Denham Ready to Take Reins at The

ESTABLISHED 1987

‘Battle tested’ Denham ready Issue 85 May 2016 NEWS to take reins at the ICO 2- Comment Laura Linkomies reports from Parliament in Westminster on the Next steps for data protection appointment that now awaits the signature of the Queen. 13 - Royal Mail becomes certified lizabeth Denham, currently previous afternoon. online identity provider Information and Privacy “I’m battle tested as a Commis - Commissioner in British sioner,” she said. “I have never ANALYSIS EColumbia, Canada, was confirmed as shrunk away from an important 8- Legitimate interest ground the next UK Information Commis - issue. I cross swords with the largest under the GDPR: Change ahead sioner by the House of Commons tech companies – I led the first inves - 10 - Member States’ derogations Department of Culture, Media and tigation into Facebook – no other undermine the GDPR Sport (DCMS) Select Committee on 16 - Data Protection in the new 28 April after interviewing her the Continued on p.3 world of Artificial Intelligence

MANAGEMENT 7 - Do employers have the right to Get GDPR ready and update read employees’ private emails? 18 - How Transport for London your privacy policy now protects customer privacy As the ICO nudges companies to begin GDPR preparations, Lore 20 - It is time to get GDPR compliant Leitner and Calum Docherty look at the privacy policy options. 22 - Book Review: Protecting yourself recent study found that 38% protect companies rather than to in a world full of scammers of Americans are confused enlighten their users. 23 - UK sessions at Great Expectations by privacy policies. 1 This is As we wrote in last September’s PL&B’s 29th Annual Conference Anot surprising. Many Internet users issue of PL&B UK Report , Septem - and customers find the information ber 2015 pp. 7-8 ), the General Data FREEDOM OF INFORMATION provided in privacy policies notori - Protection Regulation (GDPR), 23 - Latest FOI disclosure logs ously impenetrable, and, at times, which was adopted last month after Delphic. Often, these policies are NEWS IN BRIEF drafted – by lawyers – with a view to Continued on p.4 12 - Government fights cyber crime 12 - Blacklisted construction workers Search by key word on win compensation 15 - Privacy and consumer advocacy www.privacylaws.com 15 - High Court decides on ‘abuse’ of Subscribers to paper and electronic editions can access the following: SAR process • Back Issues since 2000 • Materials from PL&B events 17 - Degradation of privacy standards • Special Reports • Videos and audio recordings ‘abuse’ under competition law ? See the back page or www.privacylaws.com/subscription_info 21 - EU DP Regulation will apply 25 May 2018 To check your type of subscription, contact [email protected] or telephone +44 (0)20 8868 9200. 22 - ICO issues Undertaking on HSCIC 22 - Around 1 in 45 patients opt-out

PL&B Services: Publications • Conferences • Consulting • Recruitment Training • Compliance Audits • Privacy Officers Networks • Roundtables • Research COMMENT

ISSUE NO 85 MAY 2016

PUBLISHER Stewart H Dresner Next steps for data [email protected] protection in the UK EDITOR Now that we have the EU Data Protection Regulation, the next thing Laura Linkomies to look out for is UK implementation, which is expected to be – again [email protected] – different from most EU Member States. The derogations obviously give all Member States some leeway ( p.10 ) but it is more than likely SUB EDITOR Tom Cooper that the UK government will continue its business-friendly manner of regulating data protection. Watch out for any announcements of a new REPORT SUBSCRIPTIONS data protection law or other type of UK regulation in the Queen’s Glenn Daif-Burns Speech on 18 May. [email protected] Whatever happens, the new EU regime will create much more work CONTRIBUTORS for the ICO, to be headed after 28 June by Elizabeth Denham, currently Information and Privacy Commissioner, British Columbia, Lore Leitner & Calum Docherty Canada. We at Privacy Laws & Business are fortunate to have had a Latham & Watkins LLP great working relationship with her for many years and look forward Merrill Dresner to seeing how she will apply her Canadian experience in the UK ( p.1 ). PL&B Correspondent The ICO is preparing guidance on the GDPR. In the meantime, read Michael D. Smith what our contributors say about revising privacy policies for the Reed Smith LLP GDPR era ( p.1 ), and how to start a successful GDPR compliance Dugie Standeford programme ( p.20 ). In the public sector, changes to the legitimate PL&B Correspondent interest ground for processing are causing extra concern ( p.8 ). William Long & Francesca Blythe Our management stories in this issue include a report on the Sidley Austin LLP experience of the Royal Mail ( p.13 ) and Transport for London ( p.18 ). Also, read on p.16 about the new world of Artificial Intelligence and Nicola Fulford & Gemma Lockyer Kemp Little LLP consequential challenges to data protection concepts. The Data Retention and Investigatory Powers Act 2013 (DRIPA) is due to expire in December 2016, and the government is therefore in a hurry to adopt the Investigatory Powers Bill. Having visited Westminster to attend Elizabeth Denham’s hearing before the Department of Culture, Media and Sport Select Committee, and PUBLISHED BY Privacy Laws & Business, 2nd Floor, having listened to the joint committee and the three witnesses on the Monument House, 215 Marsh Road, Pinner, human rights aspects of the Bill, I must say that it sounds to me that Middlesex HA5 5NE, United Kingdom the issues are still far from clear. The experts basically concluded that Tel: +44 (0)20 8868 9200 the Bill does not include proper human rights protections. The main Fax: +44 (0)20 8868 5215 Email: [email protected] issue is about proportionality. But a European court case may soon Website: www.privacylaws.com challenge the legality of UK’s surveillance laws anyway (http://bit.ly/1SZEfLx ). In the meantime, the Open Rights Group has Subscriptions: The Privacy Laws & Business United Kingdom Report is produced six times a year and is available on an published an informative comparison of changes between the first and annual subscription basis only. Subscription details are at the current version of the Bill ( http://bit.ly/1TPx88Z ). back of this report.

Whilst every care is taken to provide accurate information, the publishers cannot accept liability for errors or omissions or for any advice given. Laura Linkomies, Editor Design by ProCreative +44 (0)845 3003753 PRIvACy LAWS & BUSINESS Printed by Rapidity Communications Ltd +44 (0)20 7689 8686 ISSN 2047-1479 Contribute to PL&B reports Copyright: No part of this publication in whole or in part may Do you wish to contribute to PL&B UK Report ? Please contact be reproduced or transmitted in any form without the prior written permission of the publisher. Laura Linkomies, Editor (tel: +44 (0)20 8868 9200 or email: [email protected] ) to discuss your idea, or offer to be interviewed about your organisation’s data protec - © 2016 Privacy Laws & Business tion/Freedom of Information work.

Elizabeth Denham ... from p.1 Commissioner for British Columbia foi aspects (BC), to becoming the UK Informa - The MPs were particularly interested DPA had gone there. I knocked on tion Commissioner. in hearing how Denham would deal their door in 2008 when they had a “The Information Commissioner in with government communications mere 300 million users. This was a the United Kingdom has similar under the FOIA. Referring to use of small office in Canada investigating powers to the powers that I have as a private e-mails and social media for Facebook. The same with Google Commissioner in British Columbia, so official public sector communications, when I served at the Federal office –I I have order-making power; I have she explained that her guiding principle started an investigation into Google quasi-judicial decision making in free - is that “it is the message not the medi - Streetview because they were hoover - dom of information that is appealable um” that is important. “Even private ing up unsecured WiFi data that had to the courts on an error in law, on emails can be caught under FOIA,” she been illegally collected by the company judicial review, so that is very, very sim - said. “There should be a duty to docu - when they were collecting Streetview ilar. When it comes to data protection ment serious decisions.” images. That was a serious investigation though, I would say Canada has softer She suggested that government, the that took us down to Google’s lab so laws. The Privacy Commissioners in civil service, and MPs should use only that we could witness the destruction, Canada do not have the civil monetary government communication networks, the deletion, of the Canadian data. I penalties and powers that exist for the and use two separate mobile phones – think we might have been the only Information Commissioner on the data one for business and another one for Data Protection Authority that fol - protection side in the United private matters. lowed through to make sure that col - Kingdom.” She said she supports extending lected data was properly and securely Denham explained that Canada has FOIA to not-for-profit organisations deleted.” In 2008, Facebook had no 30 years of experience of Freedom of and companies carrying out work for privacy controls, Denham explained, Information law compared with 10 public sector bodies. She said that but its response after the investigation years in the UK. As a result of her proactive disclosures cut down the was to put controls in place worldwide. investigations, the BC government had number of FOI requests, and should Both companies are now more careful responded in a serious way making therefore be encouraged. with data and have a different infra - substantial changes. Denham has conducted some high- structure, and carry out a dialogue with Denham said that she would be level FOI investigations in Canada, DPAs. But these big companies are willing to impose large fines on compa - resulting for example in the Access becoming monopolies and we need to nies when ‘things go very wrong,’ Denied report ( PL&B UK November watch them, she said. citing the maximum fine of 4% of 2015 pp.14-16 ). Denham comes into the role with an annual global revenue included as a “The Access Denied report was an impressive privacy career already sanction in the EU Data Protection examination of two government min - behind her. Since 2010 she has been the Regulation. “Data protection is the istries and the Office of the Premier. Information and Privacy Commis - responsibility of directors to take it out My office investigated because a sioner for British Columbia, Canada, of the IT department and into the whistleblower came forward with seri - responsible for enforcing the Canadian board room,” she said. ous allegations that senior staff were Freedom of Information and Protection However, she said that her triple-deleting records and deleting of Privacy Act (FIPPA), the Personal approach as the UK Information records that were potentially respon - Information Protection Act (PIPA), Commissioner would be firstly to edu - sive to freedom of information and the Lobbyists Registration Act cate and advise organisations and con - requests. Those were very serious alle - (LRA). Previously (2007–10), she was duct audits. She said that sometimes it gations. I had written three reports the Assistant Privacy Commissioner at is the smaller companies that pose the prior to that investigation where I the federal level. Denham will start in biggest challenge as for them, reputa - found practices that were not respectful her new position as soon as possible tional impact is not as important as for of freedom of information. Those were after Christopher Graham’s term of household brands. Currently, smaller gentler reports. In the last report, we office ends on 28 June. This is the first companies that receive fines in the UK found some very, very serious contra - time that PL&B is aware that any Data sometimes go into liquidation to avoid ventions of the law. We interviewed Protection or Freedom of Information paying, and then start again with people for the first time under oath. We Commissioner anywhere has been another name. Denham suggested that removed computers and did forensic appointed from a different country. company directors should be made examinations. Unfortunately, one of personally liable for data breaches in the ministerial aides misled my staff Ready to fine bad actoRs some situations. “Sanctions for bad under oath and I turned that file over to A pre-appointment hearing by the Par - actors are necessary and healthy for a a special prosecutor that has now liamentary Committee on 27 April had digital economy.” Denham said how - charged that individual. That was a a potential veto over the appointment, ever that she would continue the very serious investigation.” and spent one and quarter hours asking approach she had in Canada of engag - She said that Section 77 of the UK’s wide-ranging questions including how ing with stakeholders, including com - FOIA has provisions that would enable she would make the transition panies, in order to be informed of what similar action in the UK. “But regular from Information and Privacy they are planning next. audits are a better way forward.”

