Concerns raised about privacy, GDPR as Lords peer over Data Protection Bill Fears over privacy and the application of GDPR, concern over lax rules for spies, and the omission of regulation on fake news, were just some of the issues raised at the second reading of the UK Data Protection House Bill in the House of Lords. The bill is intended to overhaul data protection laws in Blighty for the digital …
So you have the right to be forgotten and an actual prison sentence if you forget someone who did not want to be forgotten.
It goes against data backups if you have to delete people from backups.
No wonder these people who read bills for a living are confused. What chance do we have?
I read a bill recently but apparently it means nothing since it's trumped by another bill. I suppose that's why you go to court, to see which bill wins.
"You must delete personal data if you are no longer using it. You must not delete personal data if the subject will ever want to access it."
So I can't delete the data I'm no longer using in case the subject in the future wants to raise a Subject Access Request to see the data that was being held on them.
All seems a bit rushed and poorly written to me
"So I can't delete the data I'm no longer using in case the subject in the future wants to raise a Subject Access Request to see the data that was being held on them."
It's not particularly difficult:
- You only collect what you need.
- You delete it when it becomes irrelevant.
- If someone demands to see what you hold about them you don't then delete it so you can say you don't have anything but if it was deleted as routine prior to the request then you're no longer holding it.
- If there's a demand to delete anything data you have to hold by law or still relevant to an ongoing transaction is exempt.
- You only delete what's feasible: you don't have to delete what's on the backup tapes but on a practical level you'll have to think about keep a copy of the deletion requests since the backup was taken so that you can re-delete it if the backup has to be restored.
"but on a practical level you'll have to think about keep a copy of the deletion requests since the backup was taken so that you can re-delete it if the backup has to be restored."
This is perhaps one area I've struggled to solve yet practically. Lets say I hold data on a subject that is being retained legally, and does not need to be retained by law. A subject can invoke his right to be forgotten and ask that this data is deleted which of course I do. Now, is it legal to keep a copy of the "forget-me" request, considering that the subject has lawfully been asked to be forgotten. I.e. you've forgotten him for one set of data, but created a new set. Admittedly it's a smaller set of data. I can see the following responses to a subject request.
a) Show me your data on me.
b) We have no data on you, sorry.
or
a) Show me your data on me.
b) All data on you was deleted at your request on the dd/mm/yy
The GDPR does make an exemptions for data being held that is subject to a contract (i.e. car lease agreement) or anything involved in litigation or expected litigation. In these instances there is a lawful reason why you do not delete the data ("dear car lease company, please delete all my data from your lease database" or "dear lawyer, please delete all data from your database you intend to produce in court against me"). So I often wonder if the deletion requests could be argued to fall under this exemption, in that you mayd need to prove in court that data was deleted by subject request and not maliciously against policy. More legal minds than mine will have to answer that question.
The problems are in interpretation - what claim needs to be made that it is relevant for you not to delete it for example ?
As an example I used to use paypal - they have all my details, credit card, bank details, etc.
When I'd had enough of their complete disregard for any oversight process, and realised I did not want anything further to do with them as I did not trust them (as a US company AND as paypal) to look after that personal data, I asked for my account to be closed.
At this point they said 'sure - just give us a full copy of your driving licence and password so we can 'identify you'.
Now they were quite happy I was 'me' up to this point - debiting my CC when I make purchases, sending me shite spam, screwing me over as a seller, etc...
And as the whole point is that I don't trust them as far as I can spit, I was damned it I was going to give them copies of 2 important documents - probably the 2 most important ones I own, neither of which they have any right to view AT ALL.
So they refused to close my account. On talking to the Financial Ombudsman I was told 'tough - we can do nothing'.
That was 2 years ago - and still they won't close my account and remove my data.
So - will GDPR force them to do so ? I'd like to think so, but I don't see how it will. They can still claim either:
- prove who you are by giving us even more personal info that we have no legal right to whatsoever then trust we'll delete it after cause like we have a great track record for that....
- claim it's still 'relevant' for some shite reason or other they make up.
So frankly I won't be holding my breath on anything changing AT ALL with GDPR with big foreign (usually US) based companies/wankers like PayPal.
"you don't have to delete what's on the backup tapes but on a practical level you'll have to think about keep a copy of the deletion requests since the backup was taken so that you can re-delete it if the backup has to be restored."
Yeah, right, that will never go wrong.
"You must delete personal data if you are no longer using it. You must not delete personal data if the subject will ever want to access it."
Basically a organisation must have a clear and published process for the deletion and retention of data that is agreed upon by the subject at contract*. If their policy states that after 12 months they delete the data, and they do so, then the subject who agreed to that policy at contract will have no redress if 24 months later they want to access data that was deleted as per policy. Where things get messy is if an organisation has no defined policy, then responds to access requests with "This was deleted last week, sorry", or an organisation changes the retention period without notice.
*subject to mandatory exemptions and obligations such as personal data held for taxation purposes which must be retained for 7 years, and is exempt from deletion requests by the subject but available upon request.
Also for VAT processing records must be retained for 10 years. A tax authority of any EU member state can request transaction details of any sales in that time frame. Those details must include the two non-conflicting pieces of evidence used to justify the rate of VAT applied to each sale. One is the person's billing address. For on-line sales another can be there IP address. These pieces of evidence cannot be deleted if a business is to comply with the EU VAT Directive (2005).
This post has been deleted by its author
The ICO is still struggling to understand the DPA, never mind the GDPR. I had to get my MP to ask a question in Parliament about the DPA because the ICO couldn't give me a straight answer. And my MP has just asked them a load of questions on my behalf and they can't answer those either. They're hopeless so how does anyone expect us to understand it?
I had some questions for the ICO as I was updating our data protection & privacy training and I had to confirm a few (not difficult) legal points about data that falls outside the scope of the DPA. Our training makes sure that our customers' data is held in compliance with both the DPA and also to a further extent of full regard to general customer privacy (which isn't covered by the DPA).
I got a callback from an ICO officer and spent 30 minutes talking to him with me having to explain the reason and coverage of the DPA to him. He was extremely condescending with nearly every answer being " well if it was your data what would you want to happen?" - I was asking for specific legislation not a moral question. He had no clue about PCI and the requirements of it (not expecting him to be an expert but I would think he would've heard about it)
At the end of the call after I had gone through endless hair pulling moments I just said "so there is no law against it then" (which had been my assumption) and he said "No, I don't think so". Great, goodbye.
"it will make re-identification of de-identified personal data unlawful"
If you can reidentify it then it wasn't de-identified (whatever that means).
Even ignoring that I suggest that we at least need an exception for research/security analysis - else you can't tell if you have actually anonymised the data.
"it will make re-identification of de-identified personal data unlawful"
In public health and pharma, data is often used to identify trends and analyse things such as reactions to medication or likelihood of serious reactions. In most cases, this data is pseudonomised so a key is used instead of identifiable information. However that seems to be allowed... ( https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en )
This enables Member States to extend by law the circumstances
where sensitive data may be processed in the public interest.
9(2)(h) – Necessary for the purposes of preventative or
occupational medicine, for assessing the working capacity of
the employee, medical diagnosis, the provision of health or
social care or treatment or management of health or social
care systems and services on the basis of Union or Member
State law or a contract with a health professional
AND
9(2)(i) - Necessary for reasons of public interest in the area
of public health, such as protecting against serious crossborder
threats to health or ensuring high standards of
healthcare and of medicinal products or medical devices
Yeah, as in "send everything to the NSA".
As for the rest, I can't help of thinking about this particular episode of Yes Minister.
"I still think the offence should be not properly de-identifying the data rather than taking advantage of that fact or atleast there should be an intent to cause harm requirement"
Let's say I have a record of things bought from me. I have a record that you bought a yellow-spotted whatsit, your address and paid from an account at Grip and Holdfast Bank. I delete all the names and addresses except for the post codes. I've deidentified the record of your purchase. By having the post code and bank details I can still verify a warranty claim you may make. If I don't retain sufficient for that I might reject any such claim. Short of such a claim I've no longer any idea of who bought what.
Someone else makes a list of people seen in possession of yellow-spotted whatsits and where they were seen. If they then come into possession of my records they could reidentify them by matching up with their own and deduce that you have an account at Grip and Holdfast.
Their reidentifications may not be 100% correct but those which are could be enough to cause trouble.
I've deidentified the record to the best of my ability, bearing in mind any future need I may have. The reidentification is entirely down to the person who matched up two sets of records. What, in your view, have I done wrong?
This post has been deleted by its author
"
Postcodes are PII so you have not fully deidentified anything."
Post codes are not PII, they don't identify an individual and are freely available for download from government websites. If you combine it with other data it could result in what might be considered a PII dataset.
This law is a total mess, even the ico doesn't know what guidance to issue. At best we'll end up with the pii equivalent of the websites must notify about cookies rule. Most likely it'll all be decided in a wide variety of court cases which means legal standpoints will be a total shambles.
It is possible that postcode can uniquely identify an individual. They therefore have to be treated as PII when included in a dataset. You have no idea how many people reside at a given postcode. It may be 1 person, it may be 20 people, it may be 100 people. It may be two people, male and female, but the data it is part of may be specific to that sex, which then identifies the person.
That's about the only sensible thing said, the rest just sounded like people that don't quite understand what it is they are looking at, what exactly they are going to get or how they are going to get it. They don't even know what they already have.
e.g. “protects personal data processed by our intelligence agencies. We live in a time of heightened and unprecedented terrorist threat… The intelligence services already comply with robust data-handling obligations and, under the new Investigatory Powers Act, are subject to careful oversight.”
What oversight? A home secretary signing a piece of paper? What "robust data-handling obligations"? They have been cracking on with this data for years under the 1984 Telecommunications Act and are only updating it now because they got caught.
As I read the article about what they said my mind automatically pictured them all dressed as clowns, no idea why.
The idea of gov't "regulating" news stories to determine veracity? Anyone who dreamed that idiocy up must be alt+left wing or a trans-nationalist socialist.
You're talking government there - many many of them are lying liars who lie - and you want them to be determiners of truth in publishing?
Why is that people have gotten so lazy in their minds that they want the government telling them what to think? While these are wonderful times, they are also 'sort a' sad.
While I agree with not wanting government regulating news stories, has to be a downvote due to your spewing of bullshit such as "alt+left wing or a trans-nationalist socialist." Aren't you late for a rally at Nuremberg or Trump Towers?
Former Employee: "Dear former employer. With reference with my being sacked for starting work late. please provide me with copies of CCTV of the building entrance that shows me entering and leaving the premises on time each day for the past 28 days so that I can produce them at the employment tribunal."
Former employer: "Dear former employee, purely by coincidence our CCTV tapes were accidentally erased 15 minutes after receiving your request, for a period of 8:45am to 9:15 AM each morning for the 28 days in question. We therefore have no evidence to give you."
This is about as simple as it gets. Data is being deleted on purpose, in order to prevent it being requested.
Also covers someone using a subject access request to ask for their personal details and you then quickly remove all the notes on file or emails of customer service saying what a 'pain'* this person or what a stupid name they've got before passing it on.
* or replace with an appropriate expletive
Dear Microsoft,
As your software does not comply with the data protection act, I can no longer rely on it. Please consider this as notification that I wont be renewing next year.
Sincerely,
HMRC
----------------
Dear Linux,
I've seen you about but never really had the nerve to have a conversation with you. I've decided to change partners now, and something exotic and exciting and different looks interesting. Please be gentle.
Sincerely,
HMRC
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
