Monday, 15 May 2017

What can we learn from the recent global ransomware attack?

On Friday 12 May, cybercriminals released the WannaCry virus, with devastating consequences around the world. The virus took control of users’ files and demanded $300 (£230) payments to restore access. Within the first few hours, the UK, France, Spain, Russia and the US had all been affected, with others, including Australia, Sweden and Norway, reporting incidents since that time.

The most recent estimate is that 200,000 machines have been affected in 150 countries. In the UK, the weekend headline centred around 61 NHS organisations that have been disrupted, causing some hospitals to cancel treatments and appointments, and divert ambulances to other sites. Pathology services are said to be the most seriously affected, alongside imaging services, such as MRI and CT scans, and X-rays, which transmit images via computers.

It is reported that:

  • The NHS was relying on the Windows XP operating system, which Microsoft stopped supporting in April 2014.
  • Microsoft was paid £5.5 million to support Windows XP for a further year, but the government decided not to renew that contract after May 2015.

Queries are now being raised about whether the government – in particular, Secretary of State for Health, Jeremy Hunt – made a funding decision that has now exposed NHS systems.

Back in December 2016, the Information Commissioner’s Office (“ICO”) stated, “If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.” Now might be a good time to review the ICO’s guidance about how to prevent and recover from a ransomware attack, which provides some top tips for organisations.

The WannaCry ransomware attack serves to remind organisations generally of the importance of reviewing their systems and processes to ensure that they understand the risks of delaying various kinds of software updates while testing is carried out. Of course, it’s a tricky balance because organisations need to test the updates themselves before releasing them within often complex internal systems that contain many potentially conflicting software programs.

Given how many updates are likely to be popping up all the time, many businesses are simply not clear whether an update should be installed at all. We would recommend that software providers are clearer about when an update is truly necessary so that customers can understand the risk they take by not installing an update. Of course, this assumes that the providers are fully aware of the potential risks in the first place: is it possible for them to be clear in a world filled with so many diverse groups with criminal intent?

If your organisation has been affected by the WannaCry virus or by a ransomware attack generally, there is a strong chance that there may have been a breach of the Data Protection Act 1998. You should consider this and record any outcomes of your investigation on your organisation’s data protection breach register. You will also have to consider whether the breach is reportable to the ICO. Please contact Pritchetts if we can provide you with guidance and support with the investigation and handling of your data security breach.

If you have any questions more generally about the effect of ransomware attacks on the personal data that your organisation holds, or how to assess your information security or information governance systems and processes, please don’t hesitate to contact Pritchetts for advice and support.

Wednesday, 15 March 2017

ICO issues draft guidance on consent under the GDPR

The General Data Protection Regulation (GDPR) is due to come into force in just over a year’s time. The Information Commissioner’s Office (ICO) has recently issued its much-anticipated draft guidance on consent under the GDPR for public consultation, which states, “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data. When consent is used properly, it helps you build trust and enhance your reputation.”

The ICO has made it clear that it cannot give a definitive view on how consent will be handled in the context of direct marketing, because this will be addressed under the upcoming e-Privacy Regulation. It is, however, quite easy to see in which direction the ICO is heading. We expect to see an update on this shortly.

Of course, the concept of consent is not a new one in the world of data protection, but the bar for what constitutes consent is set far higher, and made much clearer, in the GDPR. For example:
  • Organisations cannot bury consents within terms and conditions and privacy policies. The consent request must be identified clearly up front. A consent cannot be a condition of a contract unless it is necessary for the service.
  • Organisations will need users to take an affirmative step to demonstrate their consent. Opt-outs, or having to untick a pre-ticked opt-in box, are clearly not acceptable. In addition, options should be presented with equal prominence, rather than seeking to exploit individuals’ natural tendency to choose the most prominent option.
  • Consent for different forms of processing and different purposes must be separated out. This requirement conflicts with perhaps a more overriding requirement to keep privacy notices intelligible and easily accessible. The ICO accepts this, and suggests that the solution is to look for an alternative legal basis for your processing (such as performance of a contract, legitimate interest or, a public purpose), or accept that you may not be able to ask for all consents in one go.
  • If any third parties rely on consent, they must be named. Common, although by no means advisable, practice is to rely on a vague reference to third parties to which a data controller may pass data. That is categorically not going to work under GDPR if you expect to rely on historic consents. This will have a huge impact on businesses that make their money by passing personal data to as yet unknown (or rapidly changing) third-party marketing companies. It also makes us wonder what will happen to companies when they sell a business that relies on a database that is processed on the basis of consent. Can that purchaser rely on a legal basis other than consent (such as performance of a contract or legitimate interest)? If not, what happens to the value of the personal data within that database as an asset? Due diligence will be key here.
  • With the overriding emphasis on accountability, businesses must be able to evidence consent. Records must be kept to show what consent was given and when, including by reference to the specific consent language, privacy notice and privacy policy that applied at the time when consent was given.
  • Consent must be as easy to withdraw as to give. What this means in practice remains to be seen, but if an individual gave consent by clicking a button, a mirror image route will be the best way to satisfy that. A withdrawal route that enables the data controller to process those withdrawals at a later date won’t suffice. Equally, however, if consent was given by written letter, a written letter route will need to be created – not all individuals have access to email and the Internet.
  • Consent will not be freely given if there is an imbalance in the relationship between the individual and the data controller. Public authorities and employers may find it difficult to rely on consent, and should review their processing to determine whether there is an alternative legal basis.
  • Consent should be seen as an ongoing matter. For example, businesses will need to assess how long a consent is valid. If consent clearly only related to a one-off interaction, is it reasonable to continue processing? In the absence of any other reasonable basis for determining the right period, the ICO has recommended that consents should be refreshed every two years. Your business may need to consider its strategy for conducting these refresh exercises efficiently, not too obtrusively from the individual’s perspective and in a way that minimises impact on the business.

Organisations should review their databases to determine whether the consent provided under the current Data Protection Act (DPA) regime is sufficient under the GDPR. If it is, there is no need to obtain fresh consent. We would be surprised if many databases meet the requirements of the GDPR consent regime. The ICO has provided a useful checklist within its guidance, which should enable you to run a high-level check of your current consents.

As part of any checks, you are encouraged to check for an alternative legal basis to consent that could be more appropriate. Often, businesses plump for consent where an alternative legal approach would have been more appropriate – and that can be what trips you up and causes mistrust from consumers.

For detailed analysis of consent under the DPA and under the GDPR, see our blogs, Obtaining valid consent under the Data Protection Act 1998 and Obtaining valid consent under the GDPR.

If you have any questions about the implications of the GDPR, or the use of consent-based processing, please don’t hesitate to contact Pritchetts for advice and support.