Rebecca Wong's "DP Thinker" Blog

Rebecca has a commentary on Data Protection, usually with a United Kingdom bias. She is a Lecturer in Law at Nottingham Trent University. Recent works include assisting the European-funded project PRIVIREAL, which aimed to examine the implementation of the Data Protection Directive 95/46/EC in relation to medical research and the role of ethics committees.

DP Thinker is a UK based cyberblog by a legal scholar, specialising in privacy and data protection developments (be it within Europe or the US). Any feedback/views to postings on DP Thinker are always welcome.

Currently exploring the implications of outsourcing and data protection. If you have views on this subject, please email her.

Publications to Date

  • Wong, R. The shape of things to come: Swedish developments on the protection of privacy, Script-Ed, (2005), 2.
  • Wong, R. Privacy: charting its developments and prospects. In: Klang, M. & A. Murray, Human Rights in the Digital Age, January 2005.

  • Recommended blog posts
    For researchers working on privacy developments, here are a few suggested links to keep abreast of the latest:

    1) Hunton and Williams Privacy Law Blog
    2) Datanomy, the data protection weblog
    3) European Digital Rights in Europe (EDRI)
    4) Pogowasright - US focussed
    5) Privacy Exchange - slightly outdated, but still relevant
    6) European Commission: Data Protection Commissioners
    7) PrivacyOS - European Privacy Open Space
  • ICO Consultation
    Having been overwhelmed with plenty of books to read on my to do list, here is just the latest on data protection developments. The ICO is currently undergoing a public consultation (view on this later) into an online code of practice. If you have not yet aired your views, it is still not too late. By way of recap:

    The code will provide comprehensive, accessible guidance on the following broad areas:
    • Operating a privacy-friendly website
    • Rights and protections for individuals
    • Privacy choices and default settings
    • Cyberspace and territoriality

    We intend to publish the code in May 2010, following a public consultation exercise.

    Further details can be found here.

    On a different note, Oxford Brookes University and BILETA are hosting a one day event for doctoral researchers engaged in the field of IT, IP and Cyberspace law on September 11, 2009. Please mark this in your diaries. Further details about registration can be found here.

  • How well do you know your privacy policies?
    Whilst updating my reading, came across this recent update that EFF has introduced the ToS Tracker, which keeps an eye on 58 website privacy policies. Courtesy of Dark Reading:

    The EFF on Thursday launched TOSBack.org, a "terms of service" tracker for Facebook, Google, eBay, and other major Websites. The idea is to give users an easy way of finding the privacy policies used by their favorite sites, and to be alerted when those policies change. TOSBack.org offers a real-time feed of changes and updates to more than three dozen policies from the Internet's most popular online services. Clicking on an update brings users a side-by-side, before-and-after comparison, highlighting what has been removed from the policy and what has been added, the EFF says. The issue of terms-of-service changes -- and how and why they are made -- was highlighted earlier this year when Facebook modified its terms of use. Facebook users worried that the change gave the company the right to use their content indefinitely. After a user revolt, Facebook announced it would restore the former terms while it worked through the concerns users had raised. "Some changes to terms of service are good for consumers, and some are bad," says EFF senior staff attorney Fred von Lohmann. "But Internet users are increasingly trusting Websites with everything from their photos to their 'friends lists' to their calendar -- and sometimes even their medical information. TOSBack will help consumers flag changes in the Websites they use every day and trust with their personal information."

    ToS Tracker
    EFF launches TOSBack

  • Art. 29 Working Party Opinion on SNS
    According to the latest press release, the Art. 29 Working Party has issued an opinion (pdf) on social networking sites ("SNS") . In particular, it addresses how the SNS can meet its data protection obligations by considering who is the data controller (SNS providers; application providers; users are exempt under Art. 3.2 Data Protection Directive, but leaves the possibility that they could have data controller responsibilities); information to be provided by SNS; third party access and whether retention of data under a SNS. In sum, the Art. 29 Working Party provides:
    Applicability of EC Directives

    1. The Data Protection Directive generally applies to the processing of personal data by SNS, even when their headquarters are outside of the EEA.
    2. SNS providers are considered data controllers under the Data Protection Directive.
    3. Application providers might be considered data controllers under the Data Protection Directive.
    4. Users are considered data subjects vis-à-vis the processing of their data by SNS.
    5. Processing of personal data by users in most cases falls within the household exemption. There are instances where the activities of a user are not covered by this exemption.
    6. SNS fall outside of the scope of the definition of electronic communication service and therefore the Data Retention Directive does not apply to SNS.

