Information Commissioner's Office

NEW: We have reprimanded the Electoral Commission after hackers gained access to servers that contained the personal information of approximately 40 million people. Read on for more details. In August 2021, hackers successfully accessed their server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured. Until October 2022 – over a year later – the attackers had access to the personal information held on the Electoral Register, including names and home addresses. The Electoral Commission did not have appropriate security measures in place to protect the personal information it held: ➡️ servers weren’t kept up to date with the latest security updates ➡️ many accounts still used passwords identical or similar to the ones originally allocated by the service desk Read more about our action: https://lnkd.in/dPR_icrb Stephen Bonner, Deputy Commissioner at the ICO, said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands. “This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure and up-to-date. Otherwise, you put people’s personal information at risk. “I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.” We have more security guidance for all organisations on our website: https://lnkd.in/eVSbmnRT

NEW: Meta Platforms Inc. (Meta) has entered our Sandbox with a project to explore online ad measurement using privacy enhancing technologies (PETs). 💭 The project Meta is researching a system utilising Secure Multiparty Computation (MPC) that aims to enable accurate ad measurement while ensuring user privacy. How will the Sandbox work in this case? Our Sandbox will ensure Meta considers the impact data protection laws have on its project. The results will be published at the conclusion of the project, benefitting wider industry as we assess how PETs can be rolled out in an online advertising measurement context. Read more on our website: https://lnkd.in/e_hHxsqC We’re committed to supporting the creation of a more privacy friendly internet for UK consumers and we’re pushing companies to consider new approaches. It's part of our broader work to ensure that people’s rights are upheld by the online advertising industry. We’re also encouraging the use of PETs as they help organisations unlock the potential of data while keeping people’s personal information private. Find out more in our PETs guidance: https://lnkd.in/eZvPVDTx Our Sandbox is a place for organisations looking to use information in innovative ways to test and ensure their approach has data protection built in. Register interest to our Sandbox today to get our support on your innovative projects: https://lnkd.in/eiCcyz2F

How would your organisation react to a ransomware attack on the personal information you need to run your business? Our recent reprimand for the London Borough of Hackney underlines the importance of having robust security measures in place to protect the personal information of residents. Hackers were able to encrypt 440,000 files. Read about the incident in full: https://lnkd.in/eQD96ruy Ransomware and cyber-attacks use flaws in information security to allow hackers to gain control of information in an attempt to extort money for its return. Over the past few years, we’ve seen the rise in the number and severity of ransomware attacks. In this case, Hackney did do some things well after they found out about the attack: • It let the people impacted know about the attack: • it sent out information and advice to 100,000 homes; • it updated its website informing those affected about the attack; and • it emailed everyone who had consented to receiving marketing information from Hackney. Hackney notified and engaged with the National Crime Agency, the National Cyber Security Centre and the Metropolitan Police to create contingency plans to remove any unlawfully published data. The council created risk assessments to identify people at high risk and had put plans in place in case any more sensitive data exfiltrated by the hacker. And it created emergency business processes in response to the attack. For more information on what your organisation should do in case of a breach, read our guidance: https://lnkd.in/exJWCCsC

Good luck to all our fellow shortlisters! We're in the running for two PRWeek UK awards this year: ✨ In-House Team of the Year (Public Sector) as we work to bring the importance of data protection to as many people as possible; and ✨ Public Sector Campaign for our Help Gran, Stop Spam work to protect the public against predatory marketing calls, encouraging people to protect their family and friends by reporting cold callers and helping them register with the Telephone Preference Service (the UK’s ‘do not call’ list). We'll find out the eventual winners in October but, win or lose, we won't stop working as hard as we can to ensure personal information is treated fairly and securely. Fingers crossed!

