Click here if you would like to read about how our data protection specialists can support you with critical Data Protection and Cyber Security issues.
Click here to read our data protection specialists' legal insight on the data protection issues which arise with working from home.
The Information Commissioner's Office (ICO) has published some FAQs. In summary, these say:
- The ICO recognises that organisations' data protection practices may not meet their usual standards or there may be a delay in responding to data subject requests. They have said that they will not penalise organisations for prioritising other areas or adapting their usual approach.
- Data protection law does not prevent increased or new types of homeworking and it does not prevent staff using their own equipment. However, you still need to consider the same kinds of security measures that you would use in normal circumstances.
- You need to keep your staff informed about cases of COVID-19 in your organisation. You probably don't need to name individuals and you shouldn't provide more information than necessary.
- While you have an obligation to protect your employees' health, you should not collect more information about them than necessary and you must protect it with appropriate safeguards. The ICO states that it’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms. It suggests that you could ask visitors to consider government advice before they decide to come, and advise staff to call 111 if they are experiencing symptoms or have visited particular countries.
- If necessary, you can share information about your employees with authorities for public health purposes. The ICO states that this is unlikely to be necessary, but data protection law would not prevent it.
- The ICO has published separate guidance for healthcare organisations
Statement of the EDPB chair
The chair of the European Data Protection Board (EDPB) has issued a statement. In summary, this:
- Echoes the ICO guidance that data protection law does not hinder measures taken to combat the pandemic.
- States that the GDPR enables employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the data subject's consent. This applies, for example, when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health, to protect vital interests or to comply with another legal obligation.
- Covers additional points about national and public security.
On 18 March, Matt Hancock tweeted: 'GDPR does not inhibit use of data for coronavirus response. GDPR has a clause excepting work in the overwhelming public interest. No one should constrain work on responding to coronavirus due to data protection laws.'
It's worth flagging that, while the GDPR does provide an exemption for processing special category data (which includes health data) if it is necessary for reasons of substantial public interest, this is subject to the Data Protection Act 2018 (DPA), which limits the purposes for which you can rely on this lawful basis. If you wish to rely on this exemption, you need to consider whether you fall within the DPA rules. It's also worth considering whether you could rely on an alternative exemption.
Contact one of our data protection specialists if you need support complying with your data protection obligations as you deal with the challenges posed by COVID-19.
Lots of companies are sending emails to their customers past and present with information about the company's response to the COVID-19 pandemic. It's worth flagging that, if you include direct marketing content in such emails, you need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR). The point is highlighted by a recent decision of the First-tier Tribunal (Information Rights), which heard an appeal by the Leave.EU campaign against a fine imposed by the ICO. The ICO's representative submitted that 'a spam sandwich nevertheless contains spam', meaning that if an email which on the face of it is sent for a different purpose (in this case, political campaigning) contains direct marketing, the Regulations still apply. The Tribunal accepted this approach.
Contact one of our data protection specialists if you would like advice on how to comply with PECR when contacting your customers.
Coronavirus Act 2020
This became law on 26 March and gives the Secretary of State the power to make regulations extending the period for which fingerprints and DNA samples may be retained by the police and security forces.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
ICO guidance on Codes of Conduct and Certification schemes
Codes of Conduct
The GDPR envisages that supervisory authorities will encourage the drawing up of codes of conduct to contribute to the proper application of the GDPR. While the GDPR became applicable nearly two years ago, codes of conduct were not available until 28 February, when the ICO launched its scheme. Organisations such as trade, membership or professional bodies can draw up a code of conduct to support compliance with data protection issues identified or specific to their sector. They can submit the code to the ICO for approval, then organisations will be able to sign up to the approved code of conduct to demonstrate their compliance with data protection legislation.
Click here to read the ICO's detailed guidance. If you’re interested in setting up a code of conduct for your sector, the ICO encourages organisations to contact them by email for an informal discussion, using the address firstname.lastname@example.org. Alternatively, please contact one of our data protection specialists if you would like us to support you in developing a code of conduct.
Certification schemes are also envisaged in the GDPR. In our January edition of DWF data protection insights, we reported that the ICO had announced that it would be working with UK Accreditation Service (UKAS) to deliver certification schemes. On 28 February the ICO published more details, of which the key points are:
- Certification is a way to demonstrate your compliance with the GDPR and enhance transparency.
- The scope of a certification scheme could be quite general and be applied to a variety of different products, processes or services; or it could be specific, for example, secure storage and protection of personal data contained within a digital vault.
- Organisations (controllers and processors) can be certified, not individuals within an organisation.
- Certification criteria should reflect the needs of small and medium-sized enterprises.
- Certification criteria are approved by the ICO and certification issued by accredited certification bodies.
- Certification will be issued to data controllers and data processors in relation to specific processing activities.
- Applying for certification is voluntary. However, if there is an approved certification scheme that covers your processing activity, you may wish to consider having your processing activities certified as it can help you demonstrate compliance to the regulator, the public and in your business to business relationships.
At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. Once the certification bodies have been accredited to issue GDPR certificates, you will find this information on the ICO and UKAS websites.
The ICO has published its submission process for the formal approval of GDPR certification criteria and it welcomes enquiries from organisations who are in the process of developing or have developed GDPR certification criteria.
Click here to read the ICO's detailed guidance on certification schemes, or contact one of our specialists if you want to discuss the best way for your business to demonstrate its compliance with data protection law.
ICO/SCC updated data protection impact assessment template and guidance
The ICO has worked with the Surveillance Camera Commissioner (SCC) to update the SCC surveillance camera specific data protection impact assessment (DPIA) template. The new template and associated guidance notes are jointly issued by the Commissioners to reflect updated data protection requirements as set out in the Data Protection Act 2018 and the GDPR as well as comply with the requirements of the Protection of Freedoms Act 2012.
Where organisations are operating surveillance cameras in public places they are required to carry out a DPIA. Organisations who are introducing new surveillance camera systems or upgrading existing systems can use the template to help them ensure they are complying with relevant legislation.
Click here for more information or contact one of our data protection specialists for advice on carrying out a DPIA.
ICO Sandbox 6 months on
In September 2019, the ICO launched the beta phase of the Sandbox, its ICO initiative to support organisations innovating using data protection by design. The ICO selected ten projects to participate, representing a range of industries and organisations looking for solutions to tackle fundamental questions for today’s society, such as:
- How can organisations work together to reduce violent crime?
- What can universities do to better support students with their mental health?
- How can new technologies improve health care?
The ICO has conducted a series of workshops with the participants, considering what additional guidance is needed to ensure that public benefits can be delivered without damaging privacy rights
The ICO has identified the following key issues:
• Realising the benefits of data in the public sector
Some participants are working to overcome historic data sharing challenges across the public sector; others have focused on the more recent challenge of how to incorporate big data. The opportunities afforded by personal data combined with powerful new technologies need to be balanced against the rights and freedoms of data subjects, considering the legal framework for processing and public expectations.
• Consent questions
The ICO is working to ensure that a common understanding is developed around consent and its various legislative definitions, to ensure that all parties understand the differences and apply the requirement for consent consistently and transparently.
The ICO has increased its understanding of the role of digital identity products for vulnerable data subjects and the practical challenges in obtaining consent from children, and those with parental responsibility.
• The challenge of new technologies
The real world application of voice biometrics and facial recognition technology (FRT) are posing some interesting challenges. The ICO has been examining how FRT can be used in situations where there are many other global standards and requirements that need to work alongside data protection law. One issue is the need to identify an appropriate basis for processing special category data in order to assess racial bias in facial recognition.
• Data analytics
The ICO has been examining how data analytics can be used in a data protection compliant manner. This has involved assessing suitable lawful bases and conditions for processing special category data, identifying data protection risks within processing and reviewing data sources that may be used in data analytics to ensure that the purpose would not be incompatible.
The ICO and the Office of the Australian Information Commissioner sign Memorandum of Understanding
The ICO and the Office of the Australian Information Commissioner have signed a Memorandum of Understanding (MoU) for Cooperation in Regulation of the Laws Protecting Personal Data. This states that the parties will collaborate as appropriate, which may include:
- Sharing experiences and exchanging best practices;
- Implementing joint research projects;
- Cooperating in relation to specific projects, e.g. children's privacy, regulatory sandboxes and AI;
- Exchanging information (excluding personal data) in relation to investigations; and
- Joint investigations in relation to cross-border incidents involving organisations in both jurisdictions.
The MoU does not relate to the sharing of personal data, either between the parties or between organisations in their respective countries. Each party must comply with applicable data protection laws. The Deputy Information Commissioner confirmed that this arrangement was part of the ICO's ongoing programme to build on its relationships with important international stakeholders.
ICO fines airline for failing to use appropriate security measures
On 4 March the ICO announced that it had fined an airline £500,000 for failing to use appropriate security measures to protect its customers' personal data, which resulted in that data being exposed. The breach had been ongoing for a number of years and affected approximately 9.4 million data subjects. The breach occurred under the Data Protection Act 1998, so the ICO imposed the highest fine permitted under that act. If a breach of similar scope and duration occurred under the GDPR, it is likely that the fine would be much higher.
DWF has a team of data protection and cyber security experts who can work with you to help prevent data breaches. One of the reasons that the ICO imposed the maximum fine was the length of time that it took the airline to resolve the breach. Please contact us if you would like us to advise on breach response strategies and policies, so that your organisation can act swiftly to address any breach that does occur.
Icelandic data protection authority fines medical centre for sending former employee box containing patients' special category data
As we wrote in the February 2020 issue of DWF data protection insights, while cyber-related data breaches are given the highest profile, it is easy for businesses to make errors involving physical data, causing a data breach. The Icelandic data protection authority has recently fined a medical centre €20,000 for sending a former employee a box of his personal belongings which also contained personal data relating to approximately 3,000 patients. The authority concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller, which was a breach of the GDPR. The personal data included health data, which falls into the category of special category data, making the breach even more serious.
All organisations should have a workplace data protection policy, which reminds all workers of their responsibilities under data protection law and what action they need to take to ensure that the organisation complies. Contact one of our experts if you want us to advise on drafting, reviewing or implementing such a policy.
Sharing children's photographs (and other personal data)
This month, the ICO has reprimanded two schools for sharing photographs of adopted children whose parents had notified the schools that they should not do so. In a blogpost, the ICO flagged that schools (although this also applies to other organisations that work with children, e.g. sports clubs and workplace crèches) should learn the following lessons:
- Photos taken for official use, such as in a prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed.
- Ensure your organisation has an appropriate procedure for handling children's images. Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions
- Make sure to report any breach to your data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
- Know what personal data the organisation holds and where. Documentation and accountability is a key part of the GDPR and an information audit or data-mapping exercise will help with this.
- Staff should be educated about the organisation’s data protection policies and procedures. These should be reiterated to them on a regular basis, such as annually or as soon as changes are made. Keep accurate and up-to-date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.
It’s important to note that data protection law is unlikely to apply in many cases where photographs are taken in schools and other institutions. If photos are taken purely for personal use, such as by parents at a sports day for the family photo album, they will not be covered by data protection legislation.
On 2 March the House of Commons Library published a briefing paper outlining the procedure for negotiations, key objectives of both parties, and possible contentious issues. This states that the EU hopes to reach a decision on data adequacy (i.e. whether personal data can be transferred from the EU to the UK without an additional safeguard) by the end of 2020, when the transition period is due to end. However, the paper recognises that there are a number of potential obstacles to an adequacy decision, including the UK surveillance regime under the Investigatory Powers Act 2016 (IPA), in particular the framework on the retention of electronic telecommunications data.
While negotiations have been hampered by the COVID-19 pandemic, we will continue to monitor developments and update you in future issues of DWF data protection insights.
On 10 March the Scottish Parliament passed the Scottish Biometrics Commissioner Bill, which is intended to provide greater oversight of how the police take, store, use and dispose of data such as DNA samples, fingerprints and facial recognition images. The bill provides for the appointment of a biometrics commissioner, who would be appointed by Holyrood and accountable to MSPs. They would prepare a code of practice and have the power to make recommendations if they believe an organisation is not adhering to the code. This could lead to the relevant body being called to account to the Scottish Parliament.
Please note that the scope of this Bill is limited to Scotland, so does not at this time extend to the rest of the UK.