    Obligations of SNS
    7. SNS should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data.
    8. SNS should offer privacy-friendly default settings.
    9. SNS should provide information and adequate warning to users about privacy risks when they upload data onto the SNS.
    11. Users should be advised by SNS that pictures or information about other individuals should only be uploaded with the individual's consent.
    12. At a minimum, the homepage of SNS should contain a link to a complaint facility, covering data protection issues, for both members and non-members.
    13. Marketing activity must comply with the rules laid down in the Data Protection and ePrivacy Directives.
    Art. 29 Working Party Opinion (pdf)
  • Rand Report
    With the Rand Report finally published, some observations on a few points:


    1) Common interpretations of certain provisions of the [Data Protection] Directive (charter for effective interpretation) were needed to ensure that it functions optimally in the future. In particular, reference was also made to the Swedish model, which established a set of regulations using a risk-based approach (misuse-orientated approach) without undermining the Directive. According to the report, the "Swedish regulator was convinced that such a route remains legally acceptable without violating the current provisions of the Directive". The report further commends the Swedish model, by recommending that the Charter should encourage the use of a risk-based approach to the application of the rules, focusing on acts of data processing where harm can reasonably be expected [read Seipel's commentary on Swedish developments in Nordic Data Protection Law and short commentary here]

    2) Recommendation 2: improving the effectiveness of the Adequacy rule and facilitating the use of alternatives to the adequacy rule (it is all about "contracts" to enable the transfer of personal information from one organisation to another in a non-EEA country) [Only criticism is that this should not impact on everyday processing such as the internet (uploading of files containing peripheral personal information such as a news report, book or article should not be brought within Art. 25); even if the interpretation should be stretched, then the exemptions under Art. 26 ought to be embraced]

    3) Develop more suitable privacy policies: in particular, reference is made to encouraging clearer guidelines for data controllers on communicating their policies to data subjects, with reference to the Creative Commons model of intellectual property right licences. In a Creative Commons model, certain standard types of licences are developed which can be communicated to end users through short, easy to understand descriptions (e.g. "attribution", "non-commercial", "no derivative works", ...). A comparable approach could be adopted with regard to privacy policies, by providing summary notices based on such standardised descriptions. These should be relatively easy for interested consumers to understand [on this note, any privacy policies ought to complement the existing Data Protection Directive and national Data Protection Acts 1998 - for those unfamiliar with a Privacy Commons model, a short commentary]

    4) The Chief Privacy Officer role may be identified as an alternative to a privacy policy, there mainly to provide for accountability within an organisation. Regulations should be designed that would make Chief Privacy Officers personally responsible and/or criminally liable for willingly engaging in risky, unscrupulous or irresponsible behaviour by their organisations regarding the use of personal data. This would be comparable to the model of the Chief Privacy Officer in certain organisations in the US, which hold real decision making and enforcing power and are highly respected both within their organisations and by regulators and DPAs [on this recommendation, whilst making CPOs accountable, yet verging onto "criminally liable" is one which would be considered too onerous a measure and would likely inhibit "would be" Privacy Officers (data protection officers in the UK). Furthermore, the level of responsibilities by Privacy Officers in an organisation may be varied and it is unclear whether they would be considered to be solely responsible only for the oversight of privacy rules. In other words, CEOs, Directors may also play a role].
    See also commentary from: Out-law, H&W
  • Book Review
    Whilst ploughing through Privacy Advocates (and marking to complete), particularly on the role of the Privacy Consultant (in the UK, data protection/privacy officers), came across this sage advice: "The role of academics within the privacy advocacy community raises larger questions about the responsibility of intellectuals within the society. Should academic work be driven by the pressing social problems of the day?... Here is Stanley Fish's advice... 'Do your job; don't try to do someone else's job, as you are unlikely to be qualified... don't confuse your academic obligations with the obligation to save the world; and don't surrender your academic obligations to the agenda of a non-academic constituency... don't cross the boundary between academic work and partisan advocacy, whether the advocacy is yours or someone else's... The job of the academic is not to change the world, as Karl Marx said, but to interpret it.'"
    Thought provoking analysis for privacy researchers!
  • Data Protection Developments
    The ICO has recently published its press release entitled: Data Protection in the EU: promising themes for reform:

    The Review of the EU Directive prepared for my Office by RAND Europe has been presented to participants at this conference as a draft. The presentation by Neil Robinson and Hans Graux has highlighted their main findings and short and long-term recommendations. Peter Hustinx has added some very perceptive and important observations. We plan to publish the final version of the RAND Report in May, shortly before the conference which has been convened by Commissioner Jacques Barrot. We have always been clear that the RAND study is intended to provide food for thought and to stimulate debate. It is not a blueprint for reform, still less does it contain the draft of a new Directive. We are equally clear that any reform will take many years, but the debate must start somewhere. That debate has started here in Edinburgh today. As the draft Edinburgh Declaration which will be discussed tomorrow makes clear, the fundamental role for Commissioners in this debate is that of Leadership.

