Archive for the ‘Compliance’ Category

Compliance Update – Law Finally Outlaws ‘Back Door’ Criminal Records

March 12, 2015 Leave a comment

litigation%20As of March 10, 2015 United Kingdom’s Ministry of Justice finally passed a law formally outlawing employers and third-parties from carrying out ‘back-door’ criminal record checks on candidates in the United Kingdom. Violators could face criminal charges to include unlimited fines. Buyers of background screening services need to ensure screening providers are acquiring their criminal information in accordance with local legal provisions or could face criminal as well as civil sanctions by local authorities.

For years some third-party background screening providers as well as employers both within the UK and outside have tried to bypass a well-established lawful process for vetting criminal records for employment as well as other nefarious purposes in the UK whether by demanding a potential employee to use their rights under the DPA to see criminal information held about them (also known as ‘Enforced Subject Access’) or by other back-door routes of criminal court records.

Aletheia Consulting Group is the leading Global Background Check Consulting firm. We focus solely on providing industry leading independent third-party best practice advice to global organizations no matter where in the world your organization may operate from. Helping you make the right decisions.


ICO fines NHS £70,000

May 1, 2012 2 comments

The Information Commissioner’s Office has issued its first, significant monetary penalty following a serious data protection breach by an NHS body

The Information Commissioner’s Office (“ICO”) has taken action following an administrative error by Welsh health board, Aneurin Bevan Health Board (“ABHB”), which led to a serious breach of the Data Protection Act 1998 (“DPA”).

As the ICO gets used to using its new powers to issue substantial fines, all organizations which handle personal data need to ensure they are complying with their obligations under the DPA and have the necessary measures in place to avoid serious breaches occurring.


Section 55 of the DPA came into force on 6 April 2010 and allows the ICO, where there has been a serious contravention of the Act, to serve a monetary penalty notice on data controllers. The maximum penalty that can be imposed is £500,000.

What did they do wrong?

The error, which occurred in March 2011, meant that a highly sensitive report containing details of a patient’s health was sent to a former patient who had a similar name. A letter which had been drafted by a consultant and emailed to his secretary for formatting failed to identify accurately the patient to whom it should have been sent. The draft letter misspelt the name of the patient and did not contain sufficient additional details to identify the patient concerned. Furthermore, the letter was not checked prior to it being sent.

The investigation carried out by the ICO into the incident concluded that ABHB did not have in place sufficient checks to prevent personal data being sent to the wrong person and that the members of staff involved had not received any DPA training. An exacerbating factor was that the inadequate procedures followed in this instance were replicated across ABHB.

What was the penalty?

As a result of this incident ABHB has become the first NHS organization to be fined by the ICO.

The ICO has not only issued a fine of £70,000 to ABHB (which will be reduced to £56,000 if early payment is received) but also required it to sign an undertaking with a view to ensuring that all personal data it holds is processed in accordance with the DPA.

Following its investigation into this matter; the ICO had particular concerns about ABHB’s internal practices and the undertaking also includes measures to deal with these, including implementing:

  • new checks across the organization to ensure that a patients’ identities are established before any documentation containing personal data is issued;
  • the provision of training for staff;
  • putting in place and maintaining appropriate IT and other security measures; and
  • regular monitoring of compliance with the DPA.

This decision comes shortly after the ICO indicated that it would be focusing on, amongst others, the health sector in respect of responses to subject access requests. It has highlighted that notice should be taken of this decision by those operating within the health sector and stated that it is vital that the health service ensures that it has appropriate DPA compliance procedures in place.

The future

The Information Rights Strategy that was published by the ICO at the end of 2011 made clear that it would be taking a robust approach to DPA compliance over the coming year. This decision, reflects that approach and should be seriously considered by those organizations and employers operating within the health sector.

Future enforcement action by the ICO is likely to be significant, particularly in view of the European Commission’s proposals for reforming the approach to data protection across the European Economic Area.

