What is the Direction of Travel for Data Protection Compliance in the Public Sector?

The Government is reforming Data Protection Law and has recently issued its response to its consultation ‘Data: A New Direction’. I think it is fair to say that the proposals are not as drastic as many data protection practitioners and lawyers had envisaged. However, the intention to make having a Privacy Management Programme a legal requirement hints at an increasing focus on accountability. This focus isn’t new but is part of a direction of travel which started under former Information Commissioner, Elizabeth Denham, under whose leadership the ICO produced a full Accountability Framework and Toolkit.

However, there is now another development. On 30 June, the Information Commissioner issued an open letter to the public sector. This announced a revised approach to enforcement in the sector with less of a focus on monetary penalties and more of a focus on (in the words of the Information Commissioner) ‘raising data protection standards across the board and preventing harms from occurring in the first place’. The ICO will launch its 3 year strategic vision later this month and the new focus on raising data protection standards will be part of it.

The Information Commissioner is ‘not convinced large fines on their own are as effective a deterrent within the public sector’ partly because fines reduce the budget for vital services and ‘people affected by the breach get punished twice’.

The ICO will trial the new approach of reducing the impact of fines on the public for two years. It will still investigate breaches in the same way, follow up with organisations to make sure that improvements are made and do more to publicise the cases for others to learn from.

What is behind this is an increasing emphasis on accountability, both in its strict data protection sense of being able to demonstrate compliance with the data protection principles and in its widest sense. The Information Commissioner is very clear about that, saying, ‘I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda. I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future’.

New Oxford University Press Book to cover Data Protection in State Schools

Some of you may have noticed that I have neglected my blog of late. I do have a good excuse. I have been writing the chapter covering state schools (maintained schools and academy trusts) for an Oxford University Press book about data protection. We are not quite ready to publicise all the details yet but I am nearing completion of the first draft of my chapter which will be around 15,000 words addressing data protection in the specific school context and covering education related legislation, guidance and practices where these are relevant to applying data protection law. It is likely to be quite some time before the book is published but watch this space for further information in the future.

Explaining the term 'Privacy Policy'

The term 'Privacy Policy' is most often used in an online environment to describe a document which explains to individuals how information about them is collected and used. It may also touch on the wider data protection policy of the organisation. It is important to note that 'Privacy Policy' is not a legal term (at least not in the UK) but a user-friendly one. Data protection lawyers typically refer to the document which provides an individual with information about how information about them is used as a 'privacy notice'. The requirements for what should be in such a notice are in articles 13 and 14 of the UK GDPR. Typically an organisation which operates mostly in a real-world environment will have a number of privacy notices for different categories of individuals and a separate data protection policy. Online, the term 'privacy policy' may refer to something which is designed to cover the requirements under articles 13 or 14, or it may be more of a hybrid between 'privacy notice' and 'data protection policy'.

Guidance produced by the Information Commissioner's Office (ICO) does not refer to the term 'privacy policy'. The term 'privacy notice' is normally used by the ICO both in guidance and in their own privacy notices. However, I have noticed that there is one exception; if you click on the link for the privacy notice template then it is, in fact, headed 'Privacy Policy'. All the notes in it then use the term 'privacy notice'. My conjecture is that the ICO takes the line that their guidance should use the term 'privacy notice' but that this heading on the template slipped through the net.

The overall conclusion is that the confusion around the term 'privacy policy' is ubiquitous. 'Privacy policy' may mean the same thing as 'privacy notice' but be aware that a 'privacy policy' may sometimes incorporate an element of data protection policy.

The ICO cannot lead on reducing barriers to data sharing

Those of you who follow data protection matters closely will know that the ICO's new Data Sharing Code of Practice is waiting to be laid before Parliament for approval. The Information Commissioner, Elizabeth Denham, spoke to the Public Services Committee on 13th January 2021. Following on from this, the Information Commissioner wrote to Lady Armstrong and this letter was published yesterday. It contains some general observations as to the limitations of the Code as a statutory code but the most interesting aspect of the letter is what the Information Commissioner says about the ICO's role in reducing barriers to data sharing which I quote below:

'However, what was clear from our discussion at the hearing, and from the witnesses that followed, was a recognition that the task of reducing barriers to data sharing is too big to be undertaken by one body in isolation. It needs a cooperative and coordinated effort from stakeholders across society. We see this as a partnership between government, parliament, the regulator, and those sectors at the frontline of data sharing.

The ICO cannot lead the work. This is due to our status as regulator; there is a need for us to strike a balance between our role of giving advice and support to organisations undertaking data sharing, and our need to take appropriate action to protect the data rights of citizens if there is a breach of the law.'

An Early Christmas Present from the ICO - A new Data Sharing Code

The ICO published a new Data Sharing Code of Practice yesterday (17th December 2020). A welcome Christmas present as we have been without an up to date Data Sharing Code since the GDPR came into force in May 2018. This Code is a statutory one and the ICO says it will use the Code in its work to assess the compliance of controllers through its audit programme and other activities. It also says it will take the Code into account when considering whether an organisation has complied with the GDPR or DPA 2018, particularly when considering questions of fairness, lawfulness, transparency and accountability.

The new Code stresses the importance of the Accountability Principle in making data sharing decisions. There is also a heavy emphasis on doing DPIAs (Data Protection Impact Assessments) as a matter of good practice even where they are not legally required. This has been the direction of travel for some time and is logical given the need to show accountability. This Code does reinforce this to such an extent that it would appear unwise to proceed with any planned data sharing without a DPIA except in cases where there is obviously very little risk to individuals.

