Tag Archive: ico




On 17 June 2016 the House of Commons Select Committee for Culture, Media and Sport (“The Committee”) published its report on the inquiry into the current state of cyber security and protection of personal data. The inquiry was triggered by a cyber attack which compromised the data of TalkTalk customers, on 21 October, 2015. TalkTalk is a UK based telecommunications provider.


The Committee considered the problem of the increasing size and frequency of cyber-attacks upon personal data. The report recognised the limits of the current powers of the Information Commissioner’s Office (“ICO”), the UK’s personal data regulator, and made a number of recommendations concerning how the ICO could become both more proactive in dealing with attacks.


ICO’s Current Powers

Under UK law, the ICO helps companies comply with UK data protection law in a number of ways, including:

  •  through ensuring the proper collection, use and storage of personal information;
  •  through enforcing the Privacy and Electronic Communications Regulations in respect of electronic marketing;
  •  maintaining a register of companies processing personal data as “data controllers”; and
  •  by helping public bodies to correctly apply various Freedom of Information and Environmental Information  laws, regulations and codes.

In order to achieve these aims there are a range of powers available to the ICO including the ability to bring criminal proceedings, non-criminal enforcement, consensual audits, impose fines (up to a maximum of £500,000), and make assessments of good practice. Despite the powers available to the ICO, the current volume of attacks suggests that the body needs reforming to better address cyber security concerns.


Report Recommendations

The Committee recognised the limits to the powers of the ICO and made a number of recommendations for improvement. These are focused around early prevention, increasing consumer awareness of privacy protection and increased capabilities to provide deterrence through more serious repercussions where a breach occurs.

In order to facilitate prevention of attacks the Committee recommended that the ICO be enabled to undertake non-consensual audits of companies, particularly in the health and local government sectors. It also recommended annual reports on the preventative measures that a company is taking. The combination of these should help to keep the ICO informed as to whether or not there are issues of compliance with data protection regulation and enable a more proactive approach to data protection.

The Committee also proposed that the ICO needs more powers to increase customer awareness of their data protection rights. The report recommended imposing fines where a company does not offer adequate guidance to customers on how to verify the authenticity of communications. Under the Committee’s plans, this would be complemented by the proposed ‘privacy seal’ which would work on a traffic light system, demonstrating to consumers that a company follows high compliance standards, is making progress towards this, or is “yet to have taken the issue seriously.” These recommendations should help the ICO to ensure that consumers are able to make informed decisions on whether or not a company demonstrates “good privacy practice” in handling their personal data.

Finally, where an attack has already taken place it was recommended that the ICO needs to be able to access a broader range of remedies, such as custodial sentences by bringing into force sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would discourage individuals from disregarding the proper handling of data by treating it as “merely” a corporate compliance obligation. The committee also recommended introducing fines for failure to report breaches which would increase dependant upon the time taken to report an incident, therefore incentivising early reporting.


Implications of the GDPR

The Committee made a number of recommendations which overlap with the changes that will come into force in 2018 through the EU wide General Data Protection Regulation (“GDPR“).

The GDPR will increase the powers of the ICO in a number of ways. Companies who commit serious infringements will be liable to pay fines of up to 4% of global annual turnover or €20 million, whichever is the greater amount. The regulations will also introduce mandatory reporting for personal data breaches within a 72 hour timeframe of the breach taking place. Finally, the GDPR will empower the ICO to place greater emphasis on ensuring the transparent handling of personal data by companies, and on the importance of having clear, easily digestible but also comprehensive privacy notices, which tell individuals about how their personal data is used and the rights that they have under the GDPR.

The Committee report acknowledged that the GDPR will “help focus attention on data protection” but sought to make its own recommendations to complement these and increase the ICO’s powers further.



