Top story
Data Protection and Digital Information Bill delayed
Whilst the second reading of the Data Protection and Digital Information Bill had been scheduled for 5th September 2022. However, with the change of leadership of the Conservative Party, the reading has been postponed to allow the new Prime Minister and her Ministers to review the Bill to see if it aligns with their new policy priorities. We await news of what will happen next, and when. As a quick recap, the Bill amends existing UK data protection and direct marketing, cookies and tracking legislation as well as a host of other areas. Many of the amendments improve the position in the UK but lead to greater disparity between UK law and EU law.
Governmental and Regulatory Activity:
ICO publishes draft guidance on privacy enhancing technologies
The ICO has published chapter 5 of its draft anonymisation, pseudonymisation and privacy enhancing technologies guidance, which focuses on privacy enhancing technologies (PETs). PETs are technologies that can help organisations share and use personal data securely, including by minimising the amount of data used and by encrypting or anonymising the information.
They are already used by financial organisations, e.g. when investigating money laundering, and by the healthcare sector to improve public services.
The first half of the draft guidance is called 'How can PETs help with data protection compliance?' and sets out:
- What are privacy-enhancing technologies (PETs)?
- How do PETs relate to data protection law?
- What are the benefits of PETs?
- What are the risks of using PETs?
- What are the different types of PETs?
- Are PETs anonymisation techniques?
- When should we consider using PETs?
- How should we decide whether or not to use PETs?
- How do we determine the maturity of a PET?
The second half is called 'What PETs are there?' and explains:
- the different types of PETs;
- when it is appropriate to use each type; and
- the related risks.
DWF Solutions: if you'd like our advice on any aspect of anonymisation or pseudonymisation, including the use of PETs, please let us know.
EHRC publishes guidance on AI in public services
The Equality and Human Rights Commission (EHRC) has published guidance on artificial intelligence (AI) in public services which includes:
- an overview of what AI is;
- the benefits of AI, including more informed and consistent decision-making, while reducing the likelihood of human error;
- the risks of AI, including discrimination due to biased data;
- guidance on how the Public Sector Equality Duty applies when a public body uses AI; and
- a checklist for public bodies in England and non-devolved and cross-border public bodies.
The guidance flags that inappropriate use of AI may breach other laws, including human rights and data protection law.
DWF Solutions: if you'd like us to advise on your organisation's use or proposed use of AI, whether in the public or private sector, then let us know. We can support you in conducting a data protection impact assessment (DPIA) and identifying and mitigating the risks.
First organisation approved under UK GDPR certification schemes
The ICO has reported that ADISA has approved the first company under its UK GDPR certification scheme. Certification schemes are a way to demonstrate compliance with the UK GDPR. There are currently three ICO-approved UK GDPR Certification schemes:
- ADISA ICT Asset Recovery Certification;
- Age Check Certification Scheme; and
- Age Appropriate Design Certification Scheme.
DWF Solutions: please let us know if you'd like us to advise on whether it would be useful to seek certification under a UK GDPR certification scheme.
Department for Education publishes updated privacy notice model documents
The Department for Education (DfE) has updated its privacy notice model documents, which comprise the following model privacy notices for use by schools and local authorities (LAs) to issue to staff, parents and pupils about the collection of data:
- Explanation of privacy notices;
- Privacy notice: suggested text for pupils;
- Privacy notice: suggested text for school workforce;
- Privacy notice: suggested text for school and trust governance roles;
- Privacy notice: suggested web text for a local authority; and
- Privacy notice: suggested text for looked-after children and children in need.
These templates provide suggested wording that schools and local authorities may wish to use and are drafted to comply with the UK GDPR and the Data Protection Act 2018. However, the guidance states that schools and LAs must review and amend them to reflect local needs and circumstances.
DWF Solutions: if you'd like us to review your privacy notices to ensure that they comply with the law, including the requirement to provide information clearly and transparently, and reflect your use of personal data then let us know.
European Commission adopts proposal for Cyber Resilience Act
The European Commission has adopted a legislative proposal for a 'Cyber Resilience Act', establishing cybersecurity requirements for products with digital elements placed on the EU market, whose use includes a logical or physical data connection to a device or network. The proposed legislation imposes obligations on various parties in the supply chain, in particular on manufacturers. These include obligations to:
- ensure that any product within the Act's scope is designed, developed and produced in accordance with a list of essential cybersecurity requirements, and evidence this by undertaking a conformity assessment procedure;
- provide security support and software updates to address identified vulnerabilities throughout the whole lifecycle of the product;
- provide technical documents and user information with their products, including a cybersecurity risk assessment; and
- comply with a number of external reporting requirements, including notifying ENISA (the EU Agency for Cybersecurity) of any actively exploited vulnerability contained in their product or any incident having an impact on the product's security.