    The press release goes into detail over the strengths of the DPD including:

    • The Directive is comprehensive, broadly-drafted and sets out a basic framework of protection, drawing on OECD and Council of Europe approaches.
    • It sets standards which are widely seen as "High" and has a strong Human Rights resonance, with sharp focus on fundamental rights and freedoms.
    • It has given people important and usable access and other rights.
    • The basic Data Protection Principles have stood the test of time well and are flexible in their drafting and application.
    • The Directive seeks to be largely neutral in terms of technology.
    • The Directive can claim significant success in harmonising DP rules and promoting an internal market across the European Union.

    The press release also identifies the following:

    There must be more emphasis on the benefits of maximum and genuine transparency, for example:

    • Privacy by Design and the use of published Privacy Impact Assessments.
    • There is much more scope to encourage and require organisations to adopt Privacy Policies, make them easily available and, of course, hold them to account for fulfilment.
    • There is more scope for trust marks, accountability agents and 3rd party certification.
    • More controversially, perhaps, we can envisage greater use of self-certification.
    • And we must improve the use and content of Privacy Notices, getting the right information to the right people in the right language at the right time.

    More details can be found in their press release (pdf).

    Update: The full report is now available including its recommendations with commentaries from Out-law and H&W.



  • Phorm saga
    According to a press release from Out-Law News, in the latest on the Phorm saga, the European Commission has issued proceedings against the UK over its implementation of the European Union Directives:
    UK laws protecting the privacy of people's communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives.

    The Commission's investigation was sparked by outrage over trials by BT of a system which monitors web use and tries to match advertising to people's perceived interests. The trials were done without BT customers' knowledge or permission. The Commission has investigated complaints made to it and to police and has found the UK's laws inadequate in protecting the privacy of communications. "The Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications," said a Commission statement. BT used technology made and promoted by Phorm to track users' online activity. It has since run trials in which it did ask users' permission. The Commission said that BT's trials have been the subject of complaints to privacy regulator the Information Commissioner's Office (ICO) and to police. The Commission believes that UK laws do not properly implement two Directives aimed at protecting privacy, the Privacy and Electronic Communications Directive and the Data Protection Directive.

    Update: Commentary from Open Rights.org

  • Reading list
    Having been slightly disorganised over the last week, and with plenty of reading to do over the Easter, including a recommended book by Clay Shirky titled "Here comes everybody" this post will diverge from discussion over data protection developments.
    Short excerpt of the book:

    Welcome to the new future of involvement. Forming groups is easier than it's ever been: unpaid volunteers can build an encyclopaedia together in their spare time, mistreated customers can join forces to get their revenge on airlines and high street banks, and one man with a laptop can raise an army to help recover a stolen phone. The results of this new world of easy collaboration can be both good (young people defying an oppressive government with a guerrilla ice-cream eating protest) and bad (girls sharing advice for staying dangerously skinny) but it's here and, as Clay Shirky shows, it's affecting, well, everybody. For the first time, we have the tools to make group action truly a reality. And they're going to change our whole world.

    As for forthcoming conferences that researchers ought to go to, these include (not exhaustive):

    BILETA
    Privacy Laws and Business, 22nd Annual International Conference, 6-8 July 2009
    5th Annual Freedom of Information Conference, 12-13th May 2009
  • Google Streetview
    According to the latest UK ICO press release on Google Streetview:


    Google's Street View includes a facility which allows vehicle registration marks and faces to be blurred. Individuals who feel that an image does identify them (and are unhappy with this) should contact Google direct to get the image removed. Individuals who have raised concerns with Google about their image being included - and who do not think they have received a satisfactory response - can complain to the [UK] ICO. See also: BBC Press clip: Call to "shut down" Street View, 24 March 2009

    Art. 29 Working Party's Opinion on Personal Data
  • 2nd Privacy OS Conference
    The 2nd Privacy OS Conference will be held in Berlin, 1-3 April 2009. More details of the Conference can be found here. A brief background of PrivacyOS:

    About PrivacyOS

    PrivacyOS is a European project aimed at bringing together industry, SMEs, government, academia and civil society to foster development of privacy infrastructures for Europe and is coordinated by the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), which is also the office of the Privacy Commissioner of the German State of Schleswig-Holstein. The general objectives of PrivacyOS are to create a long-term collaboration in the thematic network and establish collective interfaces with other EU projects. Participants exchange research and best practices, as well as develop strategies and joint projects following four core policy goals: awareness-raising, enabling privacy on the Web, fostering privacy-friendly Identity Management, and stipulating research.

