English Wikipedia disabled on January 18 in opposition to SOPA/PIPA

Wikipedia articles in the English language are unavailable today, 18 January 2012, in a protest against two proposed pieces of copyright legislation: the Stop Online Piracy Act (SOPA) in the U.S. House of Representatives, and the PROTECT IP Act (PIPA) in the U.S. Senate. Wikipedia argues that this legislation, should it be approved by Congress, will harm the free and open Internet and bring about new tools for censorship of international websites inside the United States.

SOPA has developed out of a conflict over the past 13 years involving the “content industry”, especially Hollywood films and the record labels, and is an attempt to curb the infringement of copyright online. SOPA aims to prevent US citizens from accessing “foreign infringing sites” and downloading copyrighted content coming from overseas. The bill is also supported by the pharmaceutical and medical industries as it tries to prevent the sale of counterfeit drugs from foreign countries to American patients.

Under the proposals, anyone found guilty of streaming copyrighted material without permission from rights owners 10 or more times within six months could incur a prison sentence of up to five years.

A further proposal is that the US government and rights holders would have the right to seek court orders against any site accused of “enabling or facilitating” piracy. This could potentially involve an entire website being closed down because it contains a link to a suspect site.

The bills propose that US-based internet service providers, payment processors and advertisers would be forbidden by law from doing business with alleged copyright infringers. The SOPA proposal would require search engines to remove from their results those sites found to be infringing copyright law. This element is not included in the PIPA provision.

The bills would also prohibit sites from containing information about how to access blocked sites.

The bills originally proposed that internet service providers should block users from being able to access sites which were suspected of infringement – not just those which had been found guilty – using a technique called Domain Name System (DNS) blocking.

There was an immediate and powerful reaction to the bill from leading figures in the Internet industry with ICANN and Google being notable protesters.

As a result, SOPA began to be watered down.

Wikipedia says that in the 72 hours immediately before availability of English language Wikipedia articles was blocked, more than 1800 Wikipedians had discussed proposed actions that the community might wish to take against SOPA and PIPA. This is apparently the largest level of participation in a community discussion ever seen on Wikipedia, which illustrates the level of concern that Wikipedians feel about this proposed legislation. According to a Wikipedia statement, the overwhelming majority of participants support community action to encourage greater public action in response to these two bills. Of the proposals considered by Wikipedians, those that would result in a “blackout” of the English Wikipedia, in concert with similar blackouts on other websites opposed to SOPA and PIPA, received the strongest support.

“Today Wikipedians from around the world have spoken about their opposition to this destructive legislation,” said Jimmy Wales, founder of Wikipedia. “This is an extraordinary action for our community to take – and while we regret having to prevent the world from having access to Wikipedia for even a second, we simply cannot ignore the fact that SOPA and PIPA endanger free speech both in the United States and abroad, and set a frightening precedent of Internet censorship for the world.”

Mr Wales continued: “We urge Wikipedia readers to make your voices heard. If you live in the United States, find your elected representative in Washington (https://www.eff.org/sopacall). If you live outside the United States, contact your State Department, Ministry of Foreign Affairs or similar branch of government. Tell them you oppose SOPA and PIPA, and want the internet to remain open and free.”

The Wikimedia Foundation is the non-profit organization that operates Wikipedia, the free encyclopedia. Wikipedia is claimed to be available in 282 languages and to contain more than 20 million articles contributed by a global volunteer community of more than 100,000 people. Based in San Francisco, California, the Wikimedia Foundation is an audited charity that is funded primarily through donations and grants.

It will be interesting to see whether the actions of Wikipedia, and others, by very effectively pushing the issues to the forefront of many people’s minds (because they cannot access Wikipedia articles for example) will defeat the proposed legislation…

Further information about the Wikimedia Foundation: wikimediafoundation.org and blog.wikimedia.org

You can read more about the issues on the BBC website: www.bbc.co.uk/news/technology-16596577

You can find more specialised analysis by legal experts via the IPKAT site (a weblog that has covered copyright, patent, trade mark, info-tech and privacy/confidentiality issues from a mainly UK and European perspective): www.ipkat.com

US Proposals for Classes of Works to Be Exempted from the Prohibition on Circumvention

The US Copyright Office has received proposals for classes of works to be exempted from the prohibition on circumvention of technological measures that control access to copyrighted works.

This is the first step in the Office’s three-yearly rulemaking under 17 U.S.C. § 1201(a)(1)(C)-(D).

