When looking ahead to data protection compliance over the next twelve months, it's useful to look back at what the regulators have focused on in 2015 (beyond areas covered in our other articles this month) as an indication of key issues. We give a brief overview of some of the main guidance and opinions issued by UK and European regulators and industry bodies and also remind you of some key judgments this year.
ICO guidance on outsourcing and freedom of information
In April, the ICO published guidance on outsourcing and freedom of information which covers: when information will be considered to be held by a public authority; guidance on exemptions under the FOIA 2000 including in relation to trade secrets, commercial interests and personal data; and the approach recommended by the ICO that public authorities should take to achieve transparency by design in their outsourcing contracts. This includes early consideration of responsibility for handling FOI requests, what information may be exempt, what information should be held and proactively making information publicly available.
Guidance on monetary penalty notices
In May, the ICO published guidance on monetary penalty notices under ss55A-E of the Data Protection Act 1998 (also inserted into the Privacy and Electronic Communications Regulations 2003). The guidance replaces the version published in 2012. The guidance does not reflect the recent amendment to PECR (effective since 6 April 2015) which removed the need to prove substantial damage or substantial distress before imposing a fine for a serious breach of Regulations 19-24, which relate to nuisance marketing communications. The ICO will further update the guidance when it has itself received the required statutory guidance.
Guidance on s29 DPA
August saw the ICO publish guidance on the application of s29 DPA which sets out rules for processing personal data when it is necessary for the prevention and detection of crime and related contexts. The guidance contains updated advice on disclosing personal data under the exemption and on other parts of the exemption. Some of the guidance is aimed at HMRC and the police who process personal data for crime and taxation purposes and covers what information they may withhold from individuals about such processing. The guidance also gives advice to companies being asked to give personal data to the police.
Guide on publishing information safely
In November, the ICO published a guide on how to disclose information safely by removing personal data from information requests and datasets. It is aimed at public authorities responding to FOI or environmental information requests, public authorities publishing data or making it available, and organisations responding to subject access requests. The guide gives examples of inappropriate disclosures, suggests best practice and outlines legal requirements.
Other UK regulatory developments
Data sharing guidelines
In May, the Insurance Fraud Bureau published guidelines for UK insurers on how to comply with data protection requirements when sharing information for fraud prevention purposes. The guidelines encourage insurers to set out key fraud indicators, explain why the information cannot be obtained elsewhere, and set out the impact of not receiving the information requested, when making a request for this sort of data from another insurer.
ABI note urging insurers not to provide SAR request forms without taking legal advice
In September, following a warning from the ICO to insurers, the Association of British Insurers published a note to its members advising insurers against providing customers or prospective customers with an option to complete a Subject Access Request (SAR) without first taking legal advice on compliance with s56 DPA (introduced in February last year), which prohibits enforced SARs.
GCHQ publishes advice on passwords
September saw GCHQ publish a report on password protection recommending simpler passwords rather than complex ones, for example strings of three random words, used in conjunction with password managers and systems capable of recognising unauthorised activity. It also recommends higher levels of security for administrators and homeworkers, involving two-factor authentication.
There is some cynicism around this report as privacy campaigners are concerned that GCHQ has a sinister reason for recommending password managers.
Updated Code of Fundraising Practice
Also in September, the Institute of Fundraising announced changes to its Code of Fundraising Practice as a result of intervention by the ICO. The Code now makes it clear that before unsolicited marketing calls are carried out by fundraisers, they must check whether numbers are registered against the TPS or CTPS lists. If they are, calls must not be made unless the person to whom the number is registered has notified the organisation that they consent to such calls being made by it.
FCA draft guidance on cloud and other IT outsourcing
In November, the FCA published proposed guidance for firms outsourcing to the cloud and other third-party IT services. The guidance is intended to be of particular interest to third party IT providers seeking to provide services to financial services firms; trade associations and consumer groups; law firms and other advisers; and auditors of financial services firms.
The guidance expands on issues covered in "Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions", published in July 2014. In the FCA's view, there is no fundamental reason why the financial services industry cannot use cloud services and manage associated risks.
