International (UK): First-tier Tribunal dismisses Optical Express appeal on marketing texts

Although not local - take note of what consent means when you want to use Personal Information for Direct Marketing - the same principle/condition will apply in the RSA as well:

The First-tier Tribunal has upheld the Information Commissioner’s enforcement notice requiring Optical Express (Westfield) Limited (Optical Express) to stop sending unsolicited marketing texts, in contravention of section 22(2) of the Privacy Regulations 2003 (as amended), to individuals whose details were obtained under data supplier agreements.

Case: Optical Express used personal data provided by a number of suppliers, including Thomas Cook, to send text messages marketing its laser eye surgery. The Information Commissioner received 7506 complaints from individuals about this. Optical Express argued, among other things, that if their suppliers agreed in their contracts to only supply "consented data" that should be sufficient proof of consent. Brian Kennedy QC disagreed, " ... when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of products stipulated ... This falls under the "to guarantee fair processing" category. If the data subject doesn't know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?" In failing to obtain "proper, fully informed and specific consent", Optical Express had not met the requirements of regulation 22(2) 

Data Protection: How important is it to know what to do if there is a data breach?

Grupo Financiero Banorte, Mexico’s third largest bank, suffered a data breach earlier this year and is now reportedly being fined 32 million pesos ($1.98 million) by the Mexican data protection authority, the National Institute of Transparency, Access to Information and Protection of Personal Data, for failing to inform all of its clients immediately after the hack occurred.  Mexico’s National Banking and Securities Commission is also investigating the matter  and is expected to issue corrective measures.

To formulate and implement an effective incident response solution, including but not limited to an attorney and forensic experts on stand buy, contact Gerrie van Gaalen

International: China Seeks To Tighten Control Over Internet With Draft Cybersecurity Law

The Chinese parliament has issued a draft cybersecurity law aimed at “safeguarding China’s sovereignty over cyberspace and national security and public interests.”  The law outlines a plan for a multi-level system to prevent unauthorized network access, and calls for Internet-related industry associations, ISPs, and businesses to strengthen their cybersecurity standards.  It also establishes specific security requirements for operators and suppliers of networks and critical information infrastructure, including a provision that requires ISPs to store on Chinese territory any data collected within China and to obtain government approval before storing data overseas for business purposes.  If enacted, the draft law would allow the Chinese government to expand its online censorship practices and its control over Internet service providers and foreign firms operating in the country.

Sounds like certain movements in South Africa...worrying movements.

© Copyright 2015 Steptoe & Johnson LLP

Data protection - App Stores: selling goods without the necessary paperwork?

A group of 23 global data protection authorities has sent a letter to seven of the biggest appstore providers urging them to make the use of privacy policies mandatory for all apps using personal data sold via their platforms. 

The letter follows an enforcement sweep by 26 privacy enforcement authorities involved in the Global Privacy Enforcement Network (GPEN) in September 2014, which aimed to assess whether mobile app providers comply with data protection laws. Among other things, the results of the sweep indicated that 85% of the mobile app providers surveyed did not provide clear information on how the apps collect, process and disclose users' personal data.

The letter states that although app developers clearly have a responsibility to communicate their privacy practices to their users, mobile operating system developers and appstore providers also play a unique and integral role in users' interactions with apps they make available through their stores.

If you need a Mobile app privacy policy, then contact Gerrie van Gaalen

Russia Extends Deadline For Data Localization Law

Russian President Vladimir Putin approved a deadline of September 1, 2015, for companies to relocate their computer servers containing Russian citizens’ #personalinformation within the country’s borders.  The new timeframe for compliance with Russia’s data localization law was approved last month by both the upper house of Parliament and the Duma.  The Duma had previously passed a bill that would have moved the deadline up to January 1, 2015, over a year ahead of the law’s original effective date of September 1, 2016.  Lawmakers agreed to change the date after hearing from affected businesses concerned about the feasibility of setting up the necessary IT infrastructure in time to meet the law’s requirements.

© Copyright 2015 Steptoe & Johnson LLP

US: Boston Hospital Settles Data Breach Suit Over Unencrypted Laptop

Beth Israel Deaconess Medical Center in Boston has agreed to pay $100,000 to settle the Massachusetts Attorney General’s lawsuit over a 2012 data breach involving the theft of a physician’s unencrypted laptop.  In addition to the financial penalty, the hospital will also have to revise its data security measures to ensure compliance with state and federal law.  The consent agreement requires BIDMC to track and encrypt all hospital-purchased devices and to implement ActiveSync or other technology that prevents unencrypted smartphones and tablet devices from accessing personal information on the hospital’s email servers.  BIDMC must also review its policies and procedures regarding portable device security and train employees on how to handle personal and protected health information.  

© Copyright 2014 Steptoe & Johnson LLP. Steptoe & Johnson LLP 

How to avoid a similar risk at your organisation?

i) establish your current position against the applicable legislation

ii) determine realistic goals to achieve the recommended position in terms of data protection

iii) Implement appropriate deliverable, including but not limited to a Data Protection Policy, IT Security Policy, Mobile Device policy and BYOD policy

iv) Implement standard training and audit procedures at your oganisation.