Tuesday, 6 June 2017

Is online campaigning by political parties breaking data protection laws?

As the general election campaigning enters its final week, there is growing concern about the way political parties are using online campaigning to target voters. Questions have been raised about whether parties have been sufficiently transparent when targeting adverts at voters based on data held by social media networks including Facebook.

In an interview on BBC News this week, our Principal, Stephanie Pritchett, homed in on the issue at the heart of the debate: “If you’re collecting information, whether it’s through your social media channels or through party members directly … it comes back to this transparency point: you have to be clear with people where you got the information from and what you’re planning to do with that information.”

Large-scale digital electioneering was first used in the USA in 2008, for Barack Obama’s presidential campaign, and has grown since. For the current general election, the Conservative and Labour parties are understood to be spending £1 million each on their social media campaigns, focusing mainly on Facebook. These campaigns involve using third-party data to carry out profiling, and then targeting individuals by using analytics, which are regarded as relatively privacy-intrusive methods. The onus will be on the political parties to justify their methods and show that they are protecting the rights of the individuals whom they are profiling.

If they are found to be breaking the rules, the political parties and social media networks could face fines of up to £500,000. The Information Commissioner, Elizabeth Denham, has already announced an investigation into the use of data analytics for political purposes, saying, “the level of awareness among the public about how data analytics works, and how their personal data is collected, shared and used through such tools, is low … these tools have a significant potential impact on individuals’ privacy. It is important that there is greater and genuine transparency about the use of such techniques to ensure that people have control over their own data and the law is upheld.”

Update (27 June 2017): A Channel 4 News investigation has since found that the Conservative Party contracted a secret call centre during the election campaign that may have broken data protection and election laws. The investigation claimed that, on the day of the election itself, call centre employees contacted voters in marginal constituencies to promote individual candidates, which may be a breach of electoral law. In response to this, the ICO issued a statement, saying, “The Information Commissioner reminded campaigners from political parties of their obligations around direct marketing at the beginning of the election campaign. Where we find they haven’t followed the law we will act. We will be asking the Conservative Party about the marketing campaigns conducted from this call centre.”

If you have any questions about how data protection laws might affect your organisation, please don’t hesitate to contact Pritchetts for advice and support.

Monday, 15 May 2017

What can we learn from the recent global ransomware attack?

On Friday 12 May, cybercriminals released the WannaCry virus, with devastating consequences around the world. The virus took control of users’ files and demanded $300 (£230) payments to restore access. Within the first few hours, the UK, France, Spain, Russia and the US had all been affected, with others, including Australia, Sweden and Norway, reporting incidents since that time.

The most recent estimate is that 200,000 machines have been affected in 150 countries. In the UK, the weekend headline centred around 61 NHS organisations that have been disrupted, causing some hospitals to cancel treatments and appointments, and divert ambulances to other sites. Pathology services are said to be the most seriously affected, alongside imaging services, such as MRI and CT scans, and X-rays, which transmit images via computers.

It is reported that:

  • The NHS was relying on the Windows XP operating system, which Microsoft stopped supporting in April 2014.
  • Microsoft was paid £5.5 million to support Windows XP for a further year, but the government decided not to renew that contract after May 2015.

Queries are now being raised about whether the government – in particular, Secretary of State for Health, Jeremy Hunt – made a funding decision that has now exposed NHS systems.

Back in December 2016, the Information Commissioner’s Office (“ICO”) stated, “If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.” Now might be a good time to review the ICO’s guidance about how to prevent and recover from a ransomware attack, which provides some top tips for organisations.

The WannaCry ransomware attack serves to remind organisations generally of the importance of reviewing their systems and processes to ensure that they understand the risks of delaying various kinds of software updates while testing is carried out. Of course, it’s a tricky balance because organisations need to test the updates themselves before releasing them within often complex internal systems that contain many potentially conflicting software programs.

Given how many updates are likely to be popping up all the time, many businesses are simply not clear whether an update should be installed at all. We would recommend that software providers are clearer about when an update is truly necessary so that customers can understand the risk they take by not installing an update. Of course, this assumes that the providers are fully aware of the potential risks in the first place: is it possible for them to be clear in a world filled with so many diverse groups with criminal intent?

If your organisation has been affected by the WannaCry virus or by a ransomware attack generally, there is a strong chance that there may have been a breach of the Data Protection Act 1998. You should consider this and record any outcomes of your investigation on your organisation’s data protection breach register. You will also have to consider whether the breach is reportable to the ICO. Please contact Pritchetts if we can provide you with guidance and support with the investigation and handling of your data security breach.

If you have any questions more generally about the effect of ransomware attacks on the personal data that your organisation holds, or how to assess your information security or information governance systems and processes, please don’t hesitate to contact Pritchetts for advice and support.