This week's roundup of data issues includes: Draft GDPR guidance from the ICO released which addresses consent; Experts advise on impact of GDPR on UK business and; Report reveals local councils' failure to provide adequate PIAs on body worn camera usage. Read more...


United Kingdom

Draft GDPR guidance from the ICO released which addresses consent

On 2 March, the Information Commissioner's Office (ICO) published its draft consultation on the General Data Protection Regulation (GDPR) consent guidance. This makes recommendations for an "active opt-in" process and states that individuals have the right to withdraw their consent at any point. The guidance reflects the new right to withdraw consent at any time which is being introduced via Article 7(3) of the GDPR. The ICO advises in the draft consultation paper that organisations that process personal data should review their existing consent processes to make them more: “specific, granular, clear, prominent, opt-in, documented and easily withdrawn". On a practical level organisations are advised to review the type of consent they currently hold and whether it is suitable, or whether it needs a refresh to meet the new GDPR standard. For example the GDPR introduces new requirements around consent obtained from children and consent for scientific research data (Article 8 GDPR).

The ICO makes clear in the paper that the GDPR bans the usage of “pre-ticked opt-in boxes” as a lawful means of acquiring an individual's consent.

The ICO advises that organisations should keep records at every step of the consent process as evidence and “build regular consent reviews" into their business processes. According to the ICO, when the GDPR is implemented in May 2018, misuse of personal data will be subject to “the highest tier of administrative fines”, which could be as high as “£17.2 million or 4% of worldwide annual turnover”. Currently, under the Data Protection Act, £500,000 is the highest tier of fines the ICO can levy for unlawful data processing.

The ICO in the paper advises businesses who process data to make “key changes" to their consent requests so that GDPR requirements are met.

The consultation ends on the 31 March 2017 and is subject to further review from the ICO.

As reported by Civil Society, further information can be found here.

For a copy of the draft consultation please click here.  Please note that this includes a checklist for consent on page 38.

Experts advise on impact of GDPR on UK business

A panel of data protection experts have advised the Lords' committee that implementing the EU's GDPR is good business practice and will stand the UK in good stead after Brexit. Challenges could however still arise in getting an EC data protection adequacy ruling due to the onerous provisions in the Investigatory Powers Act. The difference between the former Regulation of Investigatory Powers Act 2000 (RIPA) and the current Investigatory Powers Act 2016 is the ability of relevant agencies to regularly obtain bulk data, rather than specific and targeted data.

When queried by the Lords’ EU Affairs Sub-Committee on the changes they would like to observe after Brexit, the experts stated that as a starting point: "they would like to see the GDPR in operation to an acceptable level". It was also highlighted that the GDPR provides a good framework for business in terms of handling personal data and provides further protection for the consumer.

The government faced questions from the Lords’ committee earlier this year on how the UK will deal with the free flow of data between the UK and EU post-Brexit. The UK's digital minister, Mark Hancock, confirmed in the article that the Government will replace the 1998 Data Protection Act with GDPR-like legislation. However, they warned that it may take two to three years before the EC decide that the UK has an adequate data protection regime.

Ultimately, the UK’s data protection laws could prove to be a major stumbling block to gaining an adequacy ruling, especially in terms of the UK’s approach to mass surveillance and data retention practices under the Investigatory Powers Act. One school of thought is that the UK may need to sign up to a Privacy Shield of its own like the one currently held by the US for transatlantic data flows between the EU and the US.

As reported by Computer Weekly, further information can be found here.

Report reveals local councils' failure to provide adequate PIAs on body worn camera usage

Big Brother Watch, a data privacy rights campaign group, has stated that some UK councils are failing to complete privacy impact assessments (PIAs) on the usage of body-worn cameras (BWCs). According to the group, BWCs have been issued by over half of all UK councils to officials recording parking penalties with inadequate assessments being made on the impact on people’s privacy.

New research suggests that BWCs are being deployed by the majority of councils in the UK (66%) before a PIA has been completed. Furthermore, 21% of local authorities are storing footage for more than the 31 day time limit that is adhered to by the police forces.

In the report, it was found that 54% of the 227 local authorities are currently using or piloting BWC technology to catch minor offences such as littering and violating parking rules. This has accumulated estimated costs of nearly £1.8 million.

More than half of councils are failing to consider the implications of using BWCs, the data that is being captured and how this data is being protected and stored. Organisations are advised to review the BWC Steering Group's guidelines and procedures which are freely available online.

Big Brother Watch CEO Renate Samson provided the following statement in the article:

"Despite repeated warnings about misuse of surveillance powers we have found that once again councils are choosing to use powerful law enforcement tools with little consideration for privacy."

As reported by IT Pro, further information can be found here.

For guidance on BWCs please visit the BWC Steering Group's website here.

Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile