Included in this issue of data & privacy news: Data Protection and Digital Information Bill introduced to Parliament, ICO set to investigate the use of AI tools in recruitment processes and more...


Data Protection and Digital Information Bill introduced to Parliament

Following publication of the government's response to the consultation "Data: a New Direction", the Data Protection and Digital Information Bill has been introduced into Parliament.

The Bill aims to create a pro-growth and innovation-friendly data protection regime for the UK, granting more flexibility to organisations in seeking to achieve compliance and removing some of the more prescriptive elements of the General Data Protection Regulation (GDPR). The Bill also addresses several other areas of regulation besides data protection, including Digital Verification Services, access to "business data" by consumers (i.e. data relating to the use of products and services, as opposed to personal data), and registers of births and deaths.  

Despite much speculation to the contrary, the Bill remains closely aligned in many respects with the GDPR. The Bill's accompanying Impact Assessment reiterates this by saying "the government's view is that reform of UK legislation on personal data is compatible with the EU maintaining free flow of personal data from Europe".

The Bill is expected to be heavily debated and it is possible that it will be substantially modified as it makes its way through the Parliamentary process.

ICO publishes simplified guidance on UK Binding Corporate Rules

The ICO has published updated guidance on using UK Binding Corporate Rules as a data transfer mechanism. The aim of the new guidance is to simplify the approach for controllers and processors, reducing the scope of the referential tables that organisations have had to complete and allowing organisations to combine their EU and UK BCRs into a single binding instrument. The ICO will also issue revised guidelines on how to complete the new process, with the expectation that it will move from the highly prescriptive methodology that some organisations have experienced to date and focus on a more principles-based approach. The ICO also hopes that by being more transparent with organisations about what they are required to demonstrate it can reduce the amount of duplication and repetition in the process and make approvals more streamlined.

Organisations that already have approved UK BCRs in place will not need to take any action in response to the ICO's new approach. While those who have already submitted their applications will not need to repeat the process with new documentation, further engagement with the ICO in their application process will likely be based on the revised guidance.

ICO publishes report on the use of private correspondence channels within the DHSC

The ICO has laid a report before Parliament following a year-long investigation into the use of private email and messaging apps by Ministers and officials at the Department of Health and Social Care (DHSC). The main findings of the report included:

  • Ministers and staff employed by the DHSC were extensively using private correspondence channels;
  • Though Ministers were regularly copying information from private correspondence channels to Government accounts, this practice was not followed by all and needs to be improved;
  • The policies surrounding the use of private channels varied between the DHSC and the Cabinet Office, presenting a risk for the handling of information requests in line with codes of practice under the Freedom of Information Act (FOI);
  • There were risks to confidentiality, integrity and data exchange by using channels this way; and
  • There were concerns for the continued use of private channels following the pandemic without any review of their appropriateness or risks.

The ICO has issued the DHSC with a practice recommendation to improve its management of FOI requests. A reprimand has also been issued under the UK GDPR, which requires the DHSC to improve its processes and procedures surrounding the handling of personal data by means of private correspondence channels. A further set of recommendations has been published to support this.

ICO publishes new strategic plan and consultation

The ICO has published ICO25, its draft strategic plan for the coming three years. The plan sets out:

  • why the work of the ICO is important;
  • what the ICO wants to be known for and by whom; and
  • how the ICO intends to achieve the above by 2025.

The plan should help organisations regulated by the ICO plan and innovate, as it provides clarity about the risks and opportunities that the ICO believes require the most urgent attention.

The ICO has launched a public consultation on its purpose, objectives and performance measures as detailed in ICO25. The consultation closes on 22 September 2022.

Information Commissioner announces investigation into targeted advertising in the gambling sector

The ICO will be launching an investigation into the use of targeted advertising in the gambling sector. The announcement comes amid the launch of the ICO25 plan. Though the plan itself doesn't specifically mention the gambling sector, the Information Commissioner John Edwards said that he had signed off an investigation into the use of targeted advertising tools in gambling promotion whilst discussing how the ICO would focus its enforcement on those that produce the greatest risk to vulnerable people.

ICO set to investigate the use of AI tools in recruitment processes

The ICO is set to investigate the use of Artificial Intelligence (AI) tools in recruitment processes to see if they could be discriminating against ethnic minorities and people with disabilities.
There are concerns that the speech or writing patterns used by the AI tools could be showing racial bias when dealing with job applications. Many employers utilise algorithms to help shortlist job applicants, which allows them to realise efficiencies in their recruitment processes.

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial and Data Protection
London

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

Claire Edwards

Partner, Commercial and Data Protection
Manchester
