It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms.

Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.

The guidance covers the following specific activities:

  • Testing employees for symptoms of COVID-19
  • Compiling lists of employees with symptoms or positive diagnoses
  • Disclosing positive cases to other employees
  • Using temperature checks or thermal cameras in the workplace


On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO criticised the Metropolitan Police for its handling of DSARs. The ICO also outlined some of the practical steps for responding to DSARs.

The new Guidance further recognises the importance of some of the issues organisations are facing when dealing with DSARs, while the consultation process seeks to refine this further by taking into account organisations’ experiences in dealing with DSARs made since May 2018, when the General Data Protection Regulation (GDPR) came into force.

Below, we take a look at some of the key, new provisions of the updated Guidance.

Artificial intelligence (AI) is a key area of focus for the Information Commissioner’s Office (ICO). The ICO is already working on a related AI project that focuses on building the ICO’s Auditing Framework. One of the goals of the ICO is to increase the public’s trust and confidence in how data is used and made available. In line with this, on 2 December 2019, the ICO published a blog on explaining decisions made by AI. The ‘Explaining decisions made with AI’ guidance (Guidance) has been prepared in collaboration with the UK’s national institute for data science and artificial intelligence, the Alan Turing Institute. The Guidance seeks to help organisations explain how AI decisions are made to those affected by them.

We have outlined some of the key takeaways below.

The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), which we discussed in a previous blog, became applicable from 28 May 2019. Together with the General Data Protection Regulation (EU) 2016/679 (GDPR), the two regulations now provide a “comprehensive framework for a common European data space and free movement of all data within the European Union”. The European Commission has published practical guidance to help users understand the interaction between these two regulations.

In August, the UK’s data protection regulator, the ICO, fined a Hertfordshire GP practice £40,000 under the Data Protection Act 1998 (“DPA”) after a subject access request (“SAR”) went badly wrong. A lack of process, training and supervision resulted in confidential details about a patient being sent to her estranged ex-partner, who then used them

At the end of March, the Information Commissioner’s Office (ICO) issued updated guidance on the law in relation to Direct Marketing. The ICO notes in its accompanying blog post that the law applies “equally to any and all organisations who are engaging in direct marketing activity via electronic means, regardless of their sector.”

The updated guidance gives new focus to:

  • The collection of third-party (indirect) consent, which it indicates will only be validly obtained in limited circumstances
  • How to ensure that consent is freely given, and how this interacts with either incentivising individuals to give consent, or making access to a service conditional on giving consent