The direction of travel indicated by both the Committee’s report and the changes in EU legislation are clear. We are moving towards a world where personal data handling is treated with the utmost seriousness by regulators. Those regulators will have a mandate to ensure that individuals are provided with clear, upfront information about how their data is looked after, and that strong redress is taken when things go wrong. It is the companies who take a pro-active approach – who engage with their customers, their suppliers and their regulators to ensure that they are providing accurate information about data processing, and that they have the right information security systems in place – that will be best placed to survive in this new landscape.



Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-report-recommends-stronger-powers-for-the-ico/

Extent of mobile location tracking in the UK laid bare by new report

An e-privacy organisation has today released the findings of an investigation which reveals the extent of mobile location tracking in the UK.

The report, published by Krowdthink Limited, examines the contracts, policies and practices of mobile Wi-Fi service providers in relation to location tracking.

According to the report, mobile and Wi-Fi service providers know – ‘without you knowing – where you are, how you got there and can figure out where you are going.’ Many people are location-tracked by their mobile phone device each day, unaware of the highly sensitive data that this generates which can and is then sold on for profit. The report reveals that many mobile phone and Wi-Fi service providers, including wireless hotspots, are not telling customers upfront at the point of contract signature or online via their websites that the customer’s movements will be tracked and location data (which can be saved for up to 12 months) can then be used for marketing purposes or sold onto third parties. The details of this is often concealed in contracts and the fact that customers can opt out of location tracking is often unclear.

The level of detail extracted by service providers can reveal a customer’s gender, sexual orientation, religion and many other personal details that could present serious risks to blackmailing. Mobile phone service providers often anonymise data which means that they are not legally obliged to ask for consent, however customers need to be aware of the weakness of anonymisation alone to secure our personal information as low dimension data can be de-anonymised.

93% of UK citizens opt in to location tracking by default, meaning that nearly every one of us with a mobile phone, even a simple one, is being location tracked all the time. Under the Data Protection Act (DPA), consumers can opt out of this by contacting their service provider and following the introduction of the General Data Protection Regulation (GDPR) we will, in certain circumstances, have the right to have all of our data erased (the so-called “right to be forgotten”).

The GDPR will require mobile phone service providers and providers of Wi-Fi networks to provide more transparent and consumer friendly privacy contracts. At the moment, the report has found that  many of these contracts  separate out the clauses that discuss what data is collected from consumers from the clauses that discuss usage with location . Service providers try to legitimise their obtaining of location data as something that is needed for routing phone calls or meeting the requirements of government security, however this is not always true.

Mobile phone companies and providers of Wi-Fi networks should consider doing the following:

  •  communicate privacy notices, including information about location tracking, at the point that data is first collected from users;
  • ensure consent is obtained to the use of location tracking data, in accordance with the Privacy and Electronic Communications Regulations;
  • make privacy policies as clear, transparent and consumer friendly as possible;
  • ensure privacy policies communicate to data subjects what their rights are;
  • consider providing users with easy to follow instructions about how to switch off GPS or Wi-Fi location tracking features;
  • ensure users understand who location data will be shared with and for what purposes; and
  • only retain location data for as long as is necessary to fulfil the purposes for which it was collected.

You can find Krowdthink’s report here – http://www.krowdthink.com/report.pdf

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/extent-of-mobile-location-tracking-in-the-uk-laid-bare-by-new-report/

UK – Freedom of Information – Independent Commission report

The Independent Commission on Freedom of Information, tasked with the job of examining the Freedom of Information Act over the last ten years, published its report earlier last week. The resounding opinion was that overall the Act is “working well” and there will be no wholesale changes.

In our previous blog post we had hoped that we would see even more transparency in Government contracting, purchasing, invoicing and service performance, and to this extent the Commission appears to agree. It intends to spread transparency throughout public services, making sure all public bodies routinely publish details of senior pay and perks. However, the Commission could only express an opinion (not make any recommendations) that the Act should be extended to those who are providing public services under contract.

Those public bodies inundated with FOI requests may be disappointed with the Commission’s recommendation that monetary charges should not be introduced.

