Included in this issue of Data & Privacy News: ICO agrees extensions with BA and Marriott, ICO issues first fine under the GDPR to pharmacy and more...

ICO agrees extensions with BA and Marriott

The ICO has agreed with British Airways and Marriott International an extension to the "regulatory process" for another three months. 

British Airways and Marriott International were issued with a notice of intent to fine for £183.39m and £99.2m retrospectively, in July 2019. 

Under the Data Protection Act 2018, the ICO has a strict six-month period from serving a notice on intent to confirming the monetary penalty, however this can be extended by agreement between the regulator and the offending company. 

The ICO has confirmed that an extension is in place until 31 March 2020 but has offered no further details regarding the progress of their investigations.

ICO issues first fine under the GDPR to pharmacy  

The ICO has issued Doorstep Dispenseree Ltd, a London-based pharmacy, a fine of £275,000 for failing to ensure the security of special category data. 

The company left approximately 500,000 sensitive medical documents in unlocked containers outside its premises in Edgware.

Personal information in the documents included names, addresses, dates of birth, NHS numbers, medical and prescription information. 

The ICO were alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, who were carrying out a separate enquiry. 

Doorstop Dispensaree has three months to improve its data protection practices or face further enforcement action.  

Calls for urgent inquiry after New Year's Honours data security breach 

Politicians have called for an urgent inquiry into how the personal details of more than a 1,000 prominent figures named in the New Year honours list were published on the Cabinet Office's website for around an hour on Friday 27 December 2019.

The Cabinet Office has apologised for the data security breach and said it was contacting affected individuals to provide advice and guidance should they have any security concerns.

The ICO confirmed that it has launched an investigation into the data breach.

AG Opinion affirms sufficiency of standard contractual clauses 

Advocate General Henrik Saugmandsgaard Øe has reaffirmed the sufficiency of standard contractual clauses in the "Schrems II" case, but called into question the national security of U.S. protections for personal data. 

This opinion of the AG, will please many companies around the world who rely on the standard contractual clauses to transfer data globally. 

However, it still leaves uncertainty suggesting companies and data protection authorities should assess the adequacy of foreign countries national security protections on a case-by-case basis, which according to the DPC could create EU fragmentation. 

The CJEU is expected to issue a final decision on Schrems II in the first quarter of 2020.  While the CJEU is expected to confirm the AG's opinion, it is not obligated to do so and it may reach a different outcome.