ico management stRuctuRe to-face bilateral meetings are very preliminary view on that, but again, I Denham was asked how she would important.” need to understand the issues and I deal with heading a very large office of Denham was asked: Would you need to get my feet under the table to more than 400 staff. She responded by work for the Government or Parlia - be able to comment on that question.” saying that at the federal level, she was ment?” In a firm declaration of princi - She thought, however, that as local responsible for 100 staff. She said that ple, she responded: “For Parliament authorities have much sensitive data, an the ICO was an important office and the people.” audit power would be a useful tool in “which casts a long shadow around the She said that the structure here was that area. world. It is a tech-savvy practical office different from Canada in that in British that I think fits with my outlook on Columbia, she reports to the legisla - otheR challenges data protection and freedom of infor - ture. Whilst the UK ICO is completely When asked if she had the determina - mation.” She said she would first have independent, it has to work with a gov - tion to deal with a potentially hostile to rely on her staff to be briefed on ernment department, the DCMS. media, she told the committee that she some UK-specific issues, such as the had conducted around 100 interviews Talk Talk breach or the Motorman eu gdpR pRospects last year with the media and civil socie - inquiry. Denham said she understood that the ty organisations in BC which are “very “I will have some studying to do to UK might opt for a more business- engaged” and “not gentle”. understand the UK environment but I friendly route via some of the exemp - She thought that the Investigatory am a fast learner.” tions available under the EU General Powers Bill would create “a honey pot She said that the future challenge Data Protection Regulation (GDPR). of data which would have to be very within the ICO is the change in man - But the Regulation will form an ade - secure.” But there is no such thing as agement. She thought that more senior quacy standard to which other coun - perfect security, she said. posts will have to be created. The ICO tries, including Canada which current - The MPs were keen to hear how she has been forward thinking under ly has an adequacy decision, will have would handle nuisance calls. She said Richard Thomas and Christopher to work towards. that she understood the DCMS had Graham, and she has had the pleasure She thought that one of her first already introduced some increased pro - of working with both of them, and jobs would be to resolve the ICO’s tections such as calling line identifica - other ICO senior staff in international future funding issue. The abolition of tion. She was keen to carry on this fora. She said she would visit the three notification fees will see the ICO’s work: “It is a complex problem as well, ICO regional offices within the first 30 funding cut by 80%. Future work will because there is a legitimate business in days of her taking office. concentrate on preparing guidance on direct marketing, so again, what you “I think that I have been a strong the GDPR, but at the same time, the are trying to do is take the bad actors leader and a manager and I have been office needs to continue to manage out of the situation and protect the successful in managing budgets, always complaints and deal with its other legitimate calls.” She said that the coming in between 95% and 99%. I existing responsibilities. DPAs Global Privacy Enforcement have been successful in recruiting The GDPR will introduce a breach Network was of great help in these excellent staff, building teams and I notification duty. Denham said on kind of cases when they have an inter - think that the Information Commis - audit powers: “The audit power of the national dimension. sioner requires the same skillset. you Information Commissioner is a patch - have a strategic plan, you make sure work right now, so there are not com - that your direct reports understand and pulsory audits for all types of organisa - information the rest of the organisation understands tions. I think Christopher Graham the vision, you check back with the made the point to this Committee that See the select committee document at http://bit.ly/1QV0ka0 and staff, you review their work. I think compulsory audit powers would be Written evidence at http://bit.ly/1TuTc5H feedback is really important and face- very helpful to him in this role. I have a

GDPR ... from p.1 constitute consent” and that “when the emphasis on simplified formats. processing has multiple purposes, con - Article 13 of the GDPR has set out over four years of debate, attempts to sent should be given for all of them”. new minimum requirements for what redress this imbalance by putting data For many data controllers, privacy needs to be provided in privacy poli - subjects’ informed choice at the fore - policies are the gateway to data subject cies: a data controller must now inform front. In addition, consent will be the consent. As this consent becomes more data subjects of: cornerstone of this new regime: a data difficult to validly attain under the 1. its identity and contact details and subject’s consent must be “freely given, GDPR, privacy policies will have to (where applicable) those of its rep - specific, informed and unambiguous” change both in terms of content and resentative; and data controllers must be able to format. Data controllers will have to 2. the contact details of its data pro - demonstrate this consent. The GDPR think carefully to navigate the potential tection officer (where applicable); is clear that “silence, pre-ticked boxes tension between Article 13’s increased 3. the purposes of the processing for or inactivity should not therefore consent requirements and Article 12’s which the personal data are intended

as well as the legal basis for the privacy policy adequately reflects a Commissioner’s Office (ICO) new processing; company’s privacy practices, these con - proposals and other solutions which 4. the legitimate interests pursued by tent requirements are not likely to are discussed in the industry, to give the controller or by a third party impose an excessive burden on data you an overview of approaches which (where applicable); controllers. In our opinion, most data may be suitable under the GDPR. 5. the recipients or categories of recip - controllers will err on the side of cau - 1. layered notices: A layered ients of the personal data (if any); tion and include more rather than less approach is not new. For a long time, it and information to ensure they meet the has been recommended by the ICO as 6. the fact that the controller intends to requirements set forth in the GDPR. best practice. Layered notices can sim - transfer personal data to a third Hence, Article 13 of the GDPR may plify complex information by high - country or international organisa - just make privacy policies (even) lighting the salient points of the privacy tion and the existence or absence of longer, and even less likely to be read policy up front. At the top level, there an adequacy decision by the Com - by data subjects. could be a clear and succinct summary mission, or reference to the appro - yet Article 12 provides that com - of the information required under the priate or suitable safeguards and the munications from data controllers to GDPR. Users would then have the means by which to obtain a copy of data subjects should be “in a concise, option of clicking through the sum - them or specify where they have transparent, intelligible and easily mary into more detail on a particular been made available (where applica - accessible form, using clear and plain point of interest (for instance, to click ble). language”. This is easier said than done. through to a detailed section on data In addition, if such information is Along with the study mentioned transfers). This approach allows the necessary to ensure fair and transparent above, CNN reported last year that user to have a high-level understanding processing, the data controller must users would need to be educated to at of the key issues (and grant consent also specify: least the level of a second-year univer - thereto), but also enables the user to 7. the period for which the personal sity student to understand the dis - delve deeper at his or her own volition. data will be stored, or if that is not claimers in the privacy policies of sev - It is important however that the high- possible, the criteria used to deter - eral large online businesses, and an level summary reflects a data con - mine that period; oft-cited Carnegie Mellon study from troller’s practices accurately (and does 8. the existence of the right to request 2008 estimated that it would take the not oversimplify important practices) from the controller access to and average person 76 working days to read or else consent may not be deemed to rectification or erasure of personal all of the privacy policies he or she be valid. data or restriction of processing encounters in a year. The layered approach will become concerning the data subject or to So what is to be done? It is unsur - particularly relevant in a mobile con - object to processing as well as the prisingly difficult for data controllers text, as often mobile screens allow for right to data portability; to distil complex technical practices less space to display privacy informa - 9. where the processing is based on into clear consumer-facing communi - tion. Therefore, data controllers will consent, the existence of the right cations – yet data subjects must under - need to experiment with click-through to withdraw consent at any time, stand what happens to their data in tabs and interactive messages to get without affecting the lawfulness of order to validly give consent to pro - their privacy messages across. processing based on consent before cessing. This is particularly important 2. “Just in time” notices: Instead its withdrawal; as non-compliance can result in hefty of relying on consent from a “one size 10. the right to lodge a complaint with fines of up to 20 million euros or 4% of fits all” privacy policy, data controllers a supervisory authority; global turnover, whichever is greater. should consider providing “just in 11. whether the provision of personal The old approach of bombarding users time” notices at critical data processing data is a statutory or contractual with dense legalese is unlikely to satisfy junctures. These notices work by requirement, or a requirement nec - the consent conditions of the user- appearing on the individual’s screen at essary to enter into a contract, as focused GDPR, and more innovative the point where he or she inputs per - well as whether the data subject is formats are required to engage and sonal data, providing a brief message obliged to provide the personal inform data subjects, so that their con - explaining how the information about data and of the possible conse - sent can be validly given. This article to be provided will be used. This will quences of failure to provide such will outline some potential solutions for enable users to have an informed data; and data controllers seeking to write better understanding of how their data will be 12. the existence of automated deci - privacy policies, first in terms of for - processed. For instance, if a user’s date sion-making, including profiling, mats and then in terms of practical tips. of birth is requested to sign up for a and meaningful information about service, a “just in time” notice should the logic involved, as well as the foRmats explain why this information is needed significance and the envisaged con - To achieve a better level of compliance and how it will be processed. This sequences of such processing for under the GDPR, data controllers will could work by generating pop-up bub - the data subject. need to make more of an effort to bles if a user hovers his or her mouse While this long list may require a engage with their users. We looked over a text input box, for example, so thoughtful internal audit to make sure a at some of the UK Information the user’s consent is more specific to

