Included in this edition of Data & Privacy News: ICO data sharing code of practice comes into force, ICO issues response to DCMS consultation "Data: a new direction" and more

ICO data sharing code of practice comes into force

The Information Commissioner's Office (ICO) data sharing code of practice, a statutory code prepared under section 121 of the Data Protection Act 2018 (DPA 2018), came into force on 5 October 2021. The code was laid before Parliament on 18 May 2021 and issued on 14 September 2021 under section 125 of the DPA 2018.

The code does not impose any additional barriers to data sharing. However, in accordance with section 127 of the DPA 2018, the Commissioner must take the code into account when considering whether data protection obligations have been complied with when sharing data. The code contains practical guidance on how to share data fairly and lawfully and how to meet accountability obligations, as well as a series of optional good practice recommendations.

ICO issues response to DCMS consultation "Data: a new direction"

The Information Commissioner's Office (ICO) has published its response to the Department for Digital, Culture, Media & Sport (DCMS) consultation: "Data: a new direction". The consultation acts as the first step in delivering "Mission 2" of the National Data Strategy, by presenting proposals to build on the key elements of the current UK General Data Protection Regulation (UK GDPR) to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.

In its response, the ICO notes the importance of ensuring the final reforms maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator. The ICO:

  • supports the intention to make innovation easier for organisations and agrees that there are ways in which the legislation can be changed to make it simpler for companies to ensure they use data responsibly, most notably ensuring that the regulatory and administrative obligations of legal compliance are proportionate to the risk an organisation's data processing activities represent;
  • welcomes the proposals to ensure the ICO's powers are effective, the proposal to introduce a more commonly used regulatory governance model for the ICO, and the recognition of the value of an independent ICO; and
  • urges the Government to reconsider proposals for the Secretary of State to approve ICO guidance and to appoint the CEO in order to ensure that the independence of the regulator is preserved.

ICO launches consultations on age assurance, the AI and data protection risk toolkit and the draft journalism code of practice

The Information Commissioner's Office (ICO) has published consultations on the following issues:

  • Age Assurance for the Children's code: This consultation sets out the ICO's view on how the law applies, with the aim of providing consistent, clear and predictable regulation to those who might seek to use age assurance to conform with the Children's code. The ICO is seeking evidence including details of existing or proposed age estimation approaches, novel approaches to age assurance, systems where data protection by design has been applied, and the economic impact of age assurance approaches. The consultation closes on 9 December 2021.
  • The ICO's AI and data protection risk toolkit: This consultation focuses on a beta version of the ICO's AI and data protection risk toolkit, which is designed to assist risk practitioners in identifying and mitigating the data protection risks that AI systems processing personal information create or exacerbate. The ICO is seeking views from people in compliance-focused and technical roles who are responsible for the development, deployment and maintenance of AI systems that process personal data. The consultation closes on 1 December 2021.
  • Draft journalism code of practice: This consultation seeks feedback on the ICO's draft journalism code of practice, which provides practical guidance to help those processing personal data for the purposes of journalism understand data protection law. The consultation closes on 10 January 2022.

Norwegian DPA fines Ferde AS for data transfer issues, including failure to undertake a risk assessment

The Norwegian Data Protection Authority (DPA) has published details of a fine imposed on Ferde AS relating to transfers of personal data to a data processor in China. The Norwegian DPA began investigating whether Ferde had established routines and measures to ensure satisfactory information security for data transferred to China after learning that the company was transferring data relating to vehicles passing through toll collection points. Ferde AS was fined approximately €500,000 by the Norwegian DPA.

The Norwegian DPA's key findings included that:

  • over a 1–2 year period, Ferde AS had breached several basic responsibilities under the General Data Protection Regulation (GDPR), including not having a valid basis for transferring personal data to China; and
  • Ferde failed to establish a data processing agreement and to carry out a risk assessment for the transfer, both of which must be in place before the processing of personal data can take place.

Finnish Police reprimanded for illegal processing of personal data with facial recognition software

The Finnish Deputy Data Protection Ombudsman (Finnish SA) has issued a statutory reprimand to the Finnish National Police Board for the illegal processing of special categories of personal data during a facial recognition technology trial. The National Police Board notified the Finnish SA of the breach in April 2021 after being made aware that the National Bureau of Investigation unit specialising in the prevention of child sexual abuse had experimented with facial recognition technology in identifying potential victims in early 2020.

The Finnish SA ruled that:

  • the controller’s responsibility was not fulfilled in these operations;
  • the measures taken by the controller had not prevented the unlawful processing of personal data;
  • the police had not taken into consideration the requirements for processing special categories of personal data; and
  • the processing had been started without obtaining information on how the service being used processed personal data.

The National Police Board was ordered to notify the data subjects of the personal data breach, insofar as their identity could be determined, and to request that Clearview AI erase the data transmitted by the police from its storage platforms.

ICO and Gambling Commission publish first phase of Sandbox Report on Single Customer View

The Information Commissioner's Office (ICO) and the Gambling Commission have published a summary of the outcomes from Phase 1 of the Gambling Commission's participation in the ICO's Regulatory Sandbox, which explored the challenges associated with achieving a 'single customer view' (SCV). An SCV solution would enable a holistic view of a customer's online gambling behaviour and help identify and prevent potential gambling harms for those who hold accounts with more than one gambling company.

The aim of the Sandbox was to establish whether there is an appropriate lawful basis under Article 6 of the UK General Data Protection Regulation ('UK GDPR') that allows for the sharing of behavioural data between online gambling operators via an SCV, and to consider the processing of special category personal data and the appropriateness of the Article 9 conditions for processing under the UK GDPR.

The key findings from Phase 1 of the Sandbox are that:

  • sharing behavioural data in this context may be lawful under Article 6(1)(e) 'Public Task' or Article 6(1)(f) 'Legitimate Interests' of the UK GDPR;
  • both 'Public Task' and 'Legitimate Interests' would provide a discretionary gateway to the processing, but both would require an assessment of the proportionality of the processing, balancing the benefits to those individuals who are at risk against the potential detriment to all the data subjects whose data will be shared in connection with the SCV;
  • should changes be made to gambling legislation, or if in the future the Commission inserted a new requirement into the Licence Conditions and Codes of Practice ('LCCP') about implementing the SCV, gambling operators may be able to rely on Article 6(1)(c) 'Legal Obligation' of the UK GDPR as the lawful basis for processing;
  • some elements of the data proposed to be processed via an SCV are likely to qualify as special category data and would therefore require an Article 9 condition under the UK GDPR;
  • Schedule 1, Part 2, paragraph 18 'Safeguarding of children and individuals at risk' or paragraph 19 'Safeguarding of economic well-being of certain individuals' of the Data Protection Act 2018 may be appropriate substantial public interest conditions to enable reliance on Article 9(2)(g), but the applicability of these conditions will depend on the particular SCV model developed by industry; and
  • for any processing to be lawful, all data protection principles outlined in Article 5 of the UK GDPR need to be complied with alongside other aspects of the UK GDPR, such as Article 25 data protection by design and by default.

Key Contacts

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

Helena Brown

Partner, Commercial
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial Services and Data Protection