Memorandum of understanding

A Memorandum of Understanding has been signed between the UK’s ICO and the Office of the Australian Information Commissioner

A Memorandum of Understanding has been signed between the UK’s ICO and the Office of the Australian Information Commissioner (OAIC), to facilitate cooperation and collaboration.

A memorandum of understanding has been signed between the UK’s ICO and the Australian Information Commissioner, because the two bodies have similar functions and duties in their respective countries. Both parties recognise the need for greater cross-border enforcement and cooperation, given the nature of the modern global economy and the rate at which personal data crosses borders. With the signing of the memorandum, the parties have set out the broad principles of their collaboration and the legal framework that governs the exchange of relevant information and intelligence between them.

Overview of the Scope of the Memorandum of Understanding.

The memorandum of understanding signed last month should not be read as an obligation on either party to cooperate with the other. There is no legal requirement to cooperate in circumstances that would breach either party’s own responsibilities. It is simply a way for the two regulators to deepen their existing relationship, in an effort to promote exchange and mutual assistance in enforcing the laws that protect personal information. The intent is to work together by sharing expertise, experience and best practice, cooperating on specific projects and investigations, and sharing information and intelligence to support their individual and collective work. The collaboration is not intended to involve the sharing of personal data. If the parties do wish to share personal data, they will consider compliance with their own data protection laws, which may require entering into a written agreement or arrangement governing that sharing. Under section 132(1) of the DPA 2018, the UK Commissioner may only disclose certain information obtained in the course of her functions where she has lawful authority to do so.

Review of the Memorandum of Understanding.

The UK’s ICO and the OAIC will monitor the operation of the memorandum of understanding and review it every two years. Either party may request a review sooner. Each party has a designated point of contact in case any issues arise in relation to the memorandum. The agreement may only be amended in writing, signed by both parties.

As stated above, the memorandum of understanding between the ICO and the OAIC does not affect the transfer of personal data between the two countries. There is currently no adequacy decision for data transfers to Australia, so one of the appropriate safeguards under Article 46 GDPR must apply, such as Standard Contractual Clauses or Binding Corporate Rules. Organisations should also note that an anti-encryption law, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, was passed in Australia two years ago. It allows Australian authorities to compel providers to build capabilities that give the government access to communications and data, while secrecy obligations prevent the provider from disclosing the existence of such a capability to its users or customers. This sits in direct tension with the GDPR’s requirements of transparency and security of processing, and should be weighed in any transfer risk assessment.

Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


The Coronavirus Pandemic and Data Protection.

The Coronavirus (COVID-19) Pandemic and Data Protection: Guidelines for employers regarding privacy laws during the pandemic.

With recent developments in the global arena, the outbreak of the coronavirus has led to many changes in the workplace. Numerous employees have moved to working from home under the new push for social distancing and self-quarantining. There has been a great deal of concern over who may be infected, who has been exposed to the virus, and who has visited a country with a severe outbreak. The sharing of information has become critical as medical and other professionals recognise the need for disclosure for the sake of public health.

The ICO recently released a statement on data protection during the coronavirus (COVID-19) pandemic, in which it acknowledged that businesses will need to adapt the way they work. While there will be understandable delays where individuals make information rights requests during the pandemic, the ICO cannot extend the statutory timescales. However, the ICO has said it will not penalise organisations that need to prioritise other aspects of their business over their usual compliance and information governance work.

Employee Health and Data Protection.

For the duration of the pandemic, staff should be informed of any cases of the virus within the organisation. Names do not need to be disclosed; however, because businesses have an obligation to ensure the health and safety of their employees, data protection law does allow them to tell staff that there are confirmed cases within the organisation.

It is not necessary to collect large amounts of information on employees’ health, but it is reasonable to ask about their travel history or whether they are presenting symptoms of the virus. Where specific health data does need to be collected, businesses should collect only what is necessary and protect it with appropriate safeguards. In the context of an epidemic, employers and the relevant health authorities do not need consent to process this data where the processing is necessary for reasons of public interest in the area of public health, to protect vital interests, or to comply with another legal obligation.

In a recent statement, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

Where it is not possible to process exclusively anonymous data, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures for the sake of national and public security. Such emergency legislation is permitted only where it constitutes a necessary, appropriate and proportionate measure within a democratic society, given the circumstances. If such measures are introduced, the Member State must apply adequate safeguards, such as granting individuals the right to a judicial remedy.

Communication of Vital Information by Authorities and the GDPR

During the pandemic the government, the NHS and other health professionals may also need to send health messages to the general public by phone, text or email. Such messages are not direct marketing or advertising and are therefore not hindered by data protection law.

Remote workers and Data Protection.

With more people working from home or remotely because of the pandemic, the ICO reminds businesses that the same security measures must be in place for remote workers as for staff in a normal office setting. Employees may use their own computers and other devices; provided those security measures are maintained, data protection law does not prevent employees from working from home.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Contact us today.


EDPB Releases Statement on Privacy Implications of Mergers.

The European Data Protection Board released a statement last month on the privacy implications of mergers.

The European Data Protection Board has expressed concern over the privacy implications of mergers after becoming aware of Google LLC’s intention to acquire Fitbit Inc. The Board’s primary concern is that the deal could put a major technology company in a position to accumulate even more sensitive personal data about people in Europe, posing a high risk to the fundamental rights to privacy and the protection of personal data. The EDPB has said before that the longer-term implications of significant mergers of this kind for consumer rights and data protection must be assessed. In the statement, the EDPB reminds the parties to the proposed merger to assess and mitigate any risks the merger poses to the rights to privacy and data protection before notifying the European Commission of the proposed transaction.

“The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.” The Board will itself consider the implications the merger may have for the protection of personal data in the European Economic Area and, while remaining vigilant on this and similar cases in the future, stands ready to contribute its advice on the proposed merger to the Commission if so requested.

In a 2018 statement on the acquisition of Shazam by Apple, the EDPB warned that increased concentration in digital markets could threaten the level of data protection and freedom enjoyed by digital consumers, and advised that independent data protection authorities may assist in assessing the impact on consumers and society. It added: “This assessment, as well as the identification of conditions or remedies for mitigating negative impacts on privacy and other freedoms, may be separate to and independent from, or integrated into, the analysis carried out by competition authorities during their assessment under competition law.”

When it comes to sharing customers’ data in this context, a merger may be the most suitable route, because it can leave the controlling legal entity unchanged. Any other route would need to be fully transparent and give the affected users a chance to object. Where the controller becomes part of a corporate group, data may be shared within the group subject to a legitimate interests assessment (LIA). That assessment should be carried out case by case, since an LIA will not always pass the proportionality test.

According to Cristina Contero Almagro, Aphaia’s Partner, “the assessment of the data protection requirements and privacy implications of the merger should cover, as one of its main elements, a full evaluation of the security measures that are in place in the other company, not only the current ones, but also those implemented during the previous years. The data breach suffered by Marriott last year is a good example that shows the relevance of properly checking and monitoring the security measures before going ahead with an acquisition or a merger”.

Do you have questions about how a merger or an acquisition may impact data protection in your company? We can help you. Contact us today.


The Reality of the Impersonation Feature on Company Platforms.

Many company platforms and apps include an impersonation feature which allows administrative users to access accounts as though they were logged in as the users themselves.

Imagine discovering that, simply by holding an account with a company, you are unknowingly allowing that company’s everyday employees to access your data in exactly the way you would after logging in with your username and password. This is, or has been, the case with many services we all use regularly. “User impersonation” tools are built into the software of many tech companies, including Facebook and Twitter. They let employees access your account as though they had logged in as you, and this can happen without your knowledge: the account holder is typically not notified, and their consent is not required. According to a recent article on OneZero, “…these tools are generally accepted by engineers as common practice and rarely disclosed to users.” The problem is that these tools can be, and have been, misused by employees to access users’ private information and even to track users’ whereabouts.

The Fiasco Surrounding Uber’s “God mode” Impersonation Feature.

In recent years the popular transport company Uber has come under fire for its privacy practices, and in particular for its impersonation feature known as “God mode”, which let employees track the whereabouts of any user. Uber employees were reported to have tracked the movements of all sorts of users, from well-known politicians to their own personal acquaintances. After being taken to task by US lawmakers, the company apologised for the misuse of the feature by some of its executives and stated that its policies had since been updated to prevent a recurrence. Uber is not alone in this kind of privacy breach: Lyft is known to have comparable tools, as are several other companies.

Impersonation Features Form Part of Most Popular Programming Tools.

Impersonation features are far more widespread than a handful of well-known companies. Popular web frameworks such as Ruby on Rails and Laravel have impersonation packages that have been downloaded several million times. The impersonation tools these packages provide do not usually require the user’s permission, nor do they notify the user that their account has been accessed. It is common for developers simply to allow-list users with administrator access, giving them impersonator mode and with it the ability to open any account as though they were logged in as that user.

How Impersonation Features Can Be Made Safer.

Some companies have changed their policies and procedures to make impersonation features safer for customers. Uber, for example, following its legal troubles over the “God mode” feature, now requires employees to request access to an account through its security team. Other companies have chosen to require the user to explicitly invite an administrator before access is granted. From an engineering standpoint, the same controls translate into a grant that is issued by the account owner, bound to one named administrator, time-limited and single-use, with every session written to an audit log and surfaced to the user.
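The following is an added example, written for this page and not taken from Aphaia, Uber or any framework’s impersonation package. It places the naive allow-list pattern described above (any administrator can open any account, silently) next to a hardened version in which the account owner invites one named administrator for a limited time, the grant can be used once, every attempt is recorded in an audit log, and the user is notified. All names, purposes and the role table are constructed for the example.

```python
"""Added example: user-invited, time-limited, audited impersonation versus the
naive admin-only check. Not code from any real platform; all data constructed."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed role table: the "allow-list of administrators" the article describes.
ADMINS = {"alice"}


# --- Naive pattern: any admin may impersonate anyone, with no consent, expiry or log.
def naive_impersonate(admin: str, target_user: str) -> dict:
    """Returns a session as target_user after checking only that the caller is an admin."""
    if admin not in ADMINS:
        raise PermissionError("not an administrator")
    return {"acting_as": target_user, "by": admin}


# --- Hardened pattern ------------------------------------------------------------
@dataclass
class Grant:
    token: str
    user: str          # account owner who issued the invitation
    admin: str         # the single administrator allowed to redeem it
    purpose: str       # reason recorded for the audit log and shown to the user
    expires_at: float  # absolute expiry time (seconds since the epoch)
    used: bool = False


class ImpersonationService:
    """Holds grants, sessions, the audit trail and user notifications in memory."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock, so expiry is testable
        self._grants: dict[str, Grant] = {}
        self.audit_log: list[dict] = []
        self.notifications: list[tuple[str, str]] = []

    def create_grant(self, user: str, admin: str, purpose: str, ttl_seconds: int = 900) -> str:
        """The *user* invites one named administrator for ttl_seconds. Returns the grant token."""
        if admin not in ADMINS:
            raise PermissionError(f"{admin} is not an administrator")
        token = secrets.token_urlsafe(32)    # unguessable, single-use handle
        self._grants[token] = Grant(token, user, admin, purpose, self.now() + ttl_seconds)
        self._log("grant_created", user=user, admin=admin, purpose=purpose)
        return token

    def start_session(self, admin: str, token: str) -> dict:
        """Redeems a grant. Every denial is logged; a successful start notifies the user."""
        grant = self._grants.get(token)
        if grant is None:
            self._deny(admin, "unknown token")
        if grant.admin != admin:
            self._deny(admin, "token was issued to a different administrator", user=grant.user)
        if grant.used:
            self._deny(admin, "token already used", user=grant.user)
        if self.now() > grant.expires_at:
            self._deny(admin, "token expired", user=grant.user)
        grant.used = True
        session = {
            "acting_as": grant.user,
            "by": admin,
            "purpose": grant.purpose,
            "expires_at": grant.expires_at,   # session ends when the grant would have
            "read_only": True,                # viewing "through the user's eyes", not acting
        }
        self._log("session_started", user=grant.user, admin=admin, purpose=grant.purpose)
        self.notifications.append((grant.user, f"{admin} is viewing your account: {grant.purpose}"))
        return session

    def _deny(self, admin: str, reason: str, **fields) -> None:
        self._log("denied", admin=admin, reason=reason, **fields)
        raise PermissionError(reason)

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self.now(), "event": event, **fields})


if __name__ == "__main__":
    svc = ImpersonationService()
    tok = svc.create_grant("bob", "alice", "reproduce profile-page bug", ttl_seconds=60)
    print(svc.start_session("alice", tok))
    try:
        svc.start_session("alice", tok)     # second use is refused and logged
    except PermissionError as e:
        print("denied:", e)
    for entry in svc.audit_log:
        print(entry)
```

The hardened service still trusts the `ADMINS` table to decide who may be invited; what changes is that the user, not the administrator, initiates access, that each token is bound to one administrator and one window of time, and that the audit log records refusals as well as successes, which is what an investigator needs after the fact.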

According to Dr Bostjan Makarovic, Aphaia’s Managing Partner, “Whereas there may be legitimate reasons to view a profile through the eyes of the user to whom it belongs, such as further app development and bug repair, GDPR requires that such interests are not overridden by the individual’s privacy interests. This can only be ensured by means of an assessment that is carried out prior to such operations.”

Does your company use impersonation features and want to be sure you are operating within GDPR requirements? We can help you. Contact us today.