The deadlines for comments are:

  • January 9, 2012 – Due date for responses to any objections filed to the newly designated specialty stations;
  • January 9, 2012 – Due date for responses to any of the MPAA objections;
  • January 16, 2012 – Due date for comments on small copyright claims.

The proposals are set out on the Copyright Office website at www.copyright.gov/1201/2011/initial/

More news stories at http://aslib.com/about/news.htm

Business Information Community of Practice Event

Dear Colleagues

ASLIB, the Association for Information Management, is a membership organization which specializes in information, knowledge and records management. In April 2010 ASLIB was acquired by Emerald Group Publishing Limited.

The ASLIB Communities of Practice network provides invaluable support to members in the pursuit of their professional duties within their organizations, large and small.

ASLIB’s latest Community of Practice is the ASLIB Business Information Group. The aim of the group is to serve information professionals, information intermediaries and business members from academia, corporate and professional backgrounds.

The Group Aims:

  • To provide a community of practice group for ASLIB members concerned with supplying and using Business Information.
  • To promote and share good practice in the searching, retrieval, exploitation and management of Business Information.
  • To provide a forum for networking, discussion and support to professionals with an interest in this area.

Activities

Visits are arranged to a variety of organizations of relevance to Business Information. Visits allow members to meet and network with other people in the profession and learn how information needs are met in a range of different environments.

First Event! Killer business information promotion techniques and how to develop your career

The first meeting for the Business Information Community of Practice will be held at the City Business Library at the Guildhall, London on the 22nd February, 6pm for a 6.30pm start.

The meeting is free and open to the public. Future events will only be for ASLIB members; non-ASLIB members are invited to join BICoP as an affiliate member (prices start at £100.00).

The meeting will include information on the City Business Library services to business, their exemplary promotional activities and outreach to the business community. There will also be a presentation followed by questions on developing your business information career from the Sue Hill Recruitment team.

To book your place, or for further information about the event or the BICoP, email Emmy Rawcliffe: erawcliffe@aslib.com, or call 01274 515663.

Join ASLIB

ASLIB provides its members with access to leading publications in information and knowledge management, networking opportunities and professional development. Membership fees start at £499.00.

Contact and Join Group

If you would like to find out more about our communities of practice, or if you are interested in joining a group, please contact Holly Shukla: hshukla@aslib.com. All ASLIB members are able to join the communities of practice at no additional cost. Non-ASLIB members are invited to join the group as an affiliate member (prices start at £100.00). Visit www.aslib.com for more info.

Best wishes,

Emmy Rawcliffe

ASLIB Marketing and Sales Support Executive

Phone: 01274 515663

Email: erawcliffe@aslib.com

Follow ASLIB on Twitter: https://twitter.com/ASLIB_info

www.aslib.com

www.emeraldinsight.com

Finance department loses unencrypted USB stick at Rochdale Metropolitan Borough Council, UK

Rochdale Metropolitan Borough Council has signed a Data Protection undertaking following the loss of an unencrypted memory device.

The Information Commissioner (the ‘Commissioner’) was provided with a report of the loss of an unencrypted USB memory stick containing personal data relating to several thousands of the data controller’s constituents. The USB stick had been used by an officer in the finance department to collate information required for the data controller’s final accounts for 2010/2011.

Enquiries revealed that much of the information on the USB stick was already available in the public domain. However, the Commissioner’s investigation also found that the data controller had not provided appropriate data protection training to staff, including the officer involved in this incident, and that its policies and procedures were in need of urgent review and updating. It was also discovered that the data controller did not provide staff with encrypted USB sticks, even where it was known that these would be used to process personal data.

The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1, Part I to the Act. To recap, the Data Protection Act says that appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means organizations must have appropriate security to prevent the personal data they hold being accidentally or deliberately compromised. The data controller must exercise judgement about what is appropriate, although if a breach is referred to the Information Commissioner, he and his team will form a view of what is appropriate in the circumstances, and if a case went to a court, it is for the court to decide.

Under the Seventh Data Protection Principle, organizations need to:

  • Design and organize security to fit the nature of the personal data held and the harm that may result from a security breach.
  • Be clear about who in the organization is responsible for ensuring information security.
  • Ensure the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff.
  • Be ready to respond to any breach of security swiftly and effectively.

As is common, the Commissioner will not serve an Enforcement Notice under section 40 of the Act, provided that the data controller undertakes the action set out below.