    Further information can be found at http://www.privacyos.eu/.
  • Phorm and Websites
    In the latest saga on Phorm and websites, according to Beeb:

    "Seven of the UK's biggest web firms have been urged to opt out of a controversial ad-serving system. Phorm - aka Webwise - profiles users' browsing habits and serves up adverts based on which sites they visit. In an open letter, the Open Rights Group (ORG) has asked the firms to block Phorm's attempts to profile their sites, to thwart the profiling system. Before now, Phorm has defended its technology saying that it does not break data interception laws. Chief privacy officers at Microsoft, Google/Youtube, Facebook, AOL/Bebo, Yahoo, Amazon and Ebay have been sent copies of the letter signed by the digital rights campaign group and anti-Phorm campaigners."
    Open Rights Group has more on this.
    BBC: Big websites urged to avoid Phorm
  • Art. 29 Working Party Opinion on E-Privacy Directive
    According to SCL, the Art. 29 Working Party has issued its third opinion on proposals amending the Directive on Privacy and Electronic Communications 2002/58/EC. More from SCL: In a further official Opinion on the e-Privacy Directive, dated 10 February and now available online, the Article 29 Working Party has emphasised some of its concerns about the impending e-Privacy Directive. While much of the Opinion retreads old ground, the tone of the comments on the data breach notification aspects of the Directive is arresting.

    The Working Party believes that: "an extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens. Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm."

    Art. 29 Working Party on Proposals amending the Directive on Privacy and Electronic Communications 2002/58/EC (pdf)

    Bruce Schneier's view on personal data breach notification laws

    UPDATE: In a further development of proposed data breach notification laws, according to Out-law, the Council of Ministers have rejected plans to expand the scope of the European Union security breach law beyond telecoms companies. More from Out-Law.


  • Surveillance Report
    The House of Lords Constitution Committee has recently published a report discussing the expansion of 'surveillance society', reiterating the warning that the right to privacy is being undermined by pervasive and routine electronic surveillance and collection of personal data:

    The report makes over forty recommendations, including statutory regulation of the use of CCTV cameras, a clear legislative framework for the DNA database, a review of the provisions of the Regulation of Investigatory Powers Act, and amendments to the Data Protection Act to provide for 'privacy impact assessments' before any new surveillance regime is introduced. A complaints procedure for breaches of Article 8 should be established, and "where appropriate", legal aid should be made available for Article 8 claims. Compensation should be paid to the victims of "unlawful surveillance" by public authorities. The report also endorses tighter controls within government and a new joint parliamentary committee on surveillance and data powers, to which the Information Commission, whose powers should be strengthened, could report.

    Source: 5RB

    Open Rights Group considers this in more detail.

    See:

    House of Lords Constitution Committee Report
  • DS Breaches
    According to the latest findings, data breaches appear to be becoming a common occurrence:

    The personal information of UK citizens is being lost and stolen at an unprecedented rate, the UK's privacy watchdog said today. Nearly 100 data breaches were reported to the Information Commissioner's Office (ICO) in the last three months alone, with millions of bank details, addresses, emails, private health information and employee salary statements lost or stolen in 2008. Data breaches jumped by 36 per cent last year, the ICO said. Personal information is now lost - on average - more than once a day.

    In June, Virgin Media lost a CD containing private information on more than 3,000 customers while a hospital in Wembley recently had two computers stolen which contained the unencrypted details on 400 patients. Richard Thomas, the Information Commissioner, said it was "unacceptable" that private companies - responsible for 112 of the 376 data breaches last year - could not be investigated by the ICO without their permission.

    Source: The Times, 8 Feb. 2009
    Ensuring technical security standards by organisations is covered under the 7th data protection principle within the UK Data Protection Act 1998. Getting a privacy audit (or a privacy impact assessment test) of the organisation's technical security procedures would be a starting point. More details can be found on the ICO website.

Please note: Blogs contain items that are the responsibility of the author and are presented "as is" with no endorsement from, nor editing by, nor approval from complianceandprivacy.com. The copyright owner for the blog items is that of the originator of the item. Each blog item is reproduced from the relevant feed from the originating blog, either in full or in part as that feed itself determines. All blog item header links lead directly to those items on the original blog. Blogs are dynamic. We offer them in good faith, but, where the content is outside our control we cannot be responsible for their errors, omissions or other conduct. Some of the links on this page remain on this site, others go to other sites; that is the nature of a blog. When you leave this site you are encouraged to be aware of the privacy policy of the new site before leaving personal data there.