10 For 10

Top Compliance Stories For the Week Ending November 11, 2023

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one episode. Tom Fox, the Voice of Compliance, brings the compliance professional the stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  • ESG helps in hiring the best and brightest. (FT)
  • The UK hits Russia with new sanctions. (WSJ)
  • Indian anti-corruption journalist targeted in spy op. (Reuters)
  • GE Aerospace to pay $9.4M in DOJ false claims case. (Compliance Week)
  • WeWork files for bankruptcy. (FT)
  • ICO apologizes to ex-NatWest chief. (FT)
  • Integrity in cricket. (University of Sussex)
  • Portuguese PM resigns over corruption. (The Guardian)
  • Supreme Court refuses to take up PdVSA bribery case. (LatinLawyer)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 18 — Florida Man Games

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues. In this episode, Tom and Kristy take on a range of topics, including the state image of Florida Man.

In the complex world of corporate governance, the issues of corporate misconduct, leadership accountability, and professional productivity are of paramount importance. Tom emphasizes the need for thorough due diligence when appointing leaders, particularly those with a history of misconduct. He also advocates for detailed record-keeping as a tool for managing workload and enhancing productivity. Kristy echoes these sentiments, highlighting the significance of ethical leadership and effective compliance measures. She also offers practical strategies for dealing with workplace challenges such as micromanagement and office politics. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these topics in this award-winning 2 Gurus Talk Compliance podcast episode.

Highlights include:

1. FCA bans Jes Staley (Compliance Week)

2. What is the purpose of a policy: Integrity in cricket? (University of Sussex)

3. CA gun shop owner pleads guilty to bribing former county sheriff. (CSB-SF)

4. US Bankruptcy trustee seeks return of fees award to law firm of paramour. (Reuters)

5. ICO apologizes to ex-NatWest chief. (FT)

6. Lawmakers Press Costco on China Forced Labor (WSJ)

7. Sam Bankman-Fried convicted of multi-billion dollar FTX fraud (Reuters)

8. UK Parliament Enacts Sweeping New Fraud Legislation Aimed at AML/TF Activities (Volkov)

9. Ever Thought ‘Just Leave Me Alone to Do My Job’? This Is for You (WSJ)

10. Which Florida Man best embodies the state’s spirit? A new contest will decide. (Washington Post)

 Resources 

Kristy Grant-Hart on LinkedIn

Spark Consulting

Daily Compliance News

Daily Compliance News: November 7, 2023 – The Apology Accepted Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • ICO apologizes to the ex-NatWest chief. (FT)
  • A 70-hour work week in India? (BBC)
  • Integrity in cricket. (University of Sussex)
  • Do chatbots violate anti-wiretap laws? (Reuters)

Blog

The Importance of Effective Policies and Training in Data Protection: Lessons from a Scottish Hospital Breach

I recently had the chance to visit with Jonathan Armstrong on a data breach case at the health service provider NHS Lanarkshire (Scotland) that occurred during the COVID-19 pandemic. This breach serves as a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially when it comes to communication platforms like WhatsApp. In this blog post we will explore the lessons learned from this incident and discuss practical advice for organizations to ensure robust data protection measures.

Background

According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group containing a minimum of 533 entries that included patient names. The information included 215 phone numbers, 96 entries with dates of birth, and 28 with addresses. 15 images, 3 videos, and 4 screenshots were also shared, containing personal data of patients and clinical information, which is “special category” health data under both EU and UK law. Other data was also added to the WhatsApp group in error, and other communications were identified in which the staff in question had used WhatsApp.

WhatsApp was not approved by NHS Lanarkshire for processing the personal data of patients. Its use was an approach adopted by the staff, apparently without organizational knowledge, as a substitute for conversations that would previously have taken place in the clinical office but no longer did once staff reduced office attendance during the COVID-19 pandemic. Because WhatsApp was not an approved channel for sharing patient data, no Data Protection Impact Assessment (DPIA) was in place and no risk assessment relating to personal data processing had been completed for it. NHS Lanarkshire undertook an internal investigation and reported the matter to the ICO.

ICO Holding

The UK ICO determined that NHS Lanarkshire did not have appropriate policies, clear guidance, or processes in place when WhatsApp was made available to download. Additionally, there were a number of infringements of the UK GDPR, not least the failure to implement appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved, as a consequence of which personal data was shared via an unauthorized means and an inappropriate disclosure occurred. There was also a failure to report the matter to the ICO as a personal data breach within the required time.

Armstrong noted that the ICO recommended that NHS Lanarkshire take action to ensure its compliance with data protection law, including:

  1. Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
  2. Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
  3. Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
  4. Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
  5. Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.

Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”

Discussion

This case highlights the challenges organizations face when it comes to communication during internal investigations. In many instances, the most interesting documents are not found in email. Employees often turn to alternative platforms like WhatsApp to avoid leaving a paper trail; it is crucial to understand that these platforms may not provide the privacy and security, or the organizational control, that users expect.

While platforms like WhatsApp may seem secure because messages are encrypted in transit, the organization does not control who is in a group, which personal devices hold the messages and attachments, or what metadata is shared with the platform provider, and the platform provider is itself a big tech company, which raises its own privacy concerns. Organizations must adapt to the preferences of digital-native employees who may find email restrictive and opt for alternative communication methods, but this adaptation should be done consciously, with policies and procedures in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all communication platforms and measures.

As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning, backed by ongoing communications to employees. Armstrong also remarked on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training is not enough to prevent people from clicking on malicious links. Organizations should focus on providing better training before incidents happen, rather than trying to enhance training afterwards.

The next step is monitoring: compliance with policies and procedures should be actively monitored. Technical solutions are available to help companies track compliance, but it is crucial to involve individuals at all levels of the organization when designing these policies. Additionally, a balanced approach is needed, in which employees are recognized for their service but also held accountable for policy breaches. The days of relying solely on punishment for enforcement are gone.

The data breach in the Scottish hospital serves as a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, privacy concerns associated with alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and ensuring buy-in from employees, organizations can strengthen their defense against cyber threats and protect sensitive information. Always remember that compliance is an ongoing process, and continuous evaluation and improvement are necessary to adapt to the evolving digital landscape. Finally, stay vigilant and proactive in safeguarding data privacy and protection.

Life with GDPR

ICO Gets Serious About Subject Access Requests

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recent action by the ICO against seven UK organizations that failed to respond to Subject Access Requests (SARs), which follows a trend across Europe of more enforcement action on SARs. Some of the highlights include:

1. What is a Subject Access Request (SAR)?

2. Why are these companies in the ‘Naughty Corner’?

3. How does this follow a trend across Europe of more enforcement action on SARs?

4. What happens next?

5. Who is the constituency for change in the SAR process in the UK?

6. What are the lessons learned?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Life with GDPR

Changes to UK Data Protection Regime

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we discuss the changes to the UK data privacy regime currently proposed in the wake of Brexit. Some of the highlights include:

  1. Why these changes are so significant.
  2. Are things really more complicated now?
  3. What does it mean for compliance?
  4. What happens next?
  5. Will the new PM request any changes?
  6. Practical steps you can take now.

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Life with GDPR

Clearview AI Fine by the ICO

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we take up a fine imposed in the UK by the ICO on Clearview AI. We have discussed other EU countries’ fines against Clearview previously. Some of the highlights include:

  1. What is this case all about?
  2. What did the ICO decide?
  3. Why is AI under the spotlight again?
  4. Other actions and penalties against Clearview?
  5. Key takeaways.

Resources
For more information on the Clearview AI fine by the ICO, check out the Cordery Compliance client alert on this topic; click here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Life with GDPR

Tuckers Enforcement Action

Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In this episode, we consider the recent announcement by the UK Data Protection Authority, the Information Commissioner’s Office (ICO), that it had fined a law firm, Tuckers Solicitors LLP, for GDPR breaches. Tuckers was fined £98,000 after being hit by a ransomware attack. Some of the highlights include:

  1. Law firms are not unique.
  2. What about other legal regulations and regulatory bodies?
  3. The background facts.
  4. What did the ICO say?
  5. Lessons learned.

Resources
For more information on the Tuckers enforcement action, check out the Cordery Compliance client alert on this topic by clicking here. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Life with GDPR

Cathay Pacific Enforcement Action

In this episode of Life with GDPR, Jonathan Armstrong and Tom Fox consider the recently announced UK Information Commissioner’s Office (ICO) fine of £500,000 against Cathay Pacific Airways Limited for failing to protect the security of its customers’ personal data. This is a pre-GDPR case, and the fine represents the maximum available under the ICO’s pre-GDPR powers. The ICO took particular account of the fact that Cathay Pacific failed to follow its own policies and ignored fundamental best practices.
Some of the highlights in this episode include:

  1. What were the background facts of the enforcement action?
  2. What are the implications of a pre-GDPR enforcement action?
  3. Why was the maximum fine levied?
  4. What were the regulator’s findings?
  5. What are the lessons learned for the data protection practitioner?
  6. Where listeners can go for more information.

Resources
Cordery Breach Navigator
Cordery Client Alert: “ICO Fines Cathay Pacific £500k for Data Security Breach”