The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
Continue Reading What does the ICO tell us about using data for research purposes?

The ICO Data Sharing Code of Practice, which was published earlier this year and which we previously wrote about here, aimed to provide organisations with practical guidance for data sharing in compliance with data protection law.

The ICO is aware that data sharing encompasses many other dimensions and that the guidance would therefore be updated on an ongoing basis. As part of this, the ICO outlined its plans to update its guidance on anonymisation and pseudonymisation and on exploring privacy-enhancing technologies. The refreshed guidance will assist with some of the challenges that organisations may face, such as determining whether data is personal data or anonymous information and providing appropriate controls that should be adopted.
Continue Reading The ICO unveils its plans for updating anonymisation guidance

The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as giving access to personal data to third parties. It does not, however, apply to data sharing with a processor, nor the disclosure of data within an organisation.

The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the GDPR and the DPA 2018. It also addresses misconceptions regarding data sharing, such as clarifying that data protection laws do not prevent data sharing (as long as the sharing is lawful, fair and proportionate) and that most data sharing does not rely on consent as the lawful basis.
Continue Reading The ICO publishes a new data sharing code of practice

On October 18, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) entered into the long-simmering debate over consumer-authorized data sharing. This debate pits mainstream financial institutions, which are typically reluctant to share customer data with third parties, against data aggregators and other fintechs. Those newer companies provide services directly to consumers—or to enhance the consumer experience—and rely on data from mainstream institutions in order to do so. Both sides are grappling with complex issues surrounding consumer information, including who owns consumers’ financial data, as well as how it can be used, shared, and kept secure.

The CFPB released a set of nine consumer protection principles to address those issues and “help safeguard consumer interests as the consumer-authorized aggregation services market develops.” While pointedly refusing to ease any existing regulatory burden currently on the banks to ensure safety and privacy, the Bureau has now articulated a yet-to-be-fully-defined set of requirements for traditional financial institutions to cooperate with demands for openness. Each consumer right embedded in these requirements implies a financial institution obligation, in some cases with considerable associated cost and operational disruption.

The release follows a November 2016 Request for Information where the CFPB asked stakeholders to weigh in on the challenges consumers face in accessing, using, and securely sharing their financial records. The CFPB also released a 12-page report that summarized stakeholder insight and informed development of the following principles:
Continue Reading The CFPB Releases Data Sharing Principles, Setting Off A New Round of Controversy

The U.S. Judicial Redress Act has been signed into law by President Obama. The move marks an important step in data transfer relations between the EU and the United States, gives the green light to the EU-U.S. law enforcement data Umbrella Agreement and helps to underpin the Privacy Shield.

As 2015 draws to a close, the UK’s Data Protection Regulator, the Information Commissioner’s Office (‘ICO’), is making sure it ends the year with a bang. The past few months have seen a significant increase in enforcement action, a theme which seems to be common for the regulator at this time of year because of the rise in shopping and promotional activities.

A key area of focus for the ICO has been to crack down on nuisance calls and inappropriate data-sharing practices through ‘Operation HIDA’.
Continue Reading The UK’s data protection regulator cracks the enforcement whip