There is the standard opening condition that the data controller must ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act. Then some requirements which are more specific to this case are set out.

All portable and mobile devices including laptops, USB sticks and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, must be encrypted using encryption software which meets the current standard or equivalent.

The data controller must review and revise its policies and procedures with regard to the storage, processing, transmission and disposal of personal data, and information security by no later than 1 December 2011.

The revised policies and procedures referred to above must be brought to the attention of all staff, who will receive appropriate training to allow them to follow these policies in their day-to-day roles by no later than 31 March 2012.

Compliance with the data controller’s policies on data protection and IT security issues must be appropriately and regularly monitored.

Finally, there is a further standard requirement that the data controller must implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

This is an example of a frequent breach – the loss of an unencrypted USB stick. The lessons are that all mobile devices must be adequately encrypted, there must be a carefully thought through Data Protection policy communicated to all staff involved, and there must be adequate training on Data Protection matters and the relevant policies and procedures.


Computer back-up device lost at nursery school

The Information Commissioner (the ‘Commissioner’) was provided with a report on 5 April 2011, detailing the loss of a backup tape and supporting device at Phoenix Nursery School in Wolverhampton, UK. The backup tape contained details of pupils, parents and guardians as held on the school’s information management system. Neither the device nor the information held on it was encrypted in any way.

The lost tape and supporting device were required to be plugged into the school’s server at all times and rotated weekly with a second backup tape. The second backup tape was locked in the school’s safe when not in use. At the time of the incident the backup tape and supporting device were housed within the school’s office, which is kept locked when not in use.

The data controller noticed the backup device was missing when rotating the backup tape at the end of the week, as per normal procedure. Due to its size, it was at first assumed that the device had been knocked off the server, or that someone had moved it. No other items were missing and there was no sign of forced entry. However, despite numerous searches, both in the office and around the school, the device was not recovered. The school subsequently contacted all parents and guardians affected by the incident to advise them accordingly.

The data held on the device has been recovered in full. However, the Commissioner’s investigation revealed that the technical measures employed by the school, at the time of the incident, were inadequate.

The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act. The Data Protection Act says that appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means organizations must have appropriate security to prevent the personal data they hold being accidentally or deliberately compromised. The data controller must exercise judgement about what is appropriate, although if a breach is referred to the Information Commissioner, he and his team will form a view of what is appropriate in the circumstances, and if a case went to a court, it is for the court to decide.

Under the Seventh Data Protection Principle, organizations need to:

  • Design and organize security to fit the nature of the personal data held and the harm that may result from a security breach.
  • Be clear about who in the organization is responsible for ensuring information security.
  • Ensure the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff.
  • Be ready to respond to any breach of security swiftly and effectively.

A nominal amount of the data lost in this incident consisted of information as to the physical or mental health of the data subjects. Personal data containing such information is defined as “sensitive personal data” under section 2(e) of the Act.

The Commissioner will not serve an Enforcement Notice under section 40 of the Act, provided that the data controller undertakes the actions set out below.

The data controller must ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act.

The data controller must implement encryption of the backup device and/or the information contained on the backup tape.

The backup tape and accompanying device must be securely stored, remote from the server.

A review of current operational processes and procedures with regard to matters of data protection must be completed. Where there is a need to do so, applicable policies and procedures must be implemented or improved accordingly.

All appropriate staff must be made aware of the data controller’s policy and procedure with regard to matters of data protection and be trained in how to comply accordingly.

The data controller must implement any other security measures as it deems appropriate to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction, and/or damage.

This case puts a spotlight on devices which might easily be overlooked – backup devices. The Commissioner’s statements make it clear that backup devices must also be adequately encrypted. Again, a Data Protection audit would reveal this as a vulnerability. Also again, a well thought out data protection policy and adequate training are essential – as set out under Principle Seven of the Data Protection Act.

Gambling worker found guilty of selling 65,000 bingo players’ details

A former gambling industry worker who was accused of unlawfully obtaining and selling personal data relating to over 65,000 online bingo players has pleaded guilty to committing three offences under section 55 of the Data Protection Act.

Marc Ben-Ezra, of Finchley, London, UK, was given a three-year conditional discharge and ordered to pay £1,700 to Cashcade Limited as well as £830.80 costs at Hendon Magistrates Court.

Information Commissioner, Christopher Graham, commented that the case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. He went on to say that Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.

The Commissioner also said that we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.

The offences were first uncovered in May 2011 when Mr Ben-Ezra sent a series of emails to a number of contacts within the UK gaming industry offering customer data for sale. The emails were sent under the pseudonym Malcolm Edwards and contained a sample data set relating to 400 Foxy Bingo customers.

Cashcade Limited, which provides marketing services for the Foxy Bingo brand and is the data controller for its customer information, was concerned and wanted to know how its customer data had been obtained. The company instructed an investigative services company to conduct a test purchase of the data – which contained over 65,000 Foxy Bingo customers’ personal details – and paid Mr Ben-Ezra £1,700 cash for it. Cashcade Limited then handed this information to the ICO and co-operated fully with investigators to find out who was responsible.

Cashcade Limited believe that the acquired test data, which did not contain customers’ bank account details, was unlawfully obtained in 2008 and sold to Mr Ben-Ezra, who was working for a poker company in Israel at the time. Attempts by Cashcade to identify the perpetrators of the 2008 breach have so far been unsuccessful but remedial action to prevent a recurrence has been taken. The company is continuing to pursue the other perpetrators.

The data that was acquired contained customers’ names, addresses, email addresses, telephone numbers and usernames. Cashcade Limited has assured the ICO that no customer accounts were compromised.

The email sent to the investigative services company by Mr Ben-Ezra also included customer information relating to 404 Gala Coral customers from 2008. The data controller – Gala Coral Group – has confirmed that they believe that the information was unlawfully obtained from their management information system.

Mr Ben-Ezra was exposed as the individual behind the offences in August 2011 when the ICO’s investigators traced the email address which was found to be registered to the business address of Mr Ben-Ezra’s father-in-law. After enquiries were made at that address, Mr Ben-Ezra contacted the ICO and during his meetings with officers co-operated fully and handed over the laptops containing the data. During an interview under caution he admitted the offences and stated that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel. He told officers that he kept the data which he had obtained whilst in Israel and, on moving to London, he sold it as a way of paying off his gambling debts.

The ICO has not received any complaints from the customers on the lists. Foxy Bingo and Gala Bingo have proactively contacted affected customers to assure them that their account information is secure.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

It is very worrying that 65,000 people’s personal details could be stolen. The details of how the data controller’s procedures have been tightened to prevent a recurrence have not been disclosed, but would be interesting. It does seem that custodial sentences for more extreme cases of data theft would be more of a deterrent.

Research project on embedding information rights in schools

The Centre for Research on Families and Relationships at the University of Edinburgh has been appointed to lead a research project on embedding information rights in the education system, the ICO has announced.

The research project aims to ensure that children and young people are aware of the threats to their privacy and how to protect themselves, understanding the practical and legal safeguards that can help them. The project will also explore how children and young people can be encouraged to exploit the availability of public information to their advantage.

Email sent to wrong recipient

On 31 March 2011, Spectrum Housing Group contacted the Information Commissioner (the “Commissioner”) to report an incident concerning personal data sent by email. The Commissioner was provided with a report explaining that a non-secure Excel email attachment had been sent in error to an unintended recipient outside of the organisation. The attachment contained personal data relating to some 200 employees of the data controller. Initially it appeared to the data controller that the spreadsheet recorded a small amount of personal data. However, it was later discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

The Information Commissioner’s enquiries determined that the attachment did not contain sensitive personal data within the meaning of section (2) of the Act. Consequently, no sensitive personal data was disclosed as a result of the error. Further, the unintended recipient was contacted by the data controller within 30 minutes of realising the mistake and it was confirmed that the email had been deleted.

The Commissioner’s enquiries also revealed that the email was inadvertently sent to the wrong individual due to the data controller’s email system automatically predicting the intended recipient based on previously sent messages.

Whilst the spreadsheet did not contain sensitive personal data on this occasion, at the time of the incident there was no clear policy in place in relation to the sending of personal or sensitive personal data by email. Further, it was neither policy, nor common practice for emails containing personal or sensitive personal data to be encrypted or protected by password. It has however been noted that the data controller has implemented a number of remedial measures to minimise the repeat of such an incident.

The Commissioner has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act.

The specific actions required are set out below.

The data controller must ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act.

Spreadsheets or other documents containing personal data must be sent by email only when necessary. The minimum data required for the purpose must be sent and in particular pivot cells must be examined for unintended data.

