In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA).

The ICO has now launched the public consultation on its IDTA and accompanying guidance (available here). The consultation is open for feedback until 5pm on 7 October 2021.

Purpose of the IDTA

The IDTA will replace the current UK SCCs. The ICO has already made it clear that any transfers to third countries will need to take into account the Schrems II decision and apply supplementary measures, where required. The IDTA is a contract which organisations will be able to use when making a ‘restricted transfer’. The ICO is also consulting on how to define a ‘restricted transfer’ in light of the UK GDPR. In particular, the ICO is consulting on whether to keep its current guidance that says a restricted transfer only takes place where the importer’s processing of the personal data is not subject to UK GDPR. Recognising the complexity of international transfers for businesses, the ICO Executive Director of Regulatory Strategy, Steve Wood, has said that the new guidance is designed to be accessible and to support the full range of organisations, from SMEs to multi-national companies.
Continue Reading The UK’s ICO launches public consultation on new Standard Contractual Clauses

The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here.

The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit alongside the ICO’s data sharing code of practice, which provides guidance on how to lawfully share personal data, and offers organisations an alternative way of using or sharing data through anonymisation.

The first chapter introduces and defines anonymisation and pseudonymisation, and places the concepts within the framework of data protection law in the UK.
Continue Reading The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies

What is new?

During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process to the new SCCs that are currently being finalised by the European Commission. These new EU SCCs will not be valid for use for restricted transfers of data outside the UK.

Why is this change taking place?

From 31 December 2020 organisations in the UK have been relying on the existing SCCs (Decisions 2001/497/EC and 2010/87/EU) for transfers of data outside the UK, except where the destination is recognised as adequate (e.g. countries in the EU, the EEA, and those that have obtained an EU Commission adequacy decision). However, the existing SCCs will be repealed when the new EU SCCs come into play. Therefore, the ICO is taking measures to put in place new international transfer mechanisms for restricted transfers outside the UK.
Continue Reading ICO announces it is working on bespoke UK set of Standard Contractual Clauses

The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here.

The ICO is aware that data sharing encompasses many other dimensions and that the guidance will therefore be updated on an ongoing basis. As part of this, the ICO outlined its plans to update its guidance on anonymisation and pseudonymisation and to explore privacy enhancing technologies. The refreshed guidance will assist with some of the challenges organisations may face, such as determining whether data is personal data or anonymous information and identifying the appropriate controls that should be adopted.
Continue Reading The ICO unveils its plans for updating anonymisation guidance

On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR).

Background

Firms regulated by the SEC must fulfil requests for documentation made by the SEC and make their books, records or documents available for inspection, to ensure compliance with U.S. federal securities laws, rules and regulations. This calls for the production of information, documentation, and other records, which may include personal data and special category personal data.
Continue Reading The ICO offers guidance on personal data transfers to the SEC

On 21 October 2020, almost a year after the UK’s Information Commissioner’s Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance).

In a previous post available here, we covered what DSARs are and the principal areas of focus of the draft guidance.

So, what has changed? Overall, the Guidance provides more in-depth advice and further examples to help organisations understand how they can meet Article 15 of the General Data Protection Regulation (GDPR) requirements in handling DSARs.

There are, however, three particular areas of note, where the ICO provided further explanation.
Continue Reading ICO releases updated guidance on data subjects’ right of access

The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies in demonstrating compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and in assessing whether their current measures meet the ICO’s expectations.

The Accountability Framework consists of ten categories where the ICO expects companies to be able to demonstrate compliance:

  1. Leadership and oversight;
  2. Training and awareness;
  3. Transparency;
  4. Contracts and data sharing;
  5. Records management and security;
  6. Policies and procedures;
  7. Individuals’ rights;
  8. Records of processing and lawful basis;
  9. Risks and data protection impact assessments; and
  10. Breach response and monitoring.

Continue Reading The UK’s Supervisory Authority releases its Accountability Framework

On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance).

The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time.

The new Guidance comes as the lockdown measures start to ease and businesses begin to reopen. It sets out six key data protection steps that organisations need to consider around the use of personal data.
Continue Reading ICO issues guidance for organisations amid coronavirus recovery

Late last year, we reported that the Information Commissioner’s Office (ICO) had published draft guidance to assist organisations with explaining decisions made about individuals using AI. Organisations that process personal data using AI systems are required under the GDPR to provide an explanation of the logic involved, as well as the significance and the envisaged consequences of such processing, in the form of a transparency notice to the data subjects.

On 20 May 2020, following its open consultation, the ICO finalised the guidance (available here). This is the first guidance issued by the ICO that focuses on the governance, accountability and management of several different risks arising from the use of AI systems when making decisions about individuals.

As with the draft guidance, the final guidance is split into three parts. We have outlined the key takeaways for each part below.
Continue Reading ICO finalises guidance on explaining decisions made with AI

It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms.

Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.

The guidance covers the following specific activities:

  • Testing employees for symptoms of COVID-19
  • Compiling lists of employees with symptoms or positive diagnoses
  • Disclosing positive cases to other employees
  • Using temperature checks or thermal cameras in the workplace

Continue Reading ICO issues guidance on workplace coronavirus testing