Included in this edition of data & privacy news: Data Download Webinar; retention of customer data as pubs re-open; ICO release report on mobile phone data when conducting criminal investigations and more...

Data Download webinar on Tuesday 7 July

Join our Data Management Team on Tuesday 7 July at Midday as they look at the UK's emerging approach on developing services that are attractive to young people when using their personal data. The session will help you to identify whether your business will be caught by the new rules. Sign up here.

Retention of customer data as pubs and restaurants re-open

As the pubs and restaurants begin to reopen, the government has issued updated guidance recommending that customer data is retained for 21 days in order to support NHS Test and Trace. 

Organisations will need to put in place measures to safely record this information, adhering to data protection principles such as data minimisation, security and transparency. Certain organisations will already have access to this information due to their online booking system however questions arise as to whether functionality changes are required, privacy policies need updating and / or if the system captures all visitors to the establishment.

Experts claim informed consent is essential for success of UK's track and trace app

Chief strategy and marketing officer at a leading mobile data company has said informed consent is essential for the UK's track and trace app to be a success. 

The app, which relies on personal data such as postcodes, has raised data privacy concerns. In order to work, experts claim that it needs an adoption rate of 60% but other countries have so far shown little impact when launching their contact tracing apps. 

Trusted consent can be gained from giving clear information on the apps purpose, the data required to be shared with the public and who has ultimate control over it. 

ICO release report on mobile phone data when conducting criminal investigations

The Information Commissioner’s Office (ICO) has released an investigation report on policy extraction of mobile phone data when conducting criminal investigations in England and Wales following concerns about excessive processing of personal data. 

Information Commissioner Elizabeth Denham said that the report makes clear a "whole-of-system approach is needed to improve privacy protection whilst achieving legitimate criminal justice objectives".

Recommendations in the report include the introduction of a new code of practice to improve practices and better support for police and prosecutors in their work.

EDPB publishes register of One-Stop-Shop decisions 

The European Data Protection Board (EDPB) has published a register containing One-Stop-Shop decisions taken by national supervisory authorities. The register also contains summaries of the decisions in English prepared by the EDPB Secretariat. 

Data protection practitioners will be able to use the register to gain information on how supervisory authorities work together to enforce the GDPR. 

New rules allow EU consumers collective redress

Parliament and Council negotiators have reached a deal to allow EU consumers to defend their rights collectively. 

The new rules will introduce a harmonised model which will guarantee consumers are protected against harm, safeguard them from abusive lawsuits and allow the internal market to function better by facilitating access to justice for consumers. 

Approval is now required by Parliament and the Council before the rules will enter in force 20 days following its publication in the Official Journal of the EU. 

Google to automatically delete search and location history after 18 months

Google will now automatically delete all web or in-app search and location data after 18 months, as it attempts to ease regulator concerns over the amount of information it collects.

Users will also have the option to change their settings to wipe their data every three months.

Chief executive Sundar Pichai said the company was "dedicated to keeping private information safe and giving users more control over their data".

Gmail and Google's storage platforms Photos and Drive will not follow the rules. 

Swedish DPA issues condominium association fine for use of camera surveillance

The Swedish data protection authority, Datainspektionen, has fined a condominium association SEK 20,000 for use of cameras surveillance at entrances and in stairwells.

The data regulator said the condominium association did not have "weighty reasons" for the surveillance cameras and residents were not sufficiently informed of the surveillance or its monitoring. 

Accessories retailer Claire's hit by cyber-attack

The jewellery and accessories retailor Claire's has confirmed that criminals intercepted payment card details used on its online store from 25 April to 13 June 2020.

A spokesperson for Claire's said that "the company does not know how many customers have been affected - and that it is investigating the matter so victims can be informed".