Information Commissioner's Office


Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website: http://www.ico.org.uk
Industry: Law Enforcement
Company size: 201-500 employees
Headquarters: Wilmslow, Cheshire
Type: Nonprofit
Founded: 1984
Specialties: Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • 🆕 We have issued a reprimand to the London Borough of Hackney (Hackney) after hackers gained access to and encrypted files affecting at least 280,000 people. Read on for details of the incident. Hackney suffered a ransomware attack in 2020 when the attackers gained access via an account with an insecure password which had lain dormant since 2012. Hackney also failed to ensure that a security patch management system was actively applied to all devices. The cyber-attack resulted in council systems being disrupted for many months with, in some instances, services not being back to normal service until 2022. This was a clear and avoidable error from Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. Read about the incident in full: https://lnkd.in/eQD96ruy People need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences of these errors. Councils must take preventative measures to reduce the risk and potential impact of human error and must ensure that data that is entrusted to them is protected. In a recent report we analysed the most common security mistakes and have some key tips to help organisations keep the personal information they hold secure: https://lnkd.in/ef65A-Qg

  • How would your organisation react to a ransomware attack on the personal information you need to run your business? Our recent reprimand for the London Borough of Hackney underlines the importance of having robust security measures in place to protect the personal information of residents. Hackers were able to encrypt 440,000 files. Read about the incident in full: https://lnkd.in/eQD96ruy Ransomware and cyber-attacks use flaws in information security to allow hackers to gain control of information in an attempt to extort money for its return. Over the past few years, we’ve seen the rise in the number and severity of ransomware attacks. In this case, Hackney did do some things well after they found out about the attack: • It let the people impacted know about the attack: • it sent out information and advice to 100,000 homes; • it updated its website informing those affected about the attack; and • it emailed everyone who had consented to receiving marketing information from Hackney. Hackney notified and engaged with the National Crime Agency, the National Cyber Security Centre and the Metropolitan Police to create contingency plans to remove any unlawfully published data. The council created risk assessments to identify people at high risk and had put plans in place in case any more sensitive data was exfiltrated by the hacker. And it created emergency business processes in response to the attack. For more information on what your organisation should do in case of a breach, read our guidance: https://lnkd.in/exJWCCsC

  • Good luck to all our fellow shortlisters! We're in the running for two PRWeek UK awards this year: ✨ In-House Team of the Year (Public Sector) as we work to bring the importance of data protection to as many people as possible; and ✨ Public Sector Campaign for our Help Gran, Stop Spam work to protect the public against predatory marketing calls, encouraging people to protect their family and friends by reporting cold callers and helping them register with the Telephone Preference Service (the UK’s ‘do not call’ list). We'll find out the eventual winners in October but, win or lose, we won't stop working as hard as we can to ensure personal information is treated fairly and securely. Fingers crossed!

  • How personal data is processed within digital identity systems is a key consideration, as significant harms may arise from misuse of that data, for example, in the event of a personal data breach. We'll continue working closely with our DRCF colleagues, industry and Government departments to ensure privacy is at the heart of the design in order to build and maintain the trust of people using the systems. We've got more information in our Digital Identity Position Paper: https://lnkd.in/gda5QaXG

    NEW: Exploring the Future of Digital Identity The DRCF has published a summary of its research on the future of digital identity, outlining potential regulatory implications. Read the article in full here https://lnkd.in/dtSFTDk2 Digital identity has potential to deliver a range of benefits, including more convenience; more accessibility and inclusion; less processing of personal data; and environmental benefits, if companies maintain fewer overlapping sets of data. However, it also gives rise to some significant risks that will need to be addressed as it develops, such as abuse by bad actors, misuse of personal data, and creation of a digital divide between those who use it and those who do not. #digitalidentity #data #regulation

