This article was amended on 24 November 2017 to add additional material.
By Steve Wood, Deputy Commissioner (Policy).
In an increasingly digital world, more and more toys and devices aimed at children now have internet-connected technology. As the Christmas shopping season begins, many parents will be considering buying them for their children.
The ICO supports innovation and creative uses of personal data, but this cannot be at the expense of people’s privacy and legal rights, whatever their age. Concerns have been raised in recent months, not only in the UK but in Europe and the USA, that the growth in toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk.
There have also been data protection concerns relating to some products over what data is collected, by whom, where it is stored and how it is secured.
The Information Commissioner’s Office (ICO) wants parents, guardians and others to consider data protection and privacy issues in the same way they would check on the safety of presents they are planning to give to their children.
By James Dipple-Johnstone, ICO Deputy Commissioner – Operations.
The Information Commissioner’s Office is widely recognised as a leader in Binding Corporate Rules (BCR) authorisations. Around 25 per cent of the BCRs approved across Europe so far have been authorised by the ICO.*
The ICO is also one of the largest regulatory offices in Europe, meaning it has capacity to deal with authorisations at scale and at present we are working on around 40 BCR applications at various stages of the process.
BCRs are one of the ways organisations can comply with data protection rules about ensuring adequate safeguards when personal data is sent outside the European Economic Area (EEA).
By Mike Shaw, Enforcement Group Manager.
Just because you can, doesn’t mean you should.
Most people are familiar with this phrase, but what is its relevance in the world of data protection?
Put simply, just because your job may give you access to other people’s personal information, that doesn’t mean you have the legal right to look at it, let alone share it. In fact, doing so without a valid reason or the knowledge of your employer is a criminal offence and could lead to prosecution by the Information Commissioner’s Office and a day in court.
When political market research crosses the line
By Steve Eckersley, Head of Enforcement.
The ICO has concluded its investigation into a Conservative Party telephone campaign carried out in the run up to the 2017 general election.
An undercover Channel 4 News investigation raised concerns about the campaign involving calls made by Blue Telecoms, a firm in Neath, South Wales, on behalf of the Conservative Party.
By Jo Pedder, Head of Policy and Engagement.
The Article 29 Working Party – the group of EU data protection authorities charged with agreeing European-wide guidance on GDPR – has published guidelines on profiling and breach reporting. Guidelines on administrative fines that were adopted earlier this month will be published soon too.
Consistency across the EU is one of the fundamental drivers of the GDPR and, as the UK member of Article 29 (WP29), we’re either leading or assisting in the development of guidance on some of the main aspects of the law.
By Paul Arnold, Deputy Chief Executive.
As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.
Under the current Data Protection Act (DPA), organisations that process personal information are required to notify with the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.
By Steve Wood, Deputy Commissioner (Policy).
Our new series of blogs aiming to bust some of the myths that have developed around the General Data Protection Regulation (GDPR) is proving incredibly popular and we are pleased that so many of you are finding them useful.
Here at the ICO, we took the view that it was time to sort the fact from the fiction before the new law comes into effect on 25 May 2018, given some of the misinformation and outright scaremongering out there – some of which, it must be said, seems commercially driven.
Our first two blogs covered the myths surrounding new fining powers and the issue of consent, and this week we want to talk about another widely held misconception – that the new regime is an onerous imposition of unnecessary and costly red tape.
By Elizabeth Denham, Information Commissioner.
The General Data Protection Regulation comes into force on 25 May 2018.
That’s not new news. But it is a fact.
It’s also fact that not everything you read or hear about the GDPR is true.
For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.
And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example.
But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.