FS companies regulated by the FCA are reminded that they must ensure that their auditors and regulators have access to their data and to the cloud provider's "business premises" so contracts should be under UK law and subject to UK jurisdiction. Firms are also advised to consider data protection and security, regulatory matters and business continuity and to retain full responsibility while preparing an effective exit plan. The guidance is open for consultation until 12 February 2016.
Article 29 Working Party
Clarification on the definition of health data in apps and devices
In February, the WP wrote to the European Commission in response to its request to clarify the scope of the definition of health data in relation to lifestyle and wellbeing apps. After an analysis of different types of health data set against the proposed definition of health data to be used in the new data protection Regulation, the WP summarises health data as being:
- data which is inherently / clearly medical data;
- raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person; and
- data setting out conclusions which are drawn about a person's health status or health risk (whether or not they are accurate or legitimate or otherwise adequate or inadequate).
The WP notes that health data which is processed only on the device itself and is not transmitted outside the device will be covered by the exception for purely personal use. Where health data is processed, the data controller needs to be able to rely on one of the Article 8 (of the EC data protection Directive) derogations. With regards to apps and devices which allow for the inference of health data, the WP underlines that the most likely derogation is that of consent. This is also true of data which may only be regarded as health data when combined with location data or other information read from the relevant device. The WP goes on to underline that the principle of transparency is "inseparably connected" to the legal ground of consent. The WP says the data controller must clearly inform users of:
- whether or not the data is protected by any medical secrecy rules;
- how the data will be combined with other data stored on the device or collected from other sources and give clear examples of the consequences of the combination of the data;
- what the purposes of any further processing are; and
- any third parties to whom the data may be transferred.
The WP says that the purpose limitation is another key provision. The data controller must define clear, compatible and legitimate purposes of the data processing. The WP also recommends the application of proper anonymisation techniques and other security measures including privacy by design and data minimisation, as recommended in its opinion on apps on smart devices.
The WP finishes by expressing concern that concepts around pseudonymisation, currently being discussed in the context of the proposed GDPR, should not allow a 'lighter touch' regime in relation to pseudonymised data.
Updated guidance on Binding Corporate Rules for processors
In June the WP updated its explanatory document on Binding Corporate Rules (BCRs) for processors.
The updated guidance principally provides further recommendations on how to deal with requests from non-EU regulators or government agencies to hand over data. The WP says:
- any legally binding request from a law enforcement authority or state security body should be communicated to the data controller (unless the processor is prohibited from doing so);
- in any event, the request for disclosure should be put on hold while the DPA for the controller and the DPA for the BCR for processors are clearly informed about it and the BCRs should make this a binding commitment;
- the BCRs must also commit the processor to assessing each access request on a case-by-case basis;
- the relevant DPAs will endeavour to reply within a reasonable timeframe and will respond either with an order suspending or banning the transfer or with a positive opinion or a prior authorisation;
- if the processor is legally prohibited from disclosing the information, the BCRs must provide that the processor will use its best endeavours to get the prohibition removed or its scope reduced;
- in the event the processor cannot get around the prohibition, it must commit in the BCRs to providing an annual notification of the number and nature of the types of these requests received; and
- disclosures to public authorities must not be made in an indiscriminate or disproportionate manner.
The updated guidance also says BCRs may be updated to reflect changes in group structures or regulatory requirements provided updates are notified group-wide and to the relevant DPA, and it reminds parties that BCRs must comply with EU data protection law and be capable of being understood and applied by relevant group members. Data controllers are also reminded that it is they who are ultimately responsible for ensuring their processors provide sufficient guarantees in relation to the data they are processing.
Opinion on drones
In July, the WP published an Opinion on drones, setting out the data protection issues, highlighting applicable legislation and providing guidance on legitimising the processing of personal data collected by drones. Transparency, security, purpose limitation and data minimisation are set out as key to lawful processing. Privacy by design and default is encouraged. Manufacturers are urged to include information about privacy within the operating instructions. Appointing a Data Protection Officer and adopting industry codes of conduct are also recommended. In addition, the Opinion recommends that Member States adopt national policies around the use of drones and that the European Aviation Safety Agency develop pan-European standards. Specific recommendations are made for drones used by law enforcement: the WP says these should, as a rule, not allow constant tracking, and their technical and sensing equipment must be in line with the purpose of the processing.
