February Data Protection Bulletin
Welcome to the latest edition of our Monthly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
This month, we will be diving into the latest developments and trends in data privacy, discussing how businesses and organisations can stay compliant with data protection laws, and exploring the consequences of non-compliance. Whether you’re a data privacy professional or simply interested in staying informed, this bulletin is your go-to source for all things data protection.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
The ICO has continued its data protection by design and default series by issuing new guidance to gaming companies. Although the guidance is targeted at video gaming, its principles apply to all organisations that produce interactive software, especially when such software is used by children.
The ICO’s recommendations include:
- Running user research to trial child-friendly privacy information with different age groups.
- Displaying transparency information based on ability rather than age. For example, transparency information at beginner, intermediate, and expert levels.
- Designing different ways to communicate privacy information which may be more effective for children of different ages. For example, you could use age-appropriate videos and graphics in ‘bite-sized’ chunks, using mission-style storylines or deploying in-game pop-ups or messages.
- Ensuring that all optional uses of personal data are off by default, and only activated after valid consent is obtained from the player (or, for children under 13 years old, their parent or guardian).
GOVERNMENT AND REGULATORY ACTIVITY
First-Tier Tribunal Rules in Landmark Experian v ICO Case
The First-Tier Tribunal (Information Rights) has ruled on the ICO’s action to require Experian Limited to change how it handles people’s personal data. The Judgment supported aspects of the ICO’s decision, while allowing Experian’s appeal in other areas.
The Tribunal found, in support of the ICO, that Experian had not processed the personal data of over 5 million individuals transparently, fairly or lawfully because it failed to notify them that it was processing their data for direct marketing purposes. However, it rejected the ICO’s view that Experian’s privacy notice was not transparent, that using credit reference data for direct marketing purposes was unfair, or that Experian did not properly assess its lawful basis.
The ICO issued the Enforcement Notice to Experian Limited in October 2020 following a two-year investigation into how the company and two other major credit reference agencies (CRAs) were using the personal information of UK adults for direct marketing purposes. Experian subsequently appealed against the decision notice.
European Union Commences Amendment of the GDPR
The European Commission has announced that it will propose a new law before the summer aimed at improving how EU countries’ privacy regulators enforce the GDPR.
The new EU regulation, expected in the second quarter of 2023, is intended to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The law “will harmonise some aspects of the administrative procedure” in cross-border cases and “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission wrote.
ICO Carries Out Audit of Scottish Government
The ICO announced that it carried out a consensual data protection audit of various directorates of the Scottish Government. It reported that it identified predominantly good practice, but also noted some areas where improvement was required.
Areas identified for improvement include:
- Carrying out a data flow mapping exercise to fully understand how data is used across departments
- Identifying data protection risks when undertaking new projects
- Training information asset owners
- Improving security measures to ensure people’s data is kept safe
The good practice we found includes the following:
- A positive staff culture and enthusiasm for the role
- Good refresher training for all staff
- Project teams can access data protection specialists
ICO Issues Practice Recommendations to Greater Manchester Police and Three Rivers Council over FOI Failures
According to the ICO, its investigations found that Greater Manchester Police (GMP) and Three Rivers District had a consistently poor level of performance in terms of their response times to FOIA requests.
There had been a disproportionately high number of complaints about response times submitted to the Information Commissioner, as well as a high number of decision notices that the ICO had issued to the organisations to compel them to respond to outstanding requests. This led the Commissioner to reach the view that their request handling practices did not conform to part 4 of the section 45 Freedom of Information Code of Practice, issued by the Cabinet Office in July 2018 (the Code).
Company fined £200,000 for ‘nuisance call campaign’
The Information Commissioner’s Office (ICO) has today fined It’s OK Ltd £200,000 for what it called a “sustained and exploitative campaign” of nuisance calls.
It’s OK Ltd was found to have made 1,752,149 nuisance calls to people registered with the Telephone Preference Service (TPS) over the period 1 July 2019 to 1 June 2020, representing an average of over three calls every minute.
111 Call Centre Advisor Convicted for Improperly Accessing Personal Data After ICO Investigation
A former 111 call centre advisor has been found guilty and fined for illegally accessing the medical records of a child and his family. A complaint had been raised against the operator, following a disagreement during a 111 call over the distance to a medical centre, prompting him to access the records of the complainant, the complainant’s child and two other relatives.
Following the investigation from the Information Commissioner’s Office, Mr Swan pleaded guilty to five counts of unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act when he appeared at Uxbridge Magistrates’ Court on 15 February 2023. He was fined £630 with a victim surcharge and court costs totalling £1,093.
Insurance Worker Convicted for Improperly Accessing Personal Data After ICO Investigation
A former employee of the RAC has been prosecuted for obtaining the personal data of individuals involved in road traffic collisions after 21 drivers were harassed by claims companies.
An investigation revealed that, while working as a customer solutions specialist, he had stored data from 272 separate traffic incidents on phones he owned. After pleading guilty to two counts of data theft following an investigation from the Information Commissioner’s Office, the man was fined £5,000 and ordered to pay court costs of £937.40 and a victim surcharge of £170. The court also made an order under s153 of the Sentencing Act 2020 for deprivation of the two phones.