Off To See My Lawyer

Posts Tagged ‘Data Protection’

Beware of the cookie monsters!

Monday, May 21st, 2012

On 26th May 2011 the new EU Cookie law came into force which applies to all website operators who use “cookies” to track their visitors’ movements and choices around their site. Sadly these are not the edible variety otherwise there wouldn’t be such a fuss! A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device such as a mobile or computer and will assist with logins or enhancing the shopping experience. Say you go to Amazon and browse books on travel to Eastern Europe. A cookie will ensure that next time you visit their site, titles are suggested to you on exactly that subject. Think of a cookie as a little piece of memory.

Beware of the new cookie laws!

Source: itsnicethat.com

The previous rule on using cookies for storing information was that you had to:

  • tell people how you used cookies, and
  • tell them how they could ‘opt out’ if they objected.

Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’. So they basically kicked in automatically unless you objected.

The new law requires website operators to make sure they have their visitors’ “informed consent” for the use of cookies. This must be in place before 26th May 2012. The changes aim to give users more choice and control over what information businesses and other organisations store on their computers and how they track users.

What should you do now?

  1. Establish what cookies, if any, you have on your website. You may have had the site developed for you and so you need to ask your website developer what cookies they used. See the checklist below for what you need to identify.
  2. If you do have cookies, decide which ones are essential for your visitors’ use of your site. For example, a cookie that tracks what a customer puts in their shopping basket would be considered essential and therefore may not need the customer’s express consent. A non-essential cookie that tracks that the customer had a good browse in home furnishings before going to children’s wear, on the other hand, may be considered intrusive and therefore require express consent.
  3. Draw up a plan that shows that you are addressing the use of cookies and that you are putting into place a procedure to comply with the new law. This will be important if the ICO does come after you.
  4. Establish how you will get a visitor’s consent to the use of cookies. One option would be to have a pop-up box that alerts users to cookies and asks them to agree. Alternatively, the ICO have said that getting users to agree to your Terms of Use/Privacy Policy would also work. However, instead of just displaying them as a link on your website, you would need to get them to tick a box, indicating their express acceptance of them, or draw attention to the terms, e.g. by adding ‘NEW’ next to them or renaming your Privacy Policy ‘Privacy and cookie policy’.
  5. Check that your Privacy Policy spells out exactly what information is being collected by cookies. The bottom line is that you need to be upfront with users about how your website operates. Our ‘oven-ready’ Privacy Policy template can help you do this.

Checklist for cookie audit

  • Cookie ID: ID of the cookie as it appears in the browser cache.
  • Cookie name: label of the cookie.
  • Cookie type: “session” or “persistent”. Session cookies remain on a device only for the duration of the visitor’s visit, whereas persistent cookies remain on the device even after the session ends, so that when a user returns to the site he/she will be remembered.
  • Cookie life: if persistent, how long does the cookie last?
  • Cookie owner: first party or third party, i.e. has it been placed by the website owner or by a third party with whom the website owner has linked up?
  • Source domain: domain that the cookie is associated with.
  • Data collected: type of data each cookie collects and whether it links to other information held about users.
  • Purpose: what the cookie is used for.
  • Any tracking? Does the cookie allow tracking across a number of websites?
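To make the audit repeatable, here is an added example, not from the post, that fills in the Cookie name, type, life, owner and source-domain rows from the Set-Cookie headers a browser receives while visiting a site; the headers, hostnames and date are constructed, and the first/third-party test assumes a two-label registrable domain (a real audit would consult the Public Suffix List for suffixes such as co.uk). Purpose, data collected and cross-site tracking still have to be answered by whoever runs the audit.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

@dataclass
class CookieRecord:
    name: str
    kind: str                  # "session" or "persistent"
    life_days: Optional[int]   # None for session cookies
    owner: str                 # "first party" or "third party"
    source_domain: str

def registrable_domain(host: str) -> str:
    # Assumption: the last two labels identify the owner (fine for .com/.net, not co.uk).
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def parse_set_cookie(header: str, response_host: str, site_host: str,
                     now: datetime) -> CookieRecord:
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name = name_value.partition("=")[0].strip()
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Lifetime: Max-Age takes precedence over Expires; neither means a session cookie.
    life_seconds: Optional[int] = None
    if "max-age" in attrs:
        life_seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        life_seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    kind = "persistent" if life_seconds is not None else "session"
    source_domain = attrs.get("domain", response_host).lstrip(".").lower()
    same_owner = registrable_domain(response_host) == registrable_domain(site_host)
    return CookieRecord(name, kind, None if life_seconds is None else life_seconds // 86400,
                        "first party" if same_owner else "third party", source_domain)

def audit(responses: List[Tuple[str, str]], site_host: str, now: datetime) -> List[CookieRecord]:
    return [parse_set_cookie(header, host, site_host, now) for host, header in responses]

# Constructed sample: what a visitor's browser would receive on 21 May 2012 from the
# site itself and from a third-party host embedded in one of its pages.
NOW = datetime(2012, 5, 21, 10, 0, tzinfo=timezone.utc)
SITE = "www.example-shop.com"
SAMPLE_RESPONSES = [
    ("www.example-shop.com", "basket=a1b2c3; Path=/; Secure; HttpOnly"),
    ("www.example-shop.com", "prefs=gb; Max-Age=31536000; Domain=.example-shop.com; Path=/"),
    ("ads.tracker-example.net",
     "uid=9f8e7d; Expires=Wed, 21 May 2014 10:00:00 GMT; Domain=.tracker-example.net"),
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_RESPONSES, SITE, NOW):
        print(rec)   # purpose, data collected and cross-site tracking still need a human answer
```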

So in this ever-increasing age of Big Brother and seemingly unfettered trend towards monitoring all of our movements, I believe this law is a move in the right direction. It shows that not everything we do in the e-commerce space needs to be recorded or tracked. We should be free to shop as we please. Just imagine if there were cookie-type robots in real life that stepped out as we entered a shop. I have visions of a middle-aged man entering a department store with his stout, middle-aged wife and the robot exclaiming: “Ah, Mr Brown! Welcome back! I know last time you visited our shop, you spent half an hour in the lingerie department. Would you like me to take you straight there this time? We still have that little size 8 leopard skin number you liked.” Could lead to all sorts of interesting conversations with his wife...

A New Era of Consumer Empowerment?

Monday, December 5th, 2011

You are of course familiar with the Government’s endeavours to encourage the people of Britain to co-operate more with one another, and to take responsibility instead of relying on the authority of the State: a vision which David Cameron labels the “Big Society”.  Lately the Government has launched a new programme called “midata”, which aims to increase consumers’ access to their personal data in a portable, electronic format, therefore enabling them to “gain insight into their own behaviour, make informed choices about products and services, and manage their lives more efficiently.”  In turn, this will hopefully boost competition between companies (in terms of value and service) and drive innovation.  In addition, if the dialogue between consumers and businesses is improved, it may facilitate the development of new personal information services and tools, and in turn create a new environment of trust and co-operation.

This may all sound very idealistic, but a number of businesses and organisations have already committed to working in partnership with Government to achieve the midata vision: voco Secure; billmonitor; British Gas; Callcredit; EDF Energy; E.ON; Garlik; Google; Lloyds Banking Group; MasterCard; Moneysupermarket.com; Mydex; Npower; RBS; Scottish Power; Scottish Southern Energy; The UK Cards Association; Three; and Visa.  And a number of consumer groups and regulators are working with midata to represent consumers’ interests and concerns. As well as working towards potential benefits, their input plays an important role in identifying potential risks and helping determine how these can be addressed.  Participants include: Citizens Advice; Communications Consumer Panel; Consumer Focus; Information Commissioner’s Office (ICO); OFCOM; Office of Fair Trading (OFT); and Which?

Creating secure passwords

Friday, July 15th, 2011

This is not a strictly legal post, but I thought it was very useful and easy to apply. Given that I am always going on about making sure your databases and IT systems are secure, this seems to be the perfect tool to get started!

What makes a password strong is the combination of different alphanumeric, special characters, and capitalization that you use, and of course the length of the password.  I don’t know about you, but I don’t want to remember and type an epistle when I fill out a password field. And, ideally, I don’t want to use the same password on many sites, because if one is compromised then my entire life is unlocked.

I want to show you here how to choose very strong passwords for every website that you use, that are different for each website, and are each only 9 characters in length max. A study found that an 8-character password that’s constructed in the manner I’m going to show you has 7.2 quadrillion different combinations, and will take 83.5 days to crack if the hacker can try 1 billion different passwords per second.

Step 1: Pick 2 Starting Characters

To make it easy to remember, all your passwords are going to start with the same characters. But these are not just any characters. Pick 2 characters from the list of special characters that you see above the numbers on your keyboard and to the left of the Enter key.

These characters are: ~`!@#$%^&*()_-+={}[]:;"'<>?/|\

Pick any two of them as your password starting characters. To show you an example as you read through the steps, let’s pick $ and % (pick your own two).

In my example, all my passwords are going to start with $%.

Step 2: Pick 2 Ending Characters

In exactly the same way as above, pick two different special characters that will be at the end of your passwords. Don’t pick the same characters as your starting characters.

For the purposes of my example, let’s pick * and ^. Hence, all my passwords are going to end with *^.

Step 3: Construct The Middle Part Using The Website Name

This is the fun part. Take the first 6 characters of the website domain name where you want to use the password. If the domain name is shorter than 6 characters, then use the full domain name.

In my example, let’s create a password for www.microsoft.com.

The first 6 characters of the domain name are “micros”.

Now we’re going to substitute some characters and capitalize others.

Substitute the following characters: a becomes @, e becomes 3, i becomes 1, o becomes 0, and u becomes ^.

Now we have “m1cr0s”.

Now, decide on a standard for yourself regarding which character(s) you’re going to capitalize.

For this example, let’s say we’re always going to capitalize the 3rd consonant.

So now we have “m1cR0s”.

The next step is to drop the last character (“s” in our case), and append the Ending Characters (*^) that you picked in Step 2.

Our password is now “m1cR0*^”.

The last step is to add the Starting Characters (Step 1) to the beginning of the password.

The final password is “$%m1cR0*^”.

A Few More Examples

Domain: www.twitter.com, Password: “$%tw1Tt*^”.
Domain: www.facebook.com, Password: “$%f@c3B*^”.
Domain: www.ebay.com, Password: “$%3b@*^”.

Remember

Pick your own 2 starting characters and your own 2 ending characters, don’t just use the same ones I used in the example.

In addition, make your own capitalization rule (you can capitalize more than 1 character if you want to). You can also use more than the first 6 characters of the domain name if you want to. It just means your passwords will be slightly longer.

Is This Password Strong?

Yes, it is very strong. With this method you’re potentially using any of 30 special characters, 10 numerals, and 26 lower case and 26 uppercase characters. Unless a hacker happens to have a water-cooled supercomputer in his briefcase, he will not be able to crack your password.

Making It Even Stronger

If you’re concerned that some hackers might know about this password construction method, simply pick 3 starting characters and/or 3 ending characters, or as many as you like. Any slight variation of the method makes your passwords even more secure.
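Here is an added example, written for this page rather than taken from the post or from Sammie, that implements the construction exactly as the steps describe, so each example password above can be reproduced, and then does the arithmetic for the concern raised in this section: once the method itself is known, only the start characters, end characters and capitalisation rule remain secret, and the code counts those choices against the post’s assumed one billion guesses per second. Assumptions: the capitalisation rule is one of six simple positions, and the post’s 7.2 quadrillion figure is taken as 96^8 (an 8-character password over a 96-symbol alphabet).

```python
import math

# The 30 special characters listed under Step 1.
SPECIALS = "~`!@#$%^&*()_-+={}[]:;\"'<>?/|\\"
SUBSTITUTIONS = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "u": "^"})
VOWELS = set("aeiou")


def middle_part(domain: str, capitalise_nth_consonant: int = 3, length: int = 6) -> str:
    """Step 3: take the domain stem, substitute vowels, capitalise, drop the last character."""
    labels = domain.lower().split(".")
    if labels[0] == "www":              # www.microsoft.com -> microsoft
        labels = labels[1:]
    stem = labels[0][:length]
    consonants_seen, out = 0, []
    for ch in stem:
        if ch in VOWELS:                # vowels are substituted and never capitalised
            out.append(ch.translate(SUBSTITUTIONS))
        else:                           # every other character counts as a consonant
            consonants_seen += 1
            out.append(ch.upper() if consonants_seen == capitalise_nth_consonant else ch)
    return "".join(out)[:-1]            # drop the last character before the ending


def derive_password(domain: str, start: str = "$%", end: str = "*^",
                    capitalise_nth_consonant: int = 3) -> str:
    """Steps 1 to 3 combined, defaulting to the post's example start and end characters."""
    return start + middle_part(domain, capitalise_nth_consonant) + end


def secret_candidates(n_start: int = 2, n_end: int = 2, n_rules: int = 6) -> int:
    """Number of start/end/capitalisation choices left to guess once the method is known.
    Assumption: the capitalisation rule is one of n_rules simple positions."""
    return len(SPECIALS) ** (n_start + n_end) * n_rules


def days_to_exhaust(candidates: int, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at the post's assumed one billion guesses per second."""
    return candidates / guesses_per_second / 86400


if __name__ == "__main__":
    for site in ("www.microsoft.com", "www.twitter.com", "www.facebook.com", "www.ebay.com"):
        print(site, derive_password(site))
    # Whole password treated as random: the post's 7.2 quadrillion, assumed to be 96 ** 8.
    print("random 8-char password: %.1f days" % days_to_exhaust(96 ** 8))
    # Method public, only the four special characters and the rule secret.
    n = secret_candidates()
    print("method known: %d candidates, %.1f bits, %.4f seconds"
          % (n, math.log2(n), days_to_exhaust(n) * 86400))
```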

Credits

This password construction method was designed by Sammie, a person with a brilliant technical mind.

Calling all website owners: check your cookies!

Tuesday, May 31st, 2011

On 26th May 2011 a new law* came into force which applies to all website operators who use “cookies” to track their visitors’ movement and choices around their site. A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.

The previous rule on using cookies for storing information was that you had to:

  • tell people how you use cookies, and
  • tell them how they could ‘opt out’ if they objected.

Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.

The new law requires website operators to make sure they have their visitors’ “informed consent” for the use of cookies. The changes aim to give users more choice and control over what information businesses and other organisations store on their computers and how they track users.

Business groups and privacy watchdogs are divided, though, on exactly what “informed consent” means. Luckily, the Information Commissioner’s office (‘ICO’), the government body responsible for enforcing the law, has published a Guidance Note on what they expect website operators to do. However, the guidance is not definitive and leaves it up to organisations to decide how best to obtain the necessary consent. Thankfully, the ICO has given businesses a year in which to change their use of cookies to comply with the law before it will start to take enforcement action.

What should you do now?

  1. Establish what cookies, if any, you have on your website. You may have had the site developed for you and so you need to ask your website developer what cookies they used.
  2. If you do have cookies, decide which ones are essential for your visitors’ use of your site. For example, a cookie that tracks what a customer puts in their shopping basket would be considered essential and therefore may not need the customer’s express consent. A cookie that tracks that the customer had a good browse in home furnishings before going to children’s wear, on the other hand, may be considered intrusive and therefore require express consent.
  3. Draw up a plan that shows that you are addressing the use of cookies and that you are putting into place a plan to comply with the new law. This will be important if the ICO does come after you.
  4. Establish how you will get a visitor’s consent to the use of cookies. One option would be to have a pop-up box that alerts users to cookies and asks them to agree. Alternatively, the ICO have said that getting users to agree to your Terms of Use/Privacy Policy would also work. However, instead of just displaying them as a link on your website, you would need to get them to tick a box, indicating their express acceptance of them.
  5. Check that your Privacy Policy spells out exactly what information is being collected by cookies. The bottom line is that you need to be upfront with users about how your website operates.

“Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent,” the ICO guidance said.

“It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale,” the ICO said.

*The Privacy and Electronic Communications (Amendment) Regulations 2011.

For the Guidance Note see here

For the Information Commissioner’s Office see here

Privacy Policies more important than ever

Wednesday, October 6th, 2010

The Information Commissioner’s powers to fine businesses that do not comply with the Data Protection Act have been increased. Look out for fines of up to £500,000 if you lose people’s data or flout the Act. One way to comply with the Act is to have a Privacy Policy which alerts your customers or website visitors to how you plan to use the personal details you collect from them. Ideally, have a link to your Privacy Policy from every website page and get your customers to tick a box accepting the terms.

Don’t have a Privacy Policy? Buy and download one instantly from our Document Shop

Check your pockets or you may end up with a £500,000 fine!

Monday, May 10th, 2010

I was stunned to read in a recent survey that last year 4,500 memory sticks were forgotten in people’s pockets as they took their clothes to be washed at the local dry cleaners! I have washed a couple of my daughters’ memory sticks which were stuck in skirt pockets, but I didn’t realise this happened on such a large scale. As I pointed out in an earlier blog, from 6th April onwards if data is lost and it causes a major security breach, this could now cost a company up to £500k in fines. This is because of the new powers given to the Information Commissioner’s office to fine companies who have not sufficiently protected customers’ details under the Data Protection Act.

If you use memory sticks, check out the ones that can be encrypted, such as the ‘Safe Stick’. There are also some clever ones that self-destruct if you find you have lost one or that an employee has stolen vital data on a memory stick. More on that soon.

Businesses to be fined up to £500,000 for losing data

Tuesday, April 6th, 2010

Check out this article from the very useful on-line magazine Growing Business.

Bottom line: you cannot take data protection seriously enough. In this day and age, when the devices for storing information are getting smaller and smaller (even smaller than some lipsticks!), make sure you know exactly where they are.

Ideally, encrypt the information on them, so that if they are lost, no one can read the contents.

Key questions to ask yourself on data protection

Wednesday, March 17th, 2010

If you are gathering personal details on your website or in business, ask yourself these questions to see if you comply with the Data Protection Act. A “YES” does not guarantee compliance, but it means you are heading in the right direction. If you don’t have one, a Privacy Policy can be found in our document shop.

  • Do I really need this information about an individual? Do I know what I am going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • If I’m asked to pass on personal information, would the people whose information I hold expect me to do this?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Is access to personal information limited to those who absolutely need to know?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete or destroy personal information as soon as I have no need for it?
  • Have I trained my staff in their responsibilities under the Data Protection Act? Are they fulfilling them in practice?
  • Do I need to notify the Information Commissioner? If so, is my notification up to date?

For more information and advice on good information handling go to www.ico.gov.uk or phone 08456 306060.