Overall it appears that the Commission has drawn a careful balance between being more sympathetic to greater openness, while also backing some changes that would help public authorities to keep some material secret. It will be interesting to see where the balance is struck when Government begins to implement the Commission’s recommendations.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-freedom-of-information-independent-commission-report/


Earlier this month, the UK data protection authority, the Information Commissioner’s Officer (“ICO”), published guidance on safely processing personal data derived from Wi-Fi location analytics. This guidance is important not only to retail businesses who provide Wi-Fi networks to their customers, but also to companies who just provide Wi-Fi access solely to their employees. With most large organisations and businesses now providing Wi-Fi access it is certainly a fitting time to consider this issue.


Wi-Fi analytics is the ability of businesses to track customers or employees using the media access control (MAC) address which a Wi-Fi enabled device transmits when it is searching for Wi-Fi networks.


By monitoring signal strength organisations can estimate the distance of a device from a particular access point and, in effect, monitor the location of a device and track the behaviour of a particular device over time.


If an individual can be identified from a MAC address, or other information in possession of the network operator, then the data will be personal data – regardless of whether the name of the individual remains unknown. Where an organisation uses a MAC address or other unique identifier to track a device with the purpose of singling them out or treating them differently, or storing or using that information in any way, it will be processing personal data. As there is no requirement for the device to connect to the Wi-Fi network there is also a risk that data relating to an individual is processed in a covert manner.


With businesses now seeing the benefits of using Wi-Fi analytics to monitor their customers and employees, this guide outlines some of the ways privacy-friendly design solutions can be embedded to ensure compliance. The guidance outlines that businesses should be providing clear and prominent information to alert individuals that certain processing is taking place. Recommended notification methods include the use of signage at the entrance to the collection area or information on websites (for example in a privacy policy) and in any sign-up or portal page of the Wi-Fi network the business may be providing.


The guidance also reiterates that organisations using Wi-Fi analytics should take care to avoid excessive data collection and to reduce the risk of identification of individuals in the collected data. By way of example, this could be accomplished by converting the MAC addresses into alternative formats that continue to suit the specified purposes whilst removing the identifiable elements. Location of the data collection device as well as sampling methods could also be used to reduce the volume or privacy intrusion of the data collected or to define specific collection periods. Organisations should also be considering the use of effective control mechanisms allowing individuals a simple and effective means to control the processing.


It is now clear that the processing of device identifiers collected through the provision of Wi-Fi networks can involve the processing of personal data. In light of this, if you use Wi-Fi analytics you must now begin to implement the ICO’s guidance to ensure that they remain compliant. In summary, you should:


  • understand what personal data you collect over your Wi-Fi network, including MAC addresses and location data;
  • provide clear and prominent notices – in privacy policies, on the log-in pages for Wi-Fi networks and in physical locations such as shop floors;
  • consider anonymising MAC addresses if your analytics can be carried out in this way;
  • try other data minimisation techniques, such as sampling, to reduce the volume of personal data collected.


You can find the ICO guidance here – https://ico.org.uk/media/for-organisations/documents/1560691/wi-fi-location-analytics-guidance.pdf


For more information about the issues contained in this post, please contact Andrew Dyson, Partner (andrew.dyson@dlapiper.com), JP Buckley, Legal Director (jp.buckley@dlapiper.com) or James Clark, Associate (james.clark@dlapiper.com), all at DLA Piper UK LLP.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-ico-issues-guidance-on-wi-fi-location-analytics/


What has happened?

Building on JP’s blog post of this morning, the ICO has written to 1,000 companies who are involved in the buying and selling of personal data and asked them to explain in detail how they comply with the law.

The letters (codenamed Operation HIDA) are part of a wider effort by the ICO to crackdown on the nuisance calls industry and inappropriate data sharing practices. This particular action represents an attempt to go after the organisations which may be supplying the nuisance call operators with the data they use to run their campaigns.  The recipients of the letters are all companies who have indicated on the Data Protection Register, which is maintained by the ICO, that they are in the business of trading or sharing personal data.  Responses to the letter, which are required within 21 days, must address a 15 point questionnaire, which asks for information such as the following:

  • a description of the consents relied on to buy, sell, share or rent personal data;
  • a list of the companies from which personal data has been purchased or rented in the last 6 months; and
  • confirmation of whether the organisation screens individuals against the Telephone Preference Service (“TPS“) list.

