What is so important about somebody’s vaccination status?

As the vaccination program continues to roll out across the country for the COVID-19 virus, people are getting vaccines on a wide scale.

Now I just want to make sure that everybody is aware that somebody’s vaccination status is actually medical information and as such is classified as a special category data and so it needs to be protected.

Who has Vaccination Status Data Protection Concerns?

The Data Protection Commission issued some guidance recently, which is available here. In that they reiterated that except in very limited circumstances, employers are not allowed to ask employees or capture or store information relating to their employees’ vaccination status.

Why is that the case?

That is because there is no current public health advice stating that there is a good purpose for doing so. This is the crucial thing, that it has to be public health advice that has to give a good reason otherwise there is no actually legal basis for capturing and storing somebody’s vaccination status.

Is there a wider concern here?

That guidance was applicable to employers and employees but as the country opens up and there is all this talk about people showing their vaccination status to get into pubs and restaurants and things like that. I think that there will continue to be this limitation. Unless public health authorities come out and say otherwise, pubs, restaurants, hotels, anywhere that people can gather, I don’t believe that capturing somebody’s vaccination status will be permitted.

So watch out for any updates from public health authorities only and not from the likes of the restaurants association, the vintners, hotels federation, etc.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 085 Vaccination Status Data Protection Concerns appeared first on L2 Cyber Security Solutions Ltd..

What data protection issues do we need to consider as lockdown is eased?

Next Monday the 18th of May, Ireland begins the first of 5 phases of the easing of lockdown restrictions. Some companies have been advised to gather people’s personal data more so than usual, to facilitate perhaps contact tracing or making appointments to ensure social distancing. So here are a few things to consider about that gathering of additional personal data.

Staff taking customer contact details

There’s been reports that some restaurants may take the names and telephone numbers of every member of a party that attends the restaurant, such that contact tracing may be facilitated. There was a story that has emerged out of the US where a restaurant worker has made unwelcome advances towards a female customer, by calling her on her mobile number. So be careful about what staff have access to that data.

Secure website booking forms

Also I’ve become aware of riding schools are opening up as they are outside activities. Some of them are taking bookings online, on their websites. You need to make sure that those websites are secure. That there is a certificate on the site. That there is a padlock. So check that.

Health screening of customers

Finally there was another establishment that has installed thermal imaging cameras to screen customers walking in the door. Now that is processing sensitive personal data because that temperature data would be considered a special category of data. So there would absolutely have to be a data protection impact assessment carried out on that setup. Watch out for any kind of health screening you might plan to do.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 028 Data Protection as Lockdown is eased. appeared first on L2 Cyber Security Solutions Ltd..

The post A la carte Data Protection Training appeared first on L2 Cyber Security Solutions Ltd..

The post Staff Data Protection Awareness Training appeared first on L2 Cyber Security Solutions Ltd..

The post Board Management Data Protection Briefing appeared first on L2 Cyber Security Solutions Ltd..

Yep! I’m Working from Home for the first time.

Now that the #COVID19 pandemic has truly gripped the planet, lots of employers are asking their employees to work from home. If you’re in the situation for the first time your employer probably has provided you with a laptop or a tablet, or some device to be able to do this work from home.

If they have done this they probably also have given you some kind of secure way of connecting into the company emails and into the company file data storage. Your IT support might also have given you guidance on things you need to do to keep that machine safe and secure while you’re working from home. So please do follow those guidelines.

So Working from Home and Data Protection, what do I gotta do?

But if you’re working with personal data you really, really want to be very careful about that device and how you use this device in your working from home environment. For example you might have younger people in the house and it can be very tempting to let them play with this device or use this device to access the internet, when you’re not working with it. You must resist that temptation because that device contains potentially sensitive data. You cannot let the young people get access to that data. It must be kept secure.

What about paper personal data?

Similarly if you were printing things at home and particularly if you’re printing sensitive personal data, so things like health information or religious, political persuasions, that type of information.

Sensitive Personal Data:

• Race/Ethnic origin
• Political Opinions
• Religious/Philosophical beliefs
• Trade Union Membership
• Physical/Mental Health
• Sexual Orientation/Sex Life
• Genetic data
• Biometric data

If you’re going to print that out at home you really need to be able to secure those printouts, those hard copies appropriately and as securely as it would be in the office. So you really shouldn’t want to be printing that stuff out.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

www.L2CyberSecurity.com

www.twitter.com/L2Cyber

The post #WeekendWisdom 020 Working from Home and Data Protection appeared first on L2 Cyber Security Solutions Ltd..

Surely this isn’t the first annual report?

The office of the Data Protection Commissioner has been around for many many years and have issued many many annual reports. When the GDPR came along on 25th May, the office was renamed to be the Data Protection Commission. This report (which you can read here) is their first report covering the period 25th May – 31st December 2018.

Due to the fact that there are investigations still going on from before 25th May 2018, under the previous legislation, the report shows two sets of figures. This post will concentrate on the GDPR figures.

What are the highlights?

There were nearly 2,000 complaints made. The top 10 of these accounted for 94% of all complaints. They are:

Issues around access rights was also the number 1 complaint (39%) under the previous legislation, so this is the most important area that a business or organisation should get right. I’m a little surprised by the complaints under Right of Rectification. That is such a simple one to get correct, why were there 30 complaints? ?‍♂️

Data breaches are on the rise.

There were nearly 3,700 data breaches reported. 85% of them were in the category of unauthorised disclosure which wasn’t really surprising.

