14 September 2017

Data Protection Update: UK, Canada and Russia

In this edition we update you on Brexit plans, the necessity of audits to prevent data breaches, and news on Canadian and Russian reporting requirements

UK Government Issues Statement of Intent 

The government has noted that data flows account for a larger proportion of GDP  growth than traditional goods and therefore unencumbered data transfers are ‘essential to the UK forging its own path as an ambitious trading partner.’  The UK is therefore seeking to assure the world that we are Brexit ready:

Ahead of the Data Protection Bill which is expected this month, the government has published a Statement of Intent for the future data regime.  While the EU General Data Protection Regulation (GDPR) will become law in the UK on May 25th 2018, the UK is leaving the EU in March 2019 and some asked what this means for compliance.  The Statement emphasises that the GDPR will be transposed into domestic law in order to ensure a smooth data-flow between the UK and EU, insuring there are no issues post Brexit. 

The UK will also secure an adequacy decision from the EU Commission confirming that it meets the EU’s standards for data protection.  The UK has proposed that the UK and EU recognise each other’s frameworks as satisfactory prior to the UK leaving the EU, for the purpose of continuing data exchange to provide business certainty.  This may be a custom relationship similar to the model for EU-US data exchange under the Privacy Shield (although the adequacy of the Privacy Shield is an ongoing issue).  

The government has also stated that it would like the UK Information Commissioner’s Office to continue to play a role in EU data protection by establishing a regulatory dialogue in order to support cross-border commercial activity involving data sharing.

UK Nottinghamshire Council fined £70,000 by ICO – You need to audit your data security

Nottinghamshire County Council has received a substantial fine following its failure to protect personal data relating to vulnerable individuals.  The council had posted online, in a database without security or access restrictions, the gender, addresses (including postcode) and care needs of disabled and elderly people.  The breach was only revealed when a member of the public reported conducting a search using a search engine and being able to access the data.  The information was discovered to have been online and accessible for a period of five years, and 3,000 individuals may have had their data posted on the system.

The ICO considered this a prolonged and serious breach.  It was also noted that the council had the staff and financial resources available to put in place appropriate safeguards, yet failed to do so.  The sensitive nature of the data, as well as the fact it related to vulnerable individuals, were aggravating factors. 

The ICO noted:

Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.

The decision underlines the need for a period audit, to test your security, and know you are still compliant. 

Canada: Draft Regulations on mandatory data breach

On September 2nd 2017, an amendment was proposed to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. 

The proposed regulations require an organisation to report a breach to the Privacy Commissioner of Canada if in light of the circumstances, it is reasonable to believe that the breach results in a ‘real risk of significant harm’ to a data subject.  They also set out the details as to:

  • The contents of the report to the Commissioner;
  • The contents of a notice to a data subject affected by the breach;
  • How notice must be given; 
  • Record keeping requirements.

The contents of the report to the Commissioner are similar to existing requirements for voluntary reporting.

Notice to a data subject is required where there is a real risk of significant harm to that individual.   Notices to the individual, mirror those requirements.  There is a proposal to include steps the data subject can take to minimise the risk of harm.  Notice may be given by post, telephone or in person. Notice by email is permitted only if the individual has consented to receiving information from the organisation in that way. 

Records of breaches must be maintained for 2 years after the date that it was determined that a breach had occurred. 

Notices to the individual, mirror those requirements.  

Russia: New Requirements for Notice of Data Processing

On August 22nd 2017, the Russian data protection authority, Rozcomnadzor, issued an order revising notice requirements for companies processing personal data. 

The order requires companies to give advance notice of personal data processing.  The notice must include: 

  1. Information on security measures used to prevent data breaches;
  2. Intention to transfer data out of Russia, and to which countries;
  3. Confirmation of compliance with law requiring the data of Russian citizens to be stored on servers located within Russia. 

A new notification form is available for companies to provide notifications to Rozcomnadzor.