the actual processing of particular data should be able to withdraw at any time. communicate information to indi - categories. As such, these “just in time” This approach is a helpful one-stop viduals. A dense, jargon-laden notices more effectively allow data consent shop for users. It can help data policy is unlikely to meet the controllers to demonstrate that consent controllers by clearly breaking down requirements of the GDPR and, at was validly given by a data subject. On the purpose of the data processing any rate, is not within the spirit of the other hand, providing notice – and activity, its legal basis and other factors the Regulation. The choice of obtaining consent – in this way does so users can make informed judgments format will obviously be very have a risk of restricting the data con - as to consent. However, problems product and sector specific. troller in its future use of data if it has could arise where a data controller • Work with the communications not specified each purpose of process - relies on other grounds for processing team: For larger organisations ing in each “just in time” notice. (such as legitimate interests) and this especially, privacy policies should 3. icons and symbols: The GDPR could lead to users feeling somewhat not be isolated within the legal or empowers the Commission to provide disempowered as they will not be compliance functions. It would standardised icons and to develop pro - allowed to make a choice in relation to benefit consumers if data protec - cedures for implementing such icons. such purposes of processing. At any tion officers were to work with The icons are intended to give data sub - rate, privacy dashboards allow users to members of an internal communi - jects a “meaningful overview of the elect to consent or withdraw their con - cations or public relations team to intended processing” in “an easily visi - sent at any time for each processing craft clear messages for data sub - ble, intelligible and clearly legible activity, which promotes the under - jects, without losing any sub - manner.” The key to such icons is that girding purpose of the GDPR: to focus stance. This skills synthesis could users will quickly understand what the on data subjects. clarify information practices to data controller will do with their per - users and allow them to give valid sonal information – yet the icons must pRactical tips consent to data processing. themselves be intuitive. Many data con - The GDPR will enter into force in the • test the privacy policy: Before trollers have voiced concern in this first half of 2018, but data controllers launching the privacy policy, data regard, and do not wish to see any icons would be wise to update their privacy controllers should consider testing which are unclear or too detailed and policies now to ensure compliance it with a focus group of users. unwieldy to include in privacy policies and to promote clear communications Honest feedback on the policy of limited length, for example, on with their customers. The ICO is also will ensure that communications mobile screens. While the Commission weighing in on the matter – it empha - to data subjects are appropriate, refines its approach, different data con - sised the importance of communicat - and could aid a data controllers may want to consider using ing privacy information in its March troller in meeting its compliance and/or proposing graphics to better 2016 publication Preparing for the obligations. engage their data subjects and to set the GDPR: 12 Steps to Take Now 2 and it standard. has recently wrapped up a consulta - 4. interactive approaches – videos: tion on privacy policies and commu - User expectations are evolving. Rather nicating data protection information than passively reading a text-heavy to individuals. policy, users may prefer to engage In the meantime, data controllers directly by watching online videos. should consider the following: This approach has seen a marked • audit data protection practices: upswing in popularity, with sites such First and foremost, information as Google, the Guardian and Channel 4 provided to data subjects must be creating comprehensive videos to high - accurate, so that data subjects can light the information collected from make informed choices about uses authors data subjects and how this data is used. of their personal data. A data pro - These short videos can provide com - tection audit will help businesses Lore Leitner is an Associate, and Calum pelling content through both visuals understand how and why data is Docherty a Trainee Solicitor at Latham & Watkins LLP, London. and audio. Moreover, by creating a processed, and enable them to Emails: [email protected] script to follow, a data controller can explain such practices clearly to [email protected] ensure that information is clearly pre - consumers. The GDPR requires sented – if an actor says something that consent should be acquired aloud that is overly complex or for each data processing purpose, referenCes legalese, lines can be revised to better so organisations should clearly 1 http://www.pewresearch.org/fact- communicate to data subjects. break these down and seek con - tank/2015/12/30/americans- 5. privacy dashboards: Data con - sent for each. conflicted-about-sharing-personal- trollers can also consider using privacy • use new formats: Once the audit information-with-companies/ preference tools to empower users to is complete, data controllers 2 https://dpreformdotorgdotuk. manage their own consents, which should consider using a new files.wordpress.com/2016/03/ preparing-for-the-gdpr-12-steps.pdf should be freely given and which users format to more effectively

Do employers have the right to read employees’ private emails? The Barbulescu case has been misinterpreted by many. michael D. smith explains what the decision means for companies. recent European Court of purposes. In other words, employees private communications at work. The Human Rights (ECHR) case have a reasonable expectation of pri - ECHR’s judgment is a reminder that (Barbulescu v Romania )1 has vacy at work. Nonetheless, this right any monitoring must be done in a lim - Aattracted much publicity in the UK is not absolute. The question in this ited manner and proportionately to press as giving employers the green case was whether Romania had struck the issues involved. light to read employees’ private the right balance between protecting If monitoring is to take place: emails. Is that correct and does this the right of Mr Barbulescu to privacy • Make sure that this is clearly stated case really change things? at work with that of his employer to in a policy that is brought to the Barbulescu was employed as an manage its resources effectively. attention of all affected employees. engineer in charge of sales. His The ECHR found against Mr Bar - The policy should state which employer had a strict policy of not bulescu in this regard. It noted that: communications may be moni - permitting private use by employees • the employer had a clear policy tored and in what circumstances. of its computer and telecommunica - regarding the private use of the This will set the expectations of tions systems. Barbulescu was asked employer’s telecommunications employees as to the circumstances by his employer to set up a yahoo systems; in which their communications Messenger account so that Barbulescu • it had not been unreasonable for may be monitored. could communicate with customers. the employer to want to verify that • Limit the number of individuals Sometime later, the employer noti - its employees were engaged on within your organisation who may fied Barbulescu that it had been moni - professional tasks during working undertake monitoring and set out toring his account and they believed hours; clear ground rules about the moni - that he had been using it for private • monitoring was the only effective toring that can take place which are communications. Barbulescu denied way of ensuring that telecommuni - consistent with company policy. this at which point his employer pre - cations were being used for work- • Ask yourself whether monitoring sented him with a 45-page transcript related purposes; is really required in a particular of all his yahoo Messenger communi - • when the employer accessed the situation. cations, including private communica - yahoo Messenger account, it did so • Act proportionately – if your tions with his fiancée and brother. Bar - in the belief that the account con - concern is, for example, the bulescu was dismissed for breaching tained only employment-related volume of private emails being the employer’s policy on personal use messages, this being the basis on sent, it is usually not necessary to of computer systems. which the account had been set up; read the contents of those emails to Barbulescu subsequently brought and establish the point. employment claims in the Romanian • the employer had not gone beyond courts alleging that his dismissal was examining the yahoo Messenger void since the employer had breached account to checking any other doc - his right to privacy by accessing his uments or data on his computer. private communications. He was Therefore, the employer’s moni - unsuccessful before the Romanian toring was limited in scope and pro - courts but his case was brought before portionate. the European Court of Human Rights. Mr Barbulescu’s argument was What does this mean foR employeRs in the that Romania had failed to protect uK? author properly his Article 8 right to respect Contrary to some of the more lurid for his private and family life, his headlines in the press, this case does Michael D. Smith is Counsel at Reed Smith LLP. home and correspondence. not give employers carte blanche to Email: [email protected] read their employees’ private emails. © Reed Smith LLP. the echR’ s decision In fact, it reiterates principles that The first key point made by the have long applied in the UK, namely ECHR was confirmation that Article that employees do have a right of pri - referenCes 8 is engaged to protect employees vacy at work but, notwithstanding 1 www.scribd.com/doc/295296174/ who use their employer’s telecommu - that, employers do have the right in Barbulescu-Romania nications systems for private limited circumstances to monitor

