Tag Archive: UK




On 17 June 2016 the House of Commons Select Committee for Culture, Media and Sport (“The Committee”) published its report on the inquiry into the current state of cyber security and protection of personal data. The inquiry was triggered by a cyber attack which compromised the data of TalkTalk customers, on 21 October, 2015. TalkTalk is a UK-based telecommunications provider.


The Committee considered the problem of the increasing size and frequency of cyber-attacks upon personal data. The report recognised the limits of the current powers of the Information Commissioner’s Office (“ICO”), the UK’s personal data regulator, and made a number of recommendations concerning how the ICO could become more proactive in dealing with attacks.


ICO’s Current Powers

Under UK law, the ICO helps companies comply with UK data protection law in a number of ways, including:

  •  through ensuring the proper collection, use and storage of personal information;
  •  through enforcing the Privacy and Electronic Communications Regulations in respect of electronic marketing;
  •  maintaining a register of companies processing personal data as “data controllers”; and
  •  by helping public bodies to correctly apply various Freedom of Information and Environmental Information laws, regulations and codes.

In order to achieve these aims there is a range of powers available to the ICO, including the ability to bring criminal proceedings, pursue non-criminal enforcement, carry out consensual audits, impose fines (up to a maximum of £500,000), and make assessments of good practice. Despite the powers available to the ICO, the current volume of attacks suggests that the body needs reforming to better address cyber security concerns.


Report Recommendations

The Committee recognised the limits to the powers of the ICO and made a number of recommendations for improvement. These are focused around early prevention, increasing consumer awareness of privacy protection and increased capabilities to provide deterrence through more serious repercussions where a breach occurs.

In order to facilitate prevention of attacks the Committee recommended that the ICO be enabled to undertake non-consensual audits of companies, particularly in the health and local government sectors. It also recommended annual reports on the preventative measures that a company is taking. The combination of these should help to keep the ICO informed as to whether or not there are issues of compliance with data protection regulation and enable a more proactive approach to data protection.

The Committee also proposed that the ICO needs more powers to increase customer awareness of their data protection rights. The report recommended imposing fines where a company does not offer adequate guidance to customers on how to verify the authenticity of communications. Under the Committee’s plans, this would be complemented by the proposed ‘privacy seal’ which would work on a traffic light system, demonstrating to consumers that a company follows high compliance standards, is making progress towards this, or is “yet to have taken the issue seriously.” These recommendations should help the ICO to ensure that consumers are able to make informed decisions on whether or not a company demonstrates “good privacy practice” in handling their personal data.

Finally, where an attack has already taken place it was recommended that the ICO needs to be able to access a broader range of remedies, such as custodial sentences, by bringing into force sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would discourage individuals from disregarding the proper handling of data by treating it as “merely” a corporate compliance obligation. The Committee also recommended introducing fines for failure to report breaches, which would increase depending on the time taken to report an incident, thereby incentivising early reporting.


Implications of the GDPR

The Committee made a number of recommendations which overlap with the changes that will come into force in 2018 through the EU-wide General Data Protection Regulation (“GDPR”).

The GDPR will increase the powers of the ICO in a number of ways. Companies who commit serious infringements will be liable to pay fines of up to 4% of global annual turnover or €20 million, whichever is the greater amount. The regulations will also introduce mandatory reporting for personal data breaches within a 72 hour timeframe of the breach taking place. Finally, the GDPR will empower the ICO to place greater emphasis on ensuring the transparent handling of personal data by companies, and on the importance of having clear, easily digestible but also comprehensive privacy notices, which tell individuals about how their personal data is used and the rights that they have under the GDPR.

The Committee report acknowledged that the GDPR will “help focus attention on data protection” but sought to make its own recommendations to complement these and increase the ICO’s powers further.



The direction of travel indicated by both the Committee’s report and the changes in EU legislation is clear. We are moving towards a world where personal data handling is treated with the utmost seriousness by regulators. Those regulators will have a mandate to ensure that individuals are provided with clear, upfront information about how their data is looked after, and that strong redress is taken when things go wrong. It is the companies who take a pro-active approach – who engage with their customers, their suppliers and their regulators to ensure that they are providing accurate information about data processing, and that they have the right information security systems in place – that will be best placed to survive in this new landscape.



Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-report-recommends-stronger-powers-for-the-ico/

Extent of mobile location tracking in the UK laid bare by new report

An e-privacy organisation has today released the findings of an investigation which reveals the extent of mobile location tracking in the UK.

The report, published by Krowdthink Limited, examines the contracts, policies and practices of mobile Wi-Fi service providers in relation to location tracking.

According to the report, mobile and Wi-Fi service providers know – ‘without you knowing – where you are, how you got there and can figure out where you are going.’ Many people are location-tracked by their mobile phone device each day, unaware of the highly sensitive data that this generates, which can be and is then sold on for profit. The report reveals that many mobile phone and Wi-Fi service providers, including wireless hotspots, are not telling customers upfront, at the point of contract signature or online via their websites, that the customer’s movements will be tracked and that location data (which can be saved for up to 12 months) can then be used for marketing purposes or sold on to third parties. The details of this are often concealed in contracts, and the fact that customers can opt out of location tracking is often unclear.

The level of detail extracted by service providers can reveal a customer’s gender, sexual orientation, religion and many other personal details that could present serious risks of blackmail. Mobile phone service providers often anonymise data, which means that they are not legally obliged to ask for consent; however, customers need to be aware of the weakness of anonymisation alone in securing personal information, as low-dimension data can be de-anonymised.

93% of UK citizens opt in to location tracking by default, meaning that nearly every one of us with a mobile phone, even a simple one, is being location tracked all the time. Under the Data Protection Act (DPA), consumers can opt out of this by contacting their service provider and following the introduction of the General Data Protection Regulation (GDPR) we will, in certain circumstances, have the right to have all of our data erased (the so-called “right to be forgotten”).

The GDPR will require mobile phone service providers and providers of Wi-Fi networks to provide more transparent and consumer friendly privacy contracts. At the moment, the report has found that many of these contracts separate out the clauses that discuss what data is collected from consumers from the clauses that discuss usage with location. Service providers try to legitimise their obtaining of location data as something that is needed for routing phone calls or meeting the requirements of government security; however, this is not always true.

Mobile phone companies and providers of Wi-Fi networks should consider doing the following:

  •  communicate privacy notices, including information about location tracking, at the point that data is first collected from users;
  • ensure consent is obtained to the use of location tracking data, in accordance with the Privacy and Electronic Communications Regulations;
  • make privacy policies as clear, transparent and consumer friendly as possible;
  • ensure privacy policies communicate to data subjects what their rights are;
  • consider providing users with easy to follow instructions about how to switch off GPS or Wi-Fi location tracking features;
  • ensure users understand who location data will be shared with and for what purposes; and
  • only retain location data for as long as is necessary to fulfil the purposes for which it was collected.

You can find Krowdthink’s report here – http://www.krowdthink.com/report.pdf

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/extent-of-mobile-location-tracking-in-the-uk-laid-bare-by-new-report/

UK – Freedom of Information – Independent Commission report

The Independent Commission on Freedom of Information, tasked with the job of examining the Freedom of Information Act over the last ten years, published its report earlier last week. The resounding opinion was that overall the Act is “working well” and there will be no wholesale changes.

In our previous blog post we had hoped that we would see even more transparency in Government contracting, purchasing, invoicing and service performance, and to this extent the Commission appears to agree. It intends to spread transparency throughout public services, making sure all public bodies routinely publish details of senior pay and perks. However, the Commission could only express an opinion (not make any recommendations) that the Act should be extended to those who are providing public services under contract.

Those public bodies inundated with FOI requests may be disappointed with the Commission’s recommendation that monetary charges should not be introduced.

Overall it appears that the Commission has drawn a careful balance between being more sympathetic to greater openness, while also backing some changes that would help public authorities to keep some material secret. It will be interesting to see where the balance is struck when Government begins to implement the Commission’s recommendations.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-freedom-of-information-independent-commission-report/


Earlier this month, the UK data protection authority, the Information Commissioner’s Office (“ICO”), published guidance on safely processing personal data derived from Wi-Fi location analytics. This guidance is important not only to retail businesses who provide Wi-Fi networks to their customers, but also to companies who provide Wi-Fi access solely to their employees. With most large organisations and businesses now providing Wi-Fi access it is certainly a fitting time to consider this issue.


Wi-Fi analytics is the ability of businesses to track customers or employees using the media access control (MAC) address which a Wi-Fi enabled device transmits when it is searching for Wi-Fi networks.


By monitoring signal strength organisations can estimate the distance of a device from a particular access point and, in effect, monitor the location of a device and track the behaviour of a particular device over time.


If an individual can be identified from a MAC address, or other information in possession of the network operator, then the data will be personal data – regardless of whether the name of the individual remains unknown. Where an organisation uses a MAC address or other unique identifier to track a device with the purpose of singling them out or treating them differently, or storing or using that information in any way, it will be processing personal data. As there is no requirement for the device to connect to the Wi-Fi network there is also a risk that data relating to an individual is processed in a covert manner.


With businesses now seeing the benefits of using Wi-Fi analytics to monitor their customers and employees, this guide outlines some of the ways privacy-friendly design solutions can be embedded to ensure compliance. The guidance outlines that businesses should be providing clear and prominent information to alert individuals that certain processing is taking place. Recommended notification methods include the use of signage at the entrance to the collection area or information on websites (for example in a privacy policy) and in any sign-up or portal page of the Wi-Fi network the business may be providing.


The guidance also reiterates that organisations using Wi-Fi analytics should take care to avoid excessive data collection and to reduce the risk of identification of individuals in the collected data. By way of example, this could be accomplished by converting the MAC addresses into alternative formats that continue to suit the specified purposes whilst removing the identifiable elements. Location of the data collection device as well as sampling methods could also be used to reduce the volume or privacy intrusion of the data collected or to define specific collection periods. Organisations should also be considering the use of effective control mechanisms allowing individuals a simple and effective means to control the processing.


It is now clear that the processing of device identifiers collected through the provision of Wi-Fi networks can involve the processing of personal data. In light of this, if you use Wi-Fi analytics you must now begin to implement the ICO’s guidance to ensure that you remain compliant. In summary, you should:


  • understand what personal data you collect over your Wi-Fi network, including MAC addresses and location data;
  • provide clear and prominent notices – in privacy policies, on the log-in pages for Wi-Fi networks and in physical locations such as shop floors;
  • consider anonymising MAC addresses if your analytics can be carried out in this way;
  • try other data minimisation techniques, such as sampling, to reduce the volume of personal data collected.
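One way to implement the MAC address conversion and sampling described above, as an added example that is not taken from the ICO guidance or the original post. It assumes a keyed HMAC-SHA256 with a per-day key as the "alternative format"; the secret, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import re
from datetime import date

# Assumption: a secret held only by the analytics collector, never stored with the data.
SECRET = b"constructed-example-secret-rotate-me"
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalise_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' map to the same pseudonym."""
    flat = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not MAC_RE.match(flat):
        raise ValueError(f"not a MAC address: {mac!r}")
    return flat

def daily_key(secret: bytes, day: date) -> bytes:
    """Derive a per-day key; pseudonyms from different days cannot be linked."""
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()

def pseudonymise(mac: str, day: date, secret: bytes = SECRET) -> str:
    """Keyed hash of the MAC. An unkeyed hash would not do: the 48-bit MAC
    space is small enough to enumerate offline, so the key resists reversal."""
    tag = hmac.new(daily_key(secret, day), normalise_mac(mac).encode(), hashlib.sha256)
    return tag.hexdigest()[:16]  # truncated: enough to count devices within a day

def sampled(pseudonym: str, keep_one_in: int) -> bool:
    """Deterministic per-device sampling: keep roughly 1 in N devices."""
    return int(pseudonym, 16) % keep_one_in == 0

def minimise(records, keep_one_in=1, secret=SECRET):
    """Replace raw MACs with pseudonyms and drop unsampled devices."""
    out = []
    for rec in records:
        p = pseudonymise(rec["mac"], rec["day"], secret)
        if sampled(p, keep_one_in):
            out.append({"device": p, "day": rec["day"], "ap": rec["ap"], "rssi": rec["rssi"]})
    return out

# Constructed sample probe records (not real devices).
SAMPLE = [
    {"mac": "AA:BB:CC:00:11:22", "day": date(2016, 3, 1), "ap": "entrance", "rssi": -61},
    {"mac": "aa-bb-cc-00-11-22", "day": date(2016, 3, 1), "ap": "tills", "rssi": -48},
    {"mac": "AA:BB:CC:00:11:22", "day": date(2016, 3, 2), "ap": "entrance", "rssi": -70},
]
```

The same device keeps one pseudonym within a day, so footfall and dwell time can still be measured, while the stored records contain no raw MAC address and cannot be joined across days without the secret.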


You can find the ICO guidance here – https://ico.org.uk/media/for-organisations/documents/1560691/wi-fi-location-analytics-guidance.pdf


For more information about the issues contained in this post, please contact Andrew Dyson, Partner (andrew.dyson@dlapiper.com), JP Buckley, Legal Director (jp.buckley@dlapiper.com) or James Clark, Associate (james.clark@dlapiper.com), all at DLA Piper UK LLP.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-ico-issues-guidance-on-wi-fi-location-analytics/

UK: ICO says watch this space following ECJ Safe Harbor Decision

The ICO issued a statement yesterday in relation to the European Court of Justice’s Safe Harbor ruling. The ICO recommends that businesses which have been relying on Safe Harbor review their data transfers to the US and ensure that these are carried out in line with the law. The statement goes on to say that the ICO will be considering the judgment in detail in conjunction with other national data protection regulators, and will issue more detailed guidance in due course.

The ICO also notes that negotiations have been underway for some time between the European Commission and US authorities with the aim of introducing more robust and protective arrangements to replace the Safe Harbor scheme, and that these negotiations are understood to be at an advanced stage.

The full statement can be viewed at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/10/ico-response-to-ecj-ruling-on-personal-data-to-us-safe-harbor/


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-ico-says-watch-this-space-following-ecj-safe-harbor-decision/