It stores data on every ride you take using the service, as well as the ratings that drivers give their passengers. UK residents can file something called a "subject access request" with a company to find out what data is held about them. Please give me details of the source of this data if available. If you need any more information from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that a request for information under the Data Protection Act 1998 should be responded to within 40 days. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer. Here's what I found: Uber knows where I've been. The document Uber sent me included the precise locations of where I had requested rides, where each ride began, and where it ended. Five is the best, meaning they were a great driver, and one star means you had a really bad experience. But what you might not realise is that drivers are also encouraged to rate their passengers. I'm not doing that again. Uber stores every email you send it. Included in the data Uber sent back to me was a record of every support email I've sent the company. Feedback I sent about drivers. Emails about my request for the data. I've spent over £750 on Uber in less than two years. The PDF file that Uber sent me meant that many of the figures weren't readable.
Steve Eckersley, head of enforcement at the ICO, commented: Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Mrs Smith (not her real name) was made redundant during maternity leave and believed she had been subjected to maternity/sex discrimination. Mrs Smith denied wrongdoing and refused to cooperate so her employer withheld her redundancy and notice payments and issued a claim in the High Court claiming damages, costs and account of profits for misuse of its confidential information, for Mrs Smith's breach of her equitable duties of fidelity and confidence and for infringements of the employer's database rights. They negotiated a settlement for Mrs Smith which avoided her having to appear before the judge or having to pay the employer's legal costs and negotiated the release of the payments due to her and the ability to refer to her work examples in return for her and Mr Murphy deleting the client list and other information. Even if your employment contract is poorly drafted and doesn't contain a confidentiality provision – or you haven't signed one at all – there's the general law of confidentiality. For example, in July last year Mr Skelton (his real name), an employee of Morrisons the supermarket chain, leaked staff salaries, bank details and National Insurance numbers of nearly 100,000 employees and tried to blame a co-worker.
British data protection act should be used when transferring data to US, says ICO. The Information Commissioner's Office (ICO) says future data protection regulations will have to be as strong as those afforded by the EU if the UK wants to continue trading with the bloc once it leaves. It comes after the United States and the EU agreed to strengthen the Privacy Shield agreement, but with the UK opting to leave the European Union, direction was needed for firms operating in this country. But if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation (GDPR) framework starting in 2018. The GDPR has been in the planning since January 2012, and it aims to give citizens back control over their data in the digital age, including the right to be forgotten. Companies that do not comply with its strict new requirements could face fines of up to 4 percent of their global revenue for the previous year, or 20m euros (£15.8m) depending on which is greater. Earlier this year nearly 80 percent of UK medium and large businesses said they were not confident they will be able to comply with the GDPR regulations.
UK law lets you request a copy of any of your personal data held by a company. First off, here's how it's done: I sent an email to [email protected] which followed a fairly standard subject access request format (that's the legal term for this kind of email): NAME ADDRESS PHONE NUMBER THE EMAIL ADDRESS ASSOCIATED WITH MY TINDER ACCOUNT DATE Dear Sir or Madam Subject access request Please supply the information about me I am entitled to under the Data Protection Act 1998. If you need any more information from me, or a fee, please let me know as soon as possible. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer. If you need advice on dealing with this request, the Information Commissioner's Office can assist you and can be contacted on 0303 123 1113 or at Yours faithfully NAME Just over a month later I received a password-locked PDF from Tinder (the password was sent in a separate email). I expected to see some messages, maybe some photos too, but does Tinder store my location as well?
Police forces across the UK have been responsible for at least 2,315 data breaches over the last five years, according to research by Big Brother Watch, prompting concerns about the increasing amount of data they're holding. Titled Safe in Police Hands? the 138-page report is released today after months of requests made by the campaign group under the Freedom of Information Act, covering police forces' breaches of the Data Protection Act from June 2011 to December 2015. According to Big Brother Watch, the results show officers misusing their access to information for financial gain and passing sensitive information to members of organised crime groups. Over the last five years, more than 800 members of staff at police forces accessed personal information without a policing purpose and information was inappropriately shared with third parties more than 800 times. The issues span improper disclosure of information, accessing police systems for non-policing purposes, inappropriate use of data for personal reasons and more, says BBW.
Image caption: The French data authority has said Microsoft has breached the country's Data Privacy Act. Windows 10 gathers an "excessive" amount of personal data on users, the French data authority has said in a formal notice. Following complaints the operating system breached France's Data Protection Act, the National Data Protection Commission (CNIL) found "many failures". The CNIL has now given Microsoft three months to comply with the act. A Microsoft executive said the company would "work closely" with the CNIL. By default, Windows 10 collects various data on how it is used - this includes what apps are installed and how much time is spent within them, for example.
News: Microsoft has three months to address issues. The French data authority, Commission Nationale de l'Informatique et des Libertés (CNIL), has issued a formal notice to Microsoft to stop collecting excessive data and tracking of users without their approval. CNIL took this action after being alerted by media and political parties. Meanwhile, a Contact group was created within the G29 working party including national data protection agencies in Europe to examine the issue and conduct investigations in several states concerned. The CNIL, in this regard, has conducted over seven online observations in April and June this year and questioned Microsoft over its privacy policy to check whether Windows 10 was following the French Data Protection Act. CNIL revealed several areas of concerns including irrelevant or excessive data collection, lack of security, lack of individual consent, lack of information and missing options to block cookies and data being transferred outside EU on safe harbour basis.
Indeed, if PrivacyShield is deemed adequate, why can't the UK also replace the current Data Protection Act 1988 (DPA) with something as flexible as PrivacyShield; after all the DPA is based on a European Data Protection Directive 95/46/EC which will no longer apply in a post-Brexit Britain. Importance of the Council of Europe. Any step towards a UK without a data protection law would require the UK to withdraw from the Council of Europe and its European Convention of Human Rights (ECHR), something that Mrs. May has categorically stated will not happen under her watch as Prime Minister. necessary and proportionate exemptions with respect to data controllers involved in policing, state security etc. The universality of the Convention is specified in Article 3 which requires Member States of the Council of Europe to undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors (my emphasis). In other words, the UK is required to enact general data protection legislation based on the Convention's provisions.
The UK's energy regulator is creating a database service that farms out information on Britons' energy tariffs to rival companies for the sake of ensuring a competitive market. The CMA report found that "two thirds of households are disengaged" from the energy market, "and paying over the odds for their energy compared to those who have switched tariff." As a remedy it recommended that the Office of Gas and Electricity Markets (Ofgem) develop a database of customers for the explicit purpose of allowing "rival suppliers" to nag each others' customers, if those customers have been on the default tariff for three years or more. Responding to the CMA's initial paper, the Information Commissioner's Office suggested (PDF) the service could be operated on top of the Electricity Central Online Enquiry Service (ECOES) database, which contains all Meter Point Administration Numbers (MPANs) in the UK. MPANs are 21-digit reference codes which uniquely identify electricity supply points in the UK, most often a particular property. Any data linked to the MPAN of a domestic property, according to the ICO, "is likely to be personal data, even if the name of the individual or individuals who live there is not known" and as such will be protected by the Data Protection Act 1998.
Donald Trump's controversial luxury golf resort in Aberdeenshire has a chequered history of putting its neighbours' noses out of joint, but this time, it's flouted the UK's data laws by failing—possibly for years—to register with the Information Commissioner's Office. The Guardian found that the £30 million resort in north-east Scotland hadn't been registered under the Data Protection Act, "despite operating an extensive CCTV system and handling data on thousands of golfers and guests, its staff, and suppliers," potentially putting Trump's golf resort at risk of being found guilty of a criminal offence and fined. However, just as the ICO was preparing to write to Trump International Golf Course to remind it of its legal duties, it received registration details, somewhat taking the wind out of the sails of the newspaper's investigation. And, despite the Guardian pressing for legal action, a spokesperson for the ICO told Ars: "We were asked whether we would prosecute them retrospectively for having not been registered; we would not," adding: Where data controllers respond to advice from the ICO that they need to notify and complete the registration process, it generally would not be a proportionate response to then commence a prosecution. We treat those that we regulate in a consistent way and to pursue the golf course in these circumstances would be inconsistent to how we have dealt with others in similar circumstances.