BARBULESCU Case: no reaL Change unDer uK Law Stewart Room, Partner at PWC states that controls and safeguards, and consider the public networks may be a criminal offence. the Barbulescu decision has not really ICO’s Employment Practices Code. However, interception on a private network is changed anything for the UK. However, consent is not needed. permitted if conducted by the systems He said that at the moment, the UK DP Act Under the Interception Regulation of the owner, and is conducted for a statutory means that organisations should notify Investigatory Powers Act 2000 (RIPA) and purpose. The employer has to warn employees and third parties of any Lawful Business Practice Regulations 2000, employees, but consent is not needed. monitoring, have a proper justification, apply which apply to interception, interception on Legitimate interest ground under

tThhe neew EGU DaDta PProteRction: RCeguhlatioan dnoegs noet p roavideh foer a alegidtima te interest exemption for public sector data processing. Dugie standeford looks at the implications. he EU General Data Protection public interest, she said. Lawfulness is normally not an Regulation (GDPR) may now Given that, it would seem evident issue in FOI, Cullen said; all the hun - be finalised, but questions that under the data protection regime, dreds of FOI cases fought over Tabout how it will work in practice are public bodies seeking to process per - through the years come down to the far from settled. One murky area con - sonal data would look either to the questions of whether disclosure is fair cerns whether public bodies can ever legal duty or public interest exception, to the data subject and whether it can rely on the legitimate interest excep - Jay said. The GDPR now explicitly be justified under Schedule 2 1, condi - tion to process personal data. removes the latter from consideration, tions relevant for purposes of the first “It’s a big question” because of the but the UK Information Rights Tribu - principle processing of any personal Freedom of Information (FOI) Act, nal over the years has held that when data. Condition 5 requires that the said Rosemary Jay, senior consultant public authorities seek to disclose data processing be necessary for the exer - attorney at Hunton & Williams. as a result of FOI requests, they must cise of functions conferred on an Unlike the Data Protection Directive, rely on legitimate interest rather than organisation by statute, but from early the GDPR expressly bars public legal duty, and balance the duty to dis - days, the justification for disclosures authorities from relying on a legiti - close with fairness to the data subject. by public authorities has always been mate interest when processing data “in This raises the question of how the Condition 6 (legitimate interests pur - the performance of their tasks.” The UK will deal with the GDPR legiti - sued by the data controller or by the regulation’s recitals note that, “Given mate interest exception in relation to third party to whom the data are dis - that it is for the legislator to provide FOI requests, Jay said. closed, except where the processing is by law for the legal basis for public unwarranted in any particular case by authorities to process personal data, “b usiness as usual ” reason or prejudice to the rights and that legal basis should not apply to the Under the current data protection freedoms or legitimate interests of the processing by public authorities in the regime, a public authority that is data subject). Although the tribunal performance of their tasks.” required to release personal data and the courts have applied Condition Public authorities have either legal under FOI should apply the data 6 for the past 10 years, there was always the argument that the appro - priate condition should have been The Regulation does not envisage scrapping Condition 5, Cullen said, because that the legitimate interests basis for is the condition intended for use by public authorities. Condition 6 is now essentially private activities of GDPR Article 6 (1) (f), which is not public authorities. available to public bodies processing personal data in the performance of their tasks. obligations (duties), such as emptying protection principles, said Amber - UK law in relation to public bodies bins, or discretionary powers to do hawk Training Limited Director Sue differs from that in most other EU things they’re not required to do, such Cullen, but in the context of FOI dis - Member States, Cullen said. Other as building flood defences, Jay said in closures it’s the first principle that countries have the concept of public an interview. Local authorities’ discre - counts – that the processing be fair bodies acting outside their public tionary powers have grown much and lawful – together with Schedule 2 tasks, something which would usually broader in order to ensure they are not and Schedule 3 in cases of sensitive be considered ultra vires in Britain and unduly constrained from acting in the personal data. therefore unlawful.

Public authorities were never Nothing is certain as yet, but that The Information Commissioner’s intended to use legitimate interests as a is at least one view,” Hopkins said. Office was, at the time of writing, processing justification and the under - The legitimate interests prohibi - “waiting for the final text before standing has always been that such tion should not be a problem for other making any detailed comments,” a entities should justify their processing activities of public bodies, Jay said. spokeswoman said. The office pub - under the “public functions” condi - Public authorities do carry out many lished a 14 March blog, and 12-step tion, said Cullen. Using legitimate activities on the borders of their guidance checklist to help organisa - interest under the GDPR would powers, such as fundraising, and often tions prepare for the new regime 2. breach that regulation but for the fact rely on the legitimate interest excep - One section of the guidance dis - that the UK has a carve-out for FOI tion, but they also worry when they cusses the legal bases for processing requests, she said. don’t have an explicit statutory obliga - personal data. It states in part: “Many The FOI “get out” provision tion, she noted. organisations will not have thought appears to be in Article 85 of the Reg - There is a question as to what about their legal basis for processing ulation, which addresses specific pro - extent public authorities can rely on personal data. Under the current law cessing situations, Cullen said. It other processing conditions in the this does not have many practical requires member states by law to “rec - absence of the legitimate interests pro - implications. However, this will be oncile the right to the protection of cessing condition, said Linklaters data different under the GDPR because personal data pursuant to this Regula - protection and technology lawyer some individuals’ rights will be modi - tion with the right to freedom of Peter Church. Art. 6 (1)(e) permits fied depending on your legal basis for expression and information, including processing “for the performance of a processing their personal data...” processing for journalistic purposes task carried out in the public interest “you will also have to explain and the purposes of academic, artistic or in the exercise of official authority your legal basis for processing per - or literary expression.” Cullen pre - vested in the controller.” But “this is sonal data in your privacy notice and dicted that the UK will use Art. 6 (1) pretty broad,” and leads to the ques - when you answer a subject access (f) (legitimate interests) for FOI dis - tion of how it ties into general English request. The legal bases in the GDPR closures the way it has always done. law public law concepts, he said. For are broadly the same as those in the For FOI requests, she said, the GDPR example, if a public authority acts DP Act so it should be possible to will be “business as usual.” beyond the scope of its official author - look at the various types of data pro - ity, are those actions ultra vires in any cessing you carry out and to identify many questions , feW ansWeRs event? Does that depend on the Eng - your legal basis for doing so. Again, For public authorities carrying out lish law concept of official authority you should document this in order to non-FOI activities, the picture matching with European concepts in help you comply with the GDPR’s appears unclear. the GDPR? ‘accountability’ requirements.” Local authorities do have some Art. 6 (1)(c) permits processing for wide-ranging powers, but when they compliance with a legal obligation, act, they do so for the purposes of Church said. The government could their functions and technically should pass “a whole raft of new laws to pro - not be using the legitimate interest vide a processing condition for public exception, said Chris Pounder, Direc - authorities,” but do such bodies need a tor at Amberhawk Training Limited. new law every time they want to do Public bodies should identify where something new? they use the balance of interest The second question arising from approach, he said. the legitimate interest prohibition is But 11KBW Barrister, Robin Hop - who is a public authority, said Church. kins, whose practice includes public The term as defined in recital 121 a and local government law as well as refers to bodies subject to the PSI data protection, said it is likely that the Directive 2003/98/EC, but might it be author Regulation “does not envisage scrap - broader in other cases, including for ping the legitimate interests basis for example some bodies “at the fringes, Dugie Standeford is a PL&B Correspondent essentially private activities of public such as utility companies or sub - authorities. The rationale appears to be sidiaries of public authorities?” Some that public functions and interests are public bodies spin off their commer - referenCes set out in statute, so no additional inter - cial activities into a separate operating 1 www.legislation.gov.uk/ukpga/ ests need to be catered for. But where company, he said. If that operating 1998/29/schedule/2 that does not apply, i.e. where the company loses the benefit of the legiti - 2 https://iconewsblog.wordpress.com/ public authority is lawfully pursuing mate interests conditions, “that could 2016/03/14/a-data-dozen-to-prepare- activities that are not fully governed by be awkward.” for-reform , and 12-step guide at statute, it seems to me to be likely that “As with most issues on the https:/dpreformdotorgdtuk.files.wordp ress.com/2016/03/preparing-for-the- they could still rely on the legitimate GDPR, [there are] lots of questions gdpr-12-steps.pdf interests basis for processing.” but not many answers,” Church said.