    Exploring the Future of Digital Identity - DRCF Findings

    drcf.org.uk

  • NEW: We’re working with the Metropolitan Police Service who are trialling the potential use of investigative genetic genealogy, including genetic databases, to investigate the unidentified human remains of missing people, and potentially to help solve ‘cold cases’. ⏳ The project Investigative Genetic Genealogy (IGG) is an approach for identifying family relations using genetic testing and genetic databases. The Met are looking at how they could use IGG in the investigation of unidentified human remains to help bring closure to families of missing individuals. IGG is currently used in other countries, where it has been successfully used in many high-profile missing persons cases and ‘cold’ cases, some of which date back decades. The project will: ➡️ assess the available technologies ➡️ explore the potential applications, limitations and ethical impact of IGG in a criminal justice setting. ➡️ identify data protection responsibilities and risks. ➡️ identify relevant data processing regimes. Our Sandbox is a place for organisations developing innovative projects with a real public benefit to test and ensure their approach has data protection built in. If you’d like our support apply to our Sandbox today: https://lnkd.in/eiCcyz2F

  • Information Commissioner's Office reposted this

    DRCF: Delivering impact through cooperation. Published today, this new article measures the DRCF’s impact and how its work benefits regulators, government, industry and the wider economy. Read in full - https://lnkd.in/eSNq9e27 Some highlights - • Stakeholders recognise the value of our joint publications on topics such as harmful online choice architecture, which provide greater clarity of regulator expectations and help improve outcomes for consumers. • Our joint work and shared expertise have supported timely and cost-effective delivery including, for example, the DRCF AI and Digital Hub. This ambitious one-year pilot service helps unlock innovation and supports UK economic growth. • Internationally, the DRCF acts as a vehicle for greater cooperation and is inspiring the adoption of similar models. We are keen to hear from stakeholders about the impact of the DRCF’s work and the approaches we can take to assess it. Please contact drcf@ofcom.org.uk to share your views. #digital #regulation #cooperation

    DRCF: Delivering impact through cooperation

    drcf.org.uk

  • NEW: We’ve taken action against Chelmer Valley High School in Essex for introducing facial recognition technology (FRT) to take cashless payments. Read on to see what you can learn from the case ⬇️ ⚖️ The case Chelmer Valley High School first started using the technology in March 2023 to take cashless canteen payments from students. However, the school failed to carry out a DPIA before using the technology. We found that the school sent a letter to parents and guardians in March 2023 if they did not want their child to take part in FRT. This means the school relied on assumed consent and affirmative 'opt-in' consent wasn't sought at this time. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission. The school failed to consult with parents, guardians, students or the data protection officer before implementing the technology. 💡 What schools can learn from the case 1. Ensure that your entire organisation knows to ask themselves the question whenever using personal information in a new or different way, does this need a DPIA? ➡️ See our accountability framework to help you assess your processes: https://lnkd.in/eWHiYGwb 2. If you’re considering cashless catering ensure you have given thorough consideration to its necessity and proportionality, and to mitigating specific, additional risks such as bias and discrimination. ➡️ See our FRT guidance: https://lnkd.in/eWvs-_th ➡️ See our case study on North Ayrshire Council schools and their use of facial recognition technology: https://lnkd.in/ePmHAw7X 4. Ensure that DPOs are closely included when considering new projects or operations using personal information. You should document their advice and any changes that are made as a result. ➡️ See our Accountability Framework for guidance on how to assess your organisation’s roles and structure: https://lnkd.in/eDbTJm3m You can read the case and reprimand in full: https://lnkd.in/ezmKm4zW

    • Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks - Lynne Currie Head of Privacy Innovation.

  • A good organisation will have a good privacy notice. Earlier this year we said app developers should meet their data protection obligations to be transparent with their users by being concise, clear and easily accessible. Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. So, we're urging app users to check if they are clear about who the app is sharing their personal information with. We have lots of advice and guidance on our website to support your organisation get data protection right from the start: https://lnkd.in/epNsjYdA

  • A good privacy notice shouldn't be difficult to understand, and the information you hand over to health apps is sensitive. So if you check just one thing before you sign up to an app, make it this: 🤔 Are you clear about who the app is sharing your personal information with? Earlier this year we urged app developers to meet their data protection obligations to be transparent with their users and keep their data safe, and to ensure their ‘privacy information’ is concise, clear and easily accessible: https://lnkd.in/edX9Ysqy The privacy notice should include your information rights, such as how you can object to the way your information is being used. You should also be told how you can complain if you've got concerns about the way the app is using your information. You’re in control, so don’t press ‘agree’ unless you do. We have more guidance on your right to object to the use of your personal information: https://lnkd.in/gik7qRhM

    The right to object to the use of your data

    ico.org.uk