When sent by email, consideration should be given to implementing password or encryption controls to documents containing personal and, in particular, sensitive personal data. All staff with access to company email accounts should be made aware of the risks of using auto-suggested addresses when sending personal data by email.

Staff with responsibility for sending personal data by email should be informed of company policies in this regard. Compliance with these policies should be monitored regularly.

More news stories relating to information management, data protection and intellectual property are available at aslib.com.

Emmy Rawcliffe

Protect yourself online

The New Zealand Commissioner has also issued guidance for people about how to protect themselves online. The Commissioner says that many people use the internet to communicate and socialise with their friends by posting messages, photos and other information. Maintaining online privacy depends on the individual’s ability to control the amount of personal information that they provide and who has access to that information. Once information is posted on the internet it can be very hard, if not impossible, to completely remove it.

Social networking

Carefully choose how much personal information you post or share online. Once information is on a social networking site it’s essentially public information. Potentially anyone can see your information including employers or other family members. There are tools to help you limit who sees the information but be aware that they’re not failsafe.

Use privacy settings and categories such as ‘friends only’ to limit who can see your information. But you need to be aware that your information could still be seen by people you didn’t expect. For example, your friends may republish the information without controls over who sees it. Treat posting messages and uploading photos as publishing your information.

Don’t put date of birth, your mother’s maiden name or contact details on your page. People who share identity information, addresses, telephone numbers, holiday plans and other personal information put themselves and their family at a greater risk of identity theft, stalking and harassment.

Think before you upload. Is the information you are sharing something you want your future employers, friends or family to see? Posting something offensive about another person or business may reflect badly on you and may have legal consequences. Posting pictures of your expensive belongings could make you a target for burglary if a thief manages to find out your address.

Get consent from friends and family before posting information or photos about them. Their privacy is in your hands. Will they be comfortable with you posting information about them online?

Be wary of strangers. Some people deliberately disguise who they really are. If you have online friends you have never met, be careful about the amount of information that you reveal about yourself, and don’t agree to meet them in person. Be particularly alert if they start asking you for money.

Read the privacy policy regularly. Read the privacy policies of websites before you give away any personal information about yourself. Take the trouble to find out what’s going to happen with your information. Make sure you keep up to date with changes to privacy policies – many sites, such as Facebook, change them regularly.

Online shopping

Use familiar websites. Use well known websites or websites of companies that have a good reputation instead of browsing the internet. Large retailers commonly have an online store.

Use a secure payment method. Only use websites that offer a secure internet connection. Check for https at the beginning of the address bar and a locked padlock in the browser. Use a low-limit credit card to further reduce your risk.

Be wary of adverts, even for companies you know. Adverts are sometimes posted by scammers to direct you to a fake website which could steal your personal information like passwords and credit card details.

Online trading

Check auction feedback for negative comments about traders. Auction websites like TradeMe and eBay use a feedback rating system. Check the comments left by previous buyers and sellers.

Be wary of suspicious behaviour. If the seller asks you to bypass the auction process or to pay into an overseas bank account, be on your guard. Many of these requests are from scammers, or leave you without any protection.

Internet banking

Use a secure computer for access. Use your home or work computer for transactions involving highly sensitive information. Avoid public computers like those at internet cafes, libraries, airports and hotels as they are more likely to be infected by malicious software.

Access your bank website by typing the address directly into the browser or select the website from your favourites tab. Never follow a link to your banking website. It could be a hoax directing you to a fake website.

Set a strong password and update it regularly. Passwords should be at least 8 characters long and consist of a mixture of upper and lower case letters and at least one numeral. Change passwords regularly, at least every 30 days. Don’t use the same password in more than one place. Don’t choose a password that is easily identified with you (for example, your date of birth, telephone number or your name or any part of it).

Be suspicious of unexpected emails claiming to be from your bank. Banks don’t do business via email and they never ask you for confidential information via email.

Email

Have more than one email address. Use a separate account for personal emails and another for online shopping/financial transactions. This reduces your risk if your email system, or that of someone you deal with, is hacked.

Be wary of emails from people you don’t know offering money or deals too good to be true. The offer is likely to be a hoax or scam.

Be aware of phishing emails. These are fake emails that appear to come from trusted organisations like your bank, but are intended to trick you into disclosing information. Don’t answer emails that inform you about some problem and then request passwords, PIN numbers or credit card details. Contact the organisation directly if you want to know whether the problem is genuine.

