UNITED KINGDOM

Introduction of Data Protection Bill

The new Data Protection Bill (Bill) was published on Thursday 14 September 2017, and will implement data protection legislation into local UK law following Brexit. Similar to the General Data Protection Regulations (GDPR) coming into force next May, the new proposals within the Bill impose much higher fines on those who do not uphold data protection laws and protect personal data. However, there are provisions in the Bill that deviate from the GDPR and organisations will need to bear in mind these new concepts when considering their data compliance approach. Addleshaw Goddard will continue to update clients on the data protection developments in relation to the Bill and GDPR.

It is worth noting that the Bill proposes that some exemptions are put in place for journalists, financial firms, and anti-doping bodies, in order to protect the freedom of the press, help prevent fraud and to maintain the integrity of professional sports. Journalists are to be able to keep sources anonymous for the public interest and anti-doping agencies are to obtain athlete data without facing consent withdrawal from athlete's part-way through the process. These exemptions are suggested in order to offer a more proportionate set of rules for the UK.

For further information on who would be protect by these exemptions, please find details within this report from the BBC.

Information Commissioners discusses myths surrounding GDPR

Elizabeth Denham, the UK Information Commissioner, has launched a series of blogs to discuss some of the myths surrounding the GDPR. 

Ms Denham stated that there has been "a lot of misinformation out there" on GDPR and this is creating uncertainty, particularly for those new to data protection law.

In her blog entry on 16 August, Ms Denham discussed the high-profile issue of consent and the myths that consent is required if you want to process personal data and that the ICO's formal guidance is required before you can plan for new consent rules. Ms Denham confirmed that where there is a lawful reason for processing personal data consent may not be required (such as when local authorities processing council tax information). The Article 29 Working Party of EU regulators will be releasing further guidance on consent later this year. In the meantime, the ICO has published draft consent guidance which businesses can use as a starting point and the ICO urges businesses to start preparing for new consent rules now.

On 5 September, in another blog entry, Ms Denham responded to myths surrounding the requirements for reporting a serious breach of personal data. She stated that there have been many stories in the press recently which have misled people to believe that all breaches need to be reported to the Information Commissioner's Office and customers. She also disproved the myths that details of the breach need to be provided straight away and failing to report a breach in a timely manner will result in a huge fine. The need to report a data breach is dependent on the risk it poses to people involved, Ms Denham says. She also clarifies that fines can be avoided if businesses "are open and honest and report without undue delay".

ICO warning to Equifax following data breach

The ICO has told Equifax, the US credit ratings firm, to inform British residents "at the earliest opportunity" if their personal information has been put at risk during a cyber-attack on the firm in July.

Equifax admitted that data on its servers had been unlawfully breached as a result of a weakness in its website, putting at risk confidential records of UK and Canadian citizens.  Equifax is said to have known of the problem six weeks before it told the public.

Despite repeated requests for comment, Equifax has remained quiet on the data breach.

This is the first of two data security breaches for Equifax in the last two weeks, as its Argentine online employee portal was also breached this week. It was discovered by a US cyber-security firm that the portal could be accessed simply by entering "admin" as the username and password, which gave access to employee records. Employee system username and passwords were also found to be guessable. Questions have now been raised about how well Equifax protects its data.

More information on this story can be found here.

DNA data sharing to revolutionise healthcare

Big data collected by those within healthcare is being used across the sector and by tech firms in a bid to improve and revolutionise day to day lives for civilians. One such company making the most of the wealth of health data is Sophia Genetics, who offer data mining systems to hospitals across Europe, in exchange for the hospitals sharing patient DNA data. The data mining systems developed by Sophia can identify genetic patterns in relation to hereditary diseases such as cystic fibrosis, some types of cancer, and heart conditions. Sophia Genetics has recently completed a $30m fundraising initiative in order to grow its database of genomes from 125,000 to one million by 2020. The data the company stores within its system is anonymised to protect patient information, however in the wake of many major data breaches many worry that there is a privacy concern for patients whose data is being sold between healthcare providers and commercial entities. Tech companies have also caught onto to just what utilising sensitive health data can do, as health tracking apps and wearable wellness devices continue to dominate the market. It is understood that big data can result in positive advancements in healthcare but it comes with a warning. This is some of the most sensitive data a person has and private companies in particular are reminded of their responsibility for privacy and compliance with data protection law.

For more information, please see this report from the Telegraph