It’s interesting to note that there were 226 incidents (6%) which related to paper records. I actually think that figure should be a little bit higher, as I suspect people don’t consider losing or poorly disposing of paper records to be a proper data breach.

What about the Facebook problems reported last year?

They are in there too. There are 15 Statutory Inquiries into multinational technology companies. 10 of these inquiries relate to Facebook (7), or Facebook owned companies (WhatsApp 2 and Instagram 1). Of those 10 complaints 4 related to Legal Basis for processing and 3 relate to the data breach reported in September 2018.

The other companies that had inquiries ongoing are Apple with 2, Twitter 2 and LinkedIn 1.

Was there anything else interesting in the report?

Well yes there was. It’s to do with how the DPC acted when dealing with some of the complaints they came across. There were a few case studies provided (pages 24-26). The DPC handled these without the need to impose sanctions, by making the data controller aware of their failings and providing ways to rectify the situation.

What was also interesting was where complaints had come in about data controllers, who had been investigated previously by the Office of the Data Protection Commissioner. In these cases, the DPC prosecuted them in court and had financial penalties applied (pages 64-67). These cases were taken under previous legislation, so the sanctions were small enough. But this shows that if you, as a controller, come to the DPC’s attention multiple times, they will take a dim view of your behaviour.

Conclusion:

There was a lot more to this first annual report than what I covered above, but for most businesses, these are the items that matter.

If you would like to avail of a free 1 hour consultation to find out what you need to do to prepare your business for the GDPR, then please send an e-mail to info@l2cybersecurity.com and somebody will get back to you.

#GDPR #SimpleGDPR

#SecuritySimplified

The post First Annual Report from the DPC appeared first on L2 Cyber Security Solutions Ltd..

Austrian surveillance cost €4.8K

Just to recap, a business owner had CCTV installed outside their premises. One camera was recording a large portion of the public footpath. This was judged to be too invasive and there was poor signage. The regulatory authority hit them with a modest €4,800 fine. The Austrian data protection authority had 36 other proceedings pending at that time.

Portuguese hospital with too many doctor’s accounts hit for €400K

An unnamed hospital in Portugal had 985 doctor’s accounts on it’s IT system and only 296 doctors on staff. It seems that non-Doctor types (e.g. psychologists and dietitians) used doctor accounts to access patient data. What is most troubling is that a doctor account has unrestricted access to every single patient’s data.

You might not think this is a big deal, but you’re dealing with sensitive personal data here. There should be some controls on access to it, including audit logs of any and all access made by authorised personnel.

The regulator has imposed a €400,000 fine on the hospital, which is appealing the judgement. The Portuguese Government have not yet fully implemented the GDPR, but the regulator is acting as if it was in place.

App maker who cooperated, still fined €20K

A German chat platform, knuddles.de had a breach in which 330,000 e-mail addresses (in German) and their account passwords were stolen by hackers. The passwords were in plain text (no hashing or encrypting was applied). It was the screw-up with the password that caused the fine. They hadn’t applied appropriate technical or organisational controls to protect the data.

The regulatory authority acknowledged that Knuddles were very proactive in reporting the breach and the subsequent follow up. They have implemented stronger security controls in a very short time. In consultation with the regulator they have more measures coming in due course.

The regulator also looked at the financial  strength of the company in determining the fine, not wanting to place the business under any financial burden. So the fine was proportionate. I would hate to think what might have been the case if they hadn’t cooperated.

To avoid GDPR fines, budget now to prepare early in 2019

If your business hasn’t put in place any policies or procedures to address the requirements of the GDPR, you should look at addressing this soon. Most annual budgets will have been exhausted by now, so put in place a sensible sum for GDPR preparation work, early next year.

• If you haven’t attended a GDPR awareness event, then seek one out or give us a call on 087-436-2675.
• We are now offering Practical GDPR Training, which can give you virtually everything you need to be as compliant as possible. Being “100% GDPR compliant” is not something that can be stated presently, as there is no certification available to support such a declaration.
• Or if you prefer to keep making money for your business and not be distracted, then we can do the work for you. Send us an e-mail to info@L2CyberSecurity.com and we’ll get in touch.

#GDPR

#SimpleGDPR

#SecuritySimplified

The post GDPR fines are starting to come. appeared first on L2 Cyber Security Solutions Ltd..

While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions Ltd..

“But where are the €20m or 4% of turnover fines for violating the GDPR?” you shout. As the underlying data breach incident occurred some years ago and surfaced before the #GDPR went into effect in May 2018, then they couldn’t be prosecuted under the Data Protection Act 2018, which implements the GDPR.

But this is still a significant judgement. The ICO has gone for the maximum possible penalty against Facebook, showing that what they were up to was completely unacceptable and rightly so. They found that Facebook had breached two of the principles of data protection:

1. Facebook had unfairly processed personal data.
2. And they didn’t put in place appropriate measures to prevent unauthorised or unlawful processing of personal data.

So while Facebook are only fined £500,000 this time, this is a clear indication that data protection authorities won’t be afraid of going after the maximum fines available to them for failures in respect to protecting peoples personal data.

Also don’t forget that the Irish Data Protection Commissioner is investigating Facebook for a GDPR era incident. That incident started with 50m people affected with another 40m possibly impacted. It dropped down to only ~30m affected … but that’s still ~30,000,000 people. Of those, 14m had the following personal data accessed:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

That is a massive amount of personal data to have been harvested, and could definitely be used against the victims. That particular investigation will be a big one and will probably run into some time in 2019.

In the meantime, lets be careful out there.

#SecuritySimplified

The post Facebook are only fined £500,000 appeared first on L2 Cyber Security Solutions Ltd..