Police are investigating a data breach at the large UK software company Sage. It is understood that the personal details of employees at 280 UK businesses may have been compromised. Sage, based in Newcastle, says it is investigating the "unauthorised access" of data by someone using an "internal" company computer login. The information was accessed at some point over the past few weeks, but it is unclear whether it was stolen from the FTSE-listed firm, or merely viewed. The company, which provides business software for accounting and payroll services to firms across 23 countries, says it is taking the breach extremely seriously. The police are investigating and the Information Commissioner's Office (ICO), responsible for the enforcement of the Data Protection Act 1998, has been informed.
A controversial data-sharing agreement between Google-owned AI company DeepMind and the UK's National Health Service (NHS) has caught the eye of the National Data Guardian — the government appointee who works with the Department of Health to try to ensure citizens' confidential health data is safeguarded and used properly. The NDG role does not have powers of enforcement, so cannot launch a formal investigation into the data-sharing arrangement, but a spokeswoman told TechCrunch the NDG is considering how data was shared by the Royal Free NHS Trust with Google DeepMind. The same Royal Free-DeepMind data-sharing agreement is already being investigated by the UK's data protection watchdog, the ICO, which confirmed to TechCrunch today that its probe remains ongoing. NHS data-sharing and due process. This is just the latest regulatory bump in the road for the data-sharing agreement between DeepMind and the Trust — which was inked last September and publicly announced in February this year; the first such collaboration between the Google-owned company and the NHS. The Royal Free Trust and DeepMind have maintained that patient consent to the sharing of the data in this instance can be implied rather than explicitly obtained, because they say they are using the data for so-called direct patient care.
Upon the conclusion of Article 50, data centres resident in Britain will no longer be subject to EU data protection rules. Today, UK data centres are bound by the EU Data Protection Directive 95/46/C, which was in turn based on the 1980 OECD Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. One of the biggest areas of focus is on data governance. In the event of a data breach, a notification requirement will apply across the board and the maximum penalties go up: the ICO can currently levy fines of up to £500,000 but the GDPR ups that to €20m, or four per cent of total annual worldwide turnover. Right up to the minute. There are some interesting advanced technical issues in the GDPR, too.
The fine is the biggest ever levied by the Information Commissioner. The UK's data watchdog has fined TalkTalk a record £400,000 over last year's cyber attack on the company in which the personal details of thousands of customers were exposed. The attack last October breached the accounts of 157,000 customers to steal data that included credit cards, bank account numbers, names and phone numbers. On Wednesday, the Information Commissioner's Office said TalkTalk had failed when it came to the basic principles of cyber security, and found it to be in breach of the Data Protection Act. The fine is the biggest the ICO has ever laid down, moving close to the maximum £500,000 penalty it can order, and comes just months after the new Information Commissioner Elizabeth Denham took the post. TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease, she said.
TalkTalk has been hit with a £400,000 fine from the data protection regulator following a massive cyberattack on the company last year. The Information Commissioner's Office issued the fine – the largest ever for a data protection incident – to the company following an investigation. Investigators from the ICO found that hackers were able to get into TalkTalk's systems "with ease" and take advantage of "technical weaknesses". In total, 156,959 TalkTalk customers had their personal details stolen by hackers who accessed names, addresses, dates of birth, phone numbers and email addresses. Elizabeth Denham, the Information Commissioner, said TalkTalk "should have done more" to protect customer information and that it failed to "implement the most basic cyber security measures." "The incident is only part of the story – the underlying breach is the failure to have appropriate measures in place," Turner said.