Member States’ derogations undermine the GDPR william Long and francesca Blythe explain what organisations have to look out for. he EU’s General Data Protec - ensure fair and lawful processing in if permitted under EU Member State tion Regulation (GDPR) was relation to: national law, requires the consent from adopted by the European 1. where the processing is necessary the child’s parent or legal guardian. T Parliament on 14 April 2016. The final for compliance with a legal This derogation, allowing different age step for formal adoption was publica - obligation (Article 6(1)(c)); or requirements across EU Member tion of the GDPR in the Official Jour - 2. where the processing is necessary States, could pose considerable chal - nal of the EU on 4 May which means for the performance of a task car - lenges for businesses which offer that the starting date for the two-year ried out in the public interest ecommerce or social media services, as implementation period will be 24 May (Article 6(1)(e)). the age at which a person is considered 2016. Companies and data protection As under the Directive, an addi - a child is unlikely to be consistent. We authorities (DPAs) will then have just tional legal condition such as, explicit understand, for example, that the UK 24 months from this date to implement consent, must be satisfied when pro - has indicated it will be lowering the age the new requirements under the cessing sensitive personal data, such as limit to 13 years. GDPR. data on health, trade union member - The GDPR is intended to create a ship and ethnicity. However, Article fines and sanctions single harmonised data protection law 9(2)(a) of the GDPR states that even if a The powers afforded to DPAs are sig - across the EU. However, in the text data subject explicitly consents, nificant including powers to suspend adopted by the Parliament, there are Member State law may still prohibit the data transfers to recipients in non-EU approximately 30 instances where processing of sensitive personal data countries and impose temporary or Member States have been given the despite consent. In addition, pursuant permanent bans on the processing of ability to legislate at a national level. to Article 9(4) in relation to the pro - personal data. Pursuant to Article This will result in national law differ - cessing of genetic data, biometric data 58(6), Member States are also able to ences in Member States and mean that or health data, Member States may create laws that grant additional “cor - businesses – even after the GDPR introduce further conditions, including rective” powers to their DPAs over becomes law in 2018 – will still need to limitations, on how such data can be and above those explicitly granted to consider data protection laws in differ - processed. DPAs under the GDPR. ent parts of the European Union. While The GDPR also limits the way in DPAs also have the power to some DPAs will probably take a strict which personal data relating to criminal impose fines for non-compliance of up approach, the UK’s Information Com - convictions and offences are processed. to the greater of 4% of annual world - missioner is likely to be more commer - Such personal data may be processed wide turnover or €20 million. Article cial in its approach and implement only under the control of an official 84(2) permits Member States to impose derogations which will likely assist authority (e.g. the police), or where their own rules on the penalties appli - businesses in their compliance with the authorised under Member State law. In cable to infringements of the GDPR. GDPR. Summarised below are some of both instances, appropriate safeguards These derogations will certainly lead to the key provisions in the GDPR which to protect the rights and freedoms of variations in enforcement powers for contain national law derogations. data subjects must be in place. different DPAs and inconsistent appli - These provisions mean that compa - cation of fines in different Member legal gRounds foR nies processing sensitive personal data, States as currently exists under the pRocessing for example, those in financial services Directive. In order to process personal data law - and healthcare sectors, will need to fully the processing must be based on continue to check the position in each accountability one or more of the conditions set out relevant Member State. Core to the GDPR are the enhanced in Article 6(1) of the GDPR. The con - accountability principles which require ditions specified are largely the same as childRen ’s data businesses to adopt and implement those in the current EU Data Protec - The GDPR further introduces specific policies and procedures to demonstrate tion Directive 95/46/EC (Directive) requirements for the processing of the compliance with the data protection and include, for example, where the personal data of a child. The GDPR requirements. This in part demon - processing is based on the legitimate requires that such processing in rela - strates the shift away from the more interests of the controller. However, tion to the offering of information bureaucratic approach to compliance Article 6(2) of the GDPR permits society services (e.g. through a website adopted under the Directive. For Member States to introduce additional or social media platform) directly to example, the removal of the require - requirements or specifications to children under 16 years old, or 13 years ment to notify DPAs of processing

activities other than in limited circum - different EU Member States. inteRnational data stances (e.g. where required by Mem - tRansfeRs ber State law in relation to processing data subJect Rights The GDPR maintains the current by a controller for the performance of The GDPR introduces a number of restrictions under the Directive on a task carried out in the public new rights for data subjects which are transfers of personal data from the EU interest). subject to a blanket derogation in to a third country not deemed to have A key way to demonstrate accounta - Article 23(1) which permits Member adequate levels of protection by the bility is the requirement for controllers State law to restrict the scope of these Commission. However, pursuant to to carry out data protection impact rights where such a restriction is “nec - Article 49(5), in the absence of an ade - assessments where new technologies are essary and proportionate in a demo - quacy decision, Member State law may, being used or where processing may cratic society”. Such a broad general for important reasons of public inter - pose high risks to individuals. In addi - derogation and further specific dero - est, set limits to the transfer of specific tion, pursuant to Article 35(1) proces - gations for specific rights as described categories of personal data to a third sors may be required to carry out such below, will lead to uncertainty as to country or international organisation, assessments prior to conducting their how these rights will be applied across providing the Member State notifies processing activities, if required to do so the EU. such provisions to the Commission. by Member State law, even where a data One of the more talked about new Once again, such national law limits protection impact assessment has rights is the statutory right for data and derogations on international trans - already been undertaken by a controller. subjects to have their personal data fers will require international compa - Controllers and processors are also erased without undue delay where, for nies to continue to check the national required to appoint a data protection example, the consent for the processing law position in different Member officer (DPO) if they are engaged in: is withdrawn and there is no other legal States. 1. the regular or systematic monitoring basis for the processing, or, in order to of data subjects on a large scale; comply with a legal obligation in a fuRtheR deRogations 2. the processing of sensitive personal Member State law to which the con - Chapter IX of the GDPR sets out data on a large scale; or troller is subject. However, the right to requirements for specific processing 3. the processing is carried out by a erasure will not apply where the pro - situations including, for example, in public authority. In addition, impor - cessing is necessary to comply with a relation to employee data (which will tantly a DPO may also be required legal obligation in that Member State. impact nearly all companies) and pro - pursuant to Article 37(4) if mandat - Article 14 sets out the information cessing for scientific research purpos - ed under national Member State law. to be provided to data subjects where es (which will impact companies in So again in relation to the core con - the personal data have been obtained the life sciences industry). In each of cept of accountability the principle of a other than from the data subject. These these situations as described further harmonised EU data protection law information requirements are much below, the GDPR provides that under the GDPR appears somewhat more extensive than under the Direc - Member States can provide specific undermined by national law tive and should be provided within one exemptions, derogations, conditions derogations . month of the receipt of the data, at the or rules for the processing of these time of communication with the data types of data, giving Member States pRocessoRs subject or when the data is first dis - more control over the way in which Under the GDPR, processors will, for closed to a third party. However, this such data is processed and further the first time, have specific statutory information does not need to be pro - undermining the principle of a single, obligations that they must comply vided where, for example, it is a harmonised EU data protection law. with when processing personal data. Member State legal requirement to Article 88 sets out the provisions These include a requirement only to obtain or disclose such data or the data in relation to processing in the process personal data on the instruc - must remain confidential pursuant to employment context. Member States tions of the controller, unless required an obligation of secrecy regulated by can implement (either by law or by under Member State law, in which case Member State law. collective agreements) specific rules in the processor must inform the con - The GDPR also introduces new respect of the processing of employ - troller of these legal requirements in restrictions in respect of profiling, with ees’ personal data for all key purposes advance. A further derogation specific data subjects having a right not to be from recruitment through to termina - to processors provides that where the subject to a decision based solely on tion of the employment relationship. controller requests the deletion of data automated processing, including pro - Member States must notify the Com - at the end of the provision of services, filing, which produces legal effects or mission of any such specific laws this is subject to where the processor is similarly significantly affects him or established pursuant to Article 88 required to store the data pursuant to her. This right is subject to a limited without delay and at least by 2020. Member State law. number of exemptions including, for Any subsequent amendment affecting So companies that act as data example, where the processing is such laws must also be notified. The processors, such as cloud providers, authorised by EU or national Member derogations in this Article 88 mean will also need to continue to be aware State law to which the controller is that employers of multi-national of national law requirements in subject (Article 22 (2)(b)) . companies will likely need to comply

with a myriad of inconsistent employ - legislative restrictions in respect of the reduce the cost of the administrative ment laws impacting the use of data protection principles and the data burden resulting from legal fragmen - employee data across Europe. subject rights provided that any such tation. However, the large number of Article 89(2) provides that where restriction “respects the essence of the derogations and their potential broad personal data are processed for statis - fundamental rights and freedoms and scope is likely to result in many inter - tical, scientific or historical research is a necessary and proportionate national companies having to contin - purposes, Member States may provide measure in a democratic society...” ue to deal with national data protec - derogations from certain data subject The measure must safeguard one of a tion law variations across numerous rights (including, the rights to access, limited number of factors including, Member States to ensure compliance rectification, restriction and objec - for example: with the varying EU data protection tion) where such rights are “likely to 4. national security; requirements. render impossible or seriously impair 5. the prevention, investigation or the achievement of the specific pur - detection of crime; or poses” and the derogation is necessary 6. the protection of the data subject to meet those requirements. For com - or the rights and freedoms of panies in the life sciences industry this others. Article may cause concern where, for example a company is running a clini - conclusion cal trial across multiple Member In conclusion, the numerous deroga - States and the position as to compli - tions that exist in the GDPR under - authors ance with these data subject rights mine the core principle of the may vary. GDPR – to create a single EU-wide William Long is a Partner and Francesca Additional broad derogations are law on data protection to increase Blythe an Associate at Sidley Austin LLP. Emails: [email protected] set out in Article 23(1) which permits legal certainty for all stakeholders. [email protected] Member States to implement The GDPR was also intended to

