Information Commissioner's Office

The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as giving access to personal data to third parties. It does not, however, apply to data sharing with a processor, nor the disclosure of data within an organisation.

The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the GDPR and the DPA 2018. It also addresses misconceptions regarding data sharing, such as clarifying that data protection laws do not prevent data sharing (as long as the sharing is lawful, fair and proportionate) and that most data sharing does not rely on consent as the lawful basis.
Continue Reading The ICO publishes a new data sharing code of practice

After a long period of negotiation, the United Kingdom (UK) and the European Union (EU) have reached a deal on the sharing of personal data, only a few days before the end of the Brexit transition period.

The agreed trade deal allows for the continued free flow of personal data from the EU to the UK for a maximum of six months after the transition period expires. During that time, the UK hopes that the European Commission will issue an adequacy decision in relation to the UK, thus allowing the free flow of personal data to continue beyond the six months. In relation to transfers of personal data outside the UK, the UK has already deemed adequate the 30 EU/European Economic Area countries and the 12 countries that have received EU adequacy decisions, as mentioned in our previous blog post (available here).Continue Reading EU-UK data flows following the Brexit transition period

Earlier this year, the Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online services (Code). The consultation closed on 31 May 2019 but the ICO has recently released an update on its progress in producing the Code.

The finalised Code will be informed

The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”.

Supporting the public, DPOs, SMEs and other organisations

The first year of the GDPR has made individuals aware of the control they have in relation to their personal data and of the powers regulators have in connection with protecting such rights. On the flip side, organisations have been under pressure to ensure their handling of personal data is compliant under the new regime. The ICO has seen an increase in engagement from businesses, data protection officers (DPOs) and individuals. The number of contacts made via the ICO helpline, live chat and written advice services has increased by 66 per cent in the past year.

Still, the ICO has pointed out that there is “a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation”. Almost half of respondents to the ICO survey confirmed they had experienced certain unexpected consequences resulting from the GDPR.

The ICO has, therefore, continued to produce comprehensive guidance, blogs, toolkits, checklists, podcasts and FAQs to support businesses, especially small organisations and sole traders where GDPR compliance may have been particularly challenging. Guidance released by the ICO has included: the Guide to the GDPR, the Guide to Law Enforcement Processing, and its interactive tools for understanding lawful bases for processing and for continued data flow in the event of a no-deal Brexit.Continue Reading One year of GDPR – lessons learned by the ICO

The UK’s Information Commissioner’s Office (ICO) has published new guidance on certification and codes of conduct for data processing as well as expected timetables for finalising its revised guidelines on these topics.


Certification is a voluntary mechanism for organisations to validate their compliance with the General Data Protection Regulation 2016/679 (GDPR). Once the submissions

Researchers at the Information Commissioner’s Office (ICO) have started a series of blogs discussing the ICO’s work in developing a framework for auditing artificial intelligence (AI). In the first blog of the series, the discussion revolves around the degree and quality of human review in AI systems, specifically, in what circumstances human involvement can be

The UK Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online products and services provided by information society services (ISS). The consultation closes on 31 May 2019. The draft code sets out principles for any online service accessed by children under the age of 18.

Best interests of the child at the core

This code of practice is based on the key principle in the United Nations Convention on the Rights of the Child that the best interests of the child should be a primary consideration in all actions concerning children. In the context of today’s myriad of online services, it has become increasingly difficult for both parents and children to make informed choices or exercise control over the way services use children’s personal data. The code aims to respect the rights and duties of the parents but also the children’s evolving capacity to make their own choices.

16 headline ‘standards of age-appropriate design’

The code requires ISS providers to abide by 16 cumulative standards when processing personal data of children through their services:
Continue Reading Protection of children’s online space: ICO issues code of practice on age-appropriate design

“2018 was the year that people have woken up to the importance of privacy and have begun to bite back at big tech”.

This was the view expressed by James Dipple-Johnstone, Deputy Commissioner (Operations) at the UK Information Commissioner’s Officer (ICO), during his recent speech at the Institute of Directors in London.

The speech focused on the ICO’s regulation of tech giants in the digital age. It highlighted the many benefits of big tech and big data, indicating that their influence and importance is only likely to grow. However, his speech also stressed that there are deep public concerns about the business models of some tech giants and their increasingly opaque uses of personal data.Continue Reading Regulating the tech giants

In April, we reported that the European Commission had opened a public consultation seeking the views of various stakeholders on the current wording of, and possible changes to, the Privacy and Electronic Communications Directive (2002/58/EC as amended) (“ePrivacy Directive”). The retrospective evaluation was necessary to ensure the ePrivacy Directive is fit for the digital age,