Information Commissioner’s Office publishes guidance on key data protection issues

Written on 5 May 2016

The UK’s data protection authority (the Information Commissioner’s Office or “ICO”) has published guidance over the past few months on a number of key areas of the data protection regime in the UK. These include the ICO’s approach to the new EU data protection legislation, its attitude towards encryption, and its updated guidance on privacy policies.

12 steps to GDPR

With the EU’s new General Data Protection Regulation (GDPR) due to be adopted in the next few months, on 14 March 2016 the ICO has published its recommended 12 steps that organisations should take now in order to prepare for implementation of GDPR.

The 12 steps that organisations should take are to:

  1. increase awareness of data privacy requirements in general, and the GDPR in particular, within the organisation;
  2. document the personal data which it already holds, including where it came from and who you share it with;
  3. review the organisation’s current privacy notices, and put in a plan in place to make changes for GDPR;
  4. check that there are procedures in place to address the new rights in the GDPR – for example, can the organisation delete personal data if requested;
  5. update the organisation’s procedures for subject access requests;
  6. identify and document the organisation’s legal basis for processing personal data;
  7. review policies for seeking, obtaining and recording consent;
  8. for children’s data, consider how the organisation will verify an individual’s age and obtain parental consent to data processing when required;
  9. review the organisation’s data breach policies;
  10. review the ICO’s guidance on privacy by design and privacy impact assessments, and how to include these as part of the organisation’s general business procedures;
  11. consider whether the organisation needs a data protection officer and, if so, who is the appropriate candidate within the organisation; and
  12. if the organisation operates internationally, identify which data protection authority will supervise you under GDPR. 

The key theme running through this is that organisations should be starting to audit the personal data already held by them, review current procedures and policies, and increase awareness of the required changes amongst the key stakeholders, even at this early stage.

The ICO stresses the importance of organisations developing the required procedures now and identifying how to implement mandatory changes ahead of 2018, when the GDPR comes into force. The emphasis is on ensuring that organisations get “it right from the start”.

For further information on the guidance, please click here.

ICO encryption

On 3 March 2016, the ICO published new guidance on the use of encryption. This is presumably a response to the number of ICO enforcement actions brought due to the loss of unencrypted personal data by organisations.

The ICO stresses that encryption is now a widely available and low cost method of protecting personal data and can ensure that organisations comply with their duty to use appropriate measures to keep the personal data they hold secure.

This guidance contained the following recommendations:

  1. organisations should have an encryption policy which outlines when encryption should be used – for example, a policy may include a guideline over whether emails containing certain types of personal data should be sent in an encrypted format;
  2. organisations must comply with any sector specific guidelines on encryption;
  3. personal data should usually be stored in encrypted form, especially if unauthorised access is reasonably likely to occur; and
  4. when organisations transmit personal data, and especially sensitive personal data, over the internet or other network (such as WiFi), then they should use an encrypted communication protocol. 

The guidance goes on to give a variety of different scenarios in which organisations should encrypt personal data. These include (not an exhaustive list): the transfer of personal data by CD, DVD or USB; the sending of personal data by email; the sharing of personal data online; mobile devices; fax; CCTV; audio recordings; photography and video equipment; and even drones.

For further information on the ICO guidance on encryption, please click here.

ICO consultation on revised privacy notices code of practice

On 19 February 2016, the ICO published its code of practice on privacy notices for consultation.

The new code is based on similar principles to the previous privacy code. For example, it stresses that the data processor must use the information in the way that people would reasonably expect and ensure that people know how they data will be used. Under the ICO guidance, the emphasis is on the relevant organisation to decide what measures to put in place to meet their specific legal burdens.

Osborne Clarke’s Georgina Graham considers the code in more detail in a marketinglaw.co.uk article which can be read here.