements under DRIPA should continue
- There should be a new independent surveillance and intelligence commission to replace the three existing Commissioners dealing with surveillance.

The government is now considering the Report as part of a process that is expected to result in the publication of a new draft Investigatory Powers Bill in the Autumn of 2015 with a view to bringing new legislation into effect in 2016 when DRIPA lapses. The full report can be found here.

17 June 2015
CMA publishes findings of call for information on commercial use of consumer data

The Competition and Markets Authority (CMA) has published a report setting out its findings following a call for information in relation to the commercial use of consumer data. The aim of this project has been to increase the CMA's understanding of the issues relating to the collection and use of consumer data. This will inform its future competition and consumer work.

The report sets out a factual review of the way that consumer data is collected and used and how it is regulated. It identifies potential benefits created for firms, consumers and the economy.
In particular, both firms and consumers can benefit from better targeting of offers and service improvements. However, the CMA notes that these benefits will only be realised if consumers are willing to provide data and firms use this data in transparent and competitive markets.

The CMA has examined possible competition issues (barriers to entry, increasing market power from restricting access to data or leveraging, and price discrimination). It considers that its existing competition and markets tools would be effective at tackling any conduct that gave rise to competition concerns in the markets for data protection and use.

The CMA has, however, identified certain consumer concerns about the use of data, as well as concerns about the effectiveness of privacy policies, terms and conditions and cookie notices in enabling consumers to control the collection and use of their data. Some of these concerns may be addressed by changes in data protection regulation. The full report can be found here.

Cases

17 July 2015
R (on the application of Davis, Watson and others) v Secretary of State for the Home Department

The approved judgment of the High Court in the case of R (on the application of Davis, Watson and others) v Secretary of State for the Home Department ([2015] EWHC 2092 (Admin)) was handed down on 17 July 2015. The case involved a claim by way of judicial review as to the validity of the data retention powers in section 1 of the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) and the Data Retention Regulations made under it.

DRIPA had been introduced into UK law in 2014 following the finding of the CJEU in the Digital Rights Ireland case (QB 127) that the Data Retention Directive (Directive 2006/24 EC) was invalid because it had exceeded limits required by the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter of Fundamental Freedoms of the European Union (“the Charter”) and had failed to provide sufficient safeguards against unlawful access to, and use of, retained data by public authorities.

Section 1 DRIPA conferred powers on the Secretary of State to issue a retention notice to public telecommunications operators to retain relevant communications data if the Secretary of State considers retention necessary and proportionate for certain purposes set out at s22(2) of the Regulation of Investigatory Powers Act 2000. The claimants argued that, like the former Data Retention Directive, arrangements for the retention and access of communications data under section 1 DRIPA, were incompatible with rights protected under the Charter.

The High Court considered Digital Rights Ireland in detail. Although the court noted certain difficulties with the CJEU's judgment, it concluded that the CJEU had made certain points in its judgment with sufficient emphasis that it should be understood to have laid down mandatory requirements of EU law and acknowledged "the binding nature of the conclusions of the CJEU as to what is required in order for legislation to comply with the Charter". It found the ratio of the CJEU judgment in Digital Rights Ireland to be that legislation establishing a general retention regime for communications data infringes rights under Articles 7 and 8 of the EU Charter (which protect the right to respect for private and family life, home and communications and the right to the protection of personal data) unless it is accompanied by an access regime which provides adequate safeguards for those rights.

The Court found in favour of the claimants and granted a Declaration to the effect that section 1 DRIPA is inconsistent with European law in so far as:

- It does not lay down clear and precise rules providing for access to and use of communications data retained pursuant to retention notices to be strictly restricted to the purpose of preventing and detecting precisely defined offences or conducting related prosecutions; and
- Access to the data is not made dependent on a prior review by a court or an independent administrative body whose decision limited access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued.

The Court made an order disapplying section 1 DRIPA to the extent that it permits access to relevant retained data but suspended the order until 31 March 2016. Permission to appeal to the Court of Appeal has been granted. In the meantime the government has already announced its intention to legislate in the current session of Parliament to replace DRIPA (as is necessary in any event in light of the fact that DRIPA will expire on 31 December 2016 as a result of its section 8(3) 'sunset clause').

As a result of this judgment (and subject to the outcome of any appeal) it is noteworthy that successor legislation that does not give effect to rights protected by the Charter of Fundamental Freedoms may be similarly vulnerable to legal challenge. The full judgment can be found here.

