Category Archives: Data and Records

Trump’s version of a paperless office?

This shouldn’t surprise us, I suppose.

Meet the guys who tape Trump’s papers back together
Armed with rolls of clear Scotch tape, Lartey and his colleagues would sift through large piles of shredded paper and put them back together, he said, “like a jigsaw puzzle.” Sometimes the papers would just be split down the middle, but other times they would be torn into pieces so small they looked like confetti.

It was a painstaking process that was the result of a clash between legal requirements to preserve White House records and President Donald Trump’s odd and enduring habit of ripping up papers when he’s done with them — what some people described as his unofficial “filing system.”

Makes me wonder if that Trump Kim document is worth the paper it’s written on.

University data breach

With GDPR still getting attention, here’s news that the Information Commissioner has fined the University of Greenwich over a significant data breach that happened in 2016.

Greenwich University fined £120,000 for data breach
The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.

The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.

[…]

In a statement, the university said it would not appeal against the decision.

It said it had carried out “an unprecedented overhaul” of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.

So the personal data was added to a website in 2004 and left there for 12 years until the breach was discovered?

The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach
The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site, allowing them to access other areas of the web server.

A timely warning for others, I guess. Under GDPR, these fines could be significantly higher.

Happy GDPR Day!

Remember though, 25 May is just the beginning, not the deadline. Don’t panic.

US sites block users in Europe: Why are they ghosting EU? It’s not you, it’s GDPR
Visitors in the bloc trying to load articles from the Tribune, or stablemates the Los Angeles Times – the fifth-biggest daily – and the Orlando Sentinel are shown the same error message from publisher Tronc.

“Unfortunately, our website is currently unavailable in most European countries,” it reads. “We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”

The finger is pointed at the General Data Protection Regulation, which, although it is only just being enforced today, was adopted on 14 April 2016 – meaning organisations have had more than two years to prepare.

Help, my lightbulbs are dead! How GDPR became bigger than Beyonce
But the potential of huge fines hasn’t been the only reason for GDPR mania. There’s also a growing market of people working in data protection and offering dubious services related to GDPR. In the UK there are more than 100 registered companies with the GDPR acronym in their titles – and the vast majority of these were formed after the regulation was approved in 2016. Their purpose? To offer advice on how companies can get their data in order and create products that can help organise information.

[…]

In a post on LinkedIn, George Parapadakis, who formerly worked at IBM, wrote that technology wouldn’t solve GDPR issues. “The nonsense that I read on a daily basis, defies belief,” Parapadakis wrote. Turner adds: “Don’t get me wrong, we’re all in it to pay the mortgage but I think as the panic has increased, there is something of a feeding frenzy of, ‘Let’s see how much we can get before the momentum goes out of the market.’” This may have peaked when GDPR became more popular than Beyonce.

Another day, another GDPR e-mail

GDPR finally comes into force on Friday, and there seems to be no let-up in the privacy notice update e-mails we’re all getting. This raised a smile though.

Most GDPR emails unnecessary and some illegal, say experts
What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

I wonder if we’ll still receive these e-mails after 25 May. If we do, are the companies that send them admitting they weren’t compliant initially? I’m sure the ICO won’t be too concerned, but it’ll be interesting to see what happens.

Last-minute frenzy of GDPR emails unleashes ‘torrent’ of spam – and memes
The whole process has inspired the internet to rope in everyone from Julian Assange to Donald Trump to Prince William in an attempt to illustrate their frustration at the electronic onslaught.

Relaxed data

Data is such a funny word. It’s a plural, strictly. Part of me wants to use it that way, and show off, but a larger part of me always feels too self-conscious to do that. Thankfully, as Nathan Yau from FlowingData has discovered, the ‘rules’ around its use have been ‘officially’ relaxed.

Data is, sometimes
If you read data as singular then write it as such. For example, we already allow singular for ‘big data’. And we should for personal data too. An easy rule would be that if it can be used as a synonym for information then it should probably be singular — and if we are using it as economic data and mean figures, then we should stick to plural.

Photocopiers have long memories

They say elephants never forget, and it seems neither do photocopiers.

In light of all the attention currently on GDPR and data protection generally, here’s an interesting article from 2010 about the dangers hiding within our photocopiers. For some time now, digital copiers have contained hard drives that store an image of everything they copy, scan or e-mail. That’s potentially a lot of valuable personal data that can stay on the machine long after you’ve thrown it away.

Digital photocopiers loaded with secrets
It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours.

The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Something to add to our risk registers, perhaps?

GDPR Day’s getting nearer

The EU’s Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was signed off on 27 April 2016, two years ago. It becomes enforceable from 25 May 2018. Have we been using these last two years to get ready?

This, from a year ago, sums it up, I think.

Concern that schools are not preparing for new rules on personal data
The General Data Protection Regulations are the ‘biggest change in 25 years’ to how organisations must manage personal data, but only a fifth of schools are aware of the May 2018 deadline.

Employers and schools are all certainly busy now, in these last few weeks, reviewing data asset registers and updating privacy notices. The news that the fines for non-compliance could be as high as £17 million is certainly a motivator, although here’s Elizabeth Denham, the Information Commissioner, suggesting they won’t be levying such large fines lightly.

What is GDPR? Data protection law is changing in 2018. Here’s what you need to know
But Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick.”

[…]

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

As well as some of us acting as data controllers or data processors, we’re all data subjects too. These are new rules designed to protect our data. I’m sure we’ve all been getting e-mails from companies like Twitter, Instagram and Fitbit and so on, about their revised data and privacy policies.

Here’s a great summary from Danny O’Brien of the Electronic Frontier Foundation, on what to look out for.

Why am I getting all these terms of service update emails?
The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by the EU’s head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be “vigilant about attempts to game the system”, adding that some of these new terms of service emails could be “travest[ies] of the spirit of the new regulation”.

[…]

As Buttarelli says, such “legal cover” might well be against the spirit of the GDPR, but it’s going to take a while for companies, regulators, and privacy groups to establish what the law’s sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use (“by using our service, you agree to these terms”) will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by “a statement or clear affirmative action.” Even more significantly, if the data being collected by a company isn’t necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.