In addition, each organisation is also required to send the ICO a sample copy of a contract which it uses to buy, sell or rent personal data.One issue which the ICO is particularly concerned about involves organisations making calls to subscribers on the TPS list, and relying on the data they have purchased from third parties having sufficient consent to allow the call to be made. However, when the ICO has investigated these consents, it has often found them to be insufficient to override the TPS registration.


What steps should targeted organisations take?

As well as preparing a detailed response to the letter, if you represent a targeted organisation you may wish to take some of the following practical steps to strengthen your compliance in the eyes of the ICO:


  1. maintain an accurate internal suppression list of those individuals who have expressed a desire not to be contacted (and not simply delete individuals’ details as they may ask you to do);
  2. ensure the notice you give to customers when data is collected, in the form of a privacy policy, the terms and conditions of sale or elsewhere, clearly covers the trading or sharing of data with third parties for marketing purposes if this is what you wish to do;
  3. where third parties want to carry out electronic direct marketing (email, text, fax and automated calling) with data purchased from you, your customers must give explicit opt-in consent to marketing by those third parties (see the recent Optical Express decision);
  4. put in place strong contracts with any companies which buy, rent or share personal data from or with you, to ensure both parties understand how the data should be used and who will be liable for what if things go wrong and how queries/complaints from individuals will be resolved;
  5. have a retention policy in place to guide the business on how long it should retain and use someone’s personal details for – details may change, and relying on a dated consent can be risky – but tracking technologies allow you to see when people open emails and whether they click through to websites for example, supporting continued retention.



Companies which have received an Operation HIDA letter might be tempted to view it as a time-consuming compliance hurdle. However, it can also be seen as a useful opportunity to review the way in which personal data is traded and passed on to third parties by the business, which should lead to positive outcomes in terms of increased understanding, tighter controls of data flows, and better use of customer consents.  Ultimately, addressing these issues will lead to increased trust from, and better relations with, members of the public, many of whom find unwanted marketing to be a major irritant.


Further Reading


ICO guide to Direct Marketing

The Telephone Preference Service

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-data-sharing-operation-hida-ico-investigates-the-trading-and-sharing-of-personal-data/

UNITED KINGDOM – Freedom of Information Act and DSAR Update – Key Statistics and ICO Guidance on Redacting Personal Data

On 17 July this year, the UK government established an Independent Commission to review the operation of the Freedom of Information Act 2000 (“FOIA”). Since its introduction in 2005, the public right to request information under FOIA has proved to be extremely popular (over 46,000 requests were received by central government departments alone in 2014-15), but that same right has also been an expensive burden for public authorities who have to carefully consider all requests, particularly where sensitive information is concerned.  The Independent Commission is tasked with considering whether that balance between the public interest in transparency and the robust protection of sensitive information has been correctly struck.


In the light of this review, there have been two recent developments which will interest FOIA practitioners. First, the Independent Commission published its Call for Evidence, which in its appendices includes some revealing statistics from the Ministry of Justice and the UK’s data protection authority, the Information Commissioner’s Office (“ICO“), about how requests are  currently being handled.  Second, the ICO published guidance on “disclosing information safely” and removing personal data from information requests.


The FOIA statistics comprise the internal numbers from central government bodies on how they have responded to requests, together with the figures from the ICO on how complaints about responses have been dealt with (all figures are for 2014-15). Some noteworthy statistics are:


  • 50% of requests for information were granted in full;
  • 33% of requests were withheld in full;
  • just 15% of requests were withheld in part;
  • the public authority’s decision was upheld in 79% of internal reviews;
  • the public authority’s decision was upheld in 81% of ICO appeals;
  • when all public bodies are included, the percentage upheld for ICO appeals drops to 62%; and
  • the ICO’s decision was itself upheld in 77% of appeals to the First-tier Tribunal.


