Estate agency fined £80,000 for failing to keep tenants’ data safe

The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years. The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017. The exposed details included personal data such as bank…

Former motor industry worker ordered to pay £25,500 from proceeds of data theft

A motor industry employee who was sentenced to six months in prison in November 2018 for accessing personal data without permission has been ordered to pay a £25,500 confiscation order in a case brought by the Information Commissioner’s Office (ICO). Following a hearing at Wood Green Crown Court, London on 15 July, the judge determined Mustafa Kasim of Palmer’s Green benefited from thousands of pounds as a result of the offences. Kasim had previously worked for accident repair firm Nationwide Accident Repair Services (NARS) and accessed thousands of customer records…

Speech: The future of online advertising regulation

Original script may differ from delivered version. Privacy in adtech is having a moment. There’ve been some interesting fascinating developments recently! Amazon continues to carve out a piece of the adtech pie with their recent purchase of Sizmek. The new Global Alliance for Responsible Advertising held their inaugural meeting in Cannes a few weeks ago. And Uber has launched legal action against some adtech companies on grounds of security. Closer to home, our neighbours at the Irish Data Protection Commission launched investigations into Quantcast and Google. And the French Data…

Blog: Live facial recognition technology – data protection law applies

A blog by Elizabeth Denham, Information Commissioner. 9 July 2019. Any organisation using software that can recognise a face amongst a crowd then scan large databases of people to check for a match in a matter of seconds, is processing personal data. For the past year, South Wales Police and the Met Police have been trialling live facial recognition (LFR) technology that uses this software, in public spaces, to identify individuals at risk or those linked to a range of criminal activity – from violent crime to less serious offences.…

Intention to fine British Airways £183.39m under GDPR for data breach

Statement in response to an announcement to the London Stock Exchange that the ICO intends to fine British Airways for breaches of data protection law. Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this…

Developing the ICO AI Auditing Framework: an update

Simon McDougall, Executive Director for Technology and Innovation, reflects on the progress made in developing the ICO approach to auditing Artificial Intelligence (AI), and some of the broad themes emerging from the feedback received so far. We launched this blog in March to provide regular updates on the development of the ICO Auditing Framework for AI, and encourage organisations to engage with us on this work. Since then we have set out the proposed overall structure of the framework, and explored the data protection challenges and possible controls in relation…

Blog: Cookies – what does ‘good’ look like?

3 July 2019. By Ali Shah, Head of Technology Policy. Since the General Data Protection Regulation (GDPR) came into effect last May, there has been a great deal of interest in how it applies to cookies and similar technologies. Cookies can seem a complex issue. The rules on their use are in the Privacy and Electronic Communications Regulations (PECR), not the GDPR. However, some of PECR’s key concepts now come from the GDPR – such as the standard of consent. Today, we’ve published new guidance on the use of cookies.…

Former company director believed to have profited by more than £1.4 million after selling personal data illegally

A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002. David Cullen of Middleton Road, Manchester, was the managing director of No1 Accident Claims Limited based on Oxford Road, Manchester from 4 March 2010 until 20 December 2012 when the company was liquidated. The business profited from selling illegally obtained personal data to solicitors. The data, belonging to…

ICO searches Liverpool addresses as part of investigation into suspected illegal acquisition and sale of personal data

The Information Commissioner’s Office (ICO) has today (27 June) searched two addresses in Liverpool, as part of an ongoing investigation into the acquisition and sale of illegally obtained personal data. Following a six month investigation, working in partnership with the Insurance Fraud Bureau (IFB), two teams of ICO enforcement officers executed search warrants at a business and a residential address to seize computer equipment and documents which will be analysed for evidence. The business is suspected of carrying out high volumes of data farming activity, known as blagging or vishing,…

ICO’s access to information strategy calls for better compliance by public authorities backed up with enforcement action

The ICO has today published ‘Openness by Design’, its new access to information strategy. The strategy sets out five goals relating to the suite of access to information legislation regulated by the ICO: Freedom of Information Act (FOIA) 2000, the Environmental Information Regulations (EIR) 2004, and the Re-use of Public Sector Information Regulations 2015. The five ‘Openness by Design’ goals are: Ensuring that access to information rights is upheld in a consistent and timely manner and operates effectively in a digital age. Providing excellent customer service to individuals making requests…