« March 2006 | Main | June 2006 »

Data Theft is a clear warning

Theft of data from employee's house raises data protection issues

"As many as 26.5 million veterans were placed at risk of identity theft after an intruder stole an electronic data file this month containing their names, birth dates and Social Security numbers from the home of a Department of Veterans Affairs employee" Washington Post.com

This is the biggest single loss of current social security numbers, and puts millions of individuals at risk of identity theft.

In our work as data protection auditors, we often encounter offsite backup media being stored, unencrypted, in staff homes.

Just don't do it!  If the media must be stored in your house, make sure it's encrypted.

May 31, 2006 in Marketing and data protection | | Comments (0) | TrackBack (0)

PNR legality collapses

The legality behind the transfer of Passenger Name Records (PNR) from Europe to the US collapses today as the the European Court of Justice today ruled the existing deal illegal.

Under the previous PNR "agreement" European airlines had to provide the US authorities with 34 pieces of information on each passenger including names, addresses and credit card information, within 15 minutes of a plane taking off.

Civil Liberty groups have always opposed the agreement, and it now looks like they have the upper hand.  Interestingly, the ECJ did not annul the deal on the grounds of privacy, but on the technicality that the Data Protection Directive only covers commercial data and not personal use.

Commentators do not envisage that flights between the EU and the US will grind to a halt, but they are predicting a messy, time consuming (and expensive) road ahead.

Full story in the TIMES

May 30, 2006 in Marketing and data protection | | Comments (0) | TrackBack (0)

ICO New Guidance

Ico_logo_2 New guidance has been published by the Information Commissioners Office (ICO) to help small businesses understand how to outsource the processing of personal data without tangling with the Authorities, and how to buy and sell customer databases.

Outsourcing: From our experience (seven years, that long!) of training companies in data protection, we know that this is one of the oft missed parts of the legislation.  It's not that difficult to get it right, particularly if you are not transferring data outside of the EEA, but the ICO have published a list of good practice recommendations, just like our course slide :-), that helps you think the process through.

Databases: Another useful document, with good common-sense stuff and clears up the question about databases as an asset sold on in the event of a business going bankrupt.

Download the guidance documents here.

May 24, 2006 | | Comments (0) | TrackBack (0)

2 Years in jail for illegal data trading

Richard Thomas (the Information Commissioner) is not happy, he wants bigger teeth!

How big? He wants people who steal data or trade illegally in data to be sent to jail for up to two years. That's big.  Following a lengthy investigation, Mr Thomas is convinced that this is a major problem [We think so too, see our blog on 'Pod Slurping']

The BBC report on Mr Thomas' actions in some detail here, and the ICO has a media FAQ that puts some meat on the bone here.

May 24, 2006 in Marketing and data protection | | Comments (0) | TrackBack (0)

"Pod Slurping"

In an article for CNET News.com Abe Usher describes how he created an application that runs on an iPod and is capable of downloading business related documents (Word, Excel, PDFs etc.) at a rate of 100Mb per minute!

"To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. ... the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine."

The article goes on to point out that some of the greatest data risks in organisations now com from the INSIDE!

"[how many businesses] have realized it's possible to plug in an iPod and just walk away with the whole business in a matter of minutes."

Make sure you have the misuse and theft of corporate data as in your Acceptable Use Policy!

And make sure you read our article on the Information Commissioner and his Big(ger) Teeth

May 24, 2006 in Compliance and Policy Management | | Comments (1) | TrackBack (0)

SNP breech TPS

The Scottish National Party (SNP) obviously thought 'the' voice of 007 would make it all right; apparently not!

A recent decision by the Information Tribunal (published on their website - see blog below) makes it quite clear that you cannot use the telephone to deliver an automated message to subscribers who have not consented to receive such calls, even if it is deliverd by Sean Connery; but then you knew that didn't you!

If you're not sure about PECR (that's the Privacy and Electronic Communications Regulations 2003) and how it impacts on marketing then get on one of our courses!  You can also download a very useful flowchart that helps explain the whole thing in marketing terms.

How much? Free! It's here

May 24, 2006 | | Comments (0) | TrackBack (0)

Tribunals Service

Not had a chance to visit the Tribunal Service's website yet?

It's a great resource for anyone who wants to know how the information law and privacy regulations in the UK have been applied.

The Information Tribunal (formerly the Data Protection Tribunal) is resonsible for hearing appeals and publishes its rulings on their website.

A recent decision regarding the use of telephone canvassing and the Privacy and Electronic Communications Regulations 2003 is the subject of one of our bloglines.

May 24, 2006 in Marketing and data protection | | Comments (0) | TrackBack (0)

New ICO Guidance

The Information Commissioner gives guidance on privacy enhancing technologies (PETs)

Ico_logo_1

The guidance begins with the paragraph ...

"This technical note is intended to raise awareness of the concept of privacy enhancing technologies and is aimed at system designers and those commissioning them."

The note isn't really that technical (it is non-techie accessible) and by far the best part of the document are the informative links provided to other learn-ed research bodies who have been studying PETs.

  >> Download the document here.

>> Press release here

May 05, 2006 in Marketing and data protection | | Comments (0) | TrackBack (0)

NHS - Electronic Staff Records (ESR)

Staff concerns over central data warehouse come to the fore as NHS introduces Electronic Staff Records.

The ESR Programme is managed by the ESR Central Team which includes NHS, McKesson and Oracle staff working together in the design and implementation of the solution >> ESR Website

Logo

Looks like this one is set to ruffle innumerable feathers as ‘Management’ takes a hard line as witnessed at one NHS Trust …

“The Finance Director of my organisation has said that staff are not allowed to opt out, and if they do, they can no longer be employees of the Trust”

Ouch! The first thought of many is that such a draconian position is contrary to the Data Protection Act 1998; but is it? Under s.10 of the DPA you can seek to prevent processing that is likely to cause substantial damage or substantial distress, but only when none of the first four Schedule 2 conditions apply; this is unlikely in the employment scenario.

Given that staff are unlikely to have grounds for opting out of the ESR, do we feel that there is sufficient confidence in public sector data warehousing to quell the concerns of many?

Full thread of this discussion appeared on data-protection@JISCMAIL.AC.UK

May 05, 2006 in Marketing and data protection | | Comments (1) | TrackBack (0)

"Improve your Image"

This month, Duncan Smith of iCompli writes in Public Servant about some of the security issues raised by IT decision makers who visited the PixAlert stand at InfoSecurity Europe 2006.

Issue51_smlWe met a lot of public sector people on the Stand this year, and a clear message was being aimed at us; "how can we give assurances that out ICT assets are not being abused?"

Demonstrating how inappropriate images are downloaded passed gateway filters was quite an eye-opener for many. Existing security is fallible. 

Our offer of a free Discovery Audit, identifying illicit images on a proportion of ICT networks, was greatly oversubscribed, although we have extended the offer on a first come first served basis.

Infosec_hadleyWhy is the Discovery Audit popular? Because we all (should) have a healthy degree of sceptisim when it comes to 'being sold a technology solution' to any problem.

And rightly so, it has to work and it has to solve a problem.  The discovery audit is a simple way for us to demonstrate that the technology is effective at identifying inappropriate images on ICT Networks, and the management reporting is a very effective way at identifying and managing any abuse of ICT resources.  It works, and it solves a problem.

As John Nolan, CEO of PixAlert said at the show ...

"Knowing what your gateway filters have stopped is not the assurance businesses seek from Network Controllers; it's knowing what they have failed to stop!"

May 05, 2006 in Illicit Image Abuse | | Comments (0) | TrackBack (0)