Each member state will have powers to:
- carry out evaluations;
- impose corrective action;
- withdraw or recall non-compliant products; and
- issue fines.
The proposed law will apply to any manufacturer or distributor who places products on the EU market, meaning that UK businesses who operate in the EU will be caught. The UK has recently announced similar plans to regulate the cybersecurity of consumer connectable products under its proposed Product Security and Telecommunications Infrastructure Bill. We will monitor the progress of both proposals and provide updates in future issues of DWF Data Protection Insights.
Regulatory Enforcement and Litigation
EDPB to focus coordinated enforcement on DPO appointments
The European Data Protection Board (EDPB) has announced that its second coordinated enforcement action will focus on the designation and position of the data protection officer (DPO). This means that the supervisory authority of each EEA member state, plus the European Data Protection Supervisor, will launch investigations at national level, and the results will be bundled and analysed.
While the UK will not participate in this coordinated enforcement, the DPO requirements under the UK GDPR are at present the same as those under the EU GDPR and state that you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
The GDPR and UK GDPR set out requirements about the DPO's role, including the requirement that if the DPO also performs another role in your organisation, this must not result in a conflict of interest. The Data Protection and Digital Information Bill contains proposals to reform these requirements under UK law, but the Bill has been put on hold following the appointment of the new Prime Minister and Secretary of State for DCMS.
ICO fines retailer for sending unsolicited marketing emails
The ICO has fined a retailer £30,000 for sending 498,179 unsolicited marketing emails to people without their consent.
The ICO received complaints in relation to a direct marketing email about a government voucher scheme, which allowed people to use a voucher towards the cost of certain repairs. The retailer sent a marketing email encouraging people to book a free assessment and to redeem the voucher at the retailer's store of their choice.
The ICO investigation found that:
- the retailer's email clearly advertised a service provided by the company;
- it could not rely on legitimate interest as an alternative to consent to send the marketing email, as the Privacy and Electronic Communications Regulations (PECR) require consent; and
- it could not rely on the soft opt-in exemption under PECR for customers that received the email, as they had already opted out of, or chosen not to opt in to, marketing emails from the company.
DWF Solutions: Running direct marketing campaigns in accordance with the law can be difficult, as you need to comply with both the UK GDPR and PECR. Please let us know if you'd like us to advise on your marketing plans or indeed on any enforcement action you receive notice of.
ICO takes action against two government departments for failing to comply with FOIA
The ICO has announced that it has issued an enforcement notice to the Department for International Trade (DIT) and a practice recommendation to the Department for Business, Energy and Industrial Strategy (BEIS) for persistent failures to respond to information access requests within the statutory time limit.
The enforcement notice is the first one issued by the ICO under the Freedom of Information Act 2000 (FOIA) for seven years. This action comes under the ICO’s renewed approach to regulating FOIA which commits to taking action against public authorities with consistently poor performance. The approach is set out in the ICO’s new FOI and Transparency Regulatory Manual and strategic plan, ICO25.
The Information Commissioner, John Edwards, made a statement in which he said 'I advise public authorities to take note and learn lessons from the action we have taken today, as we will be making greater use of our powers under the Act to drive good practice and compliance.'
Former health adviser found guilty of illegally accessing patient records
A former health adviser has been found guilty of accessing the medical records of 14 patients without a valid legal reason. Speaking about the case, the ICO's Director of Investigations urged organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.
While the individual was ordered to pay a total of £3,000 in compensation, incidents like this can result in bad publicity and a lack of trust in your organisation, as well as the risk of vicarious liability for the individual's actions with some limited exceptions.
ICO issues TikTok with notice of intent for failing to protect children’s privacy
The ICO has announced that it has issued TikTok with a 'notice of intent': a step which precedes a potential fine. The notice sets out the ICO’s provisional view that TikTok may have breached UK data protection law in the following ways:
- processed the data of children under 13 without appropriate parental consent;
- failed to provide proper information to its users in a concise, transparent and easily understood way; and
- processed special category data without legal grounds to do so.
The ICO has emphasised that its findings in the notice are provisional and no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. The ICO will carefully consider any representations from TikTok before taking a final decision.
DWF Solutions: if your organisation is processing children's personal data and you would like us to advise on whether you are complying with the law, please let us know.
For advice on any aspect of data protection law, please contact one of our privacy specialists.