Data Protection News Update 07 May 2024

United Kingdom

Information Commissioner: Persistent sensitive information breaches failing people living with HIV

  • Information Commissioner John Edwards has condemned data protection standards at health services for people living with HIV and has called for urgent improvements.
  • The ICO has fined the Central Young Men’s Christian Association (the Central YMCA) of London £7,500 for a data breach in which emails intended for people on an HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients.
  • This resulted in 166 people being identifiable or potentially identifiable.
  • The ICO is calling for better staff training, appropriate technical procedures, and prompt reporting from HIV services.

OnlyFans faces UK investigation into age-verification measures

  • Britain’s media regulator, Ofcom, has opened an investigation into whether adults-only website OnlyFans is doing enough to prevent children from accessing the content on its platform.
  • Ofcom states there are “grounds to suspect the platform did not implement its age-verification measures in such a way as to sufficiently protect under-18s from pornographic material.”
  • Ofcom is also investigating whether OnlyFans failed to comply with its duties to provide complete and accurate information in response to statutory requests.
  • Ofcom gained new powers when Britain’s Online Safety Act came into law last year, requiring social media companies to stop children accessing harmful content online.

United States

UnitedHealth CEO tells lawmakers the company paid hackers a $22 million ransom

  • UnitedHealth Group CEO Andrew Witty confirmed that the company paid a $22 million ransom to hackers who breached its subsidiary, Change Healthcare, which caused widespread fallout across the health care sector.
  • The company states that it paid the ransom to try to protect patient data.
  • Witty stated that cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication, which requires users to verify their identity in at least two ways. UnitedHealth now has MFA in place across all external-facing systems.


Court hands Kivimäki 6-year prison sentence in historic hacking case

  • Finland’s District Court of Western Uusimaa sentenced hacker Aleksanteri Kivimäki to six years in prison for a cyberattack that stole the data of 33,000 Vastaamo therapy patients.
  • Kivimäki was also charged with aggravated blackmail after he threatened to “spread sensitive patient data on the dark web” if the company did not pay him 370,000 euros in Bitcoin.
  • In deciding the prison sentence, the court said it considered the seriousness of the crimes, the manner in which they were committed, and the individual’s own reckless attitude.

EU-Japan: the Council approves a protocol to facilitate free flow of data

  • The Council of the European Union adopted a protocol allowing for free data flows between the EU and Japan as part of an economic partnership agreement.
  • The protocol will provide greater legal certainty, ensuring that data flows between the EU and Japan are not hampered by unjustified data localisation measures and that both sides benefit from the free flow of data in accordance with the EU’s and Japan’s rules on data protection and the digital economy.


Shanghai hotels stop scanning faces at check-in; should boost inbound tourism, insiders say

  • Many hotels in Shanghai no longer require visitors who have valid identity documents to have their faces scanned when checking in after the city ended the requirement earlier this month.
  • Hotels, B&Bs, leisure centres and theme parks in almost all of China’s cities have facial recognition scanners, which not only hike costs and reduce efficiency but also lead to complaints from tourists, said Dai Bin, head of the China Tourism Academy.
  • Senior economist Zhao Huanyan emphasises that many foreign visitors are not used to facial scanning and that, although the practice might have made sense during the height of the COVID-19 pandemic, collecting unnecessary personal information only serves to irk tourists.

DIA proposes cutting eight roles relating to information security, union says

  • The New Zealand Department of Internal Affairs (DIA) has proposed cutting privacy and information security positions to reduce government spending.
  • Duane Leo, National Secretary of the union (PSA), said that the positions the DIA aims to end are essential to keeping citizens’ information safe, and that “as the risks from cybersecurity grow, as more of us engage with public services online and as the dangers posed by AI become better understood, the government should be investing more in these areas, not less.”
  • The Government Chief Privacy Officer’s (GCPO) job was to provide “a whole of government approach” to privacy, ensuring the public service collected and managed personal information securely and lawfully.