Data sharing agreements are covered in some detail in the new Code with helpful guidance as to what they should contain. A data sharing agreement is not actually a legal requirement except in a joint controller situation but the ICO says, ‘A data sharing agreement between the parties sending and receiving data can form a major part of your compliance with the accountability principle, although it is not mandatory’. In practice, the ICO expects to see such agreements in place for any routine data sharing arrangements and this is already clear in the ICO audit outcomes which I have seen.

Most of what the Code does is to help an organisation go through the necessary procedural steps to share personal data in a compliant fashion. There are no easy shortcuts or magic answers here though and the Code amounts to more of a ‘How to’ Guide than an answer booklet.

One final point of note is that the Code contains a page and a half of information on due diligence and data sharing in mergers and acquisitions. The previous code had just a short paragraph. This reflects a growing focus on data rights in this situation. I have been plugging the importance of early consideration of data issues in such situations for some time as I think they are often overlooked entirely or only raised late in the transaction. There have been ICO fines that came about because of failures in due diligence on an acquisition, e.g. Marriott Hotels. The European Data Protection Board has also pointed out the need to consider the privacy implications of mergers through its statement earlier this year. This Code provides a clear bullet-pointed list of what needs to be covered in such a situation.

Big Fish v. Small Fish - Bargaining Position as between Controller and Processor

The European Data Protection Board is consulting on its Guidelines on the concepts of controller and processor in the GDPR until 19 October 2020. They are long and detailed and only likely to be read by those with a serious interest in the GDPR. I thought I would highlight what I found to be a very interesting paragraph (107) in relation to data processing agreements which may be included in a service provider's standard terms and conditions.

'The fact that the contract and its detailed terms of business are prepared by the service provider rather than by the controller is not in itself problematic and is not in itself a sufficient basis to conclude that the service provider should be considered as a controller. Also, the imbalance in the contractual power of a small data controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law, nor can it discharge the controller from its data protection obligations. The controller must evaluate the terms and in so far as it freely accepts them and makes use of the service, it has also accepted full responsibility for compliance with the GDPR. Any proposed modification, by a processor, of data processing agreements included in standard terms and conditions should be directly notified to and approved by the controller. The mere publication of these modifications on the processor’s website is not compliant with Article 28.'

In short, a small controller cannot use its poor bargaining position as an excuse for poor GDPR compliance but large processors cannot abuse their bargaining position by simply dictating terms.

Artificial Intelligence and identifying Controllers and Processors - 2021 may bring further clarity

The ICO has just published new guidance on Artificial Intelligence (AI). I wrote a detailed blog piece on the consultation version so I will not write about it generally now. However, some important new information is that the ICO has acknowledged that AI systems involve a number of organisations and so working out who is a Controller or Processor for the purposes of data protection law can become complex. The ICO plans to address these issues in more detail when it revises its Cloud Computing Guidance in 2021. It will consult with stakeholders because of the questions of policy raised. Most helpfully, the new guidance will include example scenarios covering when an organisation is a Controller or Processor in the context of AI services.

The Fall of the Privacy Shield – What next? The ICO and the EDPB have different approaches

The decision of the European Court of Justice in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems struck down the EU-US Privacy Shield with immediate effect. This caused gasps of horror in the data protection world and more widely as people realised just how significant this judgment was and just how often the Privacy Shield was the mechanism under which personal data was being transferred to the US. Initial articles on the subject sometimes mentioned using Standard Contractual Clauses (SCCs) instead as they appeared to have survived the Court’s scrutiny. Then there was the slow recognition that there were serious question marks over the use of SCCs as US law does not ensure an equivalent level of protection for personal data.

Such were the repercussions of the judgment and the many questions being asked that on 23 July the EDPB (European Data Protection Board) adopted a set of Frequently Asked Questions (FAQ). These are helpful to a point but by no means provide any real answer to the problems caused by the judgment. What is most interesting is the stark contrast between the EDPB’s approach and that of the ICO. The EDPB FAQ document says of the Privacy Shield, ‘Transfers on the basis of this legal framework are illegal’. However, a visit to the Privacy Shield page of the ICO website reveals a statement as follows:

‘We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period’.

However, continuing to use the Privacy Shield carries risks, even if one assumes that there is no risk of ICO enforcement while the ICO statement remains as above. For example, individuals could bring claims for compensation. The ICO has not mentioned this but the Berlin Data Protection Authority has referred to it in a press release (which is only available in German) and has also told organisations in Berlin to shift their data storage from the US back to Europe.

IMPORTANT UPDATE: On 27th July 2020, the ICO changed its statement on its website to read:

'The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA. For more information please read our latest statement.'

This statement brought it into line with the EDPB.

The End of the Brexit Transition Period - Will we get an Adequacy Decision?

The European Commission has issued a communication to all member states about the changes they can expect after 31 December 2020. A small part of this covers data protection. It explains that there are existing mechanisms under the GDPR to allow transfers of personal data to a third country and that these can be deployed for the UK. However, will one of these be an adequacy decision?

This communication says ‘As underlined in the Political Declaration, the EU will use its best endeavours to conclude the assessment of the UK regime by the end of 2020 with a view to possibly adopting a decision if the United Kingdom meets the applicable conditions. The Commission is currently conducting this assessment and has held a number of technical meetings with the United Kingdom to gather information in order to inform the process’.

The clear advice for businesses in the EU is that they should plan ahead including for the scenario where there is no adequacy decision in respect of the UK. A hint perhaps that an adequacy decision may not be forthcoming.

Workplace Testing for Covid-19 - A joint HR and Data Protection Perspective

Kate Grimley Evans and Caroline Banwell of Harmony HR Solutions have collaborated to provide a unique and helpful perspective on Workplace Testing for Covid-19,