The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here. The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit … Continue Reading
What is new? During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new … Continue Reading
The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here. The ICO are aware that data sharing encompasses many other dimensions and thus that the guidance would be updated on … Continue Reading
On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR). Background Firms regulated by the … Continue Reading
On 21 October 2020, almost a year after the UK’s Information Commissioner Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance). In a previous post available here, we covered what DSARs are and the principles areas of focus of … Continue Reading
The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations. The Accountability Framework consists of ten categories where the … Continue Reading
On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance). The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time. The new Guidance … Continue Reading
Late last year, we reported that the Information Commissioner’s Office (ICO) had published draft guidance for assisting organisations with explaining decisions made about individuals using with AI. Organisations that process personal data using AI systems are required under the GDPR to provide an explanation of the logic involved, as well as the significance and the … Continue Reading
It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms (available here). Health … Continue Reading
The UK Information Commissioner’s Office has published a draft Code of Practice on Direct Marketing, which is now out for consultation. Here we discuss the context for this and key takeaway points from its 120+ pages. Read more about this topic in our recent client alert. … Continue Reading
On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also … Continue Reading
Artificial intelligence (AI) is a key area of focus for the Information Commissioner’s Office (ICO). The ICO is already working on a related AI project that focuses on building the ICO’s Auditing Framework. One of the goals of the ICO is to increase the public’s trust and confidence in how data is used and made … Continue Reading
On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both … Continue Reading
In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading
On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some … Continue Reading
In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that … Continue Reading
On 12 September 2019, the Committee of Ministers of the Council of Europe announced that an Ad hoc Committee on Artificial Intelligence (CAHAI) will be set up to consider the feasibility of a legal framework for the development, design and application of Artificial intelligence (AI). On the same day, the United Kingdom’s data protection supervisory … Continue Reading
Earlier this year, the Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online services (Code). The consultation closed on 31 May 2019 but the ICO has recently released an update on its progress in producing the Code. The finalised Code will be informed … Continue Reading
The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK. Post-Brexit privacy and data protection issues that you need to consider include: how to maintain uninterrupted … Continue Reading
The Information Commissioner’s Office (ICO) has published its 2018/19 Annual Report, covering the 12 months to 31 March 2019. This is the ICO’s first annual report to parliament since the GDPR came into force in May 2018. It sets out exactly what the ICO has been up to in what has been an interesting year. … Continue Reading
Avid readers of this blog (and we trust there are many of you!) will recall that the UK government recently published a white paper. The white paper sets out the UK government’s approach to regulating the internet to tackle online harms. The Information Commissioner’s Office (ICO) has just published the Information Commissioner’s (Commissioner) full response to … Continue Reading
On July 3, 2019 the Information Commissioner’s Office (ICO) published an updated guidance on the use of cookies. Although the guidance confirms requirements of which most data practitioners already comply, it outlines steps for non-compliant companies. Now that the ICO has confirmed its regulatory expectations and detailed immediate enforcement, companies need to take action to … Continue Reading
The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable. What happened? EE sent customers a text message encouraging them to … Continue Reading
The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR). In … Continue Reading
