DWF Data Protection Insights August 2021

This month's highlights include:

• the ICO's publication of its draft international data transfer agreement (IDTA); and
• the UK government's publication of its post-Brexit global data plans.

Webinar: Personal Data Transfers: A Practical Guide to the new Standard Contractual Clauses

• The structure of the SCCs and how to select the correct modules for your transfer;
• The obligations, risks and liabilities the SCCs create for your business;
• How to incorporate the new SCCs into your template data processing clauses;
• How to address the diverging approaches to UK and EU originating transfers in your contractual arrangements;
• The practical and organisational measures you will need to have in place to support your reliance on the new SCCs;
• How to undertake Transfer Impact Assessments;
• What the new SCCs mean for existing data transfers on the old SCCs; and
• How to approach repapering suppliers and partners with the new SCCs.

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)

ICO guidance and news

ICO publishes consultation draft of International Data Transfer Agreement and guidance

The ICO has published a consultation draft of its draft international data transfer agreement (IDTA), which will replace the Standard Contractual Clauses (SCCs) for personal data transfers out of the UK.  Read our summary of the key points here.

ICO publishes public sector direct marketing guidance

The ICO has published new guidance on direct marketing and the public sector.  Click here to read our summary of the key points.

ICO approves first UK certification schemes

On 19 August the ICO announced that it has approved the criteria for three certification schemes. Certification was brought in under the GDPR (and now the UK GDPR) as a way to help organisations demonstrate compliance with data protection rules and inspire trust and confidence in the people who use their products, processes and services. Certification works by providing a framework for organisations to follow, which offers clients and customers assurance that they are adhering to strong standards. Organisations with expertise in a particular area can develop scheme criteria.

The three schemes for which criteria have been approved are:

• ADISA has developed a standard for ensuring that personal data has been handled appropriately when IT equipment is re-used or destroyed; and
• Age Check Certification Scheme (ACCS) has developed criteria for two schemes: the first relating to age assurance and the second looking at children’s online privacy.

As we reported in our recent article Data protection update: A focus on children one of the ICO's top priorities is protecting children online, and the ACCS schemes will support this objective.

If you require advice about seeking certification under one of these schemes or developing a new certification scheme, please contact one of our data protection specialists.

ICO blog post: As the Children’s code comes in – what’s next?

The ICO has published a blog post reminding organisations that the Children's code transition period expires on 2 September and the code comes fully into force.  The post states that the ICO has identified that some of the biggest risks come from social media platforms, video and music streaming sites and video gaming platforms.  The risks include:

• inappropriate adverts;
• unsolicited messages and friend requests; and
• privacy-eroding nudges urging children to stay online.

The ICO states that it will:

• be proactive in requiring organisations in the high-risk sectors identified above to tell the ICO how their services are designed in line with the code;
• identify areas where the ICO may need to provide support;
• should the circumstances require, investigate or audit organisations; and
• set out its position on age assurance (age verification or estimation) in the autumn.

ICO call for views on employment practices

On 12 August the ICO launched a call for views on data protection and employment practices.  The ICO announcement states that the ICO is planning to update its existing employment practices guidance with a new, more user-friendly online resource which reflects the changes in the way employers use technology and interact with staff, including new technology such as artificial intelligence, machine learning, monitoring technologies, and the impact of the pandemic, including remote working and obtaining health data.

The call for views asks whether responders agree that the new guidance should retain the following topic areas from the existing employment practices code:

• Recruitment, selection and verification
• Employment records
• Monitoring at work
• Information about workers' health

The call for views also asks:

• What changes to data protection law responders think that the guidance should focus on, in relation of each of the above areas;
• What other developments that are having an impact on employment practices should the ICO address in future guidance?  The ICO gives the examples: other legal changes, technological developments, cultural changes and the impact of the pandemic; and
• Are there any case studies or scenarios responders would like to see include in the guidance?

The consultation closes on 21 October.  We will watch out for any updated guidance and report in future issues of DWF Data Protection Insights.  In the meantime, if you require advice on any aspect of collecting or using your employees' personal data, please contact one of our specialist data protection lawyers.

ICO response to European Commission's proposal for AI act

On 6 August the ICO published its response to the European Commission's proposal for a regulation laying down harmonised rules on artificial intelligence (AI).  Read our overview of the proposal here.  The ICO welcomes the proposal, and states that, following the UK's exit from the EU, it will continue to engage with its EU partners.

We will monitor the progress of the Commission's proposal and its impact on UK businesses and report in future issues of DWF Data Protection Insights.

Enforcement action

ICO enforcement

ICO fines company for illegal pensions calls

The ICO has fined a company £50,000 for calling people about their pension schemes in breach of the Privacy and Electronic Communications Regulations (PECR).  The ban on pensions cold calling came into force in 2019 and makes it illegal for companies to call people about their pensions schemes except where:

• the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme; and
• the recipient of the call consents to calls, or has an existing relationship with the caller.

The ICO received 16 complaints about the company, which admitted to making 96,187 calls.  The company had sourced the data for its calls from a third-party data supplier, which had obtained the data from various websites.  These websites required users to agree to possible marketing from a long list of sectors/organisations without giving them the option to select which, if any, they were happy to receive marketing from.  This meant that the company did not have informed consent from the people it called.

ICO fines nuisance call blocker company for illegal marketing calls

The ICO has fined a company which sells nuisance call blocking systems £170,000 for making nearly 200,000 unsolicited direct marketing calls to customers registered with the Telephone Preference Service (TPS).

These decisions provide a useful reminder of three points:

• the fairly recent introduction of the restriction on pensions cold calls;
• the need to exercise caution when using data sourced from a third-party supplier, to ensure that consent was obtained to the standards required by the GDPR; and
• the need to screen marketing lists against the TPS.

As reported in a number of previous issues of DWF Data Protection Insights, the ICO is continuing to focus its enforcement activity on PECR breaches.  If you need advice on ensuring that your direct marketing campaigns comply with data protection law, including PECR, please contact one of our specialist privacy lawyers.

ICO's first GDPR fine reduced by 2/3 on appeal

As above, the ICO has focused its enforcement activity on PECR rather than the GDPR.  However, in 2019 it fined a pharmacy £275,000 for careless handling of sensitive personal data, including storing documents in unlocked containers in a rear courtyard.  This fine has now been reduced to £92,000 by the First-tier Tribunal, on the basis that the breach was less serious than the ICO's assessment.

Industry news

UK government publishes post-Brexit global data plans

On 26 August DCMS (the Department for Digital, Culture, Media and Sport) announced that it is launching a package of measures intended to "seize the opportunities of data to boost growth, trade and improve public services".  These measures include:

• Prioritising "data adequacy" partnerships, firstly with the United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre (DFIC) and Colombia, and then with India, Brazil, Kenya and Indonesia.
• Naming the New Zealand Privacy Commissioner John Edwards as its preferred candidate to be the UK's next Information Commissioner (subject to the approval of the DCMS Select Committee and the Queen).  The announcement refers to the government's stated aim of empowering the Information Commissioner to promote the responsible use of data to stimulate innovation and economic growth.
• Improving the UK's data protection regime to make it more ambitious and innovation-friendly, while remaining underpinned by secure and trustworthy privacy standards.

While the announcement does not refer to cookies, it has been reported that the Digital Secretary, Oliver Dowden, has said that reforming the rules on cookie banners could be the new regime's first target.

DCMS states that in the coming weeks it will launch a consultation on changes to break down barriers to innovative and responsible use of data.  This consultation is expected to include the role of the ICO.

We will of course follow developments closely and report further in future issues of DWF Data Protection Insights.

FOI update: DCMS guidance on public authorities' information and records management

DCMS has issued an updated Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000.  Read our overview of the key points here.