Europe News

21 May 2015
EDPS publishes opinion on mHealth

On 21 May 2015, the European Data Protection Supervisor published Opinion 1/2015 on Mobile Health ("mHealth"). The Opinion identifies the many potential benefits of mHealth for health care and the lives of individuals as well as the privacy challenges that mHealth poses.
In particular, the Opinion emphasises the importance of building privacy protection into mHealth apps and devices, in order to ensure that concerns about privacy risks and lack of user trust do not inhibit user engagement and prevent society from reaping the benefits of mHealth.

The Opinion notes a number of significant privacy challenges associated with mHealth. These include:

- mHealth's dependency on business models that are based on the monetisation of user generated personal data;
- The multiplicity of stakeholders means that it can be difficult to ensure responsibilities are properly allocated and for users to identify all players;
- Information asymmetry as between operators and users;
- Research and commercial interests driving data duplication and data maximisation (contrary to established privacy principles of purpose limitation and data minimisation);
- Risks associated with health profiling, adverse selection, and differential pricing (for example in the fields of employment and insurance) and the potential for discrimination against those with poor health profiles or those who resist engagement with mHealth;
- Risks associated with inadequate technical security.

The Opinion makes a number of recommendations.
These include:

- App designers and operators should recognise the breadth of the definition of personal data and the sensitive nature of health data;
- There should be an emphasis on user empowerment; there should be transparency as to the identities of data controllers, and the way mHealth data are used, shared and reused; users should have the option of retaining mHealth data locally on their own devices rather than on providers' central servers; users should have clear options to permit or refuse the sharing or transfer of their data to third parties; in order to comply with ePrivacy rules, operators should access data held on users' devices only with their consent;
- Responsibilities of operators and third party data recipients should be allocated in a coherent and systematic fashion;
- The current emphasis on purpose limitation and data minimisation should be maintained;
- Privacy by default and by design are important concepts in the mHealth context; designers should devote the same creativity to 'designing in' privacy as they display in designing apps and devices;
- Profiling, other than for certain research purposes, should be strictly regulated;
- Operators should guarantee security, integrity, and accessibility of mHealth data; there should be privacy engineering throughout the mHealth ecosystem and continuous risk management;
- To the extent that the forthcoming GDPR will allow national discretion in the healthcare domain, this should not be allowed to create discrepancies in mHealth regulation;
- An mHealth code of conduct should be elaborated by mHealth stakeholders with contribution of DPAs.

The full Opinion can be found here.

15 June 2015
General Data Protection Directive – A Council General Approach at Last!

On Monday 15 June 2015, Ministers representing the Member States at the EU Justice and Home Affairs Council at long last agreed a General Approach to the proposed General Data Protection Regulation.
This decision has been built up slowly and with difficulty since the European Commission published its proposal in January 2012. Our full summary can be found here.

16 June 2015
Article 29 Working Party publishes Opinion on drones

On 16 June 2015, the Article 29 Working Party published an Opinion on data protection issues in relation to drones. For our full commentary, please see here. The full Working Party Opinion can be found here.

10th July 2015
Review of the EC's ePrivacy Directive

The European Commission recently published a study on the ePrivacy Directive. Amongst other issues, the study concludes that the Directive has become outdated, with provisions which are not technologically neutral and which (in the case of cookies) have not achieved their objective.

The study concludes that some provisions of the Directive seem to relate solely to public communications service providers (e.g. fixed line and mobile operators) whereas others (rules on cookies) seem also to apply to providers of content services. This has led to inconsistent implementation in member states. It also means that some provisions no longer make policy sense – in particular, there seems no reason to treat location data from telecom operators differently to location data from GPS, or to treat email differently to messages sent via social networks. The study recommends widening the scope of the Directive to address this.

The study questions the success of rules relating to cookies. The study recommends maintaining the current opt-in approach to cookies, but limiting it to situations where the user's privacy is interfered with in some way – analytics should be exempted, cookies used for interest based ads should not.

The report also recommends an attempt to harmonise some of the rules relating to interception – especially provisions which permit monitoring by employers. The full report can be found here.
10 UK Enforcement Date Entity Enforcement notice, undertaking, monetary penalty, or prosecution Description of Breach Summary of steps required (in addition to the usual steps) 16 April 2015 Lismore Recruitment Limited ('Lismore') Prosecution Lismore was prosecuted for failing to notify with the ICO. Lismore pleaded guilty. Fine of £375, costs of £774.20 and a victim surcharge of £38. 30 April 2015 The Racing Post ('RP') Follow-up review of undertaking signed August 2014. RP signed an undertaking after its website was attacked and a database containing the details of 677,335 individuals was accessed. The ICO concluded that RP has taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted: Introduction of an Information Security Risk Register (ISRR), which identifies information security risks; Provision of technical information to establish that they store encrypted passwords on secure servers; Creation of a Patch Management Process which outlines the steps that should be taken upon receiving new security patch information; Production of security policies in line with DPA and ISO27001 requirements; Information security training updates. The majority of these policies and procedures are still in their infancy and will require monitoring over time by RP to ensure that they become fully embedded into RP's working practices. 30 April 2015 Office Holdings ('OH') Follow-up review of an undertaking signed on 13 January 2015 A member of the public hacked into an unencrypted OH database that was being stored on a server outside the core infrastructure of the current website. The personal data, including contact details and passwords, of over a million Office customers were The ICO noted that OH's retention period for Customer Relationship Marketing data is five years. This may be too long 11 accessed. 
In its follow-up review, the ICO concluded that OH had taken appropriate steps to address the requirements of the undertaking: Implemented a penetration testing programme; Introduced a Data Protection Policy, Data Protection Human Resources Policy and a Document Retention Policy, to be monitored in 6 months and annually thereafter; Introduced company-wide data protection training; and Implemented other security measures to keep personal data secure and ensure it is not held for longer than necessary. for this type of data and OH should keep this under review. 11 May 2015 Northumbria Health Care NHS Foundation Trust ('The Trust') Undertaking In March 2014, faxes containing patient identifiable data were erroneously sent to a member of the public. The data controller put controls in place to address the issue but, in May 2014, the same member of the public received further faxes containing patient identifiable data. The ICO found that there was a lack of urgency in addressing and recovering the fax disclosures. The faxes in question were sent from several different wards and, despite this, not all wards were instructed to take action following the incidents. Further, no attempts were made to retrieve the faxed documents immediately. The ICO's investigation revealed that the fax machines on all wards were not checked to ensure that they had been reprogrammed with pre-selected numbers. Given the quantity of faxes sent throughout the day from all wards, the measures introduced by The Trust were not considered adequate. 
The Trust shall ensure: Procedures are implemented to ensure security breaches are dealt with promptly; Fax procedures are implemented consistently across all wards and regularly monitored; The process around the use of safe haven fax machines should be clear and unambiguous; and Other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction and/or damage. 12 21 May 2015 Oxford Health NHS Foundation Trust ('The Trust') Follow-up review of undertaking signed on 16 September 2014. During the process of creating a new website for the Oxford Centre for Cognitive Therapy, a file containing personal data relating to approximately 4,200 registered users was unintentionally placed on the Internet. The personal data included email addresses, usernames, passwords and billing addresses. The ICO concluded that the Trust has taken appropriate steps to address the requirements of the undertaking by: Including in their procurement procedures a section requiring IG approval for all contracts with external suppliers which involve data processing; Putting in place data controller/processor agreements for use in contracts which include data protection provisions; Including a breach management checklist as part of their incident reporting system; and Establishing a mechanism to monitor undelivered mail using a dedicated PO Box. The Trust shall ensure: That the revised Procurement Policy is approved as soon as possible; and That all data processor clauses for contracts are reviewed and are sufficient. 3 June 2015 South West Yorkshire Partnership NHS Foundation Trust ('The Trust') Undertaking The Trust disclosed a patient discharge letter to a third party. An investigation found that two discharge letters were erroneously sealed in a single envelope and the envelope was not checked before it was posted. 
The Trust did have a policy in place that dealt with posting information but it did not specify that personal data needed to be verified before being sent. Subsequent to this, other similar breaches took place. The Trust shall ensure: (1) It updates its Safe Haven policy to ensure it covers the checking of correspondence before letters are sent; (2) Guidance on checking contact details is formalised in a policy; (3) All security incidents involving personal data are thoroughly investigated; (4) Other appropriate measures are implemented to ensure that personal data are protected from unauthorised 13 processing. 9 June 2015 Pembrokeshire County Council Undertaking The council disclosed a significant quantity of highly sensitive personal data in response to a Subject Access Request, much of which did not relate to the data subject. Some redactions had been made but these were incomplete and inadequate; details could still be seen underneath the redaction. An investigation revealed that the council had procedures in place in the Children's Services Department that would have prevented the breach from occurring if they had been followed. However, this procedure was not replicated across the council. The Commissioner expressed concern at the lack of supervision in relation to this complex request. It was unclear if staff had had the appropriate training to deal with such a request. The council shall ensure: (1) The guidance in the Children's Services Department is replicated across all areas; (2) All staff who are required to responded to subject access requests are trained on the requirements; (3) Proper supervision of any subject access requests that are voluminous, complex or highly sensitive; (4) It implements such other security measures as are appropriate to ensure personal data is protected against unauthorised processing. 
10 June 2015 Thamesview Estate Agents Ltd ('TEAL') Follow up review of undertaking signed in July 2014 A brand of TEAL was insecurely disposing of personal data in transparent refuse sacks left in the street. TEAL had been warned of this by a Community Support Officer but continued to dispose of the data insecurely. The ICO instructed TEAL to cease this practice but a further incident was subsequently reported. Photographic evidence shows that transparent sacks were left outside the premises and personal data was clearly visible inside them. The data included copies of passports and tax credit awards. Further enquiries revealed that staff were not aware of TEAL's policies concerning the disposal of confidential waste. TEAL signed an undertaking to: The Commissioner found that TEAL has taken appropriate steps to address some of the requirements of the undertaking, such as: Including data protection requirements in the company handbook Supplying all TEAL offices with cross shredders to allow proper disposal of confidential waste Putting in place a Data Handling Policy to cover 14 (1) Introduce formal, mandatory data protection training for all staff who handle personal data. This should recur annually; (2) Review its arrangements for storing confidential waste prior to collection by waste disposal companies; (3) Maintain a record of all data processors it uses to process personal data on its behalf and enter into a written contract with data processors it uses to securely dispose of or otherwise process its personal data; (4) Continue to review its procedures and policies; (5) Implement such other security measures to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction and/or damage. data protection and confidential waste. The policy is to be reviewed annually. 
Implementing a scanning process to allow the storage of personal data electronically However, TEAL should also: Organise a data protection course and test to be completed by all staff annually Ensure that contracts with third party confidential waste disposal service providers adequately cover data protection 19 June 2015 London Borough of Hammersmith and Fulham ('the Borough') Undertakings A typing error in the address of a letter sent by the Borough to a data subject resulted in that letter being received by a neighbour. The ICO discovered that there had been a delay in recognising and treating the breach as a data protection incident and noticed that there was no formal policy to refresh employee's data protection training. The employee concerned last received data protection training in 2011. Additionally the ICO noted that the completion rate for mandatory data protection training was 65% organisation wide and only 46% and 54% within Children and Adult Services respectively. The ICO was also advised of a further breach where the name, address and details of a parking offence were emailed to an unrelated individual. This error also occurred as a result of a The Borough shall ensure that: Mandatory data protection induction training is appropriately enforced in respect of all employees including temporary and contract employees; All staff handling personal data receive the above training by 1 December 2015; A refresher programme is set up to ensure the data protection training is updated and refreshed at 15 manual typing error. The employee concerned had last received data protection training in September 2012. Additionally the ICO noted that the completion rate for mandatory data protection training was only 55% for Parking Services staff as at 1 October 2014. regular intervals not exceeding 2 years; Attendance at data protection training sessions is monitored and appropriate follow up procedures are in place to ensure compliance. 