Government active in fighting cyber crime Government digital services are more Incident Response schemes which Officer or Head of Security, while less secure than ever, the government says. enable organisations to gain access to than a quarter (24%) of companies “We are building in security-by-design incident response services tailored to based their cyber risk discussion on and taking robust action against their specific needs. 31 incidents have comprehensive or robust management attempts at online fraud.” already been tackled under the information,” the government says in The government says that the UK schemes, the government says. its annual report on cyber security. will substantially increase its invest - 88% of companies now actively ment to £1.9 billion to fight cyber consider cyber security as a business crime. To support organisations which risk. “But businesses could do more to may have been the victim of a cyber deepen their understanding of the • See the annual report on cyber security attack, GCHQ and CPNI (UK’s threat: less than a third (30%) of boards strategy www.gov.uk/government/ Centre for the Protection of National received high level cyber security intel - publications/the-uk-cyber-security- Infrastructure) have established Cyber ligence from their Chief Information strategy-2011-2016-annual-report .

Blacklisted workers win compensation from big construction firms Around 700 workers who were black - The construction firms had been to an ICO investigation, and fined listed in the construction industry have checking employees against the black - £5,000 for a data protection offence. secured damages ranging from £25,000 list before they were hired. The per - to £200,000 per claimant in out of court sonal data collected included details of • For background information, see settlements, the Guardian reports. The trade union membership and activities PL&B enews from 2009 www.privacy - total payout could be as high as £75m. and employment history. The informa - laws.com/Publications/enews/UK-E- Allegedly a number of companies have tion was often incorrect and employers news/Dates/2009/8/PLB-UK-E-news- also apologised to the workers for the were denied employment without any Issue-93/ anxiety and stress they caused. reason. See www.theguardian.com/business/ The blacklisting was revealed by a The blacklist was kept by the Con - 2016/apr/29/blacklisted-workers- whistle-blower in 2006. sulting Association, which was subject secure-compensation-construction-firms

Royal Mail becomes certified

oThen uselri-cnenetric priodgraemmne betnietfitys fr opm hravoingv priivadcy ebuirlt in from the start. Laura Linkomies finds out how Royal Mail prepared for its role as an identity provider. he government has now million UK addresses and thus has ceRtification pRocess appointed eight certified exter - expertise in how to deal with complex tScheme is an independent, non-profit nal identity providers, including data, and manage a secure redirection making, industry-led body set up to TRoyal Mail, who make it easier and service. Citizens can now interact with approve identity services. tScheme more convenient for individuals to the government in the way that is con - requires all certified companies to meet access public services. It takes only 10 venient for them. Trust is the key.” a number of requirements – which minutes to verify identity online using Royal Mail is the lead in consortia include the security standard GOv.UK verify. An individual’s iden - where Royal Mail is the Identity ISO27001. McCartney said that they tity is verified by a certified company Provider and uses two technology part - cannot reveal details of the security each time he or she wants to access a ners to provide different parts of the policy or type of encryption used, but service. Individuals may choose one process – the GB Group for the verifi - Royal Mail is meeting more than the certified company, or use several. The cation process and Avoco for access. It baseline industry standard. system, which is free of charge, does received the certification as identity McCartney: “We are constantly not create a centralised database, but is provider mid-March, and the take-up measured against our performance as based on data matching and user-cen - has been good. So far, half a million part of the tScheme certification – I am tric identity management. user identities have been verified not aware of any plans for an audit just Stephen McCartney, Director of through GOv.UK verify 1. yet. But it was an absolute requirement Information Governance and DPO at There are currently seven other cer - to conduct a Privacy Impact Assess - the Royal Mail Group told PL&B that tified companies; Barclays, Citizen - ment (PIA) for becoming a certified the system strictly limits the amount of Safe, Digidentity, Experian, Post provider. The PIA has not been made information that is collected, and its Office, SecureIdentity and verizon. public because it focuses on security use. Royal Mail is not allowed to use Before they could join GOv.UK and our security protections. When we the data for its own purposes – so what verify, they needed to go through receive information from individuals to was the motivation to join the scheme? formal processes with the Cabinet identify them, we only keep a certain “It is part of Royal Mail’s continu - Office. The government required the proportion of that information. We ing development on how we have pro - companies to meet industry standards cannot use it for any other purpose tected individuals’ privacy and confi - for information security, and to be cer - than identity assurance, and audit. So dentiality for the last 500 years. The tified by an independent body (such as the PIA as such was therefore quite mail service was set up to be a secure tScheme) to confirm that they meet limited in scope.” communications channel and again government standards for identity The government requires certified today we have a responsibility to pro - assurance, are compliant with the companies to be clear and transparent tect privacy, security and integrity of requirements in their contracts with about how they process personal data submitted during the identification process. The companies’ privacy poli - “We are constantly measured against cies must comply with relevant legisla - tion and regulations in their sector. our performance as part of the McCartney said that Royal Mail did tScheme certification.” not, however, have to make any changes to its privacy programme – the privacy statement for Royal Mail is the universal service we provide. How - the Cabinet Office, and are compliant very specific for the activities of Royal ever, we are witnessing a move to a with data protection law. Mail as a whole. The information col - more digitally enabled environment The nine services currently avail - lected under the identity assurance and Royal Mail also provides services able for access on GOv.UK verify scheme will never fall under Royal in that environment. So it is a natural platform range from getting a pension Mail’s privacy policy because it is used evolution,” McCartney said. statement or filing a tax return to view - purely for the purposes of processing Jim Conning, Managing Director of ing your driver’s licence information. It the ID validation. Royal Mail Data Services added: “This is expected that another 15 services – enables much easier interaction such as a possibility to view health identity checKing pRocess between the citizen and government. records or sign mortgage deeds – will When an individual seeks to have their Royal Mail currently delivers to 29 be added in the next 18 months. identity verified online, the platform

will request users to first provide thiRd paRty access and McCartney said that there have basic personal details. Each provider dispute Resolution been very few privacy challenges with has a slightly different set of require - If individuals have complaints during this programme. The past government ments. In order to use Royal Mail the process, they can raise the issue policy on ID was very different – Identity verification an individual online at the time of the verification GOv.UK verify benefits from user- will need: A UK driving licence or process. centric identity management, which UK passport (ideally both), and bank Conning: “If someone has a general means that the user is able to control account or credit card details (ideally data protection complaint they would their identity and have choice between both). After these basic questions, the go to the ICO. Other issues to do with the identity providers. programme asks individual additional the verification process can be sorted in “When we did the PIA it was evi - security questions about statements, real time online. Our call centres have a dent that there was so little scope for online accounts, mortgage payments, process geared up to helping individu - the identity providers to use the data in or utilities/mobile phone contracts. als. We are responsible in helping them other ways as the scheme has been McCartney: “you will perhaps be through the process but ultimately designed so comprehensively around asked questions about your current their issue would be resolved by the the individual. The area where we credit or similar that verifies your government department in question.” needed to do some work was the secu - identity. There is no credit reference McCartney: “Third-party access is rity architecture. The government check involved and the process does allowed only in exceptional circum - stated what standard was needed and not affect the credit score.” stances and with parliament’s approval. we worked towards that so it was a The data is matched with authori - We would need to have a basis in statu - fairly simple process.” ties such as the DvLA but with the tory law for any third party to access full knowledge of the individual. If the information that we hold. I can futuRe pRospects : p Rivate the information given matches suc - only see that happening in circum - sectoR and nhs taKe -up ? cessfully with the agencies in ques - stances where a crime is suspected and No legislative changes were needed to tion, users will be given a unique there is evidence – but these are really run this programme but the EU Gener - online identity. limited circumstances. We do not pro - al Data Protection Regulation (GDPR) McCartney: “The data that we use vide any access to the data we hold.” will soon set a new data protection for data matching is retained for a standard in the UK. However, maximum of 180 days as required by pRivacy has been built in McCartney thinks that the system has auditing standards. We retain the GOv.UK verify is a replacement for been designed so that it goes beyond information of the applicant’s actual the unpopular ID card scheme. The compliance with the current UK Data identity for as long as 30 days if data is Privacy and Consumer Advocacy Protection Act. not successfully matched, and we then Group 2, set up by the Cabinet Office “We will not have to change very delete it.” in 2011 specifically to advise on identi - much to fit in with the GDPR. People Conning explained that the gov - ty assurance, defined the standards of choose the provider, and can stop pro - ernment does not know which iden - the programme. Participants include cessing any time – individual rights are tity provider is verifying the identity representatives from No2ID and Big very much at the core of the pro - of an individual, and Royal Mail does Brother Watch, consumer champions gramme. Looking at the GDPR, I not know which government depart - like Which? and leading academics struggle to see how this programme ment has access to the information – from the LSE, UCL and the Oxford would fall behind the new law.” the citizen is in charge. There is full Internet Institute. Some of these peo - The GDPR will introduce the con - transparency and individual control. ple were previously opposed to the ID cept of data portability – individuals Individuals can use any identity scheme, McCartney said. can transfer all of their data to another provider, or indeed the existing “It has been a joy, as a privacy pro - provider. “In this programme, you government gateway. fessional, to work on a project that has would just provide the same data again. The government information on been designed so well in terms of pri - Individuals can easily choose another GOv.UK verify says that the Identity vacy. For example, PIA was built into identity provider. We do not have to Provider (IDP) Picker Service asks the the design of the whole programme.” worry about implementing this user a few simple questions to recom - “I have been working in privacy for provision as it is already there.” mend the most appropriate identity 15 years and during that time govern - McCartney said that while there providers for their needs. ment policy has grown with the growth may not have been a conscious choice The service does not gather suffi - of the digital environment. The govern - to fit in with the GDPR and future cient information to identify the user, ment departments that are now driving proof against it, choosing a very high nor is that information retained in a this user-centric model are the same standard of user-centric identity man - form that could be used to render it that were behind the national identity agement has effectively ensured that identifiable at a later date. The infor - scheme. The government’s understand - this is the case. mation is dropped one hour after the ing of the digital marketplace has As to the future of online identity session, but aggregated results are grown, people are digital natives and verification, the government says that used in anonymous form for user the digital market works a bit there are some plans to extend the pro - experience analysis. differently.” gramme to the private sector; it is

