Monthly Archives: November 2019

What does the law say about protecting your health and other sensitive data?

Health data, identity theft and fraud are among the most significant concerns of data protection, especially where sensitive personal data is concerned.  Now the Information Commissioner’s Office has published detailed guidance on how data controllers should protect and handle this ‘Special Category’ data.

Special category data

Known as the most sensitive category of personal data, special category data concerns information on a person’s:

  • health
  • sex life or sexual orientation
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • membership of a trade union
  • genetic data
  • biometric data for uniquely identifying a person such as a fingerprint, or facial recognition

Special care must be taken when processing sensitive data.  Because of its sensitive nature, there is a high risk to individuals if such data were to fall into the wrong hands.  It is illegal to process any of the above categories of data without a specific reason. 

So, data controllers MUST select one of the following legal grounds before processing:

  • explicit consent
  • obligations in employment
  • social security and social protection law
  • to protect vital interests
  • processing by not-for-profit bodies
  • manifestly made public
  • establish, exercise or defend legal claims
  • substantial public interest
  • preventative or occupational medicine
  • public health
  • research purposes.

‘Special Category’ data must also be given extra levels of security to protect it.  Examples include limiting the number of individuals who may access such data, minimising the amount of data collected, and applying stronger access controls.  These and other such measures help protect the privacy of the individual and maintain the integrity and confidentiality of the data.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742

Gareth Evans, 15th November 2019

US Privacy Bill

On October 11, 2019, California Governor Gavin Newsom signed the remaining amendments to the California Consumer Privacy Act (CCPA) into law.  The CCPA provides unprecedented privacy rights to California residents similar to those enjoyed by EU citizens since the implementation of GDPR. Most companies that do business with California will need to comply with the requirements of the new law.  The deadline for compliance with CCPA is 1st January 2020 though some commentators believe that this deadline may be extended.

Other US states are already considering introducing privacy legislation reflecting the measures taken by California. However, events are moving quickly…

On 5th November two Californian Democrat Congresswomen, Anna G. Eshoo and Zoe Lofgren, introduced an Online Privacy Bill to the US House of Representatives.  If successfully enacted the Act would create a federal Data Protection Agency (DPA) covering the whole of the US.

Corporate Data Privacy Obligations

The draft legislation imposes a raft of obligations on organisations, including requirements to:

  • disclose why they need to collect and process data
  • minimise employee and contractor access to personal data
  • not disclose or sell personal information without explicit consent
  • not use private communications such as email to target ads or for “other invasive purposes”

The legislation is attempting to tackle a range of abuses of privacy data. This is illustrated by the requirement for organisations to “notify the agency (the DPA) and users of breaches and data sharing abuses, e.g., Cambridge Analytica.”

Citizens’ Data Privacy Rights

The bill would give citizens the right to:

  • access, correct, delete, and transfer data about them;
  • request a human review of impactful automated decisions;
  • give opt-in consent for the use of their data in machine learning / A.I. algorithms;
  • be informed if a covered entity has collected their information; and choose how long their data can be kept

Sound familiar?


Gareth Evans, 15th November 2019

Politics. Fines. Data Deletion.

GDPR Regulations begin to bite

We are now beginning to see the impact of the GDPR regulations across politics, businesses and public services.  With the upcoming UK general election, the ICO is issuing timely reminders.  In Europe we are starting to see large fines being levied for GDPR breaches.

ICO Issues Letter to UK Political Parties

In a timely reminder the Information Commissioner has written to 13 political parties in the UK. The letter reminds them of their legal obligations regarding the use of Personal Data in the lead-up to the General Election. The ICO letter highlights the need for parties to:

  • provide individuals with clear and accessible information about how their personal data is being used.  This includes:
    • data obtained directly from individuals
    • data obtained from third parties, including data brokers
    • inferred data – i.e. data that is inferred from observed behaviour, such as reading or buying habits, responses to advertising and so on

  • demonstrate compliance with the law. The scope here includes any third-party data processors.  For political parties, this specifically includes data analytics providers and online campaigning platforms
  • have the appropriate records of consent from individuals (where consent is the legal basis for processing) to send political messages through electronic channels (texts, emails)
  • identify lawful bases for processing special category data, such as political opinions and ethnicity.

This places political parties on the same basis as commercial organisations under UK law. 

Record Fine in Austria

The Austrian Data Protection Authority has imposed an €18 million fine on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”).  After an investigation, the Austrian DPA established that ÖPAG processed and sold data regarding its customers’ political allegiances, amongst other violations. This is a violation of the GDPR.

The fine is subject to an appeal.

Record Fine in Germany

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed the highest fine issued in Germany since the EU GDPR became applicable.  Deutsche Wohnen SE, a real estate company, was fined €14.5 million.

After onsite inspections, the Berlin Commissioner noticed the company was retaining personal data of tenants for an unlimited period. It had not examined whether the retention was legitimate or necessary.

Data should be removed without delay once it is no longer needed for the specific purpose for which it was collected. Deutsche Wohnen SE was using an archiving system that did not enable the removal of such data. Affected data related to financial and personal circumstances, such as bank statements, training contracts, tax, social and health insurance data.

This fine should act as a strong reminder to all companies to review and update their data retention and deletion policies, processes and supporting procedures.

More news later this week.

Gareth Evans, 11th November 2019

Politics and social media

Politics, Social Media and Data Protection

This has been a week in which the combination of politics, social media and data protection has been much in evidence.

Twitter political advertising ban

Twitter boss Jack Dorsey decided to ban political advertising on Twitter globally, which has focussed attention on the use of personal data in targeting political messages. This has gained traction in the UK particularly as it coincides with an unscheduled General Election campaign.

Facebook agrees to pay maximum fine 

At the same time, the ICO announced an agreement with Facebook over their investigation into the misuse of personal data in political campaigns. The investigation began in 2017.

As part of that investigation, on 24 October 2018 the ICO issued a monetary penalty notice (MPN) of £500,000 against Facebook.  £500,000 was the maximum allowed under the Data Protection Act (DPA) 1998.  The ICO identified “suspected failings related to compliance with the UK data protection principles covering lawful processing of data and data security”.  

Following an appeal referred to a Tribunal, Facebook and the ICO have agreed to withdraw their respective appeals. Facebook has made no admission of liability, but has agreed to pay the £500,000 fine.

In a statement following the joint agreement, Facebook’s General Counsel said:  

“The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica. However, we look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”

The ICO’s fine is the maximum available under DPA 1998.  Under current law (which implements the GDPR), sanctions can be up to 4% of annual global turnover or €20 million – whichever is greater.

Facebook withdraws political campaigns

In the spirit of cooperation on the responsible use of data analytics in political communications, Facebook has withdrawn a number of political communications. The Government’s MyTown campaign was aimed at key marginal seats.  It was withdrawn as it did not contain the appropriate disclaimers.  In addition, an advert by the Fair Tax Campaign was withdrawn because it did not disclose that it was sponsored content.   

More news next week.

Gareth Evans, 5th November 2019

There Now Follows A Brief Interlude…

This blog, charting the progress of the UK towards Brexit and its impacts from a data protection perspective, has been running for a few months now. It seems that every week there has been a new twist or sudden change in direction.

This week, again contrary to many commentators’ predictions, came the news that we have a General Election in six weeks’ time, on 12th December. It is highly unusual to hold an Election so late in the year, a fact that adds to the overall sense of uncertainty over the final outcome.   Voters are likely to cast their vote in line with their Remain or Leave preference as much as their traditional party allegiance.  It may well throw up some surprises.

What is certain, however, is that during the six weeks of the election campaign Brexit and the Withdrawal Agreement Bill will not progress. There now follows, as broadcasters used to say, a brief interlude.  In the meantime, we will continue to monitor and report on data protection developments both in the UK and internationally on our blogs.

Follow the money

And if readers are concerned about the fate of the millions of commemorative 50 pence pieces minted to celebrate the UK’s departure from the EU on 31st October, I understand they have been melted down. They will be re-minted (if that’s the word) when a new Brexit date has been secured.

Please contact us if you have any queries or concerns about how Brexit will affect your business.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 1st November 2019