- Data Protection and Digital Information Bill
- DWF Data In-Depth: UK International Data Transfer Agreement and UK Addendum: An Analysis
Governmental and Regulatory Activity:
- UK and South Korea agree data adequacy agreement
- ICO updates BCR process
- Information Commissioner announces new approach to working with public authorities
- DCMS paper on regulation of AI
- Information Commissioner speaks at DPPC2022
- ICO publishes new strategic plan
Regulatory Enforcement and Litigation:
- Behind the screens: ICO calls for review into use of private email and messaging apps within government
- ICO fines NHS Trust for incorrect use of bulk email
- Interim injunction granted to restrain disclosure of CCTV footage
Our next Tech and Data Leaders Forum webinar on 10th August at 2:00pm UK time will focus on the newly published Data Protection and Digital Information Bill and how the changes to UK data protection law could impact your business in the UK and internationally. We'll review the proposals in depth, and analyse the areas of risk and benefit. You can find out more and sign up for the webinar here.
Earlier this month we published DWF Data In-Depth - 1: UK International Data Transfer Agreement and UK Addendum: An Analysis, which covers the data transfers regime applicable to UK regulated transfers of personal data. Click here to read the article – the first in our new series of DWF Data In-Depth articles.
Governmental and Regulatory Activity
On 5 July the UK government announced that it had reached a data adequacy agreement in principle with the Republic of Korea (South Korea). The European Commission has already granted South Korea an adequacy decision, but this does not apply to the UK, as it was made following the expiry of the post-Brexit transition period. UK organisations should wait for confirmation of the "adequacy regulation" from the Government before relying on this method of data transfer.
DWF Solutions: If you would like any advice on the ever-changing requirements regarding international transfers of personal data (and how the new proposed laws would change this for the UK), please contact one of our data protection specialists.
The ICO has published updated guidance and forms for organisations seeking UK binding corporate rules (BCRs). BCRs provide a mechanism for multinational groups to make intra-group personal data transfers. The key changes are:
- The guidance for both controllers and processors has been updated to take into account the Schrems II judgment and the importance of undertaking a transfer risk assessment (TRA).
- The ICO states that it has updated the process so that:
- the ICO only requests supporting documents and commitments once during the process; and
- the appropriate requirement appears in the most relevant section of the documentation pack.
- The referential table has been revised. This is the table which the applicant must complete to explain how it will satisfy the legal requirements of BCRs.
- The applicant must publish a BCR Policy to provide people with the information they need about their data and how the applicant will transfer it under its BCRs.
DWF Solutions: Applying for BCRs is fairly complex, but DWF's data protection team has experience of supporting our clients through the process. Please contact one of our specialists on this topic (James Drury-Smith, Tughan Thuraisingam, JP Buckley or Gerard Karp) if you would like advice on whether BCRs are appropriate for your organisation and/or you would like us to manage the application process. There are other, simpler, alternatives too such as our popular Intra-Group Data Transfer Agreement.
The Information Commissioner has published a letter inviting senior leaders in the public sector to proactively engage with the Information Commissioner's Office (ICO) as part of the ICO's revised approach to working more effectively with public authorities. The key points are as follows:
- The ICO will proactively engage with senior public sector leaders to encourage data protection compliance, preventing breaches before they occur and learning from breaches to help improve data processing operations and breach management procedures.
- The Commissioner does not consider that fines are an effective deterrent within the public sector, because they don't impact shareholders or individual directors in the same way that they do in the private sector, but come from the budget for public services.
- Over the next two years, the ICO will trial an approach that will see a greater use of the Commissioner's discretion to reduce the impact of fines on the public. This will lead to an increased use of public reprimands and the Commissioner's wider powers, including enforcement notices, with fines only issued in the most egregious cases.
- The ICO will continue to investigate breaches in the same way and follow up with organisations to ensure that they make the required improvements.
- The ICO will do more to publicise these cases, including the amount of the fine that would have been levied.
- In return, the Commissioner expects to see greater engagement from the public sector, including senior leaders, with the ICO's data protection agenda. He expects to see investment of time, money and resources in ensuring data protection practices remain fit for the future. If not, he will review this approach.
- This approach to raising data protection standards forms part of ICO25 (please also see the section below for more details).
The future of AI in the UK: the government's proposals for regulating AI set to be the next area of divergence from the EU
The UK Government has released a policy paper that confirms the UK will not follow the EU's proposed approach to regulating AI. Instead, a lighter-touch 'pro-innovation' approach is proposed that is industry-agnostic, but with the overlay of sector-specific guidelines. Find out more in our article here.
DWF Solutions: Please contact Shervin Nahid or any member of our team for further details or to discuss your AI approach.
On 19 July, members of DWF's Data Protection and Cyber Security team attended the ICO's annual Data Protection Practitioners' Conference (DPPC). Shervin Nahid shared on LinkedIn his views on the speech given by the new Information Commissioner John Edwards:
"Interesting perspective from the Information Commissioner, John Edwards this morning at the DPPC2022. It's not all about fines, there are other enforcement tools that can be just as impactful.
When asked whether the number of fines will increase during John's tenure as the Commissioner, Mr Edwards' response was that the ICO are enforcing every day and are using a wide range of regulatory tools to ensure proportionate approaches to enforcement are taken. However, it cannot be said that this will necessarily result in an increase in fines.
Mr Edwards provided an example from the public sector: public authorities may not respond to fines in the same way private sector businesses might, as it is unlikely to affect wages or bonuses, etc. Therefore, in some cases it is more impactful to publicly call out the organisation and/or senior responsible individuals, which is likely to grab the attention of ministers and other key stakeholders, which has a greater deterrent effect.
To consider the matter more holistically, it is essential to not just look at a potential fine from the regulator as your core 'adverse scrutineer'. There are many other angles of scrutiny that your organisation may receive as part of data processing BAU. Taking one example, we are now seeing more and more organisations requiring third parties that they share personal data with to have good data protection compliance as a core part of doing business in a B2B context. Think about due diligence questionnaires (DDQs) and DPA negotiations and how you can prepare for these to make the process as efficient as possible."
You can read more about DPPC 2022 here.
DWF Solutions: We've developed a wide range of due diligence approaches and toolkits for acquisitions, post-merger integration and entering into supply chain data sharing (including DPAs – data processing agreements). Please contact one of our data privacy specialists if you're interested to learn more.
On 14 July the ICO published ICO25, its new strategic plan setting out the ICO's priorities, including:
- Safeguard and empower the public, particularly vulnerable groups:
- Develop a subject access request generator to help people to identify where their personal information is held and how to request it (so presumably reducing the ICO's input into such complaints).
- Help people understand their rights, using technology and FAQs.
- Continue to enforce the Children's Code and influence industry to ensure children benefit from an age-appropriate online experience, including age verification, improved transparency and use of privacy notices children can understand.
- Update the Code as required by legislative reform and promote closer policy alignment with the Online Safety Bill.
- Respond to emerging technologies to guide organisations to ensure that people are protected.
- Investigate concerns over AI-driven discrimination and provide updated guidance.
- Work with industry to set expectations on how biometric technologies are used.
- Influence the phasing-out of third party cookies, move away from cookie pop-ups and work to give web users meaningful control over online tracking (being mostly in line with the proposals in the Data Protection and Digital Information Bill).
- Look at CCTV use, in particular in care homes.
- Work on issues relevant to the cost-of-living crisis, including working with the financial industry on how they use and collect intelligence databases, explore the use of adtech to target advertising of gambling on social media and continue to focus on predatory marketing calls, scams and fraud.
- Enable sector-based resolution of data protection complaints, including joining up existing services and providing technical advice.
- Empower responsible innovation and sustainable economic growth:
- Bring down the burden or cost of compliance;
- Provide assured regulatory advice;
- Produce proportionate and transparent guidance to provide regulatory certainty;
- Encourage public sector standards and efficiency;
- Deliver timely regulatory interventions; and
- Enable international data flows through regulatory certainty.
- Promote openness, transparency and accountability:
- Enable the public's access to information through Freedom of Information requests, appeals and complaints.
- Develop the ICO's culture, capability and capacity.
It's clear we are going to see more regulatory change in the coming months – we'll share insights as we have them!
DWF Solutions: To help you assess your regulatory, cyber and practical data protection risks quickly and provide graphical, insightful reporting on key risks, we created DWF RAPID. Organisations must consider their information, data and cyber security risk positions in order to be confident that they can resiliently deal with disruptive events when, not if, they occur. This tool is designed to help organisations on that journey. Please contact JP Buckley or Shervin Nahid if you'd like a free demo.
Regulatory Enforcement and Litigation
Behind the screens: ICO calls for review into use of private email and messaging apps within government
On 11 July the ICO published a report on its investigation into the use of private correspondence channels, including private email, WhatsApp and similar messaging apps, by ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic. The key points are:
- A lack of clear controls and the rapid increase in the use of these technologies had the potential to lead to important information being lost or insecurely handled. This included some protectively marked information being located in private accounts outside DHSC's official systems.
- The ICO concluded that there were real risks to transparency and accountability within government and called for a review of practices and improvement action.
While business use of messaging apps like WhatsApp has increased in the last two years, you must ensure that all such usage complies with data protection law. Your organisation should put in place information security and 'bring your own device' (BYOD) policies to ensure that your employees understand what they are permitted and not permitted to do.
DWF Solutions: we draft policies to deal with social media service use, as well as assist with data collation for data subject access requests, which can extend into these services. We can also provide training to all staff reminding them of the consequences of "stream of consciousness" messaging conversations, and the risks for them and their organisation. Please contact one of our data privacy specialists for more details.
The ICO has fined an NHS Trust, which runs a gender identity clinic, £78,400 for sending an email to 1,781 patients, whose email addresses were entered in the "To" field instead of the "Bcc" field. The ICO found that special category data could be inferred, connecting the recipients with a provider of gender identity related services, so the data should have been treated with the utmost care and afforded an elevated level of protection.
The case provides a reminder of the risk associated with sending bulk emails, of the importance of putting in place a procedure that ensures recipients' email addresses are not shared with one another, and of training all staff to follow that procedure.
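The procedural control described above can also be enforced technically. The following is an added example (not code from DWF or the ICO) showing, in Python's standard `email` library, a bulk notice built with every recipient hidden in Bcc, a pre-send guard that rejects any message exposing more than one address in To/Cc, and a simulation of the MTA stripping the Bcc header before transmission. The function names, the `MAX_VISIBLE_RECIPIENTS` threshold and the recipient addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholder addresses, not real people).
SAMPLE_RECIPIENTS = [
    "patient-a@example.org",
    "patient-b@example.org",
    "patient-c@example.org",
]

# Assumed policy threshold: more than one visible address in To/Cc means
# recipients can see each other, which is the failure mode in the NHS Trust case.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_notice(sender, recipients, subject, body):
    """Build a bulk notification with every recipient hidden in Bcc.

    The visible To header carries only the sender's own address, so no
    recipient learns who else received the message.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_notice(sender, recipients, subject, body):
    """The weak form, kept only to show what the guard catches: every
    recipient is placed in the To header and is visible to all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addresses any recipient will be able to see (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg):
    """Pre-send guard: refuse a message that exposes more than the allowed
    number of visible addresses. Returns (ok, reason). In a real deployment
    this check would sit in an outbound mail gateway or the sending tool."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, (
            f"{len(visible)} addresses visible in To/Cc; "
            "use Bcc or send individual messages"
        )
    return True, "ok"


def send_bcc_stripped(msg):
    """Simulate what the mail transfer agent does: the SMTP envelope gets
    every recipient (including Bcc), and the Bcc header is removed from the
    message that is actually transmitted so it never reaches recipients."""
    envelope = [addr for _, addr in getaddresses(msg.get_all("Bcc", []))]
    envelope += visible_recipients(msg)
    del msg["Bcc"]
    return envelope, msg


if __name__ == "__main__":
    good = build_bulk_notice("clinic@example.org", SAMPLE_RECIPIENTS,
                             "Appointment reminder", "Please see the attached.")
    print(check_before_send(good))

    bad = build_leaky_notice("clinic@example.org", SAMPLE_RECIPIENTS,
                             "Appointment reminder", "Please see the attached.")
    print(check_before_send(bad))
```

The guard is deliberately placed before sending rather than relying on staff remembering the Bcc field; `smtplib.SMTP.send_message` performs the same Bcc-header stripping as `send_bcc_stripped` when it transmits a message, so the simulation here only stands in for that step to keep the example offline.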
DWF Solutions: we can cover this in memorable and insightful training to your organisation – please contact one of our data privacy specialists for more details.
The background to this case is that two parties were negotiating a Share Purchase Agreement under which one party would buy a company partly owned by an individual seller. During the negotiations, two representatives of the buyer attended an in-person meeting with the seller at the target company's offices. While the seller was away from the meeting room, the buyer's representatives had a private conversation about the negotiations, their strategy, plans for the future of the target company and their impressions of the seller. The seller claimed that he could hear what they were saying through the wall; he then sent the buyer's representatives (the claimants) text messages with a screenshot from the CCTV system of them having the conversation and threatened to disclose the information. The buyer's representatives brought claims for breach of confidence, misuse of private information and breach of the GDPR/UK GDPR, and were granted an interim non-disclosure order.
The High Court approved the order and held that the claimants were likely to succeed at trial. Regarding the GDPR claim, the court noted that the screenshot contained the buyer's representatives' personal data that had been compiled and retained without their consent and without any other legitimate interest of the seller as a basis. Although there was a CCTV warning sign saying "CCTV in operation", this would not assist in showing consent.
This decision provides a reminder that if individuals can be identified from CCTV footage, this is personal data which can only be used in accordance with data protection law, meaning that there must be a lawful basis for all uses made of it.
DWF Solutions: we can provide guidance, policies and training on appropriate CCTV use, sharing and retention. Please contact one of our data privacy specialists for more details.