UK ICO Encourages Voluntary Data Protection Audits and Advisory Visits

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

Voluntary audits are conducted free of charge and the ICO has indicated that it will not issue monetary penalties if it discovers compliance breaches during a voluntary audit. Following a voluntary audit, the ICO produces a comprehensive report of findings and an executive summary. The executive summaries are made available to the public on the ICO’s website (with the relevant organization’s permission), and full reports on audits of public authorities may be subject to freedom of information requests.

The ICO is eager to use audits as an educational and best practice-sharing tool, to encourage organizations to improve their data protection procedures. Although it convinced 52 organizations to submit to voluntary audits last year, the ICO is keen to see greater participation in its audit service, noting that it “can still be an uphill struggle to get organisations to see the benefits.”

With this in mind, the ICO has recently begun to roll out “advisory visits” as an alternative to voluntary audits. Advisory visits are aimed at small and medium-sized organizations (“SMEs”) for whom a full audit may be too comprehensive. As with voluntary audits, advisory visits are conducted free of charge. A member of the ICO’s good practice team conducts a day visit to the organization and provides basic, practical advice focusing on three key areas: (1) data security, (2) records management and (3) subject access mechanisms. Following the visit, the ICO prepares a short report with guidance and next steps for the organization. As with voluntary audits, the fact that a visit has been conducted is published on the ICO’s website, together with a summary of the visit (with the consent of the organization). The first two advisory visits were undertaken in December 2011, and the ICO hopes to encourage more SMEs to follow suit during 2012.

UK and U.S. Regulators Introduce New Breach Guidance, Notification Forms

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Breaches may be reported to the ICO in writing, by email or postal mail, or by using the new breach notification form, which sets forth specific questions regarding the breach and is available online. The completed form must be submitted via email. Although use of the form is not obligatory, its content gives organizations the clearest indication yet of the type of information the ICO expects to receive regarding a breach.

As we reported in September 2011, California recently amended its breach notification law, adding new notification requirements that came into effect on January 1, 2012. Further to these changes, the California Attorney General introduced an electronic form to be filled out and submitted online in the event of a security breach affecting more than 500 California residents. The California Office of Privacy Protection also posted an updated version of its “Recommended Practices on Notice of Security Breach,” which provides guidance and best practices for businesses with respect to “managing personal information in ways that promote and protect individual privacy interests.”

Both the UK and California breach notification forms ask businesses to provide certain details of the breach, including the date of the breach, the date of notice provided to affected individuals, and the type of personal information involved. Unlike the non-binding UK initiative, California law now requires businesses to submit the electronic reporting form and upload a sample copy of the notification letter being sent to affected individuals when a breach affects more than 500 California residents. The California breach form includes questions about other law enforcement agencies that have been notified of the breach, and the ICO’s form asks for information regarding other regulatory bodies that have been informed of the incident, such as The Office of Fair Trading and the Financial Services Authority.

Finally, on January 27, 2012, Illinois Attorney General Lisa Madigan released Information Security and Security Breach Notification Guidance, which provides advice on preventing, preparing for, and responding to data security breaches. The guidance encourages businesses to establish comprehensive information security programs and includes practical considerations for notification in the event of a breach. Illinois recently amended its breach notification law to require that notification letters to affected individuals include certain content, such as the toll-free numbers and addresses of the FTC and the major credit reporting agencies and a statement that individuals can obtain information about fraud alerts and security freezes from those sources.

Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

Specifically, IISPs will be prohibited from collecting user personal information or providing user personal information to third parties without the user’s consent. When collecting user personal information after having obtained consent, IISPs will be required to expressly inform the user of the method, content, and purpose for collecting and processing the personal information. Further, IISPs will be prohibited from collecting information that is not necessary to provide their services, or using user personal information for any purpose other than providing those services.

The New Regulations also impose custody, remedy and breach notification obligations. IISPs will be required to keep user personal information in proper custody and take steps to mitigate possible harm resulting from any actual or suspected unauthorized disclosure of personal information. In the event an IISP suffers a severe breach incident or anticipates the potential for a severe breach, the IISP must immediately report the event to the relevant telecommunication authority and cooperate in any investigation by the authority.

The definition of user personal information in the New Regulations includes both (1) information that independently identifies a user, and (2) information that may be used to identify a user when combined with other information.

View the New Regulations (in Chinese).

UK ICO Outlines the Year Ahead

On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.

Regarding FOIA, Christopher Graham warned of a widening gap between “the rhetoric of openness” and “the day-to-day reality of reluctance and foot-dragging.” Despite FOIA taking effect seven years ago, some public authorities still regard it as a “distraction.” The Commissioner argued that information rights can deliver “huge benefits in terms of better government, better services, and the protection of freedoms,” but conceded that post-legislative scrutiny may be beneficial in some respects.

On enforcement, in both the blog post and the Information Rights Strategy document, the Commissioner affirmed the ICO’s current prioritization of action in health, credit and finance, criminal justice, Internet and mobile services, and information security. The Commissioner made clear his desire to operate transparently, and by explicitly stating his priorities indicated that we can expect to see increased enforcement action in these fields in 2012.

Within the sphere of credit and finance, the Commissioner is widely considered to be focusing particular attention on the insurance industry. Similarly, in 2010, the Irish DPA published a special investigation into the use of a shared database within the Irish insurance industry. Scrutiny of the UK insurance industry is expected to follow in 2012, and it is believed that the ICO has requested an increased number of voluntary audits of insurance industry participants. The ICO’s current emphasis on using voluntary audits as an enforcement tool is expected to continue more generally across all industry sectors in 2012.