Information Commissioner Update
A – Guidance for Employers
The ICO has recently opened consultations on two important draft guidance documents, and has updated its DSAR FAQs, all of which should be reviewed by employers.
Updated guidance on Monitoring Employees at Work
The ICO last month opened a consultation on new draft guidance for employers on monitoring at work. Once finalised, this guidance will replace the relevant parts of the Employment Practices Code, which had not been updated since the introduction of the UK GDPR.
Employers should review the guidance closely to ensure that any monitoring at work is lawful and transparent and does not undermine the privacy of employees. The guidance acknowledges that the move to hybrid working in recent years has increased the use of monitoring technologies, and it gives practical advice on the issues to consider in order to mitigate the impact and risks of monitoring devices or employees.
Updated guidance on employees’ health information
The ICO is also consulting on new guidance for employers on the processing of information about workers' health. Also prompted by the pandemic, the draft guidance clarifies the ICO's position on the relevant lawful bases, data minimisation and transparency when processing employee health information.
Updated DSAR FAQs
The ICO has also updated its FAQ guidance on responding to Data Subject Access Requests (DSARs). In addition to its existing extensive guidance, it now advises on how to respond to a DSAR that covers CCTV footage, and gives useful information on when an exemption may apply to a DSAR and when a request may be refused entirely on the basis that it is "excessive".
For further information see the ICO’s DSAR FAQs page.
B – ICO Enforcement Update
Of particular note among the ICO's recently published enforcement action are the following.
1. Prosecution (unlawful access case)
The ICO has prosecuted a former health advisor at South Warwickshire NHS Trust who, between June and December 2019, unlawfully accessed the records of 14 patients of the Trust who were known to him personally, without a valid business reason. Christopher O'Brien pleaded guilty at Coventry Magistrates' Court on 3 August 2022 to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each of 12 patients, totalling £3,000. Following the case the ICO reminded organisations of the need to ensure that their staff are adequately informed and trained in handling people's sensitive data responsibly, observing that "just because your job may give you access to other people's personal information, that doesn't mean you have the legal right to look at it".
2. Monetary Penalties (data breach case)
In June 2022 the ICO issued a monetary penalty of £78,400 against the Tavistock and Portman NHS Foundation Trust, arising from an email sent to patients associated with the Trust's Gender Identity Clinic ("GIC") in which the recipients' addresses were placed in the visible address fields rather than in the "BCC" (blind carbon copy) field in Outlook. Every recipient could therefore see the email addresses of all the other recipients, from which it could reasonably be inferred that each recipient was receiving services from the GIC. Given the nature of the service, the ICO considered that in these circumstances the email address itself amounted to "special category" personal data, as it revealed something about the individual's gender identity status. The ICO also noted that the fine could have been significantly higher, up to ten times the amount imposed, but that it had taken into account the public role of the organisation (see ICO News below).
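The Tavistock incident is the classic "forgot to BCC" failure, and it is cheap to prevent in software rather than relying on the sender. As an added illustration (this is not the Trust's, the ICO's or this update's own code), the Python below builds a mailout in the unsafe form the incident describes, a pre-send guard that rejects it because more than one address is visible in To/Cc, and the two safe alternatives: one message per recipient, or a single message with recipients held only in Bcc. The sender alias gic@example.org and the recipient addresses are constructed placeholders.

```python
"""Guard against the 'forgot to BCC' failure mode.

Added example for this update; not code from the ICO or the NHS Trust.
All addresses below are constructed placeholders.
"""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposure(Exception):
    """Raised when a message would reveal recipients' addresses to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses in To and Cc: the headers every recipient can read.
    Bcc is deliberately excluded; a compliant MTA strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_no_exposure(msg: EmailMessage, max_visible: int = 1) -> None:
    """Reject a message listing more than max_visible addresses in To/Cc.
    For a clinic-style mailout only the sender's own alias should be visible."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise RecipientExposure(
            f"{len(seen)} addresses visible in To/Cc; use Bcc or one message per recipient"
        )


def unsafe_to_list_message(sender: str, recipients: list[str],
                           subject: str, body: str) -> EmailMessage:
    """The 'before' form: every recipient placed in To. Kept here only so the
    guard can be demonstrated; never send a message built this way."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(recipients)
    m["Subject"] = subject
    m.set_content(body)
    return m


def build_individual_messages(sender: str, recipients: list[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """Safest option: one message per recipient, so no recipient list ever
    exists in any header. Each copy is checked before it is returned."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        check_no_exposure(m)
        out.append(m)
    return out


def build_bcc_message(sender: str, recipients: list[str],
                      subject: str, body: str) -> EmailMessage:
    """Second-best option: a single message with recipients only in Bcc and
    the sender's own alias as the sole visible To address."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = sender
    m["Subject"] = subject
    m["Bcc"] = ", ".join(recipients)
    m.set_content(body)
    check_no_exposure(m)
    return m


if __name__ == "__main__":
    rcpts = ["patient.a@example.org", "patient.b@example.org"]
    bad = unsafe_to_list_message("gic@example.org", rcpts, "Clinic update", "...")
    try:
        check_no_exposure(bad)
    except RecipientExposure as exc:
        print("blocked:", exc)
    for m in build_individual_messages("gic@example.org", rcpts, "Clinic update", "..."):
        print("ok:", m["To"])
```

If the Bcc variant is sent with smtplib.SMTP.send_message, the library derives the envelope recipients from To, Cc and Bcc and removes the Bcc header before transmission; with the lower-level sendmail() you must pass the Bcc addresses as to_addrs yourself and leave the Bcc header out of the message text, otherwise the list is exposed in a different way.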
3. Enforcement Notice (FoI breach case)
The ICO recently issued an enforcement notice against the Department for International Trade (DIT) and a practice recommendation to the Department for Business, Energy and Industrial Strategy (BEIS) for persistent failures to respond to Freedom of Information requests within the statutory time limit. DIT's performance was particularly poor: between January and March 2022 it responded outside the 20 working day limit in over 50% of cases. This was the first enforcement notice the ICO has issued under the Freedom of Information Act in seven years, and the Information Commissioner was keen to highlight that the ICO intends to take a more robust approach to applying the Act's enforcement provisions. It also highlighted the need for organisations to review their compliance with the ICO's Freedom of Information Code of Practice.
C – ICO News
The ICO has recently revised its approach to issuing monetary penalties against public sector organisations. Drawing on feedback from his six-month listening tour, the Information Commissioner has announced a new approach to fines in the public sector, to be trialled over the next two years. The ICO intends to make greater use of its powers other than monetary penalties, reserving fines for only the most serious cases. In line with the revised enforcement approach under its new three-year strategy, "ICO25", it will make more use of warnings, reprimands and enforcement notices. The new approach is set out in an open letter to public sector organisations.
UK Law Update
Data Protection and Digital Information Bill (DPDIB)
The second reading of the DPDIB, which was scheduled for 5 September 2022, has been paused for further consideration. Michelle Donelan, retained as DCMS Secretary of State, stressed at the Conservative Party Conference the government's intention to move away from the GDPR, which she described as a "regulatory minefield", and indicated that the DPDIB is likely to undergo further significant changes before it is reintroduced to Parliament.
The question remains how a new UK data protection regime can be introduced that reduces unnecessary burdens under the existing UK GDPR while maintaining data protection standards at a level that meets consumer expectations and preserves the UK's adequacy decision from the European Commission. Further announcements on the DPDIB are awaited.
Retained EU Law (Revocation and Reform) Bill (RLRRB)
The Department for Business, Energy & Industrial Strategy published the RLRRB on 22 September 2022. The RLRRB will abolish the special status of "retained EU law" on 31 December 2023: each instrument will either be removed from UK law or "assimilated" into it, subject to review, with a power to extend the deadline to 2026. As drafted, the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR) fall within the scope of the RLRRB, so the default position is that both instruments would be revoked at the end of 2023 unless the government takes steps to save them. The RLRRB does, however, contain powers to exempt these laws or to "restate" them in domestic law, i.e. to ensure that their principles are retained.
Specific provisions of the RLRRB would make little sense if the UK's data protection framework were revoked, which suggests that the government does not intend to let the UK GDPR lapse. It is also likely that PECR will be saved so that the rules on direct marketing and cookie consent continue to apply, given the ICO's views on inappropriate marketing practices. This update will track developments on the RLRRB and announcements on future data protection policy closely.
EU Law Update
Enforcement Action by EU Supervisory Authorities
The Irish Data Protection Commission (DPC) has imposed a record €405 million fine on Instagram (Meta) in relation to its user registration process and its handling of the contact information of child users. The case is notable procedurally: because the processing affected data subjects in multiple EU jurisdictions, the DPC's draft decision was circulated to the other concerned supervisory authorities under the one-stop-shop mechanism, and the objections they raised triggered a referral to the European Data Protection Board, which adopted a binding decision under Article 65 of the GDPR. Although the final decision was formally issued by the DPC, the substantive analysis of the legal issues is the EDPB's. Meta was strongly criticised for failing to protect children's rights sufficiently and for failing to establish a legal basis for processing children's contact information. The fine is the second highest issued under the GDPR, behind the €746 million fine imposed on Amazon by Luxembourg's data protection authority in 2021. The case is also interesting for its discussion of how organisations should apply the legal bases of performance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) in the context of children's personal data. For further information on the case and the EDPB's analysis, see the EDPB's decision.
Data Protection Officers’ Update
In September 2022 the Berlin Commissioner for Data Protection and Freedom of Information issued a €525,000 fine against a Berlin-based retailer for breach of the data protection officer requirements in Articles 37 to 39 of the GDPR. Following an investigation, the supervisory authority found that the company had deployed its DPO in a way that created a conflict between the DPO's duty of independence under the GDPR and his role as managing director of two service companies within the same group. The case highlights the contrast between the strict approach of EU supervisory authorities to the independence of the data protection officer and the proposal in the UK government's Data Protection and Digital Information Bill to remove the DPO role and instead make a "Senior Responsible Individual" within the organisation responsible for its privacy management programme.
International Data Transfers
Executive Order – EU-US data transfers
On 7 October 2022 President Biden signed an Executive Order aimed at addressing the ongoing issues surrounding data transfers between the EU and U.S., namely the lack of limits on governmental surveillance activities and the absence of redress mechanisms for EU citizens.
The Executive Order requires safeguards to be put in place limiting access to data by US intelligence authorities to what is "necessary and proportionate" to protect national security. No agreed definition of "proportionate" has been set out, and the term is likely to be the subject of future CJEU litigation.
A redress mechanism is also to be established. A Civil Liberties Protection Officer (CLPO) will carry out a preliminary investigation of complaints about access to an EU citizen's data by US national security authorities, decide whether there has been a violation and determine the next steps. A Data Protection Review Court will provide an "independent and binding review" of the CLPO's decisions. It is at present unclear whether this will be sufficient to constitute a court competent to uphold the rights of EU citizens.
The Executive Order is not legislation, and as yet no US statute enacts the proposed framework. The European Commission will now propose a draft adequacy decision and launch its adoption procedure; a final adequacy decision may take around six months. Once the framework is adopted, US companies will be able to join it by committing to comply with the privacy obligations it contains, and organisations will then be able to rely on the framework when sending data from the EU to the US.
ICO publishes its own Schrems II guidance and Transfer Risk Assessment tool
Nine months after the ICO published its own equivalent of the EU's Standard Contractual Clauses, the International Data Transfer Agreement (IDTA), together with the separate UK Addendum to the EU SCCs, it has now published updated guidance on international data transfers and a transfer risk assessment (TRA) tool.
The ICO's accompanying blog immediately seeks to distinguish the UK position from the European Data Protection Board's strict application of the Schrems II decision. The ICO's approach focuses on the impact a transfer would have on a data subject's ability to enforce their data protection rights in the destination country, whereas the EDPB's assessment focuses on the laws and practices of the importing country. Significantly, the ICO indicates that it is open to organisations applying either approach to the risk assessment.
The ICO's risk assessment tool, however, reflects its rights-based approach. It sets out six questions for the data exporter, directed at whether the clauses of the IDTA can be enforced in the destination country and whether they provide a legal cause of action for enforcing those rights. The ICO's position is that if the relevant transfer mechanism (i.e. the IDTA, or the EU SCCs plus the UK Addendum) will not provide appropriate safeguards and enforceable data subject rights for the personal data concerned, the restricted transfer should not be made.
In other news...
Roll-out of the NHS App
Previously, patients had to specifically "opt in" via the NHS App in order to access their health records online. The intended default position from 1 November was that GP practices would share this information with the App on a blanket basis, rather than dealing with individual patient requests ad hoc, the aim being, among other things, to reduce the long-term burden on GPs. In principle, therefore, once patients register for the NHS App on their phone they should be able to see a summary of the information their GP holds about them.
The data protection position, however, is that the IT suppliers currently act as data processors on behalf of the GP practices, which are the data controllers. In respect of those medical records the IT suppliers, as processors, may act only on the controller's instructions. They therefore cannot grant the NHS App automatic access to medical records on a blanket basis; the instruction to do so must come from each individual GP practice. NHS England is currently working with GP practices and their representative bodies to see whether a solution can be found, and this update will keep readers posted on any developments.
This article was co-written by Laura Cook, Trainee Solicitor.
If you have any questions about the issues raised in this update, please contact a member of our Information Law team.