Your Data Protection Newsletter - March 2019
There is no denying that since Facebook’s inception in 2004, it is the most used social media app in today’s modern world. With 1.74 billion mobile active users, there is a lot to be said about the amount of data such a platform can access and process. Despite previous data privacy scandals, Facebook are currently facing another investigation.
There has been widespread criticism regarding the company and their processes surrounding data privacy. In 2018, they paid a fine of £500,000 to the Information Commissioners Office due to an offence in 2016 governed by the Data Protection Act 1998. With GDPR regulations now in force through the Data Protection Act 2018, for the same offence Facebook would face the new maximum fine of 20million euros or 4% of their total global turnover.
It has been made public that 11+ popular health apps with several million users are transmitting data in the direction of Facebook server’s, even in cases where the user do not have a Facebook account. With the information and data being processed classed as special category data, this puts a significant question mark over both the apps and the data processes Facebook currently have in place. Special category data and the safeguards required around it are detailed in Article 9 of GDPR . They are required because this type of data could create more significant risks to a person’s fundamental rights and freedoms. Whilst Facebook claims special category data isn’t inputted into algorithms for advertising, this is difficult to verify. Additionally, Facebook have said in a statement that it “prohibits app developers from sending us sensitive data” [sic].
Governor Andrew Cuomo has directed New York’s Department of State and Department of Financial Services to "immediately investigate… a clear invasion of consumer privacy.” The American politician also pressed for federal regulators involvement in assisting in ending the practice. Whilst Facebook is acting as an enabler in this situation, are the main violators the apps which are processing the sensitive data?
Is your Legitimate Interest Legit?
An increasing number of organisations are now either compliant or are on their journey to GDPR compliance. As this is the case, more emphasis is being put on legitimate interest. When other lawful basis’s for processing aren’t appropriate, some question whether they can always fall back on legitimate interest? Whilst the ICO have stated in their guidance that it may be “the most flexible lawful basis” it isn’t always the correct basis. In some cases, businesses may have no lawful basis at all.
Article 6 (1) states that:
Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The Information Commissioners Office suggest applying the following test:
-Purpose test- which asks is there a legitimate interest behind the processing?
-Necessity test- which asks is the processing necessary for that purpose?
-Balancing test- which asks is the legitimate interest overridden by the individuals interests, rights or freedoms?
In order to process data under the legitimate interest basis, you must first be able to meet the requirements of the 3 steps test. Whilst GDPR does not include a detailed list of what purposes as classified as legitimate interest, the recitals can be used as general advice. Legitimate interest may be used regarding:
-Ensuring network and information security
-Indicating possible criminal security
-Processing employee or client data
-Direct marketing; or
-Administrative transfers within a group of companies
If one of these purposes applies to your processing, this may result in limited work to prove the legitimate interest basis applies.
GDPR in Schools
Here at Data Privacy Advisory Service we have recently partnered up with several schools in Kirklees to assist them in becoming GDPR compliant. DPAS has previously delivered similar services to the 41 schools in Jersey.
“We are delighted to be providing Data Protection services to the schools in Kirklees. Keeping data safe, in particular those of children, is not only a legal requirement which schools and their leaders can be personally liable for under the law, but it is the right thing to do. We look forward to helping schools to do just that.” Nigel Gooding, Founder of DPAS.
If a data subject is under 13, their data falls into the Special Characteristic data category, meaning that extra safeguarding is required to be in place. The Wakefield express published an article last week regarding the lack of data protection training within schools and the lack of engagement around the topic.
The article relayed the fact that “The most common area of weakness was that not all relevant staff had received data protection / General Data Protection Regulation training (approximately 50 per cent of the schools – in the Wakefield catchment).”
Whilst before May 2018 this may not have been a key focus for organisations, no matter what sector they fall within, it is more vital than ever that organisations are compliant. This month, the Department of Education have published version 1.5 of a School Census 2018 – 2019 (Business and technical specification). Within this document is key information regarding the type of data schools should be processing.
Tik Tok face largest ever fine for Children's data privacy!
The Federal Trade Commission have recently published a report on the video sharing app, Tik Tok.
It notes that the app, which is owned in China, has been unlawfully holding data without an age verification processes.
TikTok have collected personal information from children under the age of 13 including names, email, addresses and their location. The information collected and provided has resulted in enough evidence to prove that the app has been violating the US Children’s Online Privacy Protection Act. This practice has landed the company with a $5.7 million fine.
"We care deeply about the safety and privacy of our users," the firm said. "This is an ongoing commitment, and we are continuing to expand and evolve our protective measures in support of this." To ensure future compliance with regulations, TikTok have made it public that they are launching an "experience" for under-13 users that would strip out much of the functionality of the main app”
This high level fine applied to breaches in the US. However, the organisation has made it clear that they will not carry out retrospective compliance verification checks for those who signed up to the app before May 2018, as the scope of their fine did not apply outside of that jurisdiction. It will be interesting to see whether this now becomes an issue in Europe, where the app is also popular.
What's New at DPAS?
At DPAS we want to support businesses and schools to minimise the risk to cyber attacks. With cyber attacks shutting down systems and in extreme cases wiping all hardware and data, it's imperative that customers, children's and staff data is protected, and Organisations do what they can to minimise the threat of a cyber attack. At DPAS we have a number of tools available to help Organisations do this and achieve good cyber security throughout.
Cyber Security Risk Assessment
Covering people, process and security, our cyber security assessment tool is a simple to use online questionnaire that asks the questions needed to understand your Organisations cyber risk profile. It collects information and produces a report, either verifying systems are secure, or providing the guidance needed to improve security.
This is an easy way for your Organisation to understand the risks that they currently have and how to address these risks with appropriate training, processes and technology in place.
Cyber Essentials Certification
Security certification can often feel like a burden - too much paperwork, not enough time.
Our online portal is designed for fast and effective certification.
Our Cyber Essentials Annex provides an automated assessment of whether your Organisation is likely to achieve certification and a customised action list of requirements to help you achieve certification.
This means your application is faster, easier, and more likely to get results.
GDPR Compliance Assessment
Data Protection compliance doesn't have to be difficult - we can provide a customised non-technical overview to help you understand your schools obligations.
Start your GDPR compliance process using our customised action list based on the specific data processing requirements of your Organisation. With clear, actionable advice, we can help make your GDPR compliance process efficient and effective.
We have just released training course dates, and we are running the following courses during May, June and July:
Data Breach Course (1 day)
Data Protection Impact Assessment Course (1 day)
Record of Processing Activity Course (1/2 day)
DPO Course (3 days)
Foundation Course (1 day)
Contact us now to reserve your space!
Free Consultancy Visit
Would you like a visit from one of our data protection consultants, or would you like to fill in our free Data Protection self compliance audit questionnaire?
Get in touch now!