Tag Archives: ICO

Featured Article : What Happened Recently With The ICO?

Following news of a Freedom of Information (FOI) disclosure revealing a lack of public reprimands issued over GDPR breaches in the public sector, we take a closer look at the FOI, what it can be used for, and how it’s linked to the ICO.

What Is The Freedom of Information Act? 

The Freedom of Information Act (FOIA) and Freedom of Information (Scotland) Act (FOISA) are the UK laws that cover the public’s general right of access to information held by public authorities.

Public authorities include government departments, devolved administrations, other public bodies and committees, local councils, schools, colleges and universities, the NHS, publicly owned companies, publicly funded museums, galleries and theatres, the police and fire services, and the National Archives.

Who Can Make One … And How? 

The FOI Act gives everyone a legal right to see information held by public bodies/authorities. A Freedom of Information (FOI) request can be made in writing by letter, email, social media or online form. Those making an FOI request need to include (not needed for environmental information) a contact postal or email address and a detailed description of the information required, e.g. all information held on a subject, or just a summary. The information can be requested in a particular format, e.g. paper or electronic copies, large print, or audio.

What Is The ICO And What Is Its Connection To FOI?

The Information Commissioner’s Office (ICO) is the UK’s independent, non-departmental public body set up to uphold information rights in the public interest.

The ICO should also promote openness by public bodies and data privacy for individuals. The ICO plays a key role in administering the FOI because it is the regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as UK GDPR and other acts. The ICO also has a Regulatory and Enforcement Activity Policy, and its “default position” under this policy is to publish all formal regulatory outcomes such as reprimands issued under GDPR, which can include reprimands issued to private companies. Formal reprimands, fines and other enforcement notices, for example, can be issued to organisations by the ICO where GDPR has been contravened.

What Happened Recently?

A week ago, it was reported that, following an FOI request by Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, there appear to have been failings in the disclosure by the ICO of reprimands it had issued to public authorities under GDPR. The FOI request by Mr Baines revealed that although the ICO had issued 42 reprimands between 25 May 2018 (when the UK GDPR came into effect) and 15 November 2021, most were not publicly disclosed.

Considering that the ICO’s default position should be disclosure of the outcomes, the failure to do so in most cases over more than 3 years has led to criticism that the ICO has been failing in this area.

Which Bodies Were Formally Reprimanded By The ICO?

The FOI request revealed that reprimand recipients included some very large organisations, and not just those in the public sector. For example, the supermarket chains Asda and Morrisons, healthcare provider BUPA, apps like Houseparty and Zoom, and EasyJet are reported to have received reprimands. Other recipients are reported to include West Midlands Police (twice), the Home Office (twice), Oxford University, NHS health boards, schools, and some local councils. Mishcon de Reya, the firm whose data protection specialist made the FOI request, reports that the Digital Service (part of the Cabinet Office), UKIP, and the CPS were also recipients of reprimands under GDPR. However, the ICO has (according to Mishcon de Reya) withheld the identity of one of the recipients because the information relates to a body dealing with national security and intelligence or serious organised crime.

What Does The ICO Say?

Mishcon de Reya reports that the ICO has confirmed that in the future, when it publishes its online datasets of casework outcomes, these will include reprimands.

A New Information Commissioner

A new Information Commissioner, John Edwards, took over from Elizabeth Denham CBE on 3 January 2022. John Edwards has been New Zealand’s Privacy Commissioner since February 2014, and has practiced law in Wellington, New Zealand for more than 20 years (specialising in information law). The hope is that this area around publishing details of reprimands will be given more attention under his leadership.

What Does This Mean For Your Business?

Data privacy is an important matter to individuals and businesses, and it could be strongly argued that it is in the public interest to see, through reports of reprimands under GDPR, which organisations may not be acting responsibly with their data. This could influence whether consumers choose to use the services of a particular company (a matter of trust). It may also be very disappointing to many businesses that have been paying close attention to complying with GDPR to see that the regulator appears not to have been paying attention to its own policy and appears to have been failing in an important area for 3 years. For those companies whose reprimands weren’t made public, the apparent failure of the ICO in this area has been an unexpected let-off that they are likely to have been glad of in terms of protecting their reputations. This story also illustrates how important and powerful the right to make FOI requests can be, and how this right should be valued.

