ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR came into force, the ICO has been progressively investigating the data breaches reported to it, and no-one has been spared in its enforcement actions. Cases have ranged from local government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), to the Metropolitan Police (for its handling of Subject Access Requests), to the NHS (for illegally accessed medical records), to regulated industries and small businesses sending unsolicited email or telephone communications (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. The data ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman, commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19 the huge variety of cases that the ICO have dealt with in the last 18 months, and ultimately this illustrates that data responsibility is in the hands of every individual, with the fallout picked up by the organisation/company directors.”

The big headline fines this summer were the £183.4m penalty notice issued to British Airways following the 2018 cyber incident, in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested. This represented 1.5% out of a total possible fine of 4% of global turnover. Alongside it was the £99.2m fine to the Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and security measures being adopted. Both organisations are seeking to defend their position. Other big names fined for cyber security failures included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000).

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, noted that 82% of the personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. That should be taken as positive news: organisations are learning to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that, if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and the measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act on confidently, so we often see the DPO function outsourced.”

Amicus ITS recognises the challenges organisations face and earlier this year published our new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers. Notably, this service is equally available to SMEs. Any organisation that is unsure whether it has the right security policies and security measures in place can contact Amicus ITS in confidence. If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage, which can be priceless. Call our Sales team today for a free initial discussion on +44 2380 429429.


HMRC mark U-turn on VAT for IT Managed Services

HMRC appears to have done something positive for a change, in a way that will be welcome news for IT Managed Service Providers.

Last year, HMRC advised that only large system IT integrators would get a VAT refund for aggregated purchases. Public sector organisations were thus being penalised for buying standardised ‘off the shelf’ Cloud services, having to pay the full amount of VAT on those purchases. That was an unjust penalty at a time when regulators are arguing for transparency and best price.

However, following representations to HMRC from public sector bodies which spend several billion pounds per year, HMRC has made a welcome U-turn on VAT refunds. The new ‘Contracting Out Services’ guidance, published this week, shows that cloud services are now eligible for the VAT reclaim. Hardware can be considered, but only if it is part of a managed service bundle. The new rules also support a “disaggregated” managed IT service, where the various areas of IT, such as hosting and networks, are split across multiple suppliers.

The rules specifically state that the following services should be included in the VAT refund:

• Hosting Computing Services
• Archiving Communication Services
• Data Communications Services
• Desktop Communications Services, for example Picture Archiving Services (PACS)
• Ethernet cable/Data lines and Cloud computing

With the new G-Cloud 7 Digital Marketplace providers to be announced in November to complement the public sector tendering frameworks, the Government’s linking of a transparent approved supplier system with joined-up thinking on tax for public sector buyers will make a positive change for SMEs and their clients on tightened budgets, especially in the downtrodden NHS marketplace. The latest sales reported for G-Cloud are £753 million, with 51% by value and 60% by volume going to SMEs (defined as fewer than 250 employees with annual turnover not exceeding €50 million). 77% of total sales by value were through Central Government, with 23% through the Wider Public Sector.
