Data & Privacy News - 7 April 2021 | Addleshaw Goddard LLP

Included in this edition of Data & Privacy News: Government aims to remove "unnecessary" barriers to data flows, ICO issues new guidance on national security and defence and more...

Ofcom and the ICO release plan to tackle nuisance calls

Ofcom and the Information Commissioner’s Office (ICO) have released their updated 2021/22 plan for tackling nuisance and scam calls. The update comes after the regulators saw complaints about nuisance calls and messages fall overall in 2020, however the final quarter of the year saw Ofcom record an 83% increase in the number of complaints compared with the same period in 2019.

In May 2020, Ofcom and the ICO set out their five primary areas of focus in tackling nuisance calls. These were:

taking targeted action against people or companies that are not following the ICO’s and Ofcom’s rules;
raising awareness of and tackling Coronavirus related scams and continuing to support the work of Stop Scams UK;
working with telecoms companies to improve how they disrupt and prevent nuisance calls, by reviewing solutions made available to customers;
working with other regulators and enforcement agencies to identifying new opportunities to prevent nuisance calls and scams; and
sharing intelligence with others, including international partners and enforcement agencies.

This latest announcement reconfirms the regulators commitment to these areas, with Ofcom also publishing advice on how to avoid nuisance calls and messages and the relevant complaints procedure.

Read more here.

Government aims to remove "unnecessary" barriers to data flows

A Government Minister has revealed plans to "make the case for removing unnecessary barriers to data flows, where the significant benefits of growth and innovation are put at risk by more protectionist forces".

The comments, made by Minister of State for Media and Data John Whittingdale, are the latest clue that the Government plans to create an independent post-Brexit data protection regime. They come just one month after Culture Secretary Oliver Dowden announced that the Government is seeking to adapt the UK's data protection regime towards encouraging more use of data for economic and social goals.

In Mr Whittingdale's article, he claims that the objective is "for personal data to flow as freely and as safely as possible around the world, while maintaining high standards of data protection". The first step for this process will be to reach data-sharing agreements with a wider range of countries than those judged to have 'adequate' data protection laws.

Read more here.

ICO guidance for schools collecting and sharing information for contact tracing

A new case study published by the Information Commissioner’s Office (ICO) examines the data protection considerations for schools when collecting and sharing data for coronavirus related contract tracing.

The case study notes that while it is not mandatory for schools to provide information to a contact tracing scheme, they also do not require parental consent to share any requested information, such as that collected on a daily register. The ICO reminds schools that current data protection legislation enables organisations to share data where it is necessary, justified and proportionate to do so and that consent may not be the most appropriate lawful basis to rely upon for sharing the data in these circumstances.

The ICO also states that schools should clearly document their justifications and decision-making process in the event of any queries or complaints, as if the school chooses to rely on public task or legitimate interests, then people will have the right to object to the processing of their personal data under GDPR. In the event that they do receive a complaint, the ICO advises schools to consider whether the objection or any risks of sharing the data outweigh the public interest in disclosure for public health reasons. If the school can then still demonstrate that disclosure for public health reasons overrides the parent, guardian or child’s interests, then they may continue with the sharing of data.

Read more here.

ICO issues new guidance on national security and defence

Information Commissioner’s Office (ICO) has published new guidance on the exemption provided under section 26 of the Data Protection Act (DPA). The exemption is capable of excluding personal data from most of the data protection principles and obligations, and individual's rights, where this is required to safeguard national security or for defence purposes.

In its updated guidance, the ICO reminds controllers that this is not a blanket exemption, and that controllers must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. When making this decision, a certificate issued by a Minister of the Crown can cover processing in relation to national security, with this certificate acting as conclusive proof that the exemption applies. However, it should not be assumed that an exemption must be applied simply because a certificate has been issued.

The guidance focuses solely on the national security aspects of this exemption, with the ICO committed to developing additional content on the defence aspects of this exemption in the future. The ICO will also publish an amended version of this guidance in due course.

Read more here.

Information Commissioner believes data protection law can create trust in COVID-status certification schemes

In a blog post on 26 March 2021, UK Information Commissioner Elizabeth Denham stated the Information Commissioner’s Office's (ICO) belief that public trust and confidence in COVID-status certification schemes can be aided by data protection law.

In her statement, Ms Denham argued that the success of any future COVID-status schemes will rely on people trusting them and having confidence in how their personal data will be used. Consequently, the UK administrations will have a leadership role to play in instilling public trust and confidence as, the ICO believe, the failing of one initiative due to failures in governance and protections for personal data may undermine public trust in all such schemes

Ms Denham also confirmed that the ICO is continuing to advise the UK Government on privacy considerations that can contribute to schemes earning public trust from the outset and ensuring that data protection law and regulation need not be a barrier to the responsible use of personal data in any certification scheme. The ICO is also engaging with the devolved administrations.

Read more here.

Panama brings Personal Data Protection Law into force

On 29 March 2021 Panama’s new Personal Data Protection Law (Ley No.81) came into force. The law now applies to databases in Panama, including any databases that contain personal data from nationals or foreigners and any person in charge of data processing who is domiciled in Panama.

Among other things, the new law requires that the prior, informed, and unequivocal consent of the data subject is received before personal data can be processed, as well as providing data subjects with the rights to be informed about and then access, erase, opt-out, port or rectify data that is held about them. The data that is collected must also be treated as confidential and stored, under surveillance of the database custodian, in a secure database for up to 7 years.

The law also enables the Autoridad Nacional de Transparencia (ANTAI) to: