Data Protection News Update 18 March 2024

United Kingdom

ICO reprimands London Mayor’s Office for Policing and Crime for complaint web form error

  • The London Mayor’s Office has today been reprimanded by the Information Commissioner’s Office (ICO) for a web glitch that potentially revealed the personal information of people who were complaining about the Metropolitan Police Service.
  • The London Mayor’s Office for Policing and Crime (MOPAC) is responsible for the oversight of the Met and had two forms available on its website- one to contact that Victims Commissioner for London and another to raise a complaint.
  • Due to an error by Greater London Authority (GLA), which runs the website, information shared through web forms intended for four members of staff at MOPAC was accidentally made available to the public.
  • Due to the nature of the personal information that was made publicly accessible on the forms, MOPAC notified 394 people that their data had been made available in error.

ICO reprimands Dover Harbour Board and Kent Police over information sharing

  • The Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law.
  • Officers from both organisations used the social media app WhatsApp, and instant-messaging service, Telegram, on their personal phones to share information for the purpose of combatting vehicle crime.
  • At the time of the ICO’s investigation, the Telegram group included 241 officers from multiple UK police forces and international law enforcement agencies.
  • The ICO found that Dover Harbour Board had an inadequate awareness of and compliance with data protection law and a £500,000 fine was considered. They have since provided officers with further data protection training.
  • The ICO concluded that Kent Police had failed to ensure officers were adequately information that the use of personal devices to process data obtained in their official duties was not acceptable. The ICO has recommended the provision of guidance around the use of social media apps.

United States

US health department opens probe into UnitedHealth hack

  • The US Department of Health and Human Services launched an investigation into a cyberattack on UnitedHealth Group that allegedly breached sensitive patient information.
  • Change Healthcare processes about 50% of medical claims in the US for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.
  • Patient information is protected under the Health Insurance Portability and Accountability Act, or HIPAA, and breaches to individual patients under HIPAA must be reported within 60 days of discovery.
  • However, the scale of the cyberattack could make it difficult for UnitedHealth and other business covered by HIPAA to comply with their reporting obligations in this case.
  • Six civil lawsuits have been filed against UnitedHealth’s Change Healthcare that claim the company “failed to safeguard patients’ personal information, putting them at risk of identity theft and privacy violations.


Sweden’s Klarna fined $733,000 over insufficient GDPR information

  • Swedish payments group Klarna must be a fine of 7.5 million crowns for violating the EU’s General Data Protection Regulation (GDPR) by not providing sufficient information to its users, a Swedish court of appeal ruled on Monday.
  • Klarna has failed to give clients sufficient information about it would store their personal data, and this information was unclear or difficult to assess.
  • Klarna has said the case stemmed from an audit by the Swedish Data Protection Authority (SDPA) of the privacy information provided to clients in 2020 and was not related to how the company collects or handles data.

French startup Nijta hopes to protect voice privacy in AI use cases

  • France-based startup Nijta aims to protect biometric data collected through artificial intelligence with voice anonymization technology.
  • The technology helps companies comply with privacy laws by removing biometric data collected through speech.
  • Call centres are a potential customer of Nijta, specifically when dealing with health data. Other use cases include defence scenarios, and education, such as where children’s voices need to be anonymised.
  • An early collaborator was OkyDoky, a project aimed at better handling medical emergency calls. Nijta enabled voices to be anonymised to remove the identity of the speaker and personally identifiable information from the training data.


Airbnb bans all indoor security cameras

  • As part of updating security policies, Airbnb has banned indoor surveillance devices, including cameras and audio recorders in its rental properties listed globally.
  • While the majority of listings do not report having indoor security cameras, Airbnb said the policy change was made in an effort to prioritise the privacy of guests.
  • This policy takes effect on 30th April and will include outdoor cameras in places “where there’s a greater expectation of privacy.”

New Zealanders more concerned than excited by AI – Office of the Privacy Commissioner

  • New Zealand Privacy Commissioner Michael Webster discussed what AI privacy concerns his office is focused on in an interview with Voxy.
  • Research shows that New Zealanders have privacy concerns about the use of AI, especially because it’s seen as unregulated and can be used for malicious purposes, as well as concerns regarding children accessing inappropriate content on the Internet.
  • During the interview, Webster discussed New Zealand’s Privacy Act, which includes detailed guidance to help people understand how to use AI within the law.
  • Webster also shared that the Commissioner’s office sees children’s privacy as a priority area and that they are currently looking at whether children’s privacy protections in New Zealand are fit for purpose.


More Posts

Send Us A Message