So what do these statistics tell us? First, that a relatively small number of requests are being redacted (i.e. withheld in part) – the vast majority are either disclosed in full or completely withheld.  This is perhaps unsurprising given the volume of requests received, but potentially concerning as it suggests authorities are often struggling to take a nuanced approach.  Second, the public authority does normally get it right first time (which is encouraging)! Third, central government seems to be doing a better job compared to public bodies in general – and again, this is perhaps not surprising given the superior resources of, for example, a government department versus a local council.


Something that should help public authorities to respond to FOIA requests (and that will also be useful for companies dealing with data subject access requests) is the new ICO paper which offers guidance on safely disclosing information which has been derived from personal data.


The guide showcases some of the most common types of inappropriate disclosures and ineffective redaction techniques that the ICO has seen in recent years. Examples of “bad practice” include: hiding columns on Excel documents (which can be revealed with a couple of mouse clicks), redacting text by highlighting it black (even once converted to PDF, the hidden text can easily be revealed by copying it into a text editor such as Notepad), and failing to remove the metadata from files (which can reveal details ranging from the name of the document’s author to the location where a person was when a photograph was taken).


Thankfully the guide also offers plenty of guidance on best practice, including the use of CSV files, image editing tools and even straightforward “print and scan” techniques. The guide can be used in conjunction with the detailed National Archives Redaction Toolkit, which, although not FOIA or Data Protection Act specific, is a useful practical resource which the ICO has referenced in previous guidance.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/united-kingdom-freedom-of-information-act-and-dsar-update-key-statistics-and-ico-guidance-on-redacting-personal-data/

UK: CCTV consultation and App privacy – regulators catching up with technology

The UK’s Information Commissioner’s Office (ICO) have recently published a new draft CCTV Code of Practice.  It is open for consultation until 1 July 2014 – visit http://ico.org.uk/about_us/consultations/our_consultations to review the draft code of practice, and to provide feedback.  The changes address emerging and increasingly available technologies (e.g. body mounted cameras, and drones), and the privacy impacts of those, as well as building in legislative updates and case law.  The underlying compliance regime remains firm – if you believe there is the need for CCTV technologies, then before using it undertake a Privacy Impact Assessment to ensure that its use is proportionate and that privacy concerns can be mitigated.  If it use is justified, then ongoing monitoring and management is vital as well, with at least a yearly check of its use continuing to be compliant and appropriate. 

App Privacy is another developing area, and one of concern for customers and suppliers alike.  Regulators are realising that there is the potential for there to be major privacy impacts and that it is a global issue.  The ICO’s research in 2013 found that half of potential customers had rejected an app due to privacy concerns.  These permissions are commonly summarised in a box when downloading an app and in some cases go beyond what is really needed for that app to function.  The ICO issued its guidance for app developers late last year – http://ico.org.uk/for_organisations/data_protection/topic_guides/online/mobile_apps – and the ICO is now involved in a global effort to review global app privacy issues as part of the Global Privacy Enforcement Network.  We expect to see more compliance reviews and guidance in this area, and potentially some enforcement action dependent on the reviews.  The French data protection authority (CNIL) is also active in this area and undertook a sweep of 100 mobile apps earlier this month as we have mentioned in a previous post (http://blogs.dlapiper.com/privacymatters/france-the-cnil-is-auditing-the-100-most-commonly-used-mobile-apps-in-france-as-part-of-internet-sweep-day/).  The takeaway is clear – to avoid regulatory action and to encourage customers to download their apps, app developers should ensure that their compliance is fully considered and properly documented in its app permissions and applicable privacy policies.

For further details on these issues, please contact JP Buckley (jp.buckley@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-cctv-consultation-and-app-privacy-regulators-catching-up-with-technology/