Tips for organizations

  • Ensure that all your employees are trained on handling personal data particularly those who process it on a day to day basis.
  • Consider carrying out a data protection audit to establish the level of compliance with the DPA within your organization and, if necessary, to decide how this can be improved.
  • Ensure that you actively promote, implement and monitor compliance – it is not enough to have written policies in place if they are not enforced.

Source: Shoosmiths.

Philippine Government ratifies Seafarers’ Identity Documents Convention

April 25, 2012 Leave a comment

The International Labour Organisation (ILO) Convention 185, also known as the Seafarers’ Identity Documents Convention, was duly approved and ratified by President Benigno Aquino III on October 11 2011. The ratification was duly approved by the Philippine Senate and is now being transmitted to the ILO’s headquarters in Geneva for submission.

The convention provides that any seafarer who holds a valid seafarer’s identity document shall be admitted to enter the territory where the convention is in force when entry is requested for:

  • temporary shore leave;
  • joining his or her ship or transferring to another ship;
  • passing in transit to join his or her ship in another country;
  • repatriation; or
  • any other purpose approved by the authorities of the member state concerned.

According to the Joint Manning Group, the shipping industry has welcomed this new development, as the convention facilitates the activities of Filipino seafarers. In particular, it makes it easier for them to take shore leave without the required visa and without any unnecessary inspection and interrogation as to their identity.

For further information on this topic please contact Ruben T Del Rosario at Del Rosario & Del Rosario law Offices by telephone (+63 2 810 1791), fax (+63 2 817 1740) or email (

Violations of Proposed EU Privacy Rules Could Cost Companies Up to Two Percent of Global Revenues

April 24, 2012 Leave a comment

A BEERG-HR Policy Association policy paper describes how a proposed new regulation in the European Union replacing the myriad national laws governing individual data protection with a single set of EU-wide rules would have significant consequences for employment data.  Most significantly, a violation of the regulation could subject a company to a fine of up to two percent of its annual global revenues.  The policy paper, prepared by international law specialist, Malcolm Mason, describes several areas where the proposed regulation would impact the collection of HR data, including:

  • A requirement of a “valid consent” by an employee before her/his data can be processed, and such consent may not be made a condition of employment;
  • Stricter controls on transfers of personal data from within the EU to countries outside the EU;
  • A “right to be forgotten” requiring data controllers to delete personal data relating to a data subject where the individual withdraws consent, objects to that controller’s processing of their information, or where their personal data is no longer needed; and
  • A requirement to appoint a “data protection officer” for a two-year term with enhanced job protections.

While the proposed regulation is mainly targeted at social media and Internet trading, it fails to recognize that the nature of the relationship between an employer and an employee is fundamentally different from that between a user and Twitter or Facebook.  As the proposal moves forward, our European ally BEERG will be making the case that employment data should be treated differently from social media data or client/consumer data and subjected to a separate set of rules.


Serbia set to start Personal Data Protection Project

April 23, 2012 Leave a comment

The implementation of a project funded by the EU and meant to improve the protection of personal data in Serbia officially started last Wednesday.

The implementation of a project funded by the EU and meant to improve the protection of personal data in Serbia officially started on Wednesday.

The project began with a meeting between Rodoljub Sabic, Serbian commissioner for information of public importance and protection of personal data, and Slovenian commissioner for information Natasa Pirc Musar.

Sabic said the project would take six months to complete and would include numerous important activities, “starting with an evaluation of how harmonized our regulations are with the EU standards on the protection personal information.”

He added the project would include “strengthening the institution of the commissioner by educating and training personnel to monitor and improve data protection in accordance with those standards,” Sabic’s office stated.

He said he was pleased to work with Slovenian colleagues, because the team led by Pic Musar had gained recognition “not only in Slovenia, but in the EU also, as a team of excellent experts.”

The protection of identity data in Serbia is still in its first stage, even with the efforts invested by the commissioner and some initial results in the field, he noted.