working with industry to consider the information referenCes practicalities of private sector re-use. In the first instance, it is planned to extend www.royalmail.com/personal/identity- 1 As of 22 April – information from the the programme to the NHS. The Cabi - verification/faqs Cabinet Office. Performance data is https://gds.blog.gov.uk/2014/01/23/what- published at www.gov.uk/ net Office is currently working with is-identity-assurance/ performance/govuk-verify/total- the Liverpool Clinical Commissioning www.gov.uk/government/publications/intr authentications Group to understand how GOv.UK oducing-govuk-verify/introducing-govuk- 2 www.gov.uk/government/uploads/ verify could meet their needs. “We are verify system/uploads/attachment_data/file/ not at the stage of reporting outcomes 448101/IDA_Privacy_and_Consumer _Advisory_Group_-_ToR_PDF.pdf yet,” the Cabinet Office said.

PrivaCy anD Consumer aDvoCaCy grouP Continues its worK

Jerry Fishenden, Chair of the Privacy and services becoming increasingly digital, (PCAG) has a wider remit than purely Consumer Advocacy Group provided an fraud will increase not decrease. identity assurance. The Minister for the insight into GOV.UK Verify and an update Cabinet Office (MCO) tasked it with of the group’s work: PL&B : Do you think the identity advising the government on how to assurance principles address all provide users with a simple, trusted and PL&B : there seems to have been a relevant privacy issues relating to this secure means of accessing public huge change in the government’s programme? services. The group’s overall remit is to approach to privacy in identity Fishenden: The principles relate ensure best practice in identity, privacy, assurance. why do you think that is? specifically to aspects of privacy security and technology to protect Fishenden: I think a lot was learned associated with the identity assurance citizens’ interests, with a particular focus from the experience of trying to impose programme, which is only a subset of on ensuring data and personal a flawed national identity card and its overall privacy issues. The principles are information, and the technology used to associated honeypot register based on also intended to evolve and improve as manage it, is well designed, engineered simplistic ideas from the 1940s. On the the programme develops rather than be and implemented. For example, the back of this, there was a recognition of chiselled in stone for all time. The nine group will be calling in the ‘Better use of the need to regain and improve trust principles “assume that an Identity data’ proposals for review 1. with the general public, and to apply Assurance Service is mature and well better computer security engineering. established”, which is clearly not yet the PL&B : Can you comment on the With the increase in cyber-crime and case. The principles also explicitly relationship between gov.uK verify online fraud, there has been a growing acknowledge that “in the early stages of its and the investigatory Powers Bill – is recognition of the need to better secure development there may well be a phasing- there a clash with the Bill’s personal data, including the in period in relation to each Principle, or requirement on data retention? government commitment to place that in some cases a Principle might need Fishenden: The IP Bill contains citizen data under citizen control. a degree of initial flexibility”. numerous areas of concern. The Group Ensuring online, trusted identities is a is currently discussing its response. precursor to being able to deliver any PL&B : as the scheme is up and secure, trusted services online – if not running, what is the role of the Privacy 1 www.gov.uk/government/groups/ well designed, the move to digital public and Consumer advocacy group now? privacy-and-consumer-advisory- services will fail. Fishenden: The group will continue to group and https:// Worse, if our personal data and identity- monitor and review the operation of identityassurance.blog.gov.uk/ related data is not better protected and Verify as it develops. However, the 2015/09/11/gov-uk-verify-identity- continues to be shared around as Privacy and Consumer Advisory Group assurance-principles/

High Court decides on ‘abuse’ of SAR process A High Court case, Gurieva & Anor v against the claimants. The defendant, privilege, but it has not been proved Community Safety Development (UK) Community Safety Development that all of it is so protected. The reason Ltd [2016] EWHC 643 (QB) of 6 April (CSD), argued that the SAR repre - for that is that CSD has not carried out 2016, shows some emerging trends in sented a misuse of the information the necessary analysis. I am not satis - subject access litigation. The judge said rights conferred by the DP Act. fied that enforcement would be dispro - “I have difficulty with the notion that The judge ruled that the claimants’ portionate, or that the SAR or these the use of a SAR for the purpose of SAR is and was valid. “There was never proceedings represent an abuse of the obtaining early access to information any proper basis for questioning its claimant’s rights or an abuse of process. that might otherwise be obtained via validity. CSD’s failure to disclose any It would be wrong for me to carry out disclosure in pending or contemplated personal data at all represents a breach the analysis in place of CSD. There is litigation is inherently improper.” of the claimants’ rights. The personal no good reason not to exercise my dis - The claimants allegedly used the data held by CSD that relates to the cretion in favour of enforcing the Data Protection Act to gain an illegiti - claimants may include some that is pro - duties imposed by the Act.” mate procedural advantage in criminal tected by the crime exemption, and • See www.bailii.org/ew/cases/EWHC/ proceedings which have been brought some that is protected by litigation QB/2016/643.html

Data Protection in the new world of Artificial Intelligence Artificial Intelligence may pose new challenges that do not fit in under the EU Data Protection Regulation. nicola fulford and gemma Lockyer explore the issues. quick online search of “what is intelligence and should be classed as an the processing is necessary? Similarly, AI?” does not provide you “individual”, and therefore a data sub - without understanding the processing with an easy answer and this is ject, would we be able to go as far as to and what the privacy implications may Abecause artificial intelligence can have describe it as living? And, perhaps be, how can that balance be understood different meanings to different people. more importantly, should we? Given and documented? For our purposes, it is a computer the new definition under the EU Gen - system which is able to perform tasks eral Data Protection Regulation impact of the gdpR which would normally require human (GDPR) changes this to a “natural The current EU data protection regime intelligence. person”, that does not seem to be the is due to be replaced by the GDPR. To date, as lawyers, we have needed direction of travel. There are several key changes in the to deal with computers and machines GDPR which will affect those working which are capable of numerous and pRocessing data using within the sphere of AI. speedy computations and calculations – a Rtificial intelligence The first is the requirement to but these actions have all been gov - A much more real concern for busi - implement Privacy by Design and by erned by the direction of the program - nesses is the use of AI in the processing default. Businesses will be required to mer. Artificial intelligence, on the other of personal data. Processing is very take data protection requirements into hand, is the machine intelligently broadly defined and includes “obtain - account from the inception of any new thinking, learning and making deci - ing, recording or holding information technology that involves the processing sions and actions based on this thought or data or carrying out any operation of personal data. An AI works because and knowledge. From a legal perspec - or set of operations on the information of its ability to process large volumes of tive this phenomenon challenges many or data”. The first data protection prin - data and quickly. IBM’s Watson –a key legal concepts and means that we ciple, which requires fair and lawful computer capable of answering ques - need to address how we apply core processing, is often met through the tions framed in natural language thanks principles of personality and liability use of consent. The individual will to the vast database of information it onto something the law is not yet ready consent to the processing of their per - has access to – is an example of this. If to deal with. sonal data and this will enable the pro - the AI is given access to personal data cessing to be fair. as part of that database, then the AI will could an ai be a data How can we obtain informed con - be processing personal data and data subJect ? sent when the processing of the data is protection requirements will need to be A data subject is defined as any indi - no longer a predictable response to a set taken into account as part of its design. vidual who is the subject of personal of pre-defined instructions given to a This may not always be possible when data. Typically we think of data sub - computer programme by a programmer the machine itself is evolving as it jects as employees, contractors, cus - but is now the result of an autonomous thinks and learns for itself. tomers or individuals on a marketing machine which is learning and thinking Thanks to the increased computing database etc. A limited liability compa - for itself? The programmer no longer power of AI it may be possible that ny is not a data subject for the purpos - knows what the next processing opera - data which might previously not have es of the Data Protection Act 1998 (the tion might be because that is a decision been considered personal data, because DP Act) and neither is a computer sys - taken by the AI. Consent is not manda - from the data alone you could not iden - tem. An AI is capable of performing tory in the UK for the processing of tify a living individual, might become tasks which would normally require personal data, although it is often the personal data because the AI has access human intelligence and so could it be easiest way to justify the processing. to other information which, when argued that an AI should be given Without consent the data controller will processed together with that data, some of the same protections given to (generally) need to show that the pro - could be used to identify a living indi - humans? cessing is necessary for a contract or is vidual. This potentially increases the The current DP Act’s definitions for legitimate reasons, provided these scope of personal data which might be means that there is not going to be any reasons are not outweighed by the pri - available relating to a data subject. personal data recorded in relation to an vacy implications for the individuals The GDPR also restricts profiling AI data subject because personal data concerned. However, given that we which is the automated processing of relates to “a living individual” who can don’t know exactly what processing the personal data and the use of personal be identified from the data. Even if we AI might undertake in relation to the data to evaluate certain personal aspects can acknowledge that an AI has human data it is given, how can we know that relating to a natural person, for

