ICO consults on new Privacy Notices Code
The Information Commissioner's Office (ICO) has published a revised Privacy Notices
Code for consultation. The consultation period runs for eight weeks from 2 February
2016. It has been several years since it was last revised.
The aim of the code is to provide organisations with guidance on privacy notices in a
clear and more engaging way. The revised code is still focussed on the responsibilities
of data controllers with regard to the provision of privacy information and good practice,
but intends to make notices more engaging for individuals. The ICO believes that people
are discouraged by lengthy privacy notices.
The new code also takes account of the increased use of smart devices and pays
special attention to consent in relation to third party marketing.
The consultation consists of a copy of the code and a questionnaire. The latter is for
respondents to complete after reviewing the revised code. The consultation closes
on 24 March 2016 and all responses must be received by this date. Responses can be
submitted by email or post; see the ICO's website for further detail. Once all
responses have been received, the ICO will work to finalise the code and make technical
changes, where needed, ahead of publication.
The results of the consultation will be made available in the latter half of 2016. The new
code will be implemented in 2018 to coincide with the European Data Protection
Regulation, which is also due to come into force in that year.
For the full ICO blog post, including a link to the consultation, click here
Draft Investigatory Powers Bill 'must do more to protect privacy'
The BBC has reported that the Intelligence and Security Committee has raised concerns
that the draft Investigatory Powers Bill does not go far enough to protect privacy. The
committee's report states:
"Given the background to the draft Bill and the public concern over the allegations made
by Edward Snowden in 2013, it is surprising that the protection of people's privacy -
which is enshrined in other legislation - does not feature more prominently."
The committee chairman, Dominic Grieve MP, said that the bill has suffered from a lack
of sufficient time and preparation. The bill is intended to help the police and
security services keep up with the technology used by terrorists and organised crime
gangs. The committee is concerned about the potential for investigators to download
and access large databases, which could include personal and sensitive data such as
medical or bank records.
A balance is needed between the need for security and the right to privacy. While
investigations at times require access to data sets to spot criminal behaviour and
patterns, this type of monitoring can infringe the privacy of individuals who are not
criminals. Police surveillance of social media is one area where this lack of balance is
evident. It is not a new issue and has been widely publicised in the media in the past,
one example being the monitoring of conversations and broadcasts carried out over a
number of social media platforms during the London riots. The argument used to justify
this type of monitoring is that it is in the public interest.
As technology progresses, the police have access to a large amount of data in the digital
world, the latest of these being Location Based Services, which allow users of social
media such as Facebook to 'check in' at a certain location (e.g. a restaurant or a
cinema). If the privacy settings on your social media account are open, anyone can see
this and track your movements. If your settings are private and a third party such as the
police gains access to this information (e.g. as part of a criminal investigation) while you
are an innocent party, how appropriate is this type of surveillance, and what happens to
the data that has been collected on you?
A final amended version of the bill is due to be published later this year by the Home
The BBC article can be found here
The Intelligence and Security Committee of Parliament Report on the Draft Investigatory
Powers Bill can be found here
WP29 to scrutinise EU-US Privacy Shield
In the wake of negotiations between the EU and US, culminating in the new Privacy
Shield as a replacement for Safe Harbour, the Article 29 Working Party (WP29) will
scrutinise all documents by the end of February. At that point, WP29 says it will be in a
better position to evaluate whether the Privacy Shield meets the four essential
guarantees for intelligence activities it has outlined. These are:
- clear, precise and accessible rules on processing;
- demonstration of necessity and proportionality with regard to the pursuit of
- existence of an independent oversight mechanism; and
- availability of effective remedies for the individual.
The full press release can be found here
French data authority warns Facebook over data collection
The Independent newspaper reported on 10 February 2016 that the French data
protection authority, Commission Nationale de l'Informatique et des Libertés (CNIL),
has given Facebook 90 days (three months) to comply with its rules on data
protection. The CNIL objects to the lack of consent for tracking visitors to the site and to
the sending of data to the US. The regulator does not accept that visiting the site counts
as consent and says that Facebook must cease tracking these visitors through its use of
cookies. In line with the Safe Harbour ruling, CNIL is requesting that no data from France
is shared with the US. CNIL has laid down a comprehensive list of examples where
Facebook is contravening French data protection law. If Facebook does not remedy the
issues identified, CNIL has confirmed that it will issue a formal notice to Facebook and,
if this is not complied with, it will refer the matter to court and impose a variety of
This move comes in the wake of similar concerns expressed by the Belgian, Dutch,
Spanish and German data protection authorities, the most notable being the case
brought in Belgium in relation to the 'datr' cookie in November 2015. This case is still
active and currently under appeal. Facebook argues that the 'datr' cookie serves as a
means to prevent hacking; European data regulators argue that this is not the case and
that the cookies track everyone, even users who are not members of the social media
site. The case in Belgium has gained notoriety due to the scale of the fines of up to
€250,000 (£180,000) per day being threatened against Facebook if they are found
These cases serve to highlight a growing concern in Europe with regards to cookie use
REST OF THE WORLD
Australian health privacy watchdog investigates data breach
The Australian health privacy watchdog (The National Health Practitioner Privacy
Commissioner and Ombudsman) has been alerted to a potential data breach after an
employee of the country's health practitioner regulation agency (AHPRA) is alleged to
have used their credentials to find a nurse's home address and phone number in order
to locate her and carry out an assault.
The incident, which was reported in The Australian Guardian, adds to growing concerns
about the risks to medical professionals of assault, fraud and unauthorised access to
their personal data. A Privacy Commissioner spokesman stated:
“The national health practitioner privacy commissioner has been made aware of these
matters by AHPRA and is engaged in ongoing dialogue with AHPRA."
AHPRA has confirmed that, if the allegations are well founded, there will be no tolerance
for this flagrant abuse of position and an example will be made of the employee in
In the UK, cases of this nature have been met with heavy reprimands, often resulting in
robust police investigations and imprisonment for the employee in question. It is clear
from the treatment of these cases that this type of data breach will not be tolerated. It is
not only a breach of the terms of the employee's employment but also a misuse of
confidential information. It is worth noting that any complaint arising from a data
breach of this type would be against the employee and not the company. An employee
who has access to data of this nature does so because they are in a position of trust.
That trust is broken when the employee abuses their position, which is something
outside the control of the company.