Never use a link to your online banking that is sent to you by email. The link will almost certainly take you to a fake website, which could steal your banking login details.

Never email details such as passwords or bank account/credit card details. Most emails sent over the internet are not protected from snooping by hackers.

Don’t respond to unsolicited (spam) emails. By responding, you are confirming to the sender that your email address is valid. This can open you up to more spam emails.

Protect your friends and associates. Use Bcc (blind copy) when sending an email to a large group of recipients so their email addresses remain hidden from others. When forwarding an email, delete the previous recipients’ email addresses from the email text.

Public internet

Log off at the end of your session. Otherwise, the next user can see where you’ve been and what you have done.

Don’t save your user name and password. The next person using the computer may be able to access your accounts if you forget to log off before leaving.

Don’t access any sensitive information online. Public computers may have malicious software installed that can capture your password, credit card number and bank details.

Delete your browsing history before you log out of the computer. Internet browsers store information about your passwords and the websites you visited.

Browsing the internet

Consider how much personal information you give. If a website asks for information about you, you have a choice about what information you provide. You can refuse to provide information that seems unnecessary, but you may then not receive the service offered.

Read website privacy notices. If a website has a privacy notice this may give the purpose for collecting personal information. It may also say how the website uses and shares information and the choices you have. Make sure you keep up to date with changes to privacy policies – many sites, such as Facebook, change them regularly.

Adjust your browser settings to control the collection of information. Behind the scenes, websites can collect information about your browsing habits through the use of ‘cookies’. Cookies can store personal information like your name, address and other identifying information. Advertisers can track you if web pages you access contain their advertisements. A cookie sent by a website and stored on your computer can identify your computer in the future.

Useful links:

http://privacy.org.nz/advice-cards/
http://privacy.org.nz/youth/
www.staysmartonline.gov.au/home_internet_users/protect_yourself2
http://security.yahoo.com/
www.netsafe.org.nz/
www.consumeraffairs.govt.nz/scams
www.google.co.uk/goodtoknow/online-safety/

UK Information Commissioner calls for compulsory Data Protection audits

Powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information. As is evident in Managing Information’s coverage of Information Commissioner decisions, the situation is serious with some truly outrageous breaches in the Health Service – often due to carelessness, the lack of training, and evidence of a lack of a culture of concern over Data Protection.

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector. In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit. The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner, Christopher Graham said: “Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”

“With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.”

The Information Commissioner also used his speech at the conference to give a six month update on the ICO’s complaints handling performance. Complaints about marketing texts, some of which are known as spam texts, have trebled in volume since 2008/9, and now account for approximately 13% of all data protection complaints to the ICO. Over 1,000 complaints have been received since April.

The overall number of new data protection (DP) complaints is up by 2% compared to the same period last year. The number of freedom of information (FOI) complaints has also risen by around 5%. The ICO has increased its output to match the increase and has closed a record number of FOI cases during the first half of the year. Closures on DP cases are also up.

Surviving the Recession Seminar - 15th November

Dear Colleagues,

The ASLIB Engineering and Technology Group are holding the Surviving the Recession Seminar on Tuesday 15th November 2011, 10am-5pm.

 

Event Programme

The one-day seminar will be followed by the annual general meeting and will feature presentations on:

• Welcome address Speaker: Frances Boyle

• Gathering statistics to prove support to students Speaker: Penny Bailey

• Electronic collection management: how statistics can and can’t help Speakers: Selena Killick and John Harrington

• Professional skills in an age of austerity: what matters most Speaker: Maria Cotera

• Lunch

• Shared services Speaker: Liam Earney

• Plone, Improving library services using open source Speaker: Lynne Seddon

• Break

• Using Koha @ the Kings Fund Speaker: Matthew Hale

• Free Software Speaker: Phil Bradley

Note that the AGMs for both groups will be held after the sessions.

Where: Council Room, Imperial College of Science and Technology, 170 Queens Gate, London SW7

Cost: Full day £70 to ASLIB/ADLG members, £90 to non-members. Half day ASLIB/ADLG £50 members and £60 to non-members. Early bird discount to the first 20 non-members to book: £70. Lunch is included in the half-day sessions.

 

Contact: If you are interested in attending or for further information contact Jessica Goff, on j.c.goff@cranfield.ac.uk or telephone 01793 785487.

Best wishes,
Emmy Rawcliffe
erawcliffe@aslib.com