Menu Close

The Week – In Perspective: The ICO responds to the UK government’s proposed reforms to data protection law

The UK data protection regulator responds to the country’s proposed data protection reforms

What happened

  • The data protection regulator in the UK, the Information Commissioner’s Office (ICO), has provided its formal response to the consultation on proposed changes to data protection law issued by the Department of Data, Culture, Media & Sport a few weeks ago.

  • The ICO stresses that as the proposals are developed, the ‘devil is in the detail’ and that it is important that ‘the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator’.

Why it matters

  • The ICO provided positive remarks in relation to proposed changes to make it easier to reuse personal data for research purposes and for enhancing protections and controls for people in regards to cookies and nuisance calls.

  • However, the ICO felt that changes to help businesses avoid performing a risk assessment when processing personal data based on legitimate interests would create problems in how individuals are able to object to such processing.

  • The full response from the ICO can be found here.

Danish data protection regulator issues recommendation for businesses processing Covid-19 data of children

What happened

  • A recent case in Denmark involved a company that delivered rapid Covid-19 testing for children aged 12 and over.

  • Information about how the company processes personal data relating to the individuals being tested was provided to both the child as well as their guardian through a digital communication platform.

  • The Danish data protection regulator found that whilst the information that was provided was robust and met the minimum standards defined within data protection law, it was not in a form that could be easily understood and accessible to children.

Why it matters

  • Article 12 of the GDPR requires businesses to ensure that privacy information is in a “concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.

  • If services are provided to children involving the processing of their personal data, the Privacy Policy or Privacy Notice that is provided to them describing the processing activities should be in a form that children can understand, such as a video containing animation or a poster in plain English.

Icelandic data protection regulator decides on case involving the accidental disclosure of email addresses 

What happened

  • The data protection regulator in Iceland received a complaint involving a government agency accidentally disclosing email addresses to a number of unintended recipients.

  • However, despite this being noncompliant with data protection law, the Icelandic data protection regulator found that as this was a result of human error and corrective measures were put in place to prevent a similar incident from reoccurring, no fine was imposed.

Why it matters

  • This case emphasises the need for implementing corrective measures as soon as an incident or personal data breach is discovered.

  • The data controller in this case revised and changed procedures to include a review process before emails are sent out as well as refreshing training materials to include additional details relating to incident prevention and detection.

Road toll company in Norway is fined for not establishing proper controls to send data to China

One more thing…

  • Lastly, the Norwegian data protection regulator fined a road toll company around €500k for not having a data processing agreement, not performing a risk assessment and not implementing a mechanism for transferring personal data to China. This case provides some useful tips to consider when sending personal data to a third country. Find out more here.