Tech Insight : What (Actually) Is The ICO?

In this tech-insight, we look at the role of the Information Commissioner’s Office, and how it can be a source of valuable compliance information and help to businesses.

What Is It?

The Information Commissioner’s Office is the UK’s independent, non-departmental public body set up to uphold information rights in the public interest. The ICO also promotes openness by public bodies and data privacy for individuals and is the regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as UK GDPR and other acts. The ICO gives help and advice to individuals and businesses.

Who It Reports To

The ICO reports directly to the Parliament of the United Kingdom, is sponsored by the Department for Digital, Culture, Media and Sport, and has physical offices in Wilmslow (Cheshire), Cardiff, Edinburgh, and Belfast.

Who?

The current (although outgoing) Information Commissioner is Elizabeth Denham CBE, who was appointed UK Information Commissioner in July 2016. Her previous roles included Information and Privacy Commissioner for British Columbia, Canada, and Assistant Privacy Commissioner of Canada. In March 2018, she was named as the most influential person in data-driven business in the updated DataIQ 100 list and, in March 2019, she was appointed chair of the Governance Working Group of the International Conference of Information Commissioners (ICIC), a global forum for information commissioners and ombudspersons with 45 members across all continents.

In August this year, it was announced the preferred new UK Information Commissioner is John Edwards who has been New Zealand’s Privacy Commissioner since February 2014, and who has practiced law in Wellington, New Zealand, for more than 20 years (specialising in information law).

Like What?

The ICO is the body/regulator responsible for data protection law advice and information-giving, enforcement, monitoring/audits/studies, recommendations, decisions, and is somewhere to complain to for matters like:

– Political campaigning practices (data analytics) e.g., transparency, ethics.

– Charity fundraising practices e.g., compliance laws that protect privacy and prevent nuisance phone calls.

– CCTV systems and facial recognition systems, matters of privacy and compliance with data protection laws.

– Credit and the uses of personal information e.g., by credit reference agencies (CRAs).

– Electoral registration.

– Nuisance marketing calls (enforcing the Privacy and Electronic Communications Regulations 2003). Nuisance calls can be reported to the ICO.

– Spam emails and texts (which can be reported to the ICO).

– Cookies.

– Data protection and journalism.

– Data held by the Police.

– Data protection matters for schools, universities, and colleges.

– Public data access rights.

Advice and Help For Businesses

The ICO provides guides to the legislation, resources, and support for businesses about obligations and how to comply under the Acts. Much of it can be found on the ICO website here: https://ico.org.uk/for-organisations/.

Examples of Action Taken

Part of the role of the ICO is to take action to ensure organisations meet their information rights obligations. Examples of action taken by the ICO can be found on their website here: https://ico.org.uk/action-weve-taken/.

Staying Independent Is Important

The outgoing Information Commissioner, Elizabeth Denham CBE, has warned (in a recent statement) that in order for the ICO to be able to hold the government to account, it is important that it preserves its independence in a way that is workable, within the context of the framework set by Parliament.

What Does This Mean For Your Business?

Businesses and organisations must comply with often complicated and changing data protection laws. Although the ICO is responsible for enforcing those laws, its primary role is really to help by giving advice and information, and the website is a useful resource and signposting place for businesses to use and to stay up to date with the latest developments and news. The ICO is also a place for individuals and businesses to complain (perhaps resulting in action with enough complaints) about practices such as spamming (calls, emails, and texts) or not responding to data requests.

Featured Article: New ICO Head and Data Protection Law Reforms

Highlighting an early target of tackling cookie pop-ups, the UK government is to appoint John Edwards as the new ‘light touch’ ICO who will be expected to reform post-Brexit data protection rules for the UK.

Data Protection Reforms

Since Brexit, the UK government has been seeking to reform data protection regulations in the UK in a way that it says will cut down on what Digital Secretary Oliver Dowden has been quoted describing as the “needless bureaucracy” of the current system of data protection and data transfer between countries. The Government message is that the appointment of a new ICO who could “go beyond the regulator’s traditional role” would be a way to reform regulations and make new data adequacy agreements with other countries that would reduce barriers to data transfer, help data (and more trade) to flow more freely, and improve innovation and economic growth. The government has been keen to stress that despite (and perhaps to facilitate) these planned changes, the new regulator will have a “light touch”, but data will still be protected.

Cookie Pop-Ups

It appears that cookie pop-ups have been used by the UK government as an example and as part of the justification for wanting to make changes to data protection laws. Digital Secretary Oliver Dowden has argued in recent media reports that the requirement for the kind of cookie pop-ups present on most large sites, asking for permission to store a user’s personal information, is a visible example of the kind of needless bureaucracy at work that could be avoided with a change to data regulations.

What Is Data Adequacy?

Data adequacy partnerships are agreements that data protections are in place and are similar in two countries, thereby allowing the safe sending of people’s personal data internationally. Having a data adequacy partnership in place was part of the negotiations with the EU for Brexit.

For post-Brexit UK, heralded by the impending appointment of John Edwards as the new ICO, the UK government is now keen to make new, more frictionless data adequacy partnership agreements with the EU and many different countries which the UK wants to trade with.

Criticism

Critics of the UK government’s post-Brexit push to reform data protection regulations with new data adequacy partnerships are worried that this could weaken the UK GDPR and lead to the personal and private data of UK citizens being put at risk of being taken and shared.

Privacy advocates have also been sceptical as to whether it is realistic and possible for the UK government to give UK citizens and consumers more control over how their data is used on the one hand, while also giving businesses (and the government) greater freedoms to use that data through new agreements.

EU and GDPR

It was only in June this year that the UK government managed to achieve a data adequacy agreement with the EU, and any more proposed changes to that agreement now by the UK may be difficult to negotiate.

Who Is John Edwards?

John Edwards, the person named to succeed the current Information Commissioner (data protection regulator) Elizabeth Denham, is currently New Zealand’s Privacy Commissioner and head of its Office of the Privacy Commissioner (OPC), where he has been in the job for more than 7 years. Prior to his work with the OPC, he was a self-employed barrister and solicitor focusing on information and privacy law, and Chair of the Global Privacy Assembly from 2014-17.

In addition to his obvious legal background and experience, he is also known for overseeing New Zealand’s adequacy status with the EU, which is one of the reasons why he is favoured for the UK job.

Hates Facebook?

Mr Edwards is also known for his apparent dislike of Facebook. In April 2019, for example, after Facebook appeared not to accept any responsibility for the Christchurch massacre (mosque shootings), where one shooter described YouTube as “a significant source of information and inspiration”, Mr Edwards was quoted from his Twitter account in the Guardian as saying, “Facebook cannot be trusted” and that the company were “morally bankrupt pathological liars”. He was also quoted as saying of Facebook that they “allow the live streaming of suicides, rapes, and murders, continue to host and publish the mosque attack video, allow advertisers to target ‘Jew haters’ and other hateful market segments, and refuse to accept any responsibility for any content or harm”.

Recently, Mr Edwards has indicated on his Twitter account that he doesn’t hate Facebook.

Why Is This Relevant?

The relevance of a possible Facebook-hater as the ICO is that he would be responsible for imposing fines for breaches of the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), and would have an influence over the UK government’s Online Safety Bill. This Bill is designed to establish a new regulatory framework to tackle harmful content online and would, therefore, potentially affect Facebook as a major content hosting platform.

Is An Overseas Regulator A Problem?

Some critics have highlighted the fact that the current UK ICO, Elizabeth Denham, who has been criticised for not enforcing data protection laws well enough, has been working from home in Canada throughout most of the pandemic, and the UK now looks set to appoint another ICO from overseas where there is a different data protection regime.

What Does This Mean For Your Business?

If the government’s argument is to be accepted, changing data protection laws to help data transfers between different countries and the UK could unlock more trade and benefits for British businesses. If the argument of some data privacy/security advocates is to be accepted, new data laws could mean that our personal data is more at risk and that the government is proposing a balancing act that may not be realistically achievable. For Facebook and other social media companies, the appointment of John Edwards as the new ICO may give them cause for concern given his previous comments about Facebook, his soon-to-be power over the imposition of penalties, and the possible impact of the development of the UK’s Online Safety Bill.