When is a breach not a breach?

By Steve Eckersley, Head of Enforcement.

The ICO has ruled that Virgin Trains East Coast did not break data protection law when it published CCTV footage of Jeremy Corbyn looking for a seat on a service from London.

But the company did breach the law when it published images of other passengers on the same service. The ICO found that Virgin should have taken better care to obscure the faces of other people on the train. Publication of their images was unfair and a breach of the first principle of the Data Protection Act.


Subject access policy updated after court rulings on disproportionate effort

By Vivienne Adams, Senior Policy Officer.


As July arrives and brings with it summer (albeit a damp version of it here in Wilmslow so far), there are now fewer than 11 months until the arrival of the much-heralded GDPR.

As you can imagine, that means a busy time in the policy team, working on the guidance to help organisations understand the new law. But while there’s plenty of work still to do there, our work on guidance for the Data Protection Act (DPA) doesn’t stop.

The DPA is, after all, the current law. And as its interpretation is adapted and evolves through court decisions, so must our corresponding guidance.

The latest updates we’ve made to the Guide to data protection and also our CCTV and Subject access request (SAR) codes of practice are a case in point. Please see the appendix below for more details.

Earlier this year, two Court of Appeal judgments – Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford [2017] EWCA Civ 121 – were published which were particularly notable for how they dealt with disproportionate effort around subject access requests.

Those judgments clarified that data controllers can take into account difficulties which occur throughout the process of complying with a request, including difficulties in finding the requested information.

That doesn’t mean organisations should try to avoid replying to subject access requests. The burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.

And even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you should still try to comply with the request in some other way.

It’s another stage of the evolution of the law. If you want to keep up-to-date on future changes to guidance, it’s worth signing up to our e-newsletter, which provides monthly updates on all things information rights.


Details of changes to ICO guidance and codes of practice

Subject access code of practice

Disproportionate effort and the handling of SARs

We have amended chapters 6 and 8 on the application of the disproportionate effort exception in s8(2) of the DPA: the extent of the duty to provide subject access, information contained in emails and supplying information in permanent form.

In chapters 5 and 6 we have highlighted to organisations that when they design or specify systems such as CCTV they should bear in mind the need to facilitate the handling of SARs.

National scope of LPP exemption

We have also clarified in chapter 9 that personal data is exempt from the right of subject access if it consists of information for which legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.

Court’s discretion under s7(9) DPA

We have amended chapters 9 and 11 to state the Court of Appeal’s view that the court has a wide discretion to order compliance with a SAR, and to include the factors it listed. The existence of a collateral purpose or legal proceedings when making a SAR is irrelevant.

Other changes to the SAR code

We have also taken the opportunity to make other changes to the Subject access code of practice:

  • In chapter 10 we have clarified, in order to avoid confusion, that the ICO is not the responsible regulator for legislation on access to pupils’ educational records.
  • At the end of chapter 11 we have inserted a new paragraph stating the position on enforced subject access.
  • Throughout the code, we have changed references to the gender of the Commissioner to the feminine.

CCTV code of practice

We’ve amended section 5.2.3 of the CCTV code of practice to reflect the Court of Appeal’s judgments on the application of the disproportionate effort exception.

We’ve also amended the wording of sections 5, 6 and 7 to highlight to organisations the need to ensure the design of CCTV and other surveillance systems facilitates the handling of SARs.

Finally we’ve removed references to old cases, and updated old links.

Guide to data protection

We’ve amended the section “What if sending out copies of information will be expensive or time consuming?” to reflect the Court of Appeal’s judgments on the disproportionate effort exception.

We have also amended the section on exemptions: “Legal advice and proceedings” to state that the exemption applies where legal professional privilege (or its Scottish equivalent) could be claimed in legal proceedings in any part of the UK.

Vivienne Adams is a Senior Policy Officer in the ICO’s Policy and Engagement Department, working on information rights policies and providing advice and guidance to colleagues and stakeholders.

Four lessons NHS Trusts can learn from the Royal Free case

By Elizabeth Denham, Information Commissioner.


Today my office has announced that the Royal Free London NHS Foundation Trust did not comply with the Data Protection Act when it turned over the sensitive medical data of around 1.6 million patients to Google DeepMind, a private sector firm, as part of a clinical safety initiative. As a result of our investigation, the Trust has been asked to sign an undertaking committing it to changes to ensure it is acting in accordance with the law, and we’ll be working with them to make sure that happens.

But what about the rest of the sector? As organisations increasingly look to unlock the huge potential that creative uses of data can have for patient care, what are the lessons to be learned from this case?

It’s not a choice between privacy or innovation

It’s welcome that the trial looks to have been positive. The Trust has reported successful outcomes. Some may reflect that data protection rights are a small price to pay for this.

But what stood out to me on looking through the results of the investigation is that the shortcomings we found were avoidable. The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights. I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work. This will also be true for the wider NHS as deployments of innovative technologies are considered.

Don’t dive in too quickly

Privacy impact assessments are a key data protection tool of our era, as evolving law and best practice around the world demonstrate. Privacy impact assessments play an increasingly prominent role in data protection, and they’re a crucial part of digital innovation. Our investigation found that the Trust did carry out a privacy impact assessment, but only after Google DeepMind had already been given patient data. This is not how things should work.

The vital message to take away is that you should carry out your privacy impact assessment as soon as practicable, as part of your planning for a new innovation or trial. This will allow you to factor in your findings at an early stage, helping you to meet legal obligations and public expectations.

New cloud processing technologies mean you can, not that you always should

Changes in technology mean that vast data sets can be made more readily available and can be processed faster and using greater data processing technologies. That’s a positive thing, but just because evolving technologies can allow you to do more doesn’t mean these tools should always be fully utilised, particularly during a trial initiative.

In this case, we haven’t been persuaded that it was necessary and proportionate to disclose 1.6 million patient records to test the application. NHS organisations, perhaps more than any other sector, need to remember that we are talking about the medical information of real patients. This means you should consider whether the benefits are likely to be outweighed by the data protection implications for your patients. Apply the proportionality principle as a guiding factor in deciding whether you should move forward.

Know the law, and follow it

No-one suggests that red tape should get in the way of progress. But when you’re setting out to test the clinical safety of a new service, remember that the rules are there for a reason. Just as you wouldn’t ignore the provisions of the Health and Social Care Act, or any other law, don’t ignore the Data Protection Act: you need a legal basis for processing personal data. Whether you contact the ICO or obtain expert data protection advice as early as possible in the process, get this right from the start and you’ll be well-placed to make sure people’s information rights aren’t the price of improved health.

The ICO’s dedicated health sector page has collected relevant guidance and resources together.

Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.

The ICO Grants Programme and why the time is right to support independent research

“Once you stop learning, you start dying.”

So said Albert Einstein, and while the school year may be nearing its end and university students are already returning home for the summer, we at the ICO have launched our first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions, and we believe it is a genuinely exciting development.

Its outcomes will help us stimulate innovative research and solutions into pressing and challenging privacy issues. The solutions should make a real difference to the public and the data protection practices of organisations. The programme will also help us achieve many of the key goals set out in the ICO’s new Information Rights Strategic Plan – for example, staying relevant and keeping abreast of evolving technology, improving standards, increasing public trust and maintaining and developing international leadership and influence.

But why should the ICO, as a regulator, be funding research at all? Shouldn’t we be concentrating all our efforts and resources on investigating organisations which breach the Data Protection Act and sorting out unsatisfactory responses to Freedom of Information Requests?

Of course, we recognise and value the importance of our day to day work and this is where the core of funding goes. Our recent annual performance statistics revealed we were dealing with more cases and queries than ever before. Demand is increasing by the year and so is our response, whether through enforcement, conversations with stakeholders or engagement with the general public. When you add the work we are doing to prepare for the introduction of the new GDPR regime in May 2018, it’s clear that we have plenty on our plate – and we’re ready and gearing up for that demand.

But a regulator that concentrates solely on what’s right in front of its nose, that fails to look up and look around, is in danger of walking into a lamppost and banging its head.

We have, in fact, commissioned valuable research in the past. For many years the ICO has run research tenders to support specific policy projects and we have very much valued our interactions with the academic community, NGOs and innovators and the input they’ve had into our work.

We now want to do more to release the potential in these communities. This new programme will take a broader ‘horizon-scanning’ approach, encouraging them to develop new insight and solutions into key data protection and privacy challenges posed by new technologies such as artificial intelligence and machine learning. We are always willing to learn and this external research will feed into our own broader policy thinking and conversations.

This is the right time to launch this programme given the challenges we face and the need to enhance and tap into the expertise of others. The significant public and media interest in our current investigation into the use of data analytics for political purposes is a good example of how quickly things can move and change in the information rights sphere.

By launching the ICO Grants Programme, we are also building on the success of similar schemes already operating overseas. Data doesn’t necessarily recognise physical borders and we believe the ICO should be a global player and always aware of the international implications of our work.

But rest assured, this is not a navel gazing exercise. Foremost in all of our thinking has been the importance of the programme’s practical focus. We want applied research and real solutions with genuine benefits for the UK public, not purely theoretical research.

We also recognise the importance of value for money – the programme will be run in line with the Government’s Minimum Grants Standards and will involve a panel of external experts providing recommendations on which proposals to fund. Successful applicants will be subject to continuous monitoring.

More information about the programme, eligibility and the application process is also available on our dedicated ICO Grants Programme web page. You can also watch our recent webinar outlining further details about the scheme.

Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.

Interesting times, and how we navigate them

By Elizabeth Denham, Information Commissioner.


I remember hearing my predecessor talk about a Chinese saying “may you live in interesting times”.

I think it’s fair to say we’re living in them!

My term in office is five years, and it’s abundantly clear to me as the first year draws to a close, ‘interesting times’ will be a recurring theme of my term. GDPR, Brexit, and whatever follows those two. Add to that a general election too.


The Information Commissioner opens a formal investigation into the use of data analytics for political purposes

By Elizabeth Denham, Information Commissioner.

In March we announced we were conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes.

Engagement with the electorate is vital to the democratic process. Given the big data revolution it is understandable that political campaigns are exploring the potential of advanced data analysis tools to help win votes. The public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing.


Draft GDPR Consent guidance receives a significant response

By Jo Pedder, Interim Head of Policy and Engagement.

The issue of consent surrounding the use of data has proved to be increasingly high-profile recently – and that has been reflected in the large number of responses to our draft GDPR Consent guidance.

I previously announced back in early March that we were running a public consultation on our first piece of detailed, topic-specific GDPR guidance as we were interested in gaining your feedback on our draft.

The consultation is now closed and we received more than 300 responses from organisations across a variety of sectors, along with interested members of the public.


Profiling under the GDPR: feedback request

By Jo Pedder, Interim Head of Policy and Engagement.

Imagine a friend tells you about a holiday deal. You go online to book the same deal but you cannot see it on the website. Unbeknown to you, behind the scenes an algorithm has analysed where you live, your age, gender, occupation, online activity and more and decided you wouldn’t be interested.

This is called profiling.


ePrivacy reform: Privacy and electronic communications regulations (PECR) under review

By Jo Pedder, Interim Head of Policy and Engagement.

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace.

The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR).


Garages, new homes and old offices: the records management mistakes that put health records at risk

By Leanne Doherty, Group Manager.

When Cabinet Office Minister Ben Gummer announced the government was spending £1.9bn on UK cyber security, he highlighted health data as needing strong protection.

But while money is (rightly) invested in hi-tech cyber security solutions in the health sector, our experience is that data breaches in the sector are often caused by far more basic mistakes.

Indeed, a quick look through the health cases seen by the ICO enforcement team suggests work to do around garages and decommissioning as well as gigabytes and denial of service attacks.