According to Sabic, it is an issue of extreme significance in terms of respecting constitutionally guaranteed human rights, and it is also an issue “that will be one of the first the EU will inquire about once the start date for the negotiations is set.”

Source: As reported by Ekonom:east Media Group

European Companies Preparing for Data Protection Overhaul

April 21, 2012 Leave a comment

The recently unveiled European Union (EU) data protection proposals call for hefty fines, new rules for reporting data breaches, large companies to appoint a data protection officer and several other regulations. Although the legislation has yet to be put into effect, many European enterprises are already planning ahead, making changes to their IT security strategies and policies.

The data protection proposal would enable the EU to fine companies in violation of the laws up to 2 percent of their global annual turnover. Combined with the increasing prevalence of cyberattacks and data breaches, the threat of severe financial punishment has prompted many businesses among EU member states to make continuous compliance an organizational priority.

According to a recent study by Tufin Technologies, 42 percent of network security managers believe the EU proposal has led to heightened risk awareness in their organization. Additionally, 34 percent of respondents said their attitude toward continuous compliance has changed due to the data protection legislation, and 54 percent said automating compliance audits would help reduce the risk of violating the regulations, potentially saving the company from being fined.

“While 29 percent of respondents have partially automated compliance audits, those processes that are not automated run the risk falling out of compliance the moment after the auditor signs off on the audit,” said Shaul Efraim, vice president of marketing and business development for Tufin.

The report said respondents provided vastly different answers regarding best practices in reducing the risk of noncompliance. According to Tufin, some IT security professionals said a strict regulatory compliance strategy that includes a comprehensive data security awareness program would help organizations meet EU compliance standards.

While the proposed legislation may cause headaches for enterprise compliance officers and other IT professionals, the EU and Justice Commissioner Viviane Reding are confident the laws will facilitate stronger data protection standards for government organizations, businesses and consumers.

“Seventeen years ago less than 1 percent of Europeans used the internet,” Reding said. “Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.”

Reding said the presented changes to the existing policy will save businesses around €2.3 billion per year by providing them with a single set of rules and one data protection authority to report to, reducing costs related to paperwork and other compliance expenses. Meanwhile, enterprises will be required to notify authorities about data breaches as quickly as possible – within 24 hours if feasible. Also, companies with more than 250 employees will have to appoint an independent data protection officer.

With the new regulations requiring organizations to quickly report data breaches, and large fines for companies that fail to do so, it’s essential for IT decision-makers to consider implementing security solutions capable of detecting and eliminating advanced threats before a major breach occurs. Some IT security providers offer integrated, state-of-the-art systems that can analyze security events in real time, giving enterprises the ability reduce costs, efficiently detect threats and decrease risk. These advanced solutions can also help organizations meet regulatory compliance standards by encrypting critical data, controlling access and constantly monitoring company networks, systems and endpoints.

The importance of data protection legislation, organizational policies and awareness is at an all-time high, as cyberattacks are more sophisticated and widespread adoption of mobile devices has opened the door for new threats. According to a recent global survey, 86 percent of IT professionals believe their job would be at risk if a data breach occurred, revealing yet another reason enterprises must develop better security and data protection plans.

Security News from by Trend Micro

China Adopts Internet Regulations

April 19, 2012 Leave a comment

China’s Ministry of Industry and Information Technology has promulgated regulations governing the collection, storage and use of personal information by parties providing information services over the Internet.  Coverage by the regulations includes not only entities known in the West as Internet Service Providers, but also Chinese companies whose principal business is online as well as Chinese companies with more limited online activities.  The new rules, Several Regulations on Standardizing Market Order for Internet Information Service, adopts the European definition of personal information; requires user consent for collection and disclosure; imposes obligations to secure data and take immediate remedial measures in case of breaches; requires expressly informing users of the method, content and purpose of collection and limiting use to such purpose; and makes violators subject to sanctions that include rectification orders, warnings and modest financial penalties.  The regulations come into effect on March 15, 2012.

Categories: Compliance, Regulations
%d bloggers like this: