Apple and Google joint initiative on COVID-19 contact tracing technology

The Information Commissioner has published her official Opinion on the Contact Tracing Framework being developed by Apple and Google. This Opinion should be read with care, taking its stated limitations into account, in particular the fact that it is limited to the Framework itself and does not extend to apps developed using it. It also only applies to phase 1 of the project, and a more expansive phase 2 is already envisaged.

The Commissioner reaches the conclusion that the Framework is aligned with the principles of data protection by design and by default but it is still clear that there are a number of potential data protection risks which could arise from the way in which it is used, in particular if an app processes data outside the intended scope of the Framework. The Information Commissioner's opinion highlights the risk that users of a contact tracing app might not understand that the data protection by design and by default principles used in the Framework do not extend to all aspects of the app.

Most current proposals for contact tracing apps would rely on consent as the lawful basis for processing and the Commissioner points out that it is not yet clear how consent management will work or what the practical implications of a withdrawal of consent are.

To my mind, the biggest risk to the privacy of individuals would potentially be from 'scope creep', that is, the possibility that third-party app developers will expand the use of Covid-19 tracing apps built on the Framework beyond the original stated purpose. The Commissioner mentions this in her Opinion and reassuringly says she will monitor all developments.


Morrisons wins its Supreme Court Case

In a judgement issued on 1st April 2020, the Supreme Court held that Morrisons (i.e. WM Morrison Supermarkets plc) was not vicariously liable for the actions of its employee when, motivated by vengeance against Morrisons, he placed the personal data of thousands of Morrisons employees onto a public file sharing site. The judgement contains a long discussion of the case law on vicarious liability which will be of most interest to employment lawyers. The key vicarious liability point was that the employee's bad motive was highly relevant. There is, however, a key data protection point, which is that, despite the conclusion on the facts that Morrisons was not vicariously liable, there was nothing in the DPA 1998 which excluded the operation of vicarious liability. On the basis that a similar conclusion is likely to be reached in relation to the Data Protection Act 2018, there is still the distinct possibility that, in the future, on a different set of facts, an employer will find itself vicariously liable for a data protection breach committed by its employee.


Coronavirus update emails - What is the law?

My husband recently commented on what he described as 'huge quantities of Corona spam' arriving in his inbox and asked me if the companies were allowed to send him these. Some appeared to be motivated by a genuine need to communicate information relating to Coronavirus measures; others were perhaps, at least to some extent, using a marketing opportunity. This off-the-cuff comment prompted an unsolicited full explanation of the law from me. After my husband had recovered, it occurred to me that this information would be very helpful to businesses (or those with an inquisitive mind).

An email of this kind needs to comply with both data protection law and the Privacy and Electronic Communications Regulations (PECR). It is easiest to start with the PECR. Basically, if an email contains marketing then it usually requires consent. Commercial companies may be able to contact existing customers using a 'soft opt in' rule, but this only works if approached carefully and should not be attempted without careful study of the ICO guidance on the subject. Charities cannot use the 'soft opt in' at all. Many organisations have correctly identified that if a message does not contain any marketing then it is not caught by the PECR. A message about Coronavirus measures alone is just a service message, not marketing, but companies must be careful not to stray into marketing in the same message, for example by straying from an update on the general availability of goods to advertising certain items.

Even a service message not caught by the PECR must comply with data protection law. Somebody's name and email are being used to contact them and this is a personal data use. This means that the person must reasonably expect such use (consider your privacy notices) and a condition under article 6 of the GDPR must be met. Examples would be that the person has consent, that the company has a legitimate interest in contacting them or that the email contact is necessary for the performance of a contract with that person. Where legitimate interest is relied on, there must be a Legitimate Interest Assessment in place.

In short, desperate times but not an excuse for desperate measures - Approach such emails with care. The ICO's draft Code on Direct Marketing is a helpful resource.


Cathay Pacific Airlines Data Breach - 12 lessons

The monetary penalty notice issued by the Information Commissioner's Office identified 12 failings in Cathay Pacific's security measures. I have extracted these as a simple list and suggest that all organisations check for similar issues:

  1. Database back-ups not encrypted.
  2. An internet-facing server was accessible due to a known and publicised vulnerability. Both the vulnerability and the fix had been public knowledge for around 10 years.
  3. The administrator console was publicly available on the internet.
  4. One system was hosted on an operating system that was no longer supported.
  5. There was no evidence of adequate server hardening (a process for removing unnecessary features to minimise attack points).
  6. Network users were permitted to authenticate past the VPN without multifactor authentication.
  7. Anti-virus protection was inadequate.
  8. Patch management was inadequate.
  9. Accounts were given inappropriate privileges.
  10. Penetration testing was inadequate.
  11. Retention periods were too long.
  12. There was a failure to manage security solutions which it did have in place or to adhere to its own policies.



ICO publishes Draft Guidance on the AI Auditing Framework

This draft guidance relating to applications of artificial intelligence has recently been published for consultation. The guidance is long and detailed. For the most part it is a helpful synopsis of data protection law as it applies to applications of artificial intelligence but it is also useful for the following reasons:

1. It points out where terms are used differently in the AI context from how they are used in a data protection context, thus avoiding confusion.

2. It has specific contextual examples, including practical help in minimising risk.

3. It points out common pitfalls e.g. the need to treat the training phase differently from the implementation phase when deciding on purpose and the lawful bases for processing.

4. It covers other aspects of law such as the potential for discrimination where discrimination was inherent in the data used to train the models.

5. It points out key dangers e.g. the possibility of model inversion attacks in which attackers are able to recover personal data about the people whose data was used to train the system.

6. It covers how to deal with individual data protection rights, which can be particularly challenging in this context.

In short, this guidance is a ‘must-read’ for all involved in AI applications. The ICO itself identifies the intended audience:

Those with a compliance focus, including:

• data protection officers
• general counsel
• risk managers
• the ICO’s own auditors

Technology specialists, including:

• machine learning developers and data scientists
• software developers/engineers
• cyber security and IT risk managers


EDPB adopts new Guidelines on Video Surveillance

The European Data Protection Board has recently (29 January 2020) adopted its Guidelines on Video Surveillance. There have been changes since the consultation version. These guidelines are very detailed but helpful. Useful real life examples are included and all aspects of data protection are covered. This piece is just an overview of very detailed guidance and those needing the full detail should read the guidance.

Video Surveillance for personal or household activity

The Guidance starts by covering the use of video surveillance for purely personal or household activity, such purposes being outside the scope of the GDPR. However, care must be taken not to assume that the GDPR is irrelevant to any home use. The Guidance stresses:

‘12. This provision – the so-called household exemption – in the context of video surveillance must be narrowly construed. Hence, as considered by the European Court of Justice, the so called “household exemption” must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. Furthermore, if a video surveillance system, to the extent it involves the constant recording and storage of personal data and covers, “even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity.’

It is worth reading the guidance for further examples of when home use can be within the GDPR.

Lawfulness of Processing

The guidance makes it clear that the requirement for transparency means being specific about the reason for the use of cameras:

‘Video surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific (Article 5 (1) (b)). It is furthermore contrary to the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (see Article 5 (1) (a)).’

In practice, the use of cameras will usually be justified on the basis of legitimate interests and the guidance helpfully reminds the reader to make a proper assessment:

‘Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism can constitute a legitimate interest for video surveillance.

20. The legitimate interest needs to be of real existence and has to be a present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting the surveillance. In light of the principle of accountability, controllers would be well advised to document relevant incidents (date, manner, financial loss) and related criminal charges. Those documented incidents can be a strong evidence for the existence of a legitimate interest. The existence of a legitimate interest as well as the necessity of the monitoring should be reassessed in periodic intervals (e. g. once a year, depending on the circumstances).’

In practice, such analysis and the second stage of balancing the legitimate interests of the Controller against those of the individuals whose images are captured can be done using a Legitimate Interest Assessment following the template on the ICO website. Part of the exercise in balancing the legitimate interests of the Controller against those of the individual will involve an assessment of the reasonable expectations of the individual. This is where the new guidance makes some very useful comments:

‘Data subjects can also expect to be free of monitoring within publicly accessible areas especially if those areas are typically used for recovery, regeneration, and leisure activities as well as in places where individuals stay and/or communicate, such as sitting areas, tables in restaurants, parks, cinemas and fitness facilities. Here the interests or rights and freedoms of the data subject will often override the controller’s legitimate interests.’

‘Signs informing the data subject about the video surveillance have no relevance when determining what a data subject objectively can expect. This means that e.g. a shop owner cannot rely on customers objectively having reasonable expectations to be monitored just because a sign informs the individual at the entrance about the surveillance.’

Consent

Everybody has probably seen a sign along the lines of ‘by entering these premises you consent to video surveillance’ and considered that they are being presented with little choice in practice. The new guidance is very helpful on this issue:

‘44. Regarding systematic monitoring, the data subject’s consent can only serve as a legal basis in accordance with Article 7 (see Recital 43) in exceptional cases [My emphasis]. It is in the surveillance’s nature that this technology monitors an unknown number of people at once. The controller will hardly be able to prove that the data subject has given consent prior to processing of its personal data (Article 7 (1)). Assumed that the data subject withdraws its consent it will be difficult for the controller to prove that personal data is no longer processed (Article 7 (3)).’

‘46. If the controller wishes to rely on consent it is his duty to make sure that every data subject who enters the area which is under video surveillance has given her or his consent. This consent has to meet the conditions of Article 7. Entering a marked monitored area (e.g. people are invited to go through a specific hallway or gate to enter a monitored area), does not constitute a statement or a clear affirmative action needed for consent, unless it meets the criteria of Article 4 and 7 as described in the guidelines on consent.’

‘47. Given the imbalance of power between employers and employees, in most cases employers should not rely on consent when processing personal data, as it is unlikely to be freely given. The guidelines on consent should be taken into consideration in this context.’

Special category data including biometric data

The new guidance clarifies that a video surveillance system is not processing special category data just because, for example, it captures a wheelchair user (i.e. potentially information about health). However, if the system is being used for the purpose of processing health information, e.g. in a hospital setting, then it would be processing special category data and the usual need for justifications under both articles 6 and 9 of the GDPR applies.

Similarly, images of faces do not automatically count as biometric data; only when the image is used to identify an individual does it become biometric data.

Coming back to the issue of consent in the context of the processing of biometric data, the new guidance is very clear:

‘Finally, when the consent is required by Article 9 GDPR, the data controller shall not condition the access to its services to the acceptance of the biometric processing. In other words and notably when the biometric processing is used for authentication purpose, the data controller must offer an alternative solution that does not involve biometric processing – without restraints or additional cost for the data subject.’

Subject Access Requests

There is much coverage of this topic including expectations as to redaction of other individuals but one of the most helpful snippets is the statement that an individual ought to be assisting the controller to find the requested images:

‘…… the data subject should (besides identifying themselves including with identification document or in person) in its request to the controller, specify when – within a reasonable timeframe in proportion to the amount of data subjects recorded – he or she entered the monitored area. The controller should notify the data subject beforehand on what information is needed in order for the controller to comply with the request.’

Privacy Notice/Signage

Anybody who has already considered this issue will realise that displaying a compliant full privacy notice in relation to the use of cameras is most impractical given what such a notice should cover. The new guidance supports the use of a layered approach with the most important information on the initial sign. However, it should be noted that the expectation is still for a considerable amount of information on the initial sign so ‘Cameras in Use – for further details see our Privacy Notice’ is not good enough. An example sign is included in the guidance.

Much of this new guidance is, in practice, already covered by the available ICO guidance, including the need to assess whether the system is needed at all and to make sure that the system is only used for the stated purpose. However, the new guidance adds an important layer of extra detail and clarification.


Today is Brexit Day - What does it mean for data protection?

As confirmed by the Information Commissioner's Office, it is business as usual for data protection until the end of December 2020. What happens at that point is still unclear because it depends on negotiations which will take place during the transition period. The ICO has, however, produced a list of helpful FAQs.

One thing is absolutely certain; the GDPR is not going away. We will have a UK version of the GDPR and the data protection regime as a whole is likely to look exceptionally familiar.


ICO Publishes Draft Code on Direct Marketing- Sit up and Take Notice!!

This new Code came out for public consultation yesterday (8th January 2020). At just over 120 pages it is a lengthy piece of guidance but one with some extremely helpful practical examples. Anyone involved in direct marketing ought to really sit up and take notice because a number of common marketing practices are identified as being very difficult to square with legislation in this area. When I say legislation, the GDPR, Data Protection Act 2018 and the PECR (Privacy and Electronic Communications Regulations 2003) are potentially relevant. My recommendation is to read it in full.

I stress that this is a DRAFT Code and has not yet been approved by Parliament but these are some interesting snippets:

• In most cases it is unlikely that you will be able to make using an individual’s data for direct marketing purposes a condition of your service or buying your product.

• In most instances, buying additional contact details for your existing customers or supporters is likely to be unfair unless the individual has previously agreed to you having these extra contact details.

• You are unlikely to be able to justify tracing an individual in order to send direct marketing to their new address – such tracing takes away control from the individual to be able to choose not to tell you their new details.

• If you are planning to use cookies or similar technologies for direct marketing purposes you must provide clear and comprehensive information to the user about these and gain their consent (which must be to the GDPR standard).

• If the direct marketing has not been specifically requested, it is unsolicited and the PECR rules apply. This is true even if the customer has ‘opted in’ to receiving marketing in general from you.

• You cannot avoid the direct marketing rules by labelling your message as a survey or market research.

• You must be able to justify that a message is a service message and not an attempt to promote or advertise for it to fall outside of the direct marketing definition. Care must be taken over the content and tone.

• Remember you do not automatically have an individual’s consent to process their personal data for direct marketing purposes just because you have a pre-existing relationship with them – for example because they are your customer, previously donated to your cause, or are one of your alumni.

• If you do not have the individual’s explicit consent you cannot process their special category data for direct marketing purposes.

• You cannot escape your GDPR and PECR obligations by asking existing customers or supporters to provide you with contact details for their friends and family to use for direct marketing purposes. In practice it is very difficult to comply with the GDPR when collecting details for direct marketing purposes in this way or to demonstrate your accountability.

• If you process an individual’s data to target them with advertising, merely omitting that individual’s name from the final marketing communication does not prevent the processing being for direct marketing purposes.

The new draft Code also sets out the position on business to business marketing more clearly than the existing Code, saying:

‘However, the GDPR does apply wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR applies, even if they are acting in a professional capacity. For example, you must comply with the GDPR if you have the name and number of a business contact on file or their email address identifies them (eg initials.lastname@company.com).

If you collect an individual’s contact details in their business capacity and you intend to send them direct marketing you must make them aware of this and have a lawful basis for the processing.’

This has always been my interpretation of the law but I have sometimes been challenged on it so it is good to see it stated so clearly!


The ICO is consulting on the new (draft) Right of Access Guidance

This new consultation was launched yesterday (4th December 2019).

The guidance is much needed as the previous guidance - the Subject Access Code of Practice - referred to the pre-GDPR position. There are no big surprises in the new guidance but I note some interesting and helpful points:

Requests made under FOI by mistake

There is clear confirmation that if a requester makes a request for their own personal data and mistakenly does this under the FOI regime then it should be treated as a subject access request but there is no need to issue a formal FOI refusal notice.

Normal Course of Business Requests

The ICO recognises the concept of 'normal course of business requests'. This has been the case for some time in the FOI context, but this guidance extends the concept to requests which would normally be assumed to fall under the GDPR right of access. The guidance says: 'For example, if an individual requests copies of letters which you have sent them previously, it is unlikely that you need to deal with this as a formal SAR [subject access request].'

Complex Requests

There is a helpful explanation of when a request does and does not count as 'complex'. This is important because if a request is complex then the time for responding may be extended.

'The following are examples of factors that may in some circumstances add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.

• Technical difficulties in retrieving the information – for example if data is electronically archived.

• Applying an exemption that involves large volumes of particularly sensitive information.

• Clarifying potential issues around disclosing information about a child to a legal guardian.

• Any specialist work involved in redacting information or communicating it in an intelligible form.

Requests that involve a large volume of information may add to the complexity of a request. However, a request is not complex solely because the individual has requested a large amount of information.

Also, a request is not complex just because you have to rely on a processor to provide the information you need in order to respond.

Bulk requests

The ICO makes it clear that the deadline for responding to requests stands even where there are bulk requests, although it does suggest that there may be some leniency at the enforcement stage saying that it won't take enforcement action if it would be unreasonable to do so.

Back ups and deleted items

The draft guidance also goes into some detail on back up records and deleted items which will be of use to those dealing with the practicalities of searching for information.

'The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, there is no ‘technology exemption’ from the right of access. You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.

Search mechanisms for electronic archive and back-up systems might not be as sophisticated as those for ‘live’ systems. However you should use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes.'

The information on deleted records is on page 25 of the draft guidance. It is not summarised here as a summary may be misleading. The key point is that there may be information which the organisation thinks is 'deleted' which nevertheless can be retrieved and will fall within the scope of a subject access request.

The consultation closes on 12 February 2020.



ICO Guidance on Special Category Data - 5 Points of Note

The new ICO Guidance on Special Category Data was published on Thursday 14th November 2019. It is 38 pages long and detailed.

I have listed here, 5 key points of note (not a replacement for actually reading it!)

1. Why Special Category Data deserves special protection

Special Category Data does not merit special protection just because it may be seen as more sensitive or ‘private’, but because use of this data could create significant risks to the individual’s rights and freedoms. For the first time, there is a clear list of what those rights and freedoms might be.

• Freedom of thought, conscience and religion
• Freedom of expression
• Freedom of assembly and association
• The right to bodily integrity
• The right to respect for private and family life
• Freedom from discrimination

This list will be useful in other GDPR contexts, for example when evaluating the risk to individuals following a data protection breach.

2. Help with deciding what is and isn’t Special Category Data

The guidance offers some help with deciding what is and isn’t Special Category Data so, for example, it acknowledges that details about an individual’s mental health are much more sensitive than whether they have a broken leg but stresses that both are data concerning health. This appears to be a clear rule – if it is in the list of Special Category Data it must be treated as such, regardless of the perceived lack of sensitivity.

That said, the guidance adopts a commonsense approach to the issue of letters concerning medical appointments, which has vexed many a DPO. The guidance confirms that what matters is whether the appointment letter reveals anything about the state of someone’s health, saying: ‘a GP or hospital appointment in isolation will not tell you anything about a person’s health as it may be a check-up or screening appointment. However, you could reasonably infer health data from an individual’s list of appointments at an osteopath clinic or from an invoice for a series of physiotherapy sessions’.

3. Going beyond the GDPR to the DPA 2018

The Guidance sets out in detail how to justify the processing of special category data, going beyond the provisions of the GDPR itself to the detailed requirements of the Data Protection Act 2018 (DPA 2018). In many cases, finding a lawful basis in articles 6 and 9 of the GDPR is not enough as further conditions in the DPA 2018 must also be met. This is a step which many organisations have overlooked or intentionally shelved, pending further guidance on the issue. This is a stance which, up to now, has been defended with a comment such as ‘well, nobody actually does that bit’. A fair comment as even the ICO did not appear to have gone that far. However, this stance has become significantly more risky, now that the ICO has published guidance on it and the ‘How were we supposed to know?’ excuse has evaporated.

4. An ‘Appropriate Policy Document’ template

This links with point 3, but one of the conditions which the DPA 2018 specifies in some cases is the need for an ‘appropriate policy document’, and it was previously unclear exactly what that meant. The guidance clarifies this and there is now a template.

5. Guidance on what ‘Legal Claims’ means

One of the Article 9 bases for processing special category data is for when the purpose of the processing is to establish, exercise or defend legal claims. Until now, lawyers have been unsure of how narrowly or widely this should be construed. From the guidance, the answer seems to be very widely indeed. It says, ‘Legal Claims in this context is not limited to current legal proceedings. It includes processing necessary for:
• actual or prospective court proceedings
• obtaining legal advice; or
• establishing, exercising or defending legal rights in any other way’

The guidance goes on to give an example of a hairdresser carrying out a patch test on a client to check for an allergic reaction, stating that this is covered because the purpose is fulfilling their duty of care to the client and to defend against any potential personal injury claims.