29 June 2015
South Wales Police ('the Police')
Monetary penalty notice, Undertakings

In September 2013, three DVDs, comprising the master copy and the only two working copies of an interview with the victim of historic sexual abuse, were lost by the Police. The loss had originally been reported locally in November 2011; however it was not escalated internally until much later, when a formal complaint was made by the data subject. The ICO discovered that no policy existed for the storage and management of recorded interviews with witnesses and victims, despite having an equivalent policy in place for the storage and management of recorded suspect interviews. The data lost in this incident represented 'sensitive personal data' under s2(g) of the Act.

The ICO exercised his power under s55B of the Act to issue a monetary penalty notice of £160,000. In addition, the data controller undertakes to ensure personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
- The 'Storage, Custody and Destruction of Visual Recordings of Vulnerable adult and child interviews' policy is implemented fully and disseminated to all relevant staff by 30 June 2015.

30 June 2015
St Helens Metropolitan Borough Council ('the Council')
Follow-up review of undertaking signed 23 June 2014

The Council signed an undertaking after a report on 11 September 2013 stated that a bundle of documents relating to a child in foster care had been disclosed. As a result, the address of the child was disclosed to the child's biological parents.

On 8 December 2014, the ICO conducted a follow-up assessment of the actions taken by the Council. The review demonstrated that appropriate steps had been taken and plans put in place to address the requirements of the undertaking and to mitigate the risks highlighted. In particular:
- A secondary peer checking process has been included in the Subject Access Request Procedure which was introduced in September 2014;
- An email has been sent to all partner organisations involved in the statement process advising them to remove any unnecessary personal data before providing it to the Council;
- Data Protection refresher training has been made mandatory for all staff and is being conducted through the online training platform and Manager briefings. As of the end of September 2014, 63% of staff have received the required training;
- All data breaches are reported to the Information Management Group including action taken.