example analysing or predicting aRe We Ready ? whether the AI is capable of being a aspects concerning a natural person’s Artificial Intelligence is a reality and data controller itself, making its own economic situation or personal prefer - with “big data” becoming “bigger decisions in relation to the processing ences. Pursuant to Article 14(1) of the data” all the time, is the legal data pro - of the data, or how we might impose GDPR, data subjects have a right not tection landscape ready for AI any liability on the AI for anything it necessarily to avoid profiling itself, machines? The emphasis, we believe is did in breach of the DP Act or the but rather to avoid being “subject to a going to be on ensuring the data con - GDPR. Given the power of the tech - decision based solely on automated trollers are able to build in parameters nology, this is a field likely to see an processing, including profiling, which around privacy into the AI, and also in emphasis on ethics as well as law. produces legal effects concerning him trying to obtain the necessary consents or her or similarly significantly affects before transferring data to an AI. Con - him or her.” Recital 58 provides as sent can be tricky today, but with the examples the “automatic refusal of an GDPR, consent will become even on-line credit application or e-recruit - harder to obtain. authors ing practices without any human inter - As with other new technologies, the Nicola Fulford is Data Protection Partner vention”. Consent to this profiling will law inevitably plays catch-up and AI and Gemma Lockyer is Commercial need to be obtained and this will need will surely throw up new situations Technology Associate at Kemp Little LLP. to be considered well in advance of that do not “fit” what was in contem - Emails: [email protected] [email protected] implementing these kinds of AI. plation for the GDPR. For example,

Degradation of privacy standards could be deemed abuse under competition law The UK Parliament’s European Union tion will apply to them and will be European Union’s Internal Market Committee, in its report issued on 20 enforced, and prepare to make the nec - Sub-Committee, that the existing e- April – titled “Online Platforms and essary adaptations, the committee says. Privacy Directive focused “more on the Digital Single Market, (HL Paper The new data portability provision will standard telecom providers and elec - 129 – says that online platforms are a be a significant change. It could pro - tronic communication services”, and prime example of tension between DP mote quality-based competition and was hard to apply to platforms. The and competition law. The House of innovation by making it easier for con - ICO said the extent to which the e-Pri - Lords committee stresses that domi - sumers to switch platforms. vacy and Data Protection Directive nant online platforms could poten - The EU Committee is concerned applied to online platforms had “been tially abuse their market position by that the principle of data portability in a contentious issue for many years and degrading privacy standards and the GDPR may unravel in practice. “If some online platform providers have increasing the volume of data collected applied too rigidly, it could place oner - argued that they are only processing from their users. If one provider has ous obligations on emerging busi - ‘pseudonymous personal data’—and multiple sources of user data, it may nesses; however, unless it is more should be subject to light touch regula - prove to have an unmatchable advan - clearly defined, it is unlikely that it will tion.” However, the ICO considered tage over individual online platforms, be implemented by many online “that search engines are data con - making it difficult for rival platforms platforms.” trollers and are processing personal to compete. The EU Committee urges the EU data when, for example, they deliver The committee criticises large Commission to publish guidelines name-based search results.” The ICO online companies for not fully explain - explaining how data portability agreed that “passively-collected infor - ing to consumers how their personal requirements apply to different types mation can identify data subjects”. data may be used. As a result, trust in of online platforms. The EU Commis - how online platforms collect and use sion, the UK government, regulators • European Data Protection Supervisor, consumers’ data is worryingly low and and industry should use the following Giovanni Buttarelli, will speak about there is little incentive for online plat - two years - the time before the Regula - “How data protection rules should be forms to compete on privacy stan - tion enters fully into force - to ensure enforced in tandem with competition dards, the Lords say. “We believe this that its terms are well understood and and consumer policy” at Great Expecta - presents a barrier to future growth of effectively implemented. tions, the Privacy Laws & Business 29th the digital economy. Online platforms In addition to the GDPR, the EU Annual International Conference, 4-6 must be more effective in explaining e-Privacy Directive will be relevant. July 2016. See www.privacylaws.com/ the terms of such agreements to The European Data Protection Super - annualconference . consumers.” visor, Giovanni Buttarelli said on 9 See the Lords report at www. Online platforms must accept that November 2015, when providing evi - publications.parliament.uk/pa/ld20151 the new EU Data Protection Regula - dence to the Select Committee on the 6/ldselect/ldeucom/129/12902.htm

How Transport for London

pWithr aoroutned 4 cbilltiosn jo ucrneuys pser tyeoar,m 26 meilliorn Opysterr icavrdsa in cusey, a nd 21,000 CCTV cameras, Transport for London (TfL) has to sustain public trust during 31 million daily journeys. stewart Dresner finds out how TfL’s privacy and transparency processes work. fL is in charge of London’s buses, tfl’ s Website as the pRimaRy • TfL will be open and transparent Underground trains, Over - communication medium about how personal information is ground trains, the Docklands James Newman explained that process - used, requiring customers to opt-in TLight Railway, Tramlink, River piers, ing standard subject access requests is to receive marketing communications main roads, traffic signals and the cable managed by providing on TfL’s website • any actual or suspected incident car across the River Thames. James clearly written and designed subject involving the loss, theft, unautho - Newman, TfL’s Privacy and Data Pro - access forms to help requesters submit rised disclosure, accidental destruc - tection Manager told PL&B in an inter - the information needed to speed the tion, or other compromise of per - view that the scope of personal data response process. sonal information should be processed by the organisation is In a model of layered privacy reported to [the] Cyber Security and immense. It includes: notices, there is a substantial section of Incident Response Team. 1. 26 million Oyster cards used per the TfL website on Privacy & Cookies 1 Newman explained “Customers year of which 4 million are “regis - which currently has 16 sub-sections, for place a huge amount of trust in TfL tered” cards example, on access your data, CCTv, when they provide us with their per - 2. 8 million contacts in TfL’s cus - contactless payment, Oyster Card, and sonal information, so it’s really impor - tomer database, including 4.5 mil - Santander Cycles, the bicycle hire tant for all of us to treat it with respect lion e-mail addresses – 300 million scheme. Each of them opens to reveal and comply with our own policy as well service information emails were several sub-sections, all written in plain as privacy and data protection sent in 2015 language and in short sections so anyone legislation.” 3. 1.7 million active Congestion can find their way to the information Charge/Low Emission Zone they want – see the Santander Cycles pRioRity aReas customer records box ( p.19 ). Newman has selected several priority 4. 200,000 registered Santander When there have been updates, there areas. While the EU General Data Pro - Cycles customers is a statement, such as “A number of tection Regulation and the companion 5. 100,000 licensed taxi/private hire updates to the policy were approved by EU Directive on police and criminal drivers the Commissioner and TfL Executive justice now demand attention, TfL has 6. 47,000 registered Dial-a-Ride users Committee on 17 March 2016” but already adopted some of their 7. Images from 21,000 CCTv cam - there is no indication what has provisions. eras changed. 2 However, Newman explained For example, there was a two month 8. Data from 1,400 Automated Num - to PL&B examples of these changes: exercise conducting a Privacy Impact ber Plate Recognition (ANPR) • ‘Privacy Impact Assessments’ must Assessment (PIA) on body worn CCTv cameras directed at vehicles be carried out as part of the develop - which is used by Revenue Control 9. Mobile device WiFi and Bluetooth ment of any new business process or Inspectors (ticket inspection) staff and connection data IT system, which will be used to others who might be vulnerable to hos - 10. Penalty Fares and associated process personal information tile action from the travelling public. prosecutions for failing to pay • all employees directly involved in Images collected have evidential value in for travel processing personal information are the event of a legal dispute. The website 11. Penalty Charge Notices and to complete privacy awareness train - statement shows the results of this PIA: associated prosecutions for vehi - ing every year “Some TfL employees are issued cles committing traffic contraven - • responsibilities of ‘Personal Infor - with body worn cameras, for example, tions. mation Custