The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
On 7 August 2017, the UK Department for Culture, Media and Sport published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation and the Data Protection Law Enforcement Directive – in an effort to make the UK’s transition out of the EU as smooth as possible from a data protection perspective and to ensure that both commercial and law enforcement data flows ‘remain uninterrupted after the UK’s exit from the EU’.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cyber security breaches and how they affected UK companies in the last year. The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cyber security strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.
The UK ICO has published what it describes as a feedback request on profiling and automated decision-making, with the intention that responses will “help inform the UK’s contribution to the WP29 guidelines due to be published later this year.” The deadline for responses is 28 April.
The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.
The 2016 holiday gift guides have heavily featured consumer drones; as such, it is not unfeasible that you or someone you know will receive a drone in the coming weeks. In anticipation of that happy event, on 21 December the UK Department for Transport gave its own gift: a consultation paper on ensuring the safe use of drones, to help the UK to tap into this growing market.
In yet another key case dealing with the balance between citizens’ privacy and the ability of the state to intrude into it, the Court of Justice of the European Union has ruled on the compatibility with European Union law of legislation that authorises the retention of communications data, which includes personal data. The reference from the UK Court of Appeal resulted from a challenge to the Data Retention and Investigatory Powers Act 2014 brought by individuals that include Tom Watson, deputy leader of the Labour Party and represented by Liberty. Interveners include the Law Society of England and Wales, the Open Rights Group, and Privacy International. The CJEU considered the compatibility of such legislation with the e-Privacy Directive, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union—which protect private and family life and personal data respectively—and its previous decision in C-293/12 Digital Rights Ireland—which invalidated the Data Retention Directive.
The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
The thing about referendums is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal – quietly enjoying the benefits of the European Union whilst moaning about the threat that […]
If you’ve ever opened your washing machine to find white socks turned a pale shade of pink, you can relate to the sentiment of Buzzfeed UK’s piece “14 Laundry Fails We’ve All Experienced.” Humorous and empathetic, the piece mimicked Buzzfeed’s editorial tone and style, but also subtly promoted the message of a commercial advertiser—in this case, Dylon, a color dye manufacturer. And in what may be a sign of things to come in the US, the piece drew the attention of the U.K.’s advertising regulator, the Advertising Standards Authority, which cited Buzzfeed for failing to make the piece “obviously identifiable” as commercial content, a violation of the U.K.’s Committee on Advertising Practices Code.
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.
On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.
A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.
The UK Information Commissioner’s Office recently published new guidance on the application of data protection laws to social networking and online forums that clarifies that organizations operating social networking sites or online forums may have responsibilities as data controllers under the UK Data Protection Act, including the responsibility to take reasonable steps to check the accuracy of any personal data posted on its site by third parties.
Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK Information Commissioner’s Office as published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation.
In February 2013 the European Union published the EU Cyber Security Strategy and accompanying proposed Directive. Now, in anticipation of the implementation of the Directive, the UK’s Department for Business, Innovation and Skills (BIS) has published a call for evidence to look at the impact of the Directive upon businesses in the UK.
On June 28, the UK Parliament Justice Select Committee, chaired by Sir Alan Beith MP, issued a request for written evidence for its new inquiry into the European Union Data Protection framework proposals, including the much-debated proposal for a new EU Data Protection Regulation. This post discusses the questions posed by the request.
IAPP Europe is currently holding its Data Protection Intensive 2012 in London. This entry from London partner Quentin Archer contains an instant report from today’s opening session, and summarizes the comments of UK’s Information Commissioner and Yahoo’s Vice-President for EMEA Advertising Marketplaces. The comments of the Information Commissioner are especially insightful regarding enforcement, cookies, and the pending European Regulation.