UK regulator (ICO) seeks feedback on the draft guidance
In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at the draft guidance issued by the UK’s data protection regulator on research provisions, as well as a decision from Malta relating to a mismanaged data subject access request and a fine in Belgium that might make you rethink who you should nominate as your Data Protection Officer.
Stay informed of other key emerging themes as events unfold. Follow our round-up of latest stories and find out what the latest developments mean for you. Our weekly review below helps you decide.
ICO draft guidance for the research provisions within the UK GDPR and the DPA 2018
- Data protection law contains a number of provisions for processing personal data for research purposes.
- The new guidelines from the Information Commissioner’s Office (ICO) aim to explain where in the law the various provisions relating to research may be located, how they fit together, and what effect they have in practice.
- The guidelines also include the definition of important terms that will assist organisations in determining when they can depend on the research provisions.
- The guidance aims to provide additional information and clarity on this complex topic of data protection.
- It will assist researchers in carrying out their work while remaining consistent with the law.
- It should offer researchers the confidence to employ the provisions when they are needed.
Why it matters
- The research provisions are currently under consideration as part of the UK Government’s stated intent to reform data protection.
- However, the ICO has emphasised the importance of creating guidelines on current legislation in order to assist organisations that are currently using personal data for research purposes.
- The ICO is committed to providing guidance to stakeholders in this complicated area, making data protection compliance easier.
- The ICO also believes that the guidance addresses some of the concerns that the data protection reform consultation identified as being troublesome for research organisations.
Company is fined €8,000 for failing to respond to a data subject access request
- The Maltese data protection authority has fined a bank €8,000 for failing to adequately respond to a data subject access request.
- The data subject requested access to their personal data, but did not obtain a response from the data controller, i.e. the bank.
- Upon further investigation by the Maltese data protection authority, the data controller initially stated that a response had been provided to the data subject. However, the data controller later admitted that the response had not been sent.
Why it matters
- According to the data controller, the response had not been sent due to a mistake made by an individual employee who had applied restrictive settings to their mailbox.
- It was also found that this employee left the company without a proper handover of the case to another employee.
- This is a relatively high fine compared to other decisions on a failure to comply with the right of access to personal data (Article 15 of the EU GDPR).
- This case confirms the importance of a robust joiners and leavers process so that workloads can be effectively transferred to another employee.
Belgian data protection authority fines bank for not having a sufficiently independent Data Protection Officer
- The Belgian data protection authority fined a bank €75,000 after it found that the Data Protection Officer was also the head of three departments with decision-making powers over the processing of personal data.
- This was considered a conflict of interest and a breach of Article 38(6) of the EU GDPR.
- Article 38(6) of the EU GDPR states that the Data Protection Officer may fulfil other tasks and duties but the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Why it matters
- The investigation revealed that there might be a conflict of interest since the Data Protection Officer held a number of other functions, including leading the bank’s Operational Risk Management, Information Risk Management and Special Investigation teams.
- The data protection authority held that the Data Protection Officer could still determine the purposes and means of processing of personal data.
- This was further confirmed by the bank’s Record of Processing Activities, which listed a significant number of categories of personal data that are processed by these departments.