European Data Protection Supervisor
Opinion on m-health
In June, the European Data Protection Supervisor (EDPS) published an Opinion on m-health. The Opinion highlights the areas of data protection law which are particularly relevant to the sector. It goes on to urge app developers and device manufacturers, as well as other stakeholders, to include privacy by design features by default, guarantee security and ensure a significant degree of user control. While the EDPS recognises the potential benefits of Big Data to medical research, it urges the health market to use safeguards to secure and anonymise the data and to use Big Data for purposes which are beneficial to the individuals. In particular, it discourages using data for practices which might cause them harm such as user profiling. Fostering accountability will be key although the EDPS notes that this should be aided by the General Data Protection Regulation which will require privacy by design and default and introduce other safeguards for individuals.
Opinion on setting up Digital Ethics Advisory Board
In September, the EDPS published an Opinion in which he states his intention of setting up an Ethics Advisory Board which would analyse the ethical dimensions of data processing and make recommendations about how to meet the challenges posed by technological developments, particularly in the areas of Big Data and the Internet of Things. The EDPS says the Board will comprise "distinguished persons from the fields of ethics, philosophy, sociology, psychology, technology and economics" alongside data protection experts.
EDPS Opinion on the challenges of Big Data
In December, the EDPS issued an Opinion on the challenges of Big Data. The Opinion follows familiar themes: calls for data protection by design and default, strengthening of data protection principles, transparency for data subjects, accountability and granular consent are all championed.
Distinctions are drawn between use of Big Data for general societal benefit and for commercial gain. Opt-outs are questioned as a means of consent although the EDPS says that with the right structure, they can be useful in borderline cases where the balance between data subject rights and the legitimate purposes of the data controller is difficult to strike.
Other European regulators
ENISA publishes report on cyber threat landscape
In January, the European Network and Information Security Agency (ENISA) published a report on the cyber threat landscape in 2014. The report shows a wider range of threats than ever before, despite an increasingly successful coordinated response from law enforcement agencies.
ENISA also published a paper on network and information security in the finance sector, recommending that guidelines be developed for financial services companies using the cloud and calling on the companies to address compliance issues in relation to information security.
ENISA approves CIF code of practice for cloud service providers
In June, ENISA approved the Cloud Industry Forum's code of practice for cloud service providers as meeting the standards required to be included in its cloud certification scheme list. Also on ENISA's list are ISO/IEC 27001, three schemes operated by the Cloud Security Alliance and a Payment Card Industry data security standard.
New internet payment security guidelines
In August, the European Banking Authority published EU guidelines covering security standards for payment services providers (PSPs). The FCA has, however, said it will not enforce the guidelines as it does not have the power to make PSPs comply without a change in the law. Some other European countries have similar issues, so the guidelines are not absolutely binding across the EU. UK-based PSPs serving customers based across the EU will have to comply in those countries where the guidelines are in full force.
International Chamber of Commerce cyber security guide for businesses
Although international rather than European, it's also worth mentioning that in April, the International Chamber of Commerce (ICC) launched a new, free to download cybersecurity guide for businesses. The guide lists five principles to adopt and six essential actions to optimise security including training staff, monitoring, keeping IT systems up to date and layering security defences as well as having plans in place to help deal with breaches. The guide also includes suggestions for implementing the principles and a self-assessment questionnaire. The ICC has also set up a portal with resources and contacts in relation to cybersecurity.
Vidal Hall v Google Inc.
This concerned an application, heard by the Court of Appeal, for permission to serve outside the jurisdiction. It was held that damages can be awarded for distress alone (whether or not there has been financial loss). It also confirmed that there was a serious issue to be tried in this case in relation to tracking and collection of personal information without consent, and that there is a strong case to answer that browser-generated information is personal data, even when it does not directly identify an individual. You can read more about this here.
Released in the midst of the Safe Harbor storm, this CJEU judgment was somewhat overlooked but is of interest because it deals with the question of what constitutes an "establishment" for the purposes of data protection law enforcement. It expands on the wide interpretation discussed in last year's Google Spain judgment and is important, at least until the new GDPR is in place, and possibly beyond. See here for more.
Further updates to the European privacy landscape are undoubtedly around the corner, and we can expect 2016 to be just as busy (if not busier) than this year.