Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)
Guidance on the right of access
On 21 October the ICO published its guidance on the right of access, including dealing with data subject access requests (DSARs). The draft guidance was published for consultation in December 2019 and has now been updated in three key ways:
1. Stopping the clock for clarification – one issue on which the ICO received a lot of feedback was that seeking clarification on requests often didn’t leave enough time to respond. As a result, their position now is that, in certain circumstances, the clock can be stopped while organisations are waiting for the requester to clarify their request.
2. What is a manifestly excessive request? – to combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance and broadened its definition. The guidance now states that an organisation should consider:
- the nature of the requested information;
- the context of the request, and the relationship between you and the individual;
- whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
- your available resources;
- whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed (you need to consider the nature of the data, e.g. whether it is particularly sensitive and whether you have updated the data since the previous request); or
- whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
- assessing whether or not you are processing the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response to the individual, including contacting the individual to inform them that you hold the requested information (even if you are not providing the information).
- photocopying, printing, postage and any other costs involved in transferring the information to the individual (e.g. the costs of making the information available remotely on an online platform);
- equipment and supplies (e.g. discs, envelopes or USB devices); and
- staff time.
DWF offers a solution called DSARs Resolved for clients who receive DSARs or want to put in place processes to deal with them. This is a configurable, tailored solution to meet the client's needs, based on our process. The stages involve triaging the request, checking identity and authority and exemptions, through to reviewing and redacting the personal data located, and finally sending it to the individual. If you would like to discuss how DWF can support your DSAR process, please contact JP Buckley.
Draft statutory guidance on the ICO's regulatory action
On 1 October the ICO published draft statutory guidance on its regulatory action for consultation. This provides guidance on how the ICO will take regulatory/enforcement action against organisations which breach data protection law, including:
- Information notices - formal requests to provide the ICO with information, within a specified timeframe, to assist it with its investigations. The guidance explains when the ICO will issue an information notice and what action it will take if the recipient does not respond on time.
- Assessment notices - notices issued to a data controller or processor to allow the ICO to consider whether they are compliant with data protection legislation. The notice may, for example, require the data controller or processor to give the ICO access to premises and specified documentation and equipment. As above, the guidance explains when the ICO will issue an assessment notice and what action it will take if the recipient does not respond on time, but it also provides detailed information about how the ICO conducts assessments of documents, inspections, examinations and interviews, and what happens at the end of the assessment.
- Enforcement notices – these require an organisation to take action or stop action (e.g. data processing or transfer) to remedy a breach, bring about compliance or both. If the organisation fails to comply, the ICO may proceed to issue a penalty notice.
- Penalty notices - formal documents issued by the ICO when it intends to fine an organisation for a breach of data protection law. The guidance sets out a nine-step approach to calculating a penalty and provides a table setting out its starting points for the different categories of breach. While in the run-up to the GDPR much was made of the power to impose penalties of up to 4% of turnover, the ICO's starting point for breaches of a low level of seriousness and culpability is only 0.125%. This will then be adjusted to reflect any aggravating or mitigating features, financial means, the economic impact on the relevant sector, and the factors of effectiveness, proportionality and dissuasiveness and will be reduced by 20% for early payment.
While the draft guidance provides some useful information, your organisation's key priorities should be seeking to ensure that enforcement action is not necessary, through compliance and accountability (being able to demonstrate your compliance). DWF's data protection specialists can support you with all areas of compliance, including mapping your data processing and sharing and identifying the lawful basis for each activity to ensure that it is compliant, and assisting you to design and keep appropriate records so that you can comply with the accountability principle.
ICO report on data security incident trends
The ICO has published a report on the data security incidents reported to it in Q1 2020-21. While over half of the incidents were cybersecurity incidents (e.g. malware, phishing, ransomware and unauthorised access), the remainder were non-cyber incidents, such as sending data to the wrong recipient, failing to redact, failing to use bcc and loss of documents or hardware.
- Consider metadata when redacting information.
- Check all data has been redacted and is not reversible before releasing.
- Get someone to double check redactions.
Many of these types of incident can be avoided or at least significantly reduced by putting in place robust workplace data protection policies, training your workers on them and monitoring their compliance. Please contact one of our data protection specialists if you would like us to draft your policy, or to review and advise on updating your existing policy.
ICO data protection and coronavirus information hub
The ICO is continuing to expand and update its data protection and coronavirus information hub, which provides advice on how to navigate data protection law during the pandemic. This month it has aimed to simplify its guidance on contact tracing by adding five simple steps for business:
- Ask for only what’s needed
- Be transparent with customers
- Carefully store the data
- Don’t use it for other purposes
- Erase it in line with government guidance
While this is obviously a much-simplified version of their more detailed advice, it does provide a useful and easy to remember overview of the key principles that form the basis of data protection law: data minimisation, transparency, integrity and confidentiality, purpose limitation and storage limitation.
EDPB guidelines on data protection by design and by default
On 20 October the EDPB adopted a final version of its guidelines on data protection by design and by default. The guidelines (the draft version of which was published in November 2019) provide some useful practical guidance on how to comply with a rather esoteric principle. We will report in more depth on the final version in a future issue of DWF data protection insights.
Enforcement action
ICO enforcement
Sending marketing emails without consent
The ICO has fined a software consultancy £40,000 for sending up to 9,000 marketing emails advertising face masks which the consultancy was seeking to sell at a profit. The firm did not have the recipients' consent, so was in breach of the Privacy and Electronic Communications Regulations 2003 (PECR). This fine demonstrates the ICO's continuing focus on enforcing PECR and taking action against organisations which seek to exploit the pandemic.
The ICO has fined a claims management company £250,000 for breaching PECR by making 15.1 million nuisance calls (of which 1.1 million connected) about services such as mis-sold PPI.
Breach of the transparency principle
The ICO has also issued an enforcement notice against a credit reference agency for the following breaches of the GDPR:
- failure to be transparent with individuals about how their personal data was being used;
- using personal data provided in order to provide their statutory credit referencing function for marketing purposes; and
- using certain lawful bases for processing incorrectly.
- using a well-drafted privacy notice tailored to your organisation which clearly explains how you are using personal data;
- only using the data as set out in the notice; and
- identifying the most appropriate lawful basis for each processing activity and observing the relevant conditions.
Industry news
European Parliament legislative initiative on artificial intelligence (AI)
On 20 October the European Parliament published a press release announcing (among other items) a legislative initiative urging the EU Commission to present a new legal framework outlining the ethical principles and legal obligations to be followed when developing, deploying and using AI, robotics and related technologies in the EU including software, algorithms and data. The press release states that:
- Future laws should be made in accordance with several guiding principles, including: a human-centric and human-made AI; safety, transparency and accountability; safeguards against bias and discrimination; right to redress; social and environmental responsibility; and respect for privacy and data protection.
- High-risk AI technologies, such as those with self-learning capacities, should be designed to allow for human oversight at any time. If a functionality is used that would result in a serious breach of ethical principles and could be dangerous, the self-learning capacities should be disabled and full human control should be restored.
UK government advice on using personal data in your business or other organisation after the transition period
On 16 October the government published advice on what action you need to take regarding data protection and data flows with the EU/EEA after the end of the transition period. This covers:
Receiving personal data from the EU/EEA
While the guidance states that the government is confident that an adequacy decision can be concluded before the end of the transition period, if this is not achieved then businesses need to put in place an alternative transfer mechanism, usually standard contractual clauses.
Receiving personal data from third countries covered by an adequacy decision
The government guidance provides a link to information published by the ICO about data transfers to the UK from the countries outside the EU/EEA which have received an adequacy decision: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, which was a partial adequacy decision for the USA, has been declared invalid, so the USA is not included. The ICO states that UK officials are working with these countries to make specific arrangements for transfers to the UK where possible and provides a list of links to the latest information on specific arrangements in each territory (except Andorra).
Appointing EU-based representatives
The guidance includes a reminder that some UK organisations will need to appoint EU representatives. This applies to UK-based controllers and processors:
- with no offices, branches or other establishments in the EEA; but
- which are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
In the September 2020 issue of DWF data protection insights, we reported on the uncertainty surrounding whether the UK will receive an adequacy decision. This uncertainty has increased during October, in part because of the Court of Justice of the EU ruling on 6 October that the UK's surveillance practices are unlawful.
Please contact one of our data protection specialists if you want to discuss your organisation's preparations, for example putting in place appropriate safeguards for the transfer of personal data between the UK and the EU and vice versa, or appointing an EU representative. We can help strategically with those, as well as by delivering mass contract updates through our group business DWF Mindcrest.