How personal data is processed within digital identity systems is a key consideration, as significant harms may arise from misuse of that data, for example, in the event of a personal data breach. We'll continue working closely with our DRCF colleagues, industry and Government departments to ensure privacy is at the heart of the design in order to build and maintain the trust of people using the systems. We've got more information in our Digital Identity Position Paper: https://lnkd.in/gda5QaXG

NEW: We’re working with the Metropolitan Police Service who are trialling the potential use of investigative genetic genealogy, including genetic databases, to investigate the unidentified human remains of missing people, and potentially to help solve ‘cold cases’. ⏳ The project Investigative Genetic Genealogy (IGG is an approach for identifying family relations using genetic testing and genetic databases. The Met are looking at how they could use IGG in the investigation of unidentified human remains to help bring closure to families of missing individuals. IGG is currently used in other countries, where it has been successfully used in many high-profile missing persons cases and ‘cold’ cases, some of which date back decades. The project will: ➡️ assess the available technologies ➡️ explore the potential applications, limitations and ethical impact of IGG in a criminal justice setting. ➡️ identify data protection responsibilities and risks. ➡️ identify relevant data processing regimes. Our Sandbox is a place for organisations developing innovative projects with a real public benefit to test and ensure their approach has data protection built in. If you’d like our support apply to our Sandbox today: https://lnkd.in/eiCcyz2F

DRCF: Delivering impact through cooperation  Published today, this new article measures the DRCF’s impact and how its work benefits regulators, government, industry and the wider economy. Read in full - https://lnkd.in/eSNq9e27 Some highlights - • Stakeholders recognise the value of our joint publications on topics such as harmful online choice architecture, which provide greater clarity of regulator expectations and help improve outcomes for consumers. • Our joint work and shared expertise have supported timely and cost-effective delivery including, for example, the DRCF AI and Digital Hub. This ambitious one-year pilot service helps unlock innovation and supports UK economic growth. • Internationally, the DRCF acts as a vehicle for greater cooperation and is inspiring the adoption of similar models.       We are keen to hear from stakeholders about the impact of the DRCF’s work and the approaches we can take to assess it. Please contact drcf@ofcom.org.uk to share your views.  #digital #regulation #cooperation

NEW: We’ve taken action against Chelmer Valley High School in Essex for introducing facial recognition technology (FRT) to take cashless payments. Read on to see what you can learn from the case ⬇️ ⚖️ The case Chelmer Valley High School first started using the technology in March 2023 to take cashless canteen payments from students. However, the school failed to carry out a DPIA before using the technology. We found that the school sent a letter to parents and guardians in March 2023 if they did not want their child to take part in FRT. This means the school relied on assumed consent and affirmative 'opt-in' consent wasn't sought at this time. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission The school failed to consult with parents, guardians, students or the data protection officer before implementing the technology. 💡 What schools can learn from the case 1. Ensure that your entire organisation knows to ask themselves the question whenever using personal information in a new or different way, does this need a DPIA? ➡️ See our accountability framework to help you assess your processes: https://lnkd.in/eWHiYGwb 2. If you’re considering cashless catering ensure you have given thorough consideration to it’s necessity and proportionality, and to mitigating specific, additional risks such as bias and discrimination. ➡️ See our FRT guidance: https://lnkd.in/eWvs-_th ➡️ See our case study on North Ayrshire Council schools and their use of facial recognition technology: https://lnkd.in/ePmHAw7X 4. Ensure that DPOs are closely included when considering new projects or operations using personal information. You should document their advice and any changes that are made as a result. ➡️ See our Accountability Framework for guidance on how to assess your organisation’s roles and structure: https://lnkd.in/eDbTJm3m You can read the case and reprimand in full: https://lnkd.in/ezmKm4zW

📆 Mark your calendars – October 8 is a memorable day for many reasons… If you’re not going to the birthday parties that Sigourney or Matt are throwing then #DPPC24 is where you need to be! Register for FREE here 👉 https://lnkd.in/eAAgF5aq

A good organisation will have a good privacy notice. Earlier this year we said app developers should meet their data protection obligations to be transparent with their users by being concise, clear and easily accessible. Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. So, we're urging app users to check if they are clear about who the app is sharing their personal information with. We have lots of advice and guidance on our website to support your organisation get data protection right from the start: https://lnkd.in/epNsjYdA