Included in this edition of data & privacy news: ICO publishes data protection guidance for collecting customer information, Facebook takes legal action against Data Protection Commission and more...

Privacy Risk 2020: New Perspectives Webinar on Tuesday 6 October 

Join our Data Management Team on Tuesday 6 October at Midday as they provide some insights into the latest market and legal changes driving privacy decision making. Sign up here. 

ICO publishes data protection guidance for collecting customer information

The Information Commissioner's Office (ICO) has published guidance for businesses mandated to collect customer information for the test and trace programme. This includes those in the hospitality sector, leisure and tourism sector and close contact businesses. 

The ICO has provided five simple steps to help organisations handle people's information responsibly:

• Only ask individuals for the specific information as set out in government guidance;
• Be clear, open and honest with individuals about their personal data use;
• Keep individuals data secure;
• Only use the personal data collected for contact tracing; and 
• Erase or dispose of the personal data collected within 21 days.

Facebook takes legal action against Data Protection Commission 

Facebook has been granted leave to seek judicial review of the Irish Data Protection Commission's preliminary decision that the Standard Contractual Clauses "cannot in practice be used" by Facebook to transfer data from the EU to the U.S.

The decision of the Irish Data Protection Commission was made following the Schrems II ruling by the Court of Justice of the European Union in July.

As result, a stay has been put on the order that the Data Protection Commission had made blocking such transfers, meaning that the transfers can go ahead at least until the judicial review has taken place.

Information Commissioner publishes blog on data protection considerations and the NHS COVID-19 app

In a recent blog, Information Commissioner Elizabeth Denham discussed the regulatory work the ICO have been involved in for the NHS COVID-19 app.

Ms Denham stated that tech innovation has been one of the themes of the ICO's recent work in responding to the COVID-19 challenge and said how the regulator plays an important role by enabling progress that can help society, as well as protecting the individuals whose data is relied on. 

The ICO have been engaged in the NHS COVID-19 app from the start, published a formal Opinion on the joint Google-Apple exposure notification API when it was launched and developed an "expectations document" serving as a reference point throughout.

Norwegian data regulator fines Norwegian government agency 37,000 EUR

Norwegian Public Roads Administration has been issued a fine of 37,400 EUR by the Norwegian Data Protection Authority for processing personal data that was incompatible with the original stated purpose, and for failing to erase video recordings after 7 days.

The Government Agency used fixed road cameras to extensively monitor contract parties, employees, subvendors and the subvendor's employees. The photos, documenting breaches of contract, were then used several months after the incidents took place when they should have been for immediate security measures. 

The Norwegian data regulator emphasised how the new usage was at considerable disadvantage to the contract parties and its employees, contradicting how the contract parties expected the personal information to be used.