In this issue
Governmental and Regulatory Activity:
- New UK approach to international data transfers
- EU review of UK data reform plans
- ICO employment guidance
- ICO guidance on direct marketing using email
- ICO consultation on how it prioritises complaints under FOIA and the EIR
Regulatory Enforcement and Litigation:
- ICO reprimands DfE for misuse of up to 28 million children's personal data
- ICO reduces Cabinet Office fine for New Year Honours data breach
- CJEU decision: Controllers must take reasonable steps to inform third parties of erasure request
Governmental and Regulatory Activity
New UK approach to international data transfers
In a further divergence from the EU approach, the ICO has published a Transfer Risk Assessment (TRA) tool along with updated international data transfers guidance. As you may recall, the Schrems II case led to the need to conduct risk assessments when transferring personal data internationally. The EU's approach, the Transfer Impact Assessment, was followed by the UK's own approach, the TRA. The TRA has now been amended in this new tool to be more risk-based, asking 6 key questions to determine the risk of the transfer. This is significantly simpler than the EU's approach – and the ICO argues that it is more achievable and means that transfers carrying more risk will have more appropriate protections applied. Further guidance on the TRA tool (and the previously published International Data Transfer Agreement and Addendum) is promised.
DWF Solutions: If we can assist with distilling the detail of this change applicable to your organisation, and/or mapping your data transfers, please get in touch with one of our specialists.
EU review of UK data reform plans
A delegation of MEPs visited the UK from 2-4 November to examine the UK's plans to reform data protection law. As we reported in DWF Data Protection Insights July 2021, the European Commission's adequacy decisions in respect of the UK are limited in time to four years, during which the Commission will monitor the UK and take action if the UK deviates from the level of protection in place. While it has been reported that the meetings between the EU and UK representatives did not go well, much depends on Rishi Sunak's government's approach to the data reforms, which were announced while Boris Johnson was Prime Minister and put on hold by Liz Truss. We will of course monitor developments closely and report in future issues of DWF Data Protection Insights. The information we have is that there will be some kind of consultation in the next few weeks, of which we eagerly await details.
DWF Solutions: While we wait to see what the Government does next, please contact us if you would like advice on the transfer of personal data between the UK and the EU, as this is the area that would be impacted by any possible withdrawal of the EU's adequacy decision for the UK.
ICO employment guidance
The ICO has recently published two sets of draft employment guidance as part of its work to update the 2011 Employment Practices Code:
- Monitoring at work guidance: read our separate article here; and
- Information about workers' health guidance, which aims to provide practical guidance about handling the health information of workers in accordance with data protection legislation and to promote good practice. The guidance applies not only to employees, but to all workers, including contractors, volunteers or 'gig' and platform workers.
The draft guidance contains the following sections:
- Data protection and worker health information
- How do we handle sickness, injury and absence records?
- What about occupational health schemes?
- What about medical examinations and testing?
- What about genetic testing?
- What about health monitoring?
- When can we share worker health information?
All these sections cover similar issues, including:
- lawful collection, processing and retention;
- the difficulty of relying on consent;
- the other lawful bases;
- the additional processing conditions for special category data;
- what you need to tell workers, including the fairness and transparency principles;
- keeping data accurate, up to date and secure;
- data protection impact assessments (DPIAs) – the guidance states that it is good practice to carry out a DPIA given the sensitive and potentially intrusive nature of processing workers' health information and it may be a requirement for some processing activities;
- automated decision making – because this guidance is about special category data, Article 22(4) of the UK GDPR applies, meaning that you must not use your workers’ health information in any automated decision-making systems unless you have the worker’s explicit consent or the processing is necessary for reasons of substantial public interest;
- organisational responsibility – this covers accountability and governance and the importance of training; and
- data sharing, including identifying whether the sharing relationship is controller-processor or controller-controller and sharing in an emergency.
DWF Solutions: Please contact one of our data protection specialists if you would like advice on any aspect of processing workers' personal data, including health data. It is a topical area and requires thought before implementing solutions or changes.
ICO guidance on direct marketing using email
To understand how the Privacy and Electronic Communications Act 2003 applies to direct marketing using email, please read our separate article here.
ICO consultation on how it prioritises complaints under FOIA and the EIR
The ICO has launched a consultation on how it prioritises complaints under the Freedom of Information Act (FOIA) and the Environmental Information Regulations (EIR). The ICO proposes to prioritise complaints where there is a clear public interest in the information that has been asked for. The consultation sets out new criteria for prioritisation, including the following tests:
- Is there a high public interest in the information requested? Does it raise a novel or clearly high-profile issue that the ICO should look at quickly? This includes:
  - Is the case subject to significant media interest (or may it be in the future, if a journalist makes the request)?
  - Does the case concern an issue that involves a large amount of public money, either nationally or in the context of the size of the public body involved? or
  - Does the requester need the information to respond to a live and significant public consultation, and is the timeframe for achieving resolution reasonable to inform the decision-making process?
- Is the requester a person or group who is raising information rights awareness, supporting vulnerable groups or raising awareness of potentially significant public interest issues? This may include requests from journalists, civil society groups and elected representatives.
- Are vulnerable people or groups significantly affected by the information requested? This may include information:
  - which covers policies, events or other matters that potentially have a significant impact on vulnerable people or groups;
  - that has a high potential impact or harm on a proportionately large number of people nationally or in a particular locality; or
  - that may directly affect the requester's health, or raises another issue that means they need a swift resolution (e.g. it may impact on treatment or is about a live court case).
- Would prioritisation have significant operational benefits or support regulated bodies, e.g. is the request:
  - novel, or could it provide the basis for guidance or support for other regulated bodies;
  - linked to a response to several similar cases, where quick resolution would help; or
  - part of a round robin request?
The consultation also sets out:
- How the ICO will apply the criteria;
- The effect of prioritisation;
- The service standards the ICO will use to measure its progress; and
- The circumstances in which the ICO can refuse to consider complaints.
The consultation is open until 19 December, following which the ICO will finalise and publish the prioritisation criteria. We will of course monitor progress and report in a future issue of DWF Data Protection Insights.
Regulatory Enforcement and Litigation
ICO reprimands DfE for misuse of up to 28 million children's personal data
The ICO has issued a formal reprimand to the Department for Education (DfE) following an investigation which revealed that a database of pupils' learning records (the learning records service database, or LRS, for which the DfE has overall responsibility) was used by an employment screening firm to check whether people opening online gambling accounts were 18. The ICO discovered that the DfE continued to grant the screening firm access to the database after the firm advised the DfE that it was the new trading name for a training provider. The use of the data in the LRS for screening meant that it was being used for a purpose other than the original purpose, which is a breach of the GDPR/UK GDPR.
The ICO has stated that this breach would have justified a fine of over £10 million, but under the ICO's new approach towards the public sector, a reprimand was more appropriate. See DWF Data Protection Insights July 2022 for more information about the ICO's new public sector approach.
DWF Solutions: The ICO's investigation indicated that this breach was caused by the DfE's poor due diligence, i.e. accepting the information about the training provider's new name without running appropriate checks. It is critical that your organisation has a clear picture of who you are sharing personal data with and what purposes it is being used for, often referred to as "data mapping". It is also essential to conduct due diligence on any third parties with whom you share personal data, whether in their capacity as processors or as controllers. DWF's specialist data team can support your organisation with all of these activities – please contact us for assistance.
ICO reduces Cabinet Office fine for New Year Honours data breach
In the November/December 2021 issue of DWF Data Protection Insights, we reported that the ICO had fined the Cabinet Office £500,000 for disclosing the postal addresses of the 2020 New Year Honours recipients online due to an IT error. The breach was caused by the Cabinet Office setting up the IT system incorrectly, and then, due to tight timescales, amending the file instead of modifying the system. At the time of the breach, there was no specific or written process in place to sign off documents and content containing personal data prior to being sent for publication. The Cabinet Office appealed against the level of the fine and, in the light of the ICO's new approach to working with public sector bodies (see above), the ICO agreed to reduce the fine to £50,000.
DWF Solutions: While the ICO's new public sector approach is likely to lead to lower fines, this is coupled with "better engagement including publicising lessons learned and sharing good practice". While the financial risk for public sector bodies may be lower, the possibility of reputational damage remains high. All organisations, in both the private and public sectors, need to manage their data governance to the standard required to prevent data breaches.
CJEU decision: Controllers must take reasonable steps to inform third parties of erasure request
The Court of Justice of the EU (CJEU) has ruled on questions relating to the withdrawal of subscriber data from an online directory and confirmed that the data controller is required to take reasonable steps to inform third parties of a data subject's request for erasure.
The CJEU confirmed that:
- Consent by a subscriber is required to include their contact details in directories published by a telecommunications operator or other directory provider. This consent must meet the GDPR requirements, but it does not necessarily require that the data subject knows the identity of all the providers which will process their personal data.
- In line with the GDPR right to erasure, subscribers must have the opportunity to have their personal data withdrawn from directories.
- The controller must then take appropriate technical and organisational measures to inform third-party controllers, namely the telecommunications operator and other directory providers, that the data subject has withdrawn their consent.
- Where a number of controllers rely on a single consent, the data subject should be able to withdraw consent by notifying any one of them.
While the UK courts are not bound by this decision, they may have regard to it.
DWF Solutions: Please contact us if you would like advice on managing data subject rights, including the right of erasure. You can read more about our rights handling support here: Cyber Security Compliance, Data Compliance | DWF (dwfgroup.com).