Further action should be taken to ensure that the remaining 37% of staff complete their appropriate training.

30 June 2015
Worcestershire Health and Care NHS Trust ('the Trust')
Follow-up review of undertaking signed May 2014

The Trust signed an undertaking after receiving information about an incident in August 2013 whereby local press were given a patient handover sheet. The sensitive patient data related to 18 patients and had been found on a table in the waiting room at Evesham Railway Station.

On 12 January 2015 the ICO conducted a follow-up assessment of the actions taken by the Trust. The review demonstrated that appropriate steps had been taken and plans put in place to address the requirements of the undertaking and to mitigate the risks highlighted. In particular:
- The procedure for the disposal of confidential information has been agreed and made available to staff through various methods including: the intranet; email; a booklet; and at team meetings;
- The Trust have updated a number of documents following review of best practice guidelines;
- The majority of new staff are required to attend formal Trust induction on their first day, which includes a 30 minute IG section. Staff are required to complete the Trust Induction Workbook and complete annual mandatory IG training. Training is recorded on the electronic staff record;
- Junior Doctors have a specific induction which takes place four times a year. From February 2015 this will include an IG training video and discussion. They are issued with an induction CD and are required to complete an annual IG training module.
- Written assurance has been sought in relation to how NHS Professionals ensure staff are compliant with annual IG training and that the content of their materials is relevant and up to date;
- Locums are required to undertake IG training with the agency they are registered with and the Trust will seek confirmation of IG training compliance. All locums who work in the Trust are required to sign a confidentiality agreement and are issued with the ‘IG Code’ booklet;
- All Facilities, Housekeeping and Estates Staff at band 2 go through a local induction process on their first day.

30 June 2015
Office Holdings
Follow-up review of undertaking signed 13 January 2015

The review undertaken was to provide the ICO assurances that the agreed undertaking requirements signed on 13 January 2015 had been appropriately implemented. A member of the public had hacked into an unencrypted historic Office Holdings database. A desk-based review of correspondence and policies supplied by Office Holdings was conducted. It was decided that Office Holdings had undertaken appropriate steps to mitigate the risk.

The steps taken by Office Holdings were:
- Implementing a regular penetration testing programme.
- Introduced a Data Protection Policy, Data Protection Human Resources Policy and a Document Retention Policy, to be reviewed in 6 months' time;
- Data protection training across the company alongside new starter and refresher training;
- Implemented a range of other security measures to ensure data is protected.

It was noted that Office Holdings should keep its retention period for the Customer Relationship Marketing Database under review as 5 years may be too risky a period to retain information.

30 June 2015
The Racing Post
Follow-up review of undertaking signed 20 August 2014

The Racing Post was required to put in place new policies and procedures to address problems raised at undertaking. The Racing Post website was subject to an internet-based SQL attack which allowed the attacker to access customer information.

The steps taken by The Racing Post were:
- Introducing an Information Security Risk Register which identifies Information Security risks.
- Planned undertaking of penetration testing on an annual basis.
- Technical information provided to demonstrate level of encryption of passwords.
- Patch Management Process outlining actions and steps to be taken from receiving new security patch information.
- Produced a full initial set of security policies in line with DPA and ISO27001 requirements to protect systems data.
- Updated IS training and rolled out to senior management.
- In process of becoming ISO27001 accredited, by 2016.

Many of these problems are still in their infancy and require continual management. The Racing Post must ensure these policies become embedded into the working practices of the organisation.

30 June 2015
Aberdeenshire County Council ('the Council')
Follow-up of undertaking signed 12 June 2014

A file relating to the mental health of a patient was lost after an employee of the Council left it on the roof of his car. The follow-up was to ensure steps had been taken to mitigate and address the risks highlighted in the undertaking.

The steps taken by the Council were:
- Recording the completion of mandatory data protection training via ALDO e-learning system or the paper equivalent. Updates should be provided to Employee Management Information System (EMIS). This should be done on a weekly basis, flagging roles which process personal data on the EMIS;
- Training is monitored and reports presented to the senior management team;
- Encrypting all memory sticks, laptops and smartphones
- Developing corporate procedure to remove manual records from the office;
- Including reminders on Office Outlook to select the correct recipient when more than one person of the same name exists.

Further work is required to address the requirements of the undertaking:
- Data protection training for new starters;
- Refresher training is completed as and when required.