Welcome to the March 2019 Data Protection Update. Our newsletter covers the latest topics and trends in the data protection industry.
There is no denying that since its inception in 2004, Facebook has become the most used social media app in today’s world. With over 1.74 billion active users, it can access and process a huge amount of data. Despite previous data privacy scandals, Facebook is currently facing another investigation.
There has been widespread criticism of the company and its processes surrounding data privacy. In 2018, it paid a fine of £500,000 to the Information Commissioner’s Office (ICO). This was due to an offence in 2016 governed by the Data Protection Act 1998. Under the GDPR, the same offence would carry a maximum fine of 20 million euros, or 4% of total global turnover.
It has been made public that some popular health apps are sending data to Facebook servers, even in cases where the user has no Facebook account. The information being processed is classed as special category data. This puts a significant question mark over both the apps and the data processes Facebook currently has in place. Special category data, and the safeguards required around it, are detailed in Article 9 of the GDPR. These safeguards are required because this type of data could create more significant risks to a person’s fundamental rights and freedoms. Whilst Facebook claims special category data is not fed into its advertising algorithms, this is difficult to verify. Additionally, Facebook has said in a statement that it “prohibits app developers from sending us sensitive data” [sic].
Governor Andrew Cuomo has directed New York’s Department of State and Department of Financial Services to “immediately investigate… a clear invasion of consumer privacy.”
The American politician also pressed for federal regulators’ involvement in ending the practice. Facebook is acting as an enabler in this situation. But are the main violators the apps which are processing the sensitive data?
Is your Legitimate Interest Legit?
An increasing number of organisations are now either compliant or on their journey to GDPR compliance. As a result, there is more emphasis on legitimate interest. When the other lawful bases for processing are not appropriate, some question whether they can always fall back on legitimate interest. The ICO has stated that it may be “the most flexible lawful basis”, but it is not always the correct basis. In some cases, businesses may have no lawful basis at all.
Article 6(1) states that:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The Information Commissioner’s Office suggests applying the following three-part test:
- Purpose test: is there a legitimate interest behind the processing?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: is the legitimate interest overridden by the individual’s interests, rights or freedoms?
In order to process data under legitimate interest, you must be able to satisfy all three steps. Whilst the GDPR does not include a detailed list of purposes classified as legitimate interest, there is some general advice. Legitimate interest may be used regarding:
- Fraud prevention
- Ensuring network and information security
- Indicating possible criminal acts or threats to public security
- Processing employee or client data
- Direct marketing
- Administrative transfers within a group of companies
If one of these purposes applies, less work may be needed to demonstrate that the legitimate interest basis applies.
GDPR in Schools
Here at DPAS, we have recently partnered with several schools in Kirklees to assist them in becoming GDPR compliant. DPAS has previously delivered similar services to the 41 schools in Jersey.
“We are delighted to be providing Data Protection services to the schools in Kirklees. Keeping data safe, in particular those of children, is not only a legal requirement which schools and their leaders can be personally liable for under the law, but it is the right thing to do. We look forward to helping schools to do just that.” – Nigel Gooding, Founder of Data Privacy Advisory Service
If a data subject is under 13, their data falls into the Special Characteristic data category. This means that extra safeguarding is required to be in place. The Wakefield Express recently published an article regarding the lack of data protection training within schools, and the lack of engagement.
The article relayed the fact that:
“The most common area of weakness was that not all relevant staff had received data protection / General Data Protection Regulation training (approximately 50 per cent of the schools – in the Wakefield catchment).”
Before May 2018 this may not have been a key focus for organisations, whatever sector they fall within. However, it is now more vital than ever that organisations are compliant. This month, the Department for Education has published version 1.5 of the School Census 2018 to 2019 business and technical specification. Within this document is key information regarding the type of data schools should be processing.
TikTok faces largest ever fine for children’s data privacy!
The Federal Trade Commission has recently published a report on the video sharing app TikTok. It notes that the app, which is Chinese-owned, has been unlawfully holding data without an age verification process.
TikTok has collected personal information from children under the age of 13, including names, email addresses and their location. There is enough evidence to prove that the app has been violating the US Children’s Online Privacy Protection Act. This practice has landed the company with a $5.7 million fine.
“We care deeply about the safety and privacy of our users,” the firm said. “This is an ongoing commitment, and we are continuing to expand and evolve our protective measures in support of this.” To ensure future compliance with regulations, TikTok has made it public that it is launching an “experience” for under-13 users that would strip out much of the functionality of the main app. – The Federal Trade Commission
This high-level fine applied to breaches in the US. However, TikTok made it clear it will not carry out retrospective checks for those who signed up before May 2018. The scope of the fine did not apply outside of that jurisdiction. It will be interesting to see whether this now becomes an issue in Europe, where the app is also popular.
What’s New at DPAS?
At DPAS we want to support businesses and schools in minimising the risk of cyber attacks. Cyber attacks can shut down systems and, in extreme cases, wipe all hardware and data. It is therefore imperative that customer, children’s and staff data is protected. Organisations should do what they can to minimise the threat of a cyber attack. At DPAS we have a number of tools available to help organisations do this and achieve good cyber security throughout.
Cyber Security Risk Assessment
Covering people, process and security, our cyber security assessment tool is a simple-to-use online questionnaire. It asks the questions needed to understand your organisation’s cyber risk profile. The tool collects information and produces a report, which either verifies that systems are secure or provides the guidance needed to improve.
This is an easy way for your organisation to understand the risks it currently faces. It also helps with how to address these risks with appropriate training, processes and technology.
Cyber Essentials Certification
Security certification can often feel like a burden – too much paperwork, not enough time. Our online portal is a fast and effective solution.
Our Cyber Essentials Annex provides an automated assessment of whether your organisation is likely to achieve certification. It includes a customised action list of requirements to help you achieve certification.
This means your application is faster, easier, and more likely to get results.
GDPR Compliance Assessment
Data Protection compliance doesn’t have to be difficult. We can provide a customised non-technical overview to help you understand your school’s obligations.
Start your GDPR compliance process using our customised action list based on the specific data processing requirements of your organisation. With clear, actionable advice, we can help make your GDPR compliance process efficient and effective.
We have just released training course dates. We are running the following courses during May, June and July:
- Data Breach Course (1 day)
- Data Protection Impact Assessment Course (1 day)
- Record of Processing Activity Course (1/2 day)
- DPO Course (3 days)
- Foundation Course (1 day)
Contact us now to reserve your space!
Free Consultancy Visit
Would you like a visit from one of our data protection consultants?