A legal case alleging that Facebook is liable for photos published on its website could radically change the way social media companies deal with explicit images. What does the case involve? A 14-year-old girl from Belfast is taking Facebook to court, arguing the company is liable for the publication of a naked picture of her posted repeatedly as an act of revenge on a "shame page". The girl, who cannot be named for legal reasons, alleges misuse of private information, negligence and breach of the Data Protection Act by Facebook. Northern Ireland's high court rejected Facebook's attempt to have the case thrown out last week and a trial will begin early next year. Is this a common problem?
Patient data access concerns prompts ICO probe. DeepMind Health, the healthcare arm of the artificial intelligence business owned by Google, has signed a deal with the Royal Free London NHS Foundation Trust to provide an app called Streams. The deal, which establishes a five-year partnership between the organisations, builds on DeepMind Health's pilot project with the Trust to build Streams, which DeepMind describes as an app which will alert "clinical teams as soon as test results show that a patient is at risk of developing acute kidney injury (AKI)". A spokesperson for the Information Commissioner's Office told The Register: "Our investigation into the sharing of patient information between the Royal Free NHS Trust and Deep Mind is ongoing. "We've been in contact with the Royal Free and Deep Mind who have provided information about the development of the Streams app," the spokesperson continued, noting: "It's the responsibility of businesses and organisations to comply with data protection law." Streams is DeepMind's healthcare app, which while currently focused on alerting clinicians to AKI is planned to be expanded to cover "other illness where early intervention is key and technology can ensure this intervention happens" by automating the collection of patients' data and running it through DeepMind's proprietary software.
DeepMind co-founder Mustafa Suleyman has said negative headlines surrounding his company's data-sharing deal with the NHS are being driven by a group with a particular view to pedal. The five-year deal, described by the Royal Free as landmark and DeepMind as groundbreaking, will share information on more than 1.6 million patients every year and historical data going back five years. The information gathered will be put to work in an app called Streams, which uses DeepMind artificial intelligence to send clinicians real-time alerts about patients at risk of acute kidney disease. Yet despite the back and forth and subsequent changes, privacy experts are still concerned about the scope of the deal. While he praised certain aspects of the new agreement, including infrastructure for auditing and greater data transparency, he argued the same questions remain. ', still hasn't really been answered.
The other relates to the non-compliance of the national security agencies with their existing data protection obligations under the Data Protection Act 1998 (DPA). The consequence of such plans can be illustrated by the case of Marper v UK dealing with the retention of DNA samples by the police. In Marper, the UK's highest Court (the House of Lords as it then was) came to a unanimous decision with a panel of 5 judges that retention of DNA profiles, on individuals who had been arrested but who had been subsequently acquitted, comprised a lawful interference of private life in terms of Article 8 of the ECHR. Such retention of DNA profiles and related personal data also did not breach Article 8. It is a subsequent use or disclosure that activates the stored personal data and which creates any interference with private life. If the ECHR follows previous judgments, it is likely to find such bulk personal dataset retention unacceptable in terms of Article 8.
In five questions or less, an industry expert defines and explains a technology, term or trend – with this installment seeing James Wickes, CEO and co-founder at Cloudview, tackle cloud surveillance. JW: Cloud surveillance delivers a step change in the effective management and protection of corporate assets by enabling businesses to consolidate, record, observe and share visual data and sound from both digital and analogue cameras networked across multiple locations. JW: Organisations connect their existing analogue or IP CCTV cameras to cloud-based visual surveillance services via the internet using specialist network adapters or software. Visual data is securely transmitted to and securely stored on a cloud-based system. Authorised users can instantly, securely access and manage data from any camera from any location at any time – generally using a browser-based client. JW: The key benefits are instant access from any location, greater scalability and increased storage.