Tag Archives: ICO

ICO enforcement actions in Q1 2022

By Asélle Ibraimova and Angelika Bialowas on Posted in Privacy & Data Protection, Regulatory
In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k – £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to … Continue Reading

DCMS launches public consultation on reforms to the UK’s data protection regime

By Cynthia O’Donoghue and Howard Womersley Smith on Posted in Privacy & Data Protection
On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change. The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its … Continue Reading

The ICO approves the first UK GDPR certification schemes

By Cynthia O’Donoghue and Asélle Ibraimova on Posted in Privacy & Data Protection
Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism  for three UK GDPR certification schemes, in the following areas: IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a … Continue Reading

The UK’s ICO launches public consultation on employment practices

By Philip Thomas and Carl De Cicco on Posted in Privacy & Data Protection
The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health. In particular, the new guidance aims to: Address the changes in data protection … Continue Reading

The UK’s ICO launches public consultation on new Standard Contractual Clauses

By Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection
In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA). The ICO has now launched the public consultation on its IDTA … Continue Reading

The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies

By Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection
The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here. The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit … Continue Reading

ICO announces it is working on bespoke UK set of Standard Contractual Clauses

By Cynthia O’Donoghue and Asélle Ibraimova on Posted in Privacy & Data Protection
What is new? During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new … Continue Reading

The ICO unveils its plans for updating anonymisation guidance

By Cynthia O’Donoghue on Posted in Privacy & Data Protection
The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here. The ICO are aware that data sharing encompasses many other dimensions and thus that the guidance would be updated on … Continue Reading

The ICO offers guidance on personal data transfers to the SEC

By Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection
On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR). Background Firms regulated by the … Continue Reading

ICO releases updated guidance on data subjects’ right of access

By Cynthia O’Donoghue and Katalina Bateman on Posted in Privacy & Data Protection
On 21 October 2020, almost a year after the UK’s Information Commissioner Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance). In a previous post available here, we covered what DSARs are and the principles areas of focus of … Continue Reading

The UK’s Supervisory Authority releases its Accountability Framework

By Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection
The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations. The Accountability Framework consists of ten categories where the … Continue Reading

ICO issues guidance for organisations amid coronavirus recovery

By Cynthia O’Donoghue and Angelika Bialowas on Posted in Privacy & Data Protection
On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance). The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time. The new Guidance … Continue Reading

ICO finalises guidance on explaining decisions made with AI

By Cynthia O’Donoghue and Sarah O'Brien on Posted in Regulatory
Late last year, we reported that the Information Commissioner’s Office (ICO) had published draft guidance for assisting organisations with explaining decisions made about individuals using with AI. Organisations that process personal data using AI systems are required under the GDPR to provide an explanation of the logic involved, as well as the significance and the … Continue Reading

ICO issues guidance on workplace coronavirus testing

By Cynthia O’Donoghue and Nadia Avraham on Posted in Privacy & Data Protection
It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms (available here). Health … Continue Reading

ICO consultation on draft guidance on the right of access

By Cynthia O’Donoghue and Daniel Millard on Posted in Privacy & Data Protection, Regulatory
On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also … Continue Reading

Updated ICO guidance on handling special category data

By Cynthia O’Donoghue and John O'Brien on Posted in Privacy & Data Protection, Regulatory
On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both … Continue Reading

AI Auditing Framework: data protection impact assessment

By Cynthia O’Donoghue and Eleanor Brooks on Posted in Privacy & Data Protection, Regulatory
In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading

ICO blogs on AI and data subject rights

By Cynthia O’Donoghue and Daniel Millard on Posted in Privacy & Data Protection
On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some … Continue Reading

At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

By Cynthia O’Donoghue and Howard Womersley Smith on Posted in Privacy & Data Protection, Regulatory
In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that … Continue Reading

Artificial intelligence: ICO considers security risks and the need for a new legal framework

By Cynthia O’Donoghue and Daniel Millard on Posted in Privacy & Data Protection
On 12 September 2019, the Committee of Ministers of the Council of Europe announced that an Ad hoc Committee on Artificial Intelligence (CAHAI) will be set up to consider the feasibility of a legal framework for the development, design and application of Artificial intelligence (AI). On the same day, the United Kingdom’s data protection supervisory … Continue Reading
LexBlog