GOOGLE ESCAPES FINE OVER STREET VIEW CARS, BUT MUST SIGN UNDERTAKING

Google used cars equipped with cameras to gather material for its much-publicised Street View feature. The material was not confined to photographs, but also included data by which wi-fi hotspots could be located. Earlier in 2010, the ICO investigated this ‘payload data’. It concluded that the information it had inspected was not personal data, in that it could not be linked to identifiable individuals. The ICO stated, however, that it would continue to work with its international counterparts, such as the Canadian authorities, in investigating Google. This co-operation has now shown the payload data to include URLs, passwords and email details.

The ICO today announced that:

“The Commissioner has concluded that there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK. He has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again. An audit of Google UK’s Data Protection practices will also be undertaken. The Commissioner has rejected calls for a monetary penalty to be imposed but is well placed to take further regulatory action if the undertaking is not fully complied with”.

This follows the ICO’s press release on Monday, in which it commented that:

“It is also important to note that none of the regulators currently investigating Google Street View have taken direct enforcement action at this stage, with the US investigation led by the US Federal Trade Commission for example ruling out direct action, although mirroring our own concern that this data was allowed to be collected by an organisation who showed such disregard for international data protection legislation. This week the Metropolitan Police have also closed their case believing it would not be appropriate to pursue a criminal case against Google under the Regulation of Investigatory Powers Act (RIPA). Whilst we continue to work with our other international counterparts on this issue we will not be panicked into a knee jerk response to an alarmist agenda.”

The latter press release also explained the ICO is “keen to discuss with MPs and Ministers how we can further defend privacy on the internet as technologies and applications develop”. In this regard, the Guardian reports today that culture minister Ed Vaizey is proposing a new internet code of conduct and a mediation mechanism to resolve complaints by individuals against data controllers. He is reportedly meeting with the ICO today to discuss these matters. Watch this space.

EU APPROVES FINANCIAL DATA TRANSFERS TO US FOR COUNTER-TERRORISM PURPOSES

On 13 July 2010, the Council of Europe promulgated a decision whereby it approved an agreement between the EU and the US for the transfer of financial messaging data from the EU to the US, specifically for the purposes of the US’s Terrorist Finance Tracking Programme. The decision has now been published in the Official Journal for the EU. See further the Council decision dated 28 June 2010 confirming the signing of the agreement, which you can find here.

NEW ICO CODE OF PRACTICE FOR PROCESSING OF PERSONAL DATA ONLINE

The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal data as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access is withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

DATA PROTECTION IN EUROPE – JUDGMENT IN BAVARIAN BEER

On 29 June 2010, the European Court of Justice handed down an important judgment on how provisions within EU law which permit access to documents held by EU institutions are to be applied where the documents contain third party personal data – European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P). The case involved an application for disclosure of a document held by the European Commission which recorded discussions on the application of certain beer import restrictions within the UK. A number of individuals were identified by name in the document. The application for disclosure was made by Bavarian Lager under EU Regulation 1049/2001 (the Access Regulation). The Access Regulation is designed to facilitate public access to documents held by EU institutions with a view to increasing their transparency and accountability. Importantly, like FOIA, the Access Regulation is, on its face, motive-blind (i.e. it does not require the applicant to establish a legitimate reason for accessing the information). The Commission provided the requested document, save that it redacted the names of certain individuals identified in the document. The key issue which arose in the case was whether, in deciding whether to release the names of the individuals in question, the Commission had been entitled to take into account whether Bavarian Lager had established that it had legitimate interests in receiving this particular data.

The Court of First Instance (now ‘the General Court’) held that: (a) particularly having regard to the motive-blind nature of the Access Regulation, the Commission had erred in taking into account Bavarian Lager’s interests in receiving the information and (b) the names should be disclosed. On appeal by the Commission, the ECJ overturned the CFI’s judgment. In summary, the ECJ reached the following conclusions on the appeal:

(1)   the CFI had erred because it had failed to have due regard to the way in which the Access Regulation effectively deferred to provisions contained in other EU legislation, in particular Regulation 45/2001, which is specifically concerned with protecting individuals with regard to the processing of their personal data by EU institutions (“the DP Regulation”);

(2)   the DP Regulation itself required consideration of the question of whether the applicant had a legitimate interest in receiving the particular personal data;

(3)   accordingly, the Commission had not erred when it decided that Bavarian Lager had not established a legitimate interest in receiving the personal data contained in the documents;

(4)   the data had been lawfully withheld by the Commission.

11KBW’s Jason Coppel appeared on behalf of the United Kingdom.

WATCH THIS SPACE

The Coalition’s Programme for Government contains a great deal that is of interest to information lawyers: see here.  But when and how will any of this be given legislative effect?

The Queen’s Speech was delivered on 25th May 2010. The website of the Prime Minister’s office gives a list of the proposed Bills, with further information about each one. Three of the proposed Bills have potential implications for information law.

(i) The Public Bodies (Reform) Bill will enhance the transparency and accountability of quangos: though it is not clear as yet whether enhanced information access rights will play a role in this.

(ii) The Decentralisation and Localism Bill will (among other matters) require public bodies to publish online the job titles of every member of staff and the salaries and expenses of senior officials.

(iii) The Freedom (Great Repeal) Bill is intended to cover a wide range of subjects, to be announced in due course: it may include an extension to the scope of FOIA, and also various provisions in relation to privacy (e.g. relating to CCTV cameras, and the DNA database).

Of these Bills, it is the third that is likely to be much the most significant. 

PATIENT INFORMATION – MADE FOR SHARING?

Sharing patient information in the NHS has proved highly controversial.  We posted about this subject here a while back.  Now there’s a new report from UCL researchers, suggesting that two key recent NHS IT programmes for handling patient information have so far delivered only modest benefits.   A short summary appears here, with links to the executive summary and the full report.  A research paper based on the findings has been published in the BMJ.

The three year UCL project looked at the Summary Care Record (SCR) and at Healthspace, both introduced as part of the NHS National Programme for IT. 

The SCR is an electronic summary of key health data, taken from GP records and other sources, and available to a range of NHS staff.   According to the UCL report, very few people had chosen to opt out; less than 1% of those who had been sent the relevant information.  But SCRs were not yet widely used; even where available, they were only accessed in 21% of clinical encounters.  So far there was little evidence that SCRs improved patient safety or reduced consultation length or hospital admissions.

HealthSpace is a tool that allows patients to update their own health information, plan healthcare appointments, and contact their GP via a secure internet connection.  So far, take up has been very low.  According to the UCL study only one person in 200 who was invited to open a basic account did so, and only one in 1000 opened an advanced account.

The report’s lead author, Professor Greenhalgh, is quoted as saying: “This research shows that the significant benefits anticipated for these programmes have, by and large, yet to be realised – and that they may be achieved only at high cost and enormous effort … It serves to demonstrate the wider dilemma of national databases: that scaling things up doesn’t necessarily make them more efficient or effective.”