Stop cybercriminals stealing your money!

Financial fraud is on the rise. But there are some simple steps you can take to protect your money and info from hackers, fraudsters and scammers.

According to Take Five To Stop Fraud – an organisation that offers straightforward and impartial advice to help everyone in the UK protect themselves against financial fraud – one of the most important things you can do is stop and think. Because, according to the cyber-security experts, you probably already know these basic rules on how to stay safe from financial fraud. You just need to take a breath and stay calm enough to remember them.

What else does Take Five recommend?

  1. Understand that a genuine bank or other financial organisation will never contact you out of the blue to ask for your PIN or full password
  2. Know that a legitimate bank or other business would never ask you to move money to another account for fraud reasons
  3. Never automatically click on a link in an unexpected email or text. This could result in you giving a fraudster access to your personal or financial details
  4. Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number
  5. Don’t assume an email or phone call is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine
  6. Be careful who you trust. Criminals may try and trick you by telling you that you’ve been a victim of fraud. Criminals often use this to draw you into the conversation, to scare you into acting and to reveal your security details
  7. Know that criminals can make any telephone number appear on your phone handset. So even if you recognise a number, or it seems authentic, it might not be genuine
  8. Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot
  9. Listen to your instincts. If something feels wrong, then it is right to question it
  10. Have the confidence to refuse requests for personal or financial information. Stop the discussion if you do not feel in control of it
  11. Never hesitate to contact your bank or financial service provider on a number you trust. For example, the one listed on their website or the back of your payment card.

Get more advice from Take Five here. You can also take a quick test to find out if you are too smart to be scammed.

Types of financial fraud

A cyber-attack can take many forms including:

  • Financial data hacks. Hacking can lead to your personal and sensitive data getting into the wrong hands. In the worst cases, this can lead to you falling victim to financial fraud and identity theft. The impact of data hacking can be devastating, and we have seen instances where financial losses only started to occur three to six months later. This is often because data stolen is used in batches over time.
  • Financial phishing attacks. Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Their ultimate goal is to steal your money and/or personal information. Unfortunately, in most cases, where someone has become a victim of a phishing scam, their bank is not responsible for their losses. So, people can be left not knowing where to turn for compensation.
  • Bank and credit card takeover fraud. Takeover fraud happens when a criminal uses another person’s account information (e.g. a credit card number) to buy products and services. Takeover fraud is also used by scammers to extract funds from a person’s bank account.
  • Push payment scams. Push payment fraud (also called APP fraud) happens when cybercriminals deceive individuals into sending them money. Because the victim believes the fraudster to be genuine, they authorise the handover of cash.

Not Just Hackers

Despite fears about cybercriminals, it is human error rather than cybercrime that is the biggest cause of financial data breaches. Typical examples of such errors include where a bank or other financial organisation:

  • Sends sensitive data to the wrong recipient (via email, post or fax)
  • Loses paperwork
  • Forgets to redact data
  • Stores data in an insecure location
  • Loses devices such as laptops, phones and tablets
  • Doesn’t train its staff properly on data protection or where staff deliberately ignore data
  • Leaves sensitive information online without any password restrictions.

Find out more about our #NotJustHackers campaign.

Are banks doing enough to protect customers from data breaches?

In many cases, financial data breaches happen because of a failure to implement reasonable and robust processes, often because of the cost of doing so.

But, by not putting adequate processes and training in place, banks and other financial organisations are leaving customers open to an increased risk of cyber scams and avoidable mistakes that lead to data breaches.

Protect yourself following a financial fraud, data breach or scam

If you are worried about the security of your money and personal information, you should:

  • Contact your bank/credit card provider immediately
  • Consider a credit freeze until the matter is resolved
  • Report the scam to the police and contact Action Fraud for advice on what to do next
  • Keep an eye on your bank and credit card statements to see if there is anything you don’t recognise
  • Let the credit reference agencies know of any activity that was not down to you
  • Register with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

For more advice on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a financial data breach or cyber fraud, contact us to find out how we can help you to claim compensation for any loss of money and/or emotional distress.


Head teacher fined for data protection breach after obtaining personal information about schoolchildren

A former headteacher has been fined. This comes after he took personal information about schoolchildren from his old school to his new one. The breach took place at two primary schools where he had worked previously. The violation revealed “large volumes of sensitive personal data” from his previous schools on his new school’s system.

What happened in this data protection breach?

A former headteacher downloaded personal information about his former pupils onto a USB stick. Next, he uploaded this data to servers at his new school. The information included:

  • Names
  • Unique pupil numbers
  • Pupil attainment and progress spreadsheets
  • Performance management data for staff.

The teacher (who was now a deputy head) was suspended from his role. This situation only came to light after an IT audit discovered the data protection breach.

What did the ICO decide?

The Information Commissioner’s Office (ICO) said that the teacher had no lawful reason to process the data. This means that he breached data protection legislation. Initially, the teacher had “no valid explanation” for how the data appeared on his school’s server. But he later admitted that he took the data for professional purposes.

Appearing before Ealing Magistrates’ Court, the teacher admitted two offences of unlawfully obtaining personal data. He was fined £700, ordered to pay costs of £364.08 and a victim surcharge of £35.

What did the ICO say about this breach of personal data?

Commenting on this data protection breach, Mike Shaw, manager of the ICO’s criminal investigation group, said:

“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to.

“A head teacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach.

“The ICO will continue to take action against those who we find have abused their position of trust.”

Lessons learned following this personal data breach

This case should remind employees across all sectors of the risks of data violations. If someone accesses or shares personal data without a valid reason, they could face criminal prosecution and fines.

Organisations also need to do more to protect personal data. This includes ensuring comprehensive data protection training is in place and making sure employees understand the consequences of breaking the law.

Furthermore, organisations must ensure adequate and robust protections so that information is only accessed by those people who need it. There must also be a record of such access.

Helping to reduce the impact of educational personal data violations

The Data Protection Act exists to protect the privacy of individuals. In an educational context, this means students, their families, and staff.

However, many schools have struggled to keep up with changes in the rules covering the use of technology. And this could leave everyone vulnerable.

At Hayes Connor Solicitors, we help individuals make a compensation claim when their data is violated by an organisation they trusted to look after it.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you have a right to claim compensation.

Not Just Hackers

There has been a worrying rise in reported data breaches across the UK education and childcare sector. Competing priorities and limited budgets make meeting data protection requirements challenging and this makes schools, universities and colleges an attractive target for hackers.

But, despite the threat posed by cybercriminals, human error remains the leading cause of data privacy violations.

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. As such, we are sharing real-life examples of data protection breaches. In doing this, we hope to raise awareness of this issue. We also want to educate people to prevent similar instances from happening.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach, find out how we can help you to recover any losses. Or contact us to discuss your case in more depth.


Pensioners’ confidential information breached after printing error at Waltham Forest Council

Human error is the leading cause of privacy violations. And a mistake at Waltham Forest Council has resulted in thousands of pensioners having their confidential information breached.

This grievous error happened when a “printing error” produced P60 forms which included the confidential information of two different people. Worryingly, this mistake wasn’t spotted. So, pensioners received their P60 forms with their own, correct information on the front, and a stranger’s details on the back.

The confidential information breached included their national insurance details, addresses and other private information.

In total, over 3,000 incorrect statements were issued.

Why was this confidential information breached?

The mistake was flagged on Facebook by James O’Rourke. His mother-in-law received a double-sided P60. He said: “It appears Waltham Forest Council has yet again been frivolous with its residents’ data.

“My mother-in-law, a former council employee, received her pension P60 this week. To her horror it had been printed upon on both sides, the reverse side being another person’s P60.

“A few days later she received another P60 with an attached letter. No reassurance as to whether her data has not been so sloppily dealt with.

“This is not the first time the council has breached the Data Protection Act this year, so the Information Commissioner’s Office must take immediate action and the ultimate person responsible taken to task.”

Waltham Forest Council admits the breach

In a letter, Waltham Forest Council admitted the breach. The council stated: “Due to an error with our printing partners a small number of these were printed with information on the reverse relating to another customer. We sincerely apologise for this error.

“Please destroy the P60 you were sent originally immediately and securely, using a home shredder if possible.

“You can also send this to the council if you would like us to destroy this for you.

“I can assure you we are taking steps to prevent any future occurrences of this type of error in the future.”

A council spokesperson has also said that: “We take protecting people’s data very seriously and are very sorry for any concern caused.”

What can you do if you have had your confidential information breached?

Waltham Forest Council has investigated the issue, and it has implemented new sign off procedures to prevent this from happening again. It has also sent an apology letter to everyone affected.

But this falls far short of what we would expect.

In far too many cases, when a breach occurs the accepted risk management plan seems to be to apologise and promise it won’t happen again. But such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

What’s more, the council has also said that there is no risk of fraud because of the data breach. But there is simply no way they can know this. Every day we see what happens when the personal information of people across the UK falls into the wrong hands. And, even where cybercriminals are not initially involved, the consequences can be damaging and long-lasting.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

To find out more, give us a call on 0151 363 5895 to discuss your case in more depth.


Council employee carries out personal data protection breach to help his partner get a job

A former senior local government officer has been fined. This comes after he shared the personal information of rival job applicants with his partner. The man’s partner had applied for a job at the council. As this could have meant the other applicants lost out on the job unfairly, this was a severe personal data protection breach.

What happened in this personal data protection breach?

In July 2017, Nuneaton and Bedworth District Council advertised an administrative job.

Because he was in a relationship with one of the candidates, the local government official was not involved in the recruitment process. Despite this, he decided to access the council’s recruitment system and email the personal information of all the shortlisted candidates to himself and his partner.

The data breached included the names, addresses, telephone numbers and CVs of each candidate. The breach also included the personal contact details for each of their two referees. This is a shocking violation of data protection laws.

On discovering the data breach, the man resigned from his position at the council. His partner had been successful in her application, so she also had her employment terminated.

What was the result of this personal data protection breach?

The Information Commissioner’s Office (ICO) decided to prosecute this data privacy violation. The man was fined £660, ordered to pay costs of £713.75 and a victim surcharge of £66.

Steve Eckersley, Director of Investigations at the ICO, said:

“People who supply their personal information to an organisation in good faith, such as when applying for a job, have a legal right to expect it will be treated lawfully and ethically.

“Not respecting people’s legal right to privacy can have serious consequences, as this case demonstrates. Not only might you face a prosecution and fine, along with the attendant publicity, but you may also lose your job and severely damage your future career prospects.”

Lessons learned?

In this case, little could have been done to protect those people who had their data breached. The man had been trained in data protection. So he fully understood that he was breaking the law.

However, employees must understand that they could face criminal charges and fines if they access or share personal data illegally. In fact, after stealing the data of nearly 100,000 staff from supermarket Morrisons, one ex-employee was jailed for eight years.

Organisations also need to do more to protect personal data. This includes putting robust systems in place to ensure that confidential information is only available to those people who need it to do their jobs.

Not Just Hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing real-life examples of personal data protection breaches to raise awareness of this issue and educate people to prevent similar instances from happening.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach, find out how we can help you to recover any losses or contact us to discuss your case in more depth.


Why do some people make a mockery out of data protection claims?

As data breaches continue to rise, we are holding more and more companies to account for their violations of trust when it comes to your valuable information. However, as we do that, we are sometimes compared to “ambulance chasers”.

But, while some might view GDPR claims as opportunist, for the millions of people suffering because of a data breach, this couldn’t be further from the truth. Every day, privacy breaches are causing misery and upset to people across the UK.

Data breaches can be devastating

At Hayes Connor Solicitors, we see many different types of claims. And we know how data breaches can affect people in different ways. For example:

  • As a direct result of a NHS privacy violation – our client’s relationship with her family broke down. She received threats from a family member resulting in police involvement. There was also an ongoing worry of further danger. Our client suffered stress, anxiety attacks and trauma. And she required medication to help manage the psychological effects of this terrible breach of trust
  • A bank sent personal information disclosing our client’s financial situation to his previous address. His ex-partner still lived there. This happened despite him changing his address with his bank five years ago. Our client’s ex-partner shared this information with her friends and family. This caused him significant distress and embarrassment. Furthermore, once aware of his financial position, our client’s ex-partner refused him access to their children and prevented him from taking them on holiday
  • A data mix-up and breach saw a stranger turn up at our client’s home and accuse her of attempting to “clone” his daughter’s identity. Our client was alone with her two young children, one of whom is disabled. She found this experience both frightening and upsetting.

As you can see, we deal with serious cases that often put people’s mental health, and in some cases even their lives, at risk. So downplaying the impact of a data breach claim is extremely disrespectful to the victims.

GDPR data breaches must be taken seriously

When it became clear that people across the UK were mis-sold PPI, often to the tune of thousands of pounds, there was a surge of new claims management companies on the scene. All promising to help consumers get back what they were due.

But, all too often, these companies were more concerned about making fast cash than helping victims. Assurances of no up-front fees turned into extortionate commission rates. And that left people short-changed.

With the deadline for consumers to complain about the sale of PPI products coming to an end, many unscrupulous claims management firms will undoubtedly look to switch from PPI to GDPR to make money.

But, that doesn’t mean that victims of data breaches shouldn’t claim compensation. It’s not their fault that ambulance chasers are preparing to go after the GDPR negligent. What matters is that they get the professional legal representation they deserve.

We hate spam and pushy lawyers!

At Hayes Connor Solicitors, we have never done PPI claims. What’s more, we only ever get in touch with people who have asked us to. This means we never cold call, send spam texts, spam emails, or engage in any other form of nuisance marketing. We never pressure anyone into making a claim.

Instead, we believe that it is vital to educate people to help prevent such breaches from happening. And, where a violation has occurred, we make no excuses for seeking compensation. This is necessary to help people get their lives back on track as soon as possible.

Furthermore, we don’t believe that our obligation to our clients stops there. We also give them all the information we can so that they can protect themselves after a breach, and stop a bad situation from becoming worse.

Organisations must be held to account for data breaches and their failure to protect our personal data

The sheer scale of the information we share online is enough to leave victims open to the threat of financial and identity fraud. For example, with enough data, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

But what many people don’t understand is that the emotional impact on victims can be just as devastating. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect a person’s friends, family and job.

And, in most cases, data breaches aren’t caused by scammers trying to hack big businesses, but by organisations not taking data protection seriously resulting in simple human errors.

With hacks and breaches happening more and more often, something has to be done to make companies accountable for such loss and anguish. So, claiming compensation isn’t just in the best interests of victims – it could also be the only way to ensure that organisations implement more secure processes.

Perhaps it’s time to turn the spotlight on those businesses not doing enough to meet their legal obligations under the GDPR?


Data breach help & support

Most of us use the internet to help make our day-to-day lives better. But despite its benefits, the more information we put online, the more likely it is that something will go wrong. At Hayes Connor, our expert solicitors deal with a significant number of data breach cases every day. During our work, we see many different types of claims. So we understand how data breaches can affect people in different ways. If you have suffered because of a data breach – regardless of whether this was caused by cybercriminals or human error – it’s essential that you get the data breach help you need to get you through this difficult time.

We are committed to reducing the number of data privacy violations and to supporting victims wherever we can. Here is a list of websites you can turn to for data breach help, advice and support – before, during and after a data breach.

Where to get data breach help & support

Victim Support

Victim Support is the leading independent victims’ charity in England and Wales. It helps people affected by crime and traumatic incidents. Last year it offered support to nearly a million victims of crime across the UK.

Hayes Connor is working with Victim Support to help those affected by cybercrime and data breaches. Ultimately, it’s about ensuring victims have access to the support they need when they need it. Victim Support and Hayes Connor also help to raise awareness of the threat to keep people safe online.

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is an independent authority, set up to uphold information rights in the public interest, and to promote openness by public bodies and data privacy for individuals. While the ICO does not award compensation, it does have the power to impose hefty fines on organisations in breach of their duties. You have the right to ask the ICO to assess if an organisation breached the Data Protection Act.

At Hayes Connor Solicitors we often work with the ICO to gather as much evidence as possible to help our clients succeed.

Action Fraud

Action Fraud is the UK’s national reporting centre for fraud and cybercrime. Victims of online offences such as scams and financial/identity fraud should contact Action Fraud to report their loss. You can do this online or via telephone.

For any other form of cybercrime such as online stalking, harassment, or fears about sexual grooming, you should contact the police directly.

National Cyber Security Centre (NCSC)

The NCSC is helping to make the UK the safest place to live and work online.

It supports the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public. When incidents do occur, it provides effective incident response to minimise harm, help with recovery, and learn lessons for the future.

Cyber Aware

Cyber Aware is a cross-government awareness and behaviour change campaign. It aims to help small businesses and individuals to adopt simple, secure online behaviours to help protect themselves – and their customers – from cybercriminals.

Cyber Essentials

Cyber Essentials is a government-backed scheme that helps to protect organisations, whatever their size, against a whole range of the most common cyber-attacks.

Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety. It contains lots of helpful guidance to protect you and your data from the threat of fraud, identity theft and abuse.

Have I Been Pwned

Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised.

Net Aware

Created by the NSPCC and O2, Net Aware provides simple, no-nonsense guidance to parents and guardians on the social networks their kids use. It helps parents and guardians stay up to date and keep their children safe in today’s digital world.

No More Ransom Project

Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. The No More Ransom Project has created a repository of keys and applications that can decrypt data locked by different types of ransomware. It also has advice on how to protect you from this threat in the first place.

Take Five To Stop Fraud

Take Five offers straightforward and impartial advice and helps everyone in the UK to protect themselves against financial fraud.

Hayes Connor Solicitors

If you need data breach help, at Hayes Connor, we have created a wealth of advice, news and other resources to raise awareness of the importance of data protection. We encourage individuals and organisations across the UK to use this information to help keep everyone safe.

Alternatively, for more data breach help and advice, follow us on Twitter and Facebook.

If you have been the victim of a data breach or cyber fraud, you can also contact us to find out how we can help you to recover any losses.


Is your local council doing enough to protect your data?

Wokingham Council has suffered its fifth data breach in a year. This demonstrates why more and more residents are looking to sue for breach of data protection.

The latest data breach happened when a woman had her benefit payment details leaked to another resident. Just a month earlier, the council had to apologise after a sex abuse victim had her data shared with her attacker. This happened not once but twice and could have caused significant upset and harm for the victim.

Worryingly, when talking about the failures, the council’s customer service team said that “it happens”.

A spokesperson for the council has since apologised for the data breaches. And the local authority is implementing measures to safeguard sensitive information.

But, people have the right to expect that councils across the UK have already established robust privacy processes. Why do people have to sue for breach of data protection before councils give this issue the attention it so obviously needs?

Local authority data breaches

The truth is, at Hayes Connor we know that councils are neglecting people’s privacy all the time.

For example:

Local governments must do better if they don’t want people to sue for breach of data protection

Despite the threat of crime, all too often it is human error that is to blame for council data breaches. And, while in many cases local councils argue that the violations are “low risk”, we believe that playing down the risk is the wrong approach to take.

Instead, councils must understand the harm caused when they don’t look after our data correctly. The impact of such negligence can’t be underestimated.

Just having access to an individual’s name and address can result in financial fraud and/or identity fraud. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is no harm done. A data breach can also lead to distress and psychological trauma.

What’s more, even if nothing has been done with that information as yet, it doesn’t mean the data is safe. Working exclusively on data breach and cybercrime cases, it has become clear to our solicitors that the impact and losses people sustain following a data privacy violation are not always immediately apparent. We see instances where the effects only became clear months later.

What can you do to stop a breach of data protection from happening to you?

If you are concerned that your data might be put at risk by a local authority, you can ask for a copy of the data the council holds about you. This is called a subject access request (SAR).

This won’t guarantee that an error doesn’t result in your information being exposed, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Our local governments were hit by almost 100 million cyber-attacks over five years. And one in four council systems were successfully breached. But, while the threat of cybercrime is something that the public sector needs to take seriously, it must also do more to address the issue of human error.

Waiting until a data breach happens is simply not good enough.

For advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud and you want to sue for breach of data protection, contact us. We will answer any questions you might have and discuss your case in more depth.


Home Office guilty of EU Settled Status data breach

In a recent blog, we looked at how an administrative error by the Home Office exposed the email addresses of hundreds of Windrush migrants. And the department hasn’t learned from its mistakes. An EU Settled Status data breach has now endangered the details of hundreds of EU citizens in the UK.

EU Settled Status data breach

In the latest “administrative error”, the Home Office failed to conceal email addresses in a group communication. This email was sent to applicants of the EU Settled Status scheme. The controversial scheme allows EU nationals and their families to secure their rights in the UK after Brexit.

In total around 240 email addresses were revealed.

The breach happened on Sunday 7 April. It occurred because the department failed to use the ‘bcc’ function when sending a bulk email, so every recipient could see the other applicants’ addresses. The breach is likely to have made a stressful situation even worse, particularly as these applicants had already faced technical difficulties while trying to keep their rights in the UK.

The Home Office has since apologised to those affected. The Information Commissioner’s Office (ICO) is aware of the breach. It will now decide whether or not to launch a full inquiry.

What have people said about the EU Settled Status data breach?

Nicolas Hatton, from the 3 Million campaign group, said: “It feels like it adds insult to injury”. Meanwhile, one recipient of the email told the BBC that she was outraged and was considering returning to Germany.

Shadow Home Secretary Diane Abbott said: “Data breaches are now a matter of routine, while all those who are unfortunate enough to have to deal with the Home Office face a combination of indifference, incompetence and the hostile environment.”

Conservative MP Alberto Costa has called on the Government to scrap the “morally repugnant” system.

What can you do if you have suffered because of the EU Settled Status data breach?

Experiencing a data breach can result in significant stress and anxiety. And this can lead to a diagnosable psychological injury.

For people who are already worried about their rights being removed following Brexit, knowing that their personal information has been violated could be particularly distressing.

If you have suffered damage or distress caused by the EU Settled Status data protection breach you could have a right to claim compensation. To find out how we can help you recover any losses, contact us to discuss your case.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.


New standards for online services will help to protect children’s personal data

In our digital age, all parents and guardians worry about whether their children are protected online. In response, the Information Commissioner’s Office (ICO) has introduced a new set of standards that all online services must meet to safeguard children’s personal data.

Who does the new code apply to?

This code of practice sets out what is expected of those responsible for designing, developing or providing online services likely to be accessed by children. This includes apps, connected toys, social media platforms, online games, educational websites, streaming services, etc.

However, the code is not restricted to services specifically directed at children. It also applies to online services that process the personal and sensitive data of children.

What could happen if these standards are not met?

The code states that the best interests of the child should be a primary consideration when designing and developing online services. Or, put simply, that privacy must be built in, not bolted on.

Once law, online service providers will have to follow the code. They will also have to demonstrate that they use children’s data fairly and in compliance with data protection legislation. Those that don’t could face a hefty fine and be ordered to stop what they are doing.

Failure to adhere to these standards could also result in data protection compensation claims being made against online service providers.

What are the proposed standards to ensure children’s personal data is protected?

There are 16 standards that organisations will be obliged to follow:

  1. Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child
  2. Age-appropriate application: Consider the age range of your audience and the needs of children of different ages. Apply the standards in this code to all users, unless you have robust age-verification mechanisms to distinguish adults from children
  3. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated
  4. Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice
  5. Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies)
  6. Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  7. Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate
  8. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child
  9. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to off at the end of each session
  10. Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored
  11. Profiling: Switch options which use profiling off by default (unless you can demonstrate a compelling reason for profiling, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  12. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
  13. Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable compliance with this code
  14. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns
  15. Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development needs. Ensure that your DPIA builds in compliance with this code
  16. Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code.

Age appropriate design

Age appropriate design: a code of practice for online services has been published for consultation. The code is out for consultation until 31 May. The final version will be laid before Parliament. It is expected to come into effect before the end of the year.

Children’s personal data must be protected

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. So we welcome the new standards.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you or your child has been the victim of a data breach, contact us to discuss your case in more depth.



Beware of using unauthorised IT systems at work

Human error is the leading cause of data breaches. So, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses boost their information security. One of its tips is to use only authorised IT systems.

At Hayes Connor, we’re sharing some of the tips included in this toolkit. In doing this, we hope to raise awareness of this issue. We also want to help organisations across the UK improve their data protection processes.

Tip: All the information you work with has value. Only use authorised IT systems.

The risk of using unauthorised systems

It is easier to keep confidential data safe if it is processed and accessed via authorised IT systems. On the other hand, systems that are not effectively managed will be vulnerable to attack. In many cases, the resulting breaches are entirely preventable.

Quick tips

Here are some tips to help employers keep their data safe.

  • Put strict policies and procedures in place to ensure the safe processing of information, both in and out of the office
  • Establish what devices and applications are allowed to access your network, and where, when, and how the network can be accessed
  • Make sure employees understand the penalties for breaching the policy
  • Implement tools to protect data on mobile devices. For example, two-factor authentication (2FA) and password controls
  • Make sure you can remove sensitive data from mobile devices remotely
  • Make sure that all staff receive regular data protection training
  • Make sure employees understand the potential consequences of breaching data protection laws.

Even authorised IT systems can be hacked if not managed properly. For example, Equifax’s failure to patch a server flaw resulted in hackers stealing the data of 143 million US citizens and up to 15 million Brits. This sensitive information included email addresses, passwords, driving licence numbers and phone numbers.

So employers should also make sure that they:

  • Only use supported software, operating systems, web browsers and apps
  • Develop and implement policies to update and patch systems regularly
  • Create and maintain hardware and software inventories
  • Keep track of the version and patch status of all software
  • Deploy tools to help identify unauthorised hardware or software
  • Make sure that any functionality or app that doesn’t support a business need is removed or disabled
  • Conduct regular vulnerability scans
  • Establish configuration control and management policies for all systems
  • Disable unnecessary devices
  • Prevent removable media access
  • Ensure that regular users can’t install or disable any software or services
  • Limit privileged user functionality.

Under the GDPR, businesses must process personal data securely by means of ‘appropriate technical and organisational measures’.

Find out more about how to do this on the ICO’s website.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your information safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you. Or give us a call on 0151 363 5895 to discuss your case in more depth.