Rakesh Jha FIP CIPP/E CIPM PMP CSM

GLOBAL PRIVACY NEWS SUMMARY JUNE 18

Discussion created by Rakesh Jha FIP CIPP/E CIPM PMP CSM on Jun 20, 2018

Vietnam approves new cybersecurity law

Vietnam's Parliament has approved a new cybersecurity law that requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security's cybersecurity task force. The new law also requires technology companies doing business in the country to operate a local office and store information about Vietnam-based users within the country. Companies could face substantial penalties for failure to disclose information upon governmental request. The law will take effect on 1st January 2019.

ICO fines Yahoo! UK £250,000

The UK regulator has fined Yahoo! UK Services Limited £250,000 in relation to a cyber-attack in November 2014. The ICO's investigation focussed on the 515,121 UK accounts that Yahoo! UK Services Limited, based in London, had responsibility for as a data controller (the breach affected a total of approximately 500 million users internationally). The investigation found that the company had failed to take appropriate technical and organisational measures to protect the data, failed to take appropriate measures to ensure that the data processor, Yahoo! Inc, complied with the appropriate data protection standards, and failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to customer data. The inadequacies found had been in place for a long period of time without being discovered or addressed.

Police body fined for revealing identities of abuse victims in bulk email

Gloucestershire Police has been fined £80,000 by the Information Commissioner's Office after sending a bulk email that identified victims of child abuse. In December 2016, an officer sent an update on an investigation to 56 recipients by email, but entered their email addresses in the 'to' field and did not activate the 'bcc' function. Each recipient of the email, which potentially included victims, witnesses, lawyers and journalists, could see the full names and email addresses of all the others. ICO Head of Enforcement Steve Eckersley said: "This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity."

Dixons Carphone admits huge data breach

Dixons Carphone has admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records as a result of a hack that began in July last year. The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said. Dixons Carphone said it had no evidence that any of the cards had been used fraudulently following the breach. A spokesperson for the National Cyber Security Centre said it was "working with Dixons Carphone and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures". An ICO spokesperson said: "We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."

ICO responds to publication of audit into DeepMind

The UK regulator has advised NHS bodies to learn from Royal Free London NHS Foundation's experience with using Google DeepMind, an app designed to help patients with kidney injury. In 2017, the Royal Free, in partnership with DeepMind, trialled its AI system called Streams for testing diagnosis of acute kidney disease. In July 2017, the ICO ruled the Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind, one major fault being that patients were not adequately informed that their data would be used as part of the test. The Royal Free committed to undertaking an audit, which it has now completed. The conclusion of the audit was that "RFL's use of Streams is lawful and complies with data protection laws [but there are] areas in which further improvement could be made."

Outcomes