DPAS Data Protection Bulletin – December 23 2024

Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

Why was Meta fined by the DPC? What bias has been found in benefits fraud detection? And what new AI cameras have been introduced to roads in Britain?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Guernsey Revenue Service reprimanded for personal data breach

An investigation by the Office of the Data Protection Authority (ODPA) has confirmed that Guernsey’s Revenue Service mistakenly sent personal data to an incorrect email address due to a failure to follow policy.

The Revenue Service has a policy that stipulates emails containing personal information (in this case, of those who owed money to the Committee for Health and Social Care) should be sent via a “specialised secure platform”. Though the organisation has now, according to the ODPA, implemented “robust measures” to ensure that this is carried out in future, the Revenue Service has been issued with a reprimand for this error.

Read more about this here.

OBSCC calls for reevaluation of role in annual report

Former biometrics commissioner Tony Eastaugh compiled the annual report from the Office of the Biometrics and Surveillance Camera Commissioner (OBSCC) prior to his August departure. In it, Eastaugh urges the government to reevaluate the commissioner’s role and provide it with adequate resources and staffing.

Areas where the commissioner found reevaluation to be necessary include the OBSCC’s part in developing regulations for modern technologies such as artificial intelligence (AI) and biometrics like facial recognition – particularly in law enforcement. The commissioner states that there are “many options that could work”, and that he looks forward to “seeing what those structures will look like in the near future.”

Read more about this here.

John Edwards gives statement on two-year public sector approach

UK Information Commissioner John Edwards has written a statement about the two-year trial period of the public sector approach that the ICO has undertaken.

The aim of the trial was to work more proactively with senior leaders in public authorities, and to ensure that the ICO was “part of the conversations early on, instead of being on the outside looking in”. Also part of this trial was the idea that fines would be issued less liberally in favour of enforcement notices, reprimands, and warnings, so that victims of data breaches were not “being punished twice in the form of reduced budgets for vital public services”. Edwards adds that the published review of this trial demonstrates “some notable achievements, areas with more to do, unexpected challenges and unintended consequences.”

Read more about this here.

Bias found in AI used to detect benefits fraud

The Guardian has recently revealed that the AI system used in the UK to detect welfare fraud contains significant bias that may make it more likely to recommend subjects for investigation depending on their age, disability, marital status or nationality.

Documents released by the Department of Welfare and Pensions (DWP) under the Freedom of Information Act ultimately revealed this bias. This followed claims from the DWP that the AI system (which attempts to cut an estimated £8 billion of annual loss to fraud and error) “does not present any immediate concerns of discrimination, unfair treatment or detrimental impact on customers” and that its use is “reasonable and proportionate”. This discovery has created concern among campaigners that the government operates under a “hurt first, fix later” policy.

Read more about this here.

Court of Appeal dismisses appeal against ICO’s MPN

An appeal against a monetary penalty notice (MPN) issued by the ICO to Doorstep Dispensaree in December 2019 was rejected by the Court of Appeal early this month, following a hearing that took place on 21st November 2024.

The MPN was originally issued when Doorstep Dispensaree (an organisation that provides medicine to care homes) was reported by the Medicines and Healthcare Products Agency for seizing “unlocked crates of sensitive personal information stored in publicly accessible premises”. Following an appeal to the First Tier Tribunal, this fine was reduced to £92,000 when evidence was provided proving the involvement of less data than originally thought. However, this appeal against an Upper Tribunal judgement has been rejected due to the Court finding that “the burden of proof in an appeal lies with the appellant”.

Read more about this here.

EDPB provides clarity on rules for data transfers to third country authorities

In their latest plenary meeting, the European Data Protection Board (EDPB) published new guidelines for Article 48 of the GDPR, namely on the rules behind responding to data transfer requests from third country authorities, and under which conditions organisations can lawfully respond.

This plenary also saw the EDPB approve a new European Data Protection Seal certification for the Brand Compliance certification, which concerns processing activities by controllers or processors.

Read more about this here.

The IAPP explores challenges regarding the GDPR posed by AI hallucinations

In a recent article for the International Association of Privacy Professionals (IAPP), Théodore Christakis – law professor at University Grenoble Alpes – examined the impact of AI hallucinations on data subject rights and data inaccuracies.

Hallucinations (incorrect or inaccurate information that has been invented by an AI program in the absence of the correct data) pose a serious challenge when it comes to adhering to the GDPR’s accuracy principle, while not limiting the abilities and use of innovative technology. Christakis’ article explores this challenge, citing examples of GDPR violations caused by AI hallucinations, and how organisations are addressing these hindrances.

Read more about this here.

Devon and Cornwall Police using AI cameras to detect drunk drivers

As part of the Vision Zero South West road safety partnership, new roadside cameras powered by artificial intelligence are being used to catch drivers under the influence. This is a new experiment being carried out in a joint project between Devon and Cornwall police, and equipment manufacturer Acusensus.

These cameras determine whether drivers have been drinking or taking drugs by using the same technology introduced to detect mobile phone usage to monitor vehicle and driver behaviour. If unexpected behaviour is exhibited by the car, the AI system can detect and flag this, to be picked up and investigated by an intercept team situated further along the road. UK general manager of Acusensus, Geoff Collins, assures that this doesn’t share any information and that people’s lives will be unaffected.

Read more about this here.

Irish Data Protection Commission fines Meta €251 million

On 17th December, Meta was fined a huge €251 million by the Irish Data Protection Commission (DPC) for failing to comply with the EU GDPR following a data breach that began in 2017.

The nature of this breach was a bug in Facebook’s design which allowed unauthorised users to take advantage of a vulnerability in the platform’s code, and view profiles that should not have been visible to them. Information in these profiles included full names, phone numbers, and places of work. While Meta detected and fixed the issue back in September 2018, the tech giant failed to fully document the breach and notify regulatory authorities, according to the DPC, which resulted in an €11 million fine. The remaining €240 million of the €251 million total was due to the nature of the breach, which the DPC deemed a “failure to build in data protection requirements throughout the design”.

Read more about this here.

ICO takes action against four public authorities for FOI failings

The ICO has recently taken regulatory action against four public authorities for various shortcomings under the Freedom of Information Act.

  1. City of London Police: issued with an enforcement notice for an FOI compliance rate of 68% in the 2023/24 financial year, plus failures to respond to FOI requests in a timely manner, creating a significant backlog.
  2. Staffordshire Police: issued a practice recommendation for a backlog of requests, with no plan in place to clear it.
  3. Dorset Police: issued a practice recommendation to ensure transparency about any action taken to improve time taken to respond to FOI requests and complete internal reviews.
  4. Goldsmiths, University of London: issued a practice recommendation for failure to respond to FOI requests in a timely manner, due to more complex requests resulting in a backlog.

Read more about this here.

Motor insurance worker imprisoned for unlawfully accessing personal data

Following a hearing at the Manchester Crown Court in late October, an employee of Markerstudy Insurance Services Limited (MISL) has recently been sentenced to six months in prison for unlawfully accessing personal data on computers.

This was investigated internally due to suspicions being raised about the higher-than-usual number of claims being processed. MISL found that this employee had accessed more than 32,000 insurance policies over the weekend, when he was not working. When the ICO investigated his home, they discovered that the employee had been “sending details of personal data he had accessed by mobile phone to another person”. On top of the prison sentence, the worker received a two-year suspension and was ordered to work 150 hours unpaid.

Read more about this here.

ICO fines two companies a total of £290K for millions of unlawful marketing calls

Two fines have been issued by the ICO, totalling £290,000, to two companies based in Greater Manchester for making millions of nuisance marketing calls.

These two companies had been incessantly calling people, sometimes multiple times a day, despite them being registered with the Telephone Preference Service (TPS). The Oldham-based Money Bubble Ltd had made over 168,000 unsolicited marketing calls, and Bolton-based Breathe Services Ltd (BSL) had made more than 4 million. BSL had even attempted to disguise their identity by spoofing their outbound number, presenting more than 1,000 different numbers on phone calls.

Read more about this here.

ENGAGE, EDUCATE, EMPOWER 2025 – Only a few places remain!

We still have a few places remaining for our free conference, Engage, Educate, Empower, but hurry! Spots are filling fast.

This event, taking place on 6th February at the Paintworks in Bristol, is the perfect opportunity to network with other privacy professionals and listen to talks from a range of industry expert guest speakers. Complete with a workshop from the South West Regional Cyber Crime Unit and a networking dinner available in the evening, this is one you won’t want to miss.

Read more about this conference and book your free ticket here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.
