Data Protection Bulletin - September 19 2023
Welcome to the latest edition of our Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks. Visit our website for more news.
Key Insights
Recap: “Data Ethics – What is Right and Wrong” Webinar
In our commitment to staying at the forefront of evolving data landscapes, we recently hosted a thought-provoking webinar titled “Data Ethics – What is Right and Wrong”.
The session delved deep into the complexities of ethical data usage, drawing the line between innovation and privacy, and highlighting responsible data practices that balance business objectives with core ethical values. Through engaging discussions and pertinent case studies, the webinar provided a comprehensive view of the current state of data ethics.
Missed the live session? Not to worry! You can catch up on all the insights and discussions by watching the full recording HERE.
Government Regulatory Activity
ICO Q1 2023/24 Data Protection Update: Key Takeaways from ICO’s Reprimands
The ICO recently published a summary of its reprimands as part of its enforcement strategy. It shed light on the patterns of data protection lapses the ICO had observed in various organisations. Here’s a brief summary:
- Inappropriate Disclosure of Personal Data:
- Five organisations, including Thames Valley Police and the Ministry of Justice, faced penalties due to mismanagement of personal information.
- Key Action: Reinforce data protection policies, bolster staff training, and ensure secure internal email protocols.
- Timely Response to Subject Access Requests (SARs):
- Both Plymouth City Council and Norfolk County Council were penalised for delayed responses to SARs.
- Key Action: Familiarise yourself with SAR guidelines and ensure timely responses, especially for complex requests.
- Data Protection in App Development:
- Sussex and Surrey Police were penalised for an app that unlawfully captured personal data.
- Key Action: Adopt a data protection by design approach from the outset of app development and provide clear guidelines to staff.
It’s paramount for all organisations to heed these lessons and implement the recommended practices to ensure robust data protection. We, as a consultancy, are here to guide and support you through these essential measures. You can find the full report HERE.
ICO Publishes New Guidance On Data Sharing for Safeguarding Purposes
The ICO recently published new guidance to address concerns from organisations and frontline workers that may be scared to share information for fear of falling foul of data protection law.
According to the ICO, The need to improve data sharing practices has been highlighted in recent serious case reviews in the UK where children have died or been seriously harmed through abuse or neglect. Poor information-sharing among organisations and agencies was identified as one of the factors contributing to failures to protect the children.
The guidance outlines 10 steps for organisations to follow, including ascertaining the lawful basis for the sharing, as well as entering into a data sharing agreement that complies with the provisions of the UK GDPR. At DPAS, we assist organisations with creating data sharing agreement templates that are flexible enough to be adapted to suit various circumstances, including ones where safeguarding, and thus urgency, are priorities.
Enforcement Actions
TikTok fined $379M for failing to keep kids’ data safe
Irish regulators have penalised TikTok with a substantial €345m (£296m) fine for breaches related to children’s data privacy during 2020. The penalty, handed down by Ireland’s Data Protection Commission (DPC) under the EU’s General Data Protection Regulation (GDPR), focuses in on TikTok’s approach to age verification and default privacy settings. The investigation revealed that TikTok made accounts of users aged between 13 and 17 public by default, thereby exposing their content to all users.
The DPC’s decision stemmed from various violations under the GDPR, where TikTok was found lacking in areas such as transparency in data processing, data security, and ensuring the rights of minor data subjects. The app’s design permitted children to have public-by-default settings, thus allowing unfiltered access to content posted by these younger users. Furthermore, a feature known as “Family Pairing” could potentially pair a child’s account with an unverified user, with no proof of the latter being the guardian or parent. TikTok has announced that it is considering a possible legal appeal against the decision. Meanwhile, ongoing scrutiny surrounds TikTok’s potential allegedly illegal transfers of EU data to China.
Google to Pay $93m Over Deceptive Location Tracking Practices
Google has agreed to a $93m settlement following accusations of misleading consumers about its location tracking methods. The decision comes after a lawsuit into Google’s data practices, filed in California, USA. The lawsuit highlighted that Google may have given users the impression they had full control over their location data. However, even when users turned off their “location history”, Google continued to collect and save location data via other sources, most notably the “web and app activity” trackers which are typically on by default.
The suit further asserted that Google deceived users regarding their ability to opt out of location-based advertisements. While Google hasn’t admitted any fault as part of this settlement, they have committed to several measures. These include greater transparency about their location tracking methods, notifying users when their location data is being used for ad profiling, and requiring internal approvals for major changes to privacy practices. In their response, Google mentioned that the settlement addresses outdated product policies that have been updated in recent years.
Council officer Convicted for Unlawfully Accessing Social Services Records
A former family intervention officer at St Helens Borough Council has been sentenced for unlawfully accessing social services records. The former officer was prosecuted for viewing records on the council’s case management system between 17 January 2019 and 17 October 2019 without having a business need to do so.
An internal council audit found the defendant unlawfully looked at the records of 145 people whilst employed in the social services department.
The former officer resigned from the council before disciplinary proceedings commenced, and subsequently pleaded guilty to one offence of unlawfully obtaining personal data, in breach of s170(1) of the Data Protection Act 2018. Anderton was fined, ordered to pay court costs and a victim surcharge.
ICO Fines Marketing Company £40,000 For Sending Unlawful Text Messages
Simply Connecting Ltd sent 441,830 direct marketing text messages to individuals in breach of regulation 22 of PECR which provides the conditions in which an organisation can lawfully send communications for direct marketing purposes. The company had relied on a marketing list obtained from a third-party but the Information Commissioner decided that it had not done its full due diligence to confirm that it had the necessary valid consent for the messages received by subscribers.
The company was fined £40,000 and issued with an enforcement notice.
How can we help you?
At DPAS, we provide Data Protection and Information Security Consultancy and Training internationally. We support businesses to achieve their organisational objectives and goals, by transforming data protection compliance from an obstacle into a value-added asset.
Take a look at our website to see what we can do for you.
