Update on GDPR and data protection post-Brexit, latest from the ICO, cyber security and more.
Update on the General Data Protection Regulation (GDPR), the UK’s Data Protection Bill and post-Brexit arrangements
The Queen’s Speech included plans for a Data Protection Bill to “ensure that the United Kingdom retains its world-class regime protecting personal data.” On 7 August 2017, the government published a press release and statement of intent on the proposed Bill which, it is confirmed, will implement GDPR in the UK. See our briefing for more details.
On 24 August 2017, the government published its future partnership paper on the exchange and protection of personal data, one of a number of partnership papers published in the run-up to the next round of Brexit negotiations. The paper “outlines how the UK is considering an ambitious model for the protection and exchange of personal data with the EU that reflects the unprecedented alignment between British and European law and recognises the high data protection standards that will be in place at the point of exit.”
The government says that a UK-EU model should recognise that the UK is compliant with EU data protection law and wider global data protection standards. In light of the UK’s unprecedented position, it wants to explore a UK-EU model which could build on the existing adequacy model (where the European Commission assesses whether a third country’s data protection standards are ‘essentially equivalent’ to those applied in the EU) in two ways. Firstly, by enabling an ongoing role for the Information Commissioner’s Office (ICO) in “EU regulatory fora.” Secondly, by the UK and EU agreeing to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU and other EU adequate countries, and the UK, from the point of exit (until longer-term arrangements come into force). This is to avoid regulatory uncertainty for businesses and public authorities in the UK, EEA, and EU adequate countries.
The Information Commissioner herself has spoken previously of the importance of obtaining an adequacy decision post-Brexit and the importance of the UK’s status and influence on the European Data Protection Board, which will make decisions about data processing that impact on UK citizens. Where we go from here will depend on the outcome of the negotiations.
One potential sticking point in relation to adequacy is the UK’s Investigatory Powers Act 2016 (IPA), which gives the government, among other things, wide-ranging powers to monitor and intercept citizens’ communications and internet usage. The Court of Justice of the European Union ruled in December 2016 that the IPA’s predecessor, the Data Retention and Investigatory Powers Act 2014, was incompatible with the EU e-Privacy Directive when read in light of the EU Charter of Fundamental Rights.
Whatever the outcome, GDPR will apply in the UK from 25 May 2018 and businesses should continue to prepare for it.
ICO launches ‘myth-busting’ blogs on aspects of GDPR
The UK’s Information Commissioner has launched a series of ‘myth-busting’ blogs to “separate the fact from the fiction” on GDPR.
The first post addresses the myth that the biggest threat to organisations from the GDPR is massive fines. The Information Commissioner stresses that, while it is true that the ICO will have the power under GDPR to impose much bigger fines than it can now, it is scaremongering to suggest that the regulator will be making early examples of organisations for minor infringements or that maximum fines will become the norm. She notes that, if misinformation goes unchecked, “we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.”
The second post deals with consent and the myth that you must have consent if you want to process personal data. The Information Commissioner says that consent is not the ‘silver bullet’ for GDPR compliance. GDPR sets a high standard for consent, but the rules only apply where the organisation seeking to process personal data is relying on consent as its basis for doing so. The Information Commissioner highlights that there are five other conditions for processing data under GDPR that may be more appropriate.
This post also seeks to address the myth that organisations cannot start planning for new consent rules until the ICO publishes its formal guidance on this topic (as we reported in the previous edition, the final version is now unlikely to be published before December 2017 since the ICO is waiting until Europe-wide consent guidelines have been agreed). The Information Commissioner says that the ICO’s draft consent guidance is a good place to start, as the final form version is unlikely to include significant changes. She stresses that the guidance will focus on consent only, and will not cover any of the other lawful bases for processing.
The third post considers the myth that GDPR is an unnecessary burden on organisations. The ICO’s Deputy Commissioner (Policy) describes the new regime as “an evolution in data protection, not a total revolution” and repeats the message we have heard before that “if you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.” As to the perceived burdens on SMEs and smaller organisations, the post highlights that it is not the size of the organisation that is relevant so much as the risk that particular businesses and types of data processing pose, for example handling particularly sensitive data, or processing personal data in potentially intrusive ways.
Latest on cyber security
The government is consulting on its plans to implement the Security of Network and Information Systems Directive (or NIS Directive) in the UK. The consultation closes on 30 September 2017. The government says there is a need to improve the security of network and information systems across the UK, with a particular focus on essential services such as energy, health, transport, water and digital infrastructure. It notes that the magnitude, frequency and impact of network and information system security incidents are increasing – a recent example being the WannaCry ransomware attack which affected the NHS.
Businesses identified as “operators of essential services” will be required to take appropriate and proportionate security measures to manage the risks to their systems and to notify serious incidents to the relevant authority. Key digital service providers will also have to comply with security and incident notification requirements. The government sets out its proposed approach to the identification of “operators of essential services” in chapter 4 and Annex 1 of the consultation paper. It intends that the legislation will continue to apply in the UK post-Brexit. The NIS Directive must be transposed into UK law by 9 May 2018.
The government recently published the FTSE 350 Cyber Governance Health Check Report 2017, which found that, of those companies participating, 10% of Boards did not have a plan in place to respond to a cyber incident and 6% of Boards described their business as completely prepared to meet GDPR requirements. A second report, Cyber security among charities, has also been released.
The first annual review of the Privacy Shield has been scheduled to take place in the US during the week of 18 September 2017.
The EU Commission is due to publish a report following the review and the Article 29 Working Party has indicated that it may publish a separate report.
Whilst the beleaguered Privacy Shield has been the subject of heavy criticism, with calls from some quarters for data transfers under the Privacy Shield to be suspended, the EU is unlikely to be quick to pull the plug, given that some estimates put the value of transatlantic trade at $1 trillion.
Businesses should watch this space, and we will be monitoring and publishing updates on developments as they happen.
Ban on pensions cold calling
The government has announced that the new measures to tackle pension fraud will extend the ban on cold calling to emails, text messages and all forms of electronic communications.
Recent ICO enforcement action
The ICO has fined TalkTalk £100,000 after finding that the level of staff access to customers’ personal data was “unjustifiably wide-ranging and put the data at risk.” An investigation by TalkTalk found that three accounts of a multinational IT services company in India (which resolved complaints and handled network coverage problems on TalkTalk’s behalf, and had access to customer information through a TalkTalk portal) had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. TalkTalk’s lack of adequate security measures left the data open to exploitation by rogue employees. The ICO said that TalkTalk “should have known better.” The company received a record £400,000 fine in October 2016 after security failings allowed a cyber attacker to access customer data “with ease.”
August 2017 saw the ICO issue two separate warnings to businesses about making nuisance calls. At the start of the month, two companies were fined a total of £150,000 after they broke the law by calling people who were registered with the Telephone Preference Service (TPS). Both companies were also issued with enforcement notices compelling them to stop making nuisance calls or face court action. Neither had subscribed to the TPS register to check whether those they were contacting had opted out of receiving direct marketing, and they both contacted people again after being told not to.
More recently, a domestic energy saving firm was fined £50,000 after it continued to make unsolicited marketing calls during a period when its usual system for screening numbers against the TPS register was unavailable due to technical issues.
The government recently published direct marketing guidance for claims management companies.
In other enforcement news, Islington Council was fined £70,000 after it failed to take the appropriate technical measures to keep personal information secure on its parking ticket system website. Design faults meant that the personal data of up to 89,000 people was at risk of being accessed by others. The ICO found that the system should have been tested both before it went live and regularly afterwards.
A former NHS employee was ordered to pay £1,715 in fines and costs after she accessed the sensitive health records of friends and people she knew and disclosed some of the personal information.
Interesting decisions on freedom of information and data subject access requests
The Information Commissioner has held that the Cabinet Office could rely on section 14(1) of the Freedom of Information Act 2000 (FOIA) as a basis for refusing to comply with a request which was made for all information held on its ‘Slack’ channel – an online, cloud-based collaboration tool allowing users to communicate with each other in a variety of ways. Section 14(1) of FOIA allows a public authority to refuse to comply with a request if it is considered to be vexatious. The Cabinet Office sought to refuse the request on that basis because of the burden involved in complying with it. In the Commissioner’s view, section 14(1) is designed to protect public authorities by allowing them to refuse any requests which have the potential to cause a disproportionate or unjustified level of disruption, irritation or distress. This will usually involve weighing the evidence about the impact on the authority and balancing this against the purpose and value of the request. There is a high threshold to be met for refusal. In this case, the request was vexatious “because the amount of time required to review and prepare the information for disclosure would place a grossly oppressive burden on the public authority.” The ICO has issued guidance on dealing with vexatious requests.
The Commissioner noted that this was the first FOIA complaint she had been asked to consider in relation to a request for information held on Slack, and she recognised that public authorities’ use of such cloud-based communication tools “raise a number of complicated and novel issues in respect of compliance with the requirements of FOIA, including wider issues related to records management.” The Commissioner will consider any wider implications for government and the public sector more generally and whether further guidance is required.
In a potentially far-reaching decision in the context of data subject access requests, the ICO held that a judge’s handwritten notes created during employment tribunal litigation and placed on the court file were disclosable as they were “data forming part of a relevant filing system” under the Data Protection Act. The key point was that the notes had been placed on the court file, at which point the Ministry of Justice became the data controller. It is unlikely that informal notes retained by a judge will be treated in the same way.