Data & IT Law Week, vol. 29: transfer of data, exemptions & data breaches
This article gives an overview of the most interesting articles in the area of data & IT law.
Transfer of personal data to third countries by EU institutions
In its position paper, the European Data Protection Supervisor analyses the possibilities and obstacles of international data transfers. In particular, it focuses on the rules laid down in Regulation (EC) No. 45/2011.
Most importantly, EU institutions must respect the “principle of adequate protection”. Controllers must analyze the level of protection provided by the recipient of the data – “adequacy should be determined by the nature of the data protection rules applicable at the destination, and the means for ensuring their effective application (supervision and enforcement).” The European Data Protection Supervisor might intervene in a supervisory role, depending on how the transfers are conducted.
Little-noticed exemption in data protection rules
The Guardian published an article describing a practice of the Home Office, which obtained access to NHS records in order to track down illegal immigrants. Although medical records are protected by data protection laws, the Home Office used an exemption to access patients’ non-clinical records, without any need for a court order. “The exemption allows officials to see where people have made use of the health service and when, but not the details of the clinical conditions or medical attention they received.”
Criticism was directed at the extent of the data use and whether that use was reasonable. The Home Office responded that the use of these records was strictly restricted to serious crimes.
How to defend against data breaches?
A study by the Ponemon Institute showed that a majority of IT security professionals believe that “continuous monitoring of the database network is the best approach to prevent large-scale breaches”. The opinion was shared by almost two thirds of 595 US experts.
They argue that continuous monitoring and looking for unusual or anomalous types of behaviour are key activities. Moreover, it is also necessary to use a database firewall to protect against the risk of SQL injection. SQL injection was also considered the component most involved in the attacks.
Quick links
Record number of data protection complaints in UK