HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: ICO

Posted in International/EU Privacy

UK ICO Publishes Guidance on Consent Under GDPR

The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.

Posted in International/EU Privacy

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.

Posted in International/EU Privacy

Recap on the ICO Stance on Data Security

The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.

Posted in Consumer Privacy, International/EU Privacy

Sweep Reveals Scale of Cookie Consent Non-Compliance

The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published. The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies. The specific websites that were investigated are not identified (as yet); however, those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

Posted in International/EU Privacy

UK Agencies Agree on the Handling of Information Requests in National Security Cases

The UK Information Commissioner and the Secretary of State for Justice have entered into Memoranda of Understanding on the handling of information requests in relation to national security cases under the UK’s Data Protection Act, Freedom of Information Act and Environmental Information Regulations. The new Memoranda set out guidelines as to how the Information Commissioner’s office and government departments will cooperate with one another in cases where a government department refrains from disclosing information to an individual, or the ICO, on the basis of national security.

Posted in International/EU Privacy

UK ICO Suggests Preparations for Draft EU Data Protection Regulation

The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Issues Guidance on Cookie Consent

On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”

Posted in Consumer Privacy, International/EU Privacy

ICO Provides Further Guidance on Encryption

The UK Information Commissioner’s Office (the “ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.

Posted in Cybersecurity & Data Breaches, Employment Privacy, International/EU Privacy

UK Council Successfully Appeals ICO Fine Arising from Processor Breach

The UK First Tier Tribunal issued a decision on August 21 finding that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.

Posted in Consumer Privacy, International/EU Privacy

UK ICO Publishes Guidance on Social Networking and Online Forums

The UK Information Commissioner’s Office recently published new guidance on the application of data protection laws to social networking and online forums that clarifies that organizations operating social networking sites or online forums may have responsibilities as data controllers under the UK Data Protection Act, including the responsibility to take reasonable steps to check the accuracy of any personal data posted on their sites by third parties.

Posted in International/EU Privacy

UK ICO Publicizes Concerns on Draft Data Protection Regulation

Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK Information Commissioner’s Office has published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation.

Posted in International/EU Privacy

Amended UK Cookie Regulation Grace Period Expires; Implied Consent Can Be Valid

For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. Last week, the ICO made it clear that reliance on implied consent would be an acceptable form of consent.

Posted in News & Events

Blogging from the IAPP London Data Protection Intensive

IAPP Europe is currently holding its Data Protection Intensive 2012 in London. This entry from London partner Quentin Archer contains an instant report from today’s opening session, and summarizes the comments of UK’s Information Commissioner and Yahoo’s Vice-President for EMEA Advertising Marketplaces. The comments of the Information Commissioner are especially insightful regarding enforcement, cookies, and the pending European Regulation.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA).

Posted in International/EU Privacy

New Notification Fee for Data Controllers in the UK

The United Kingdom Information Commissioner’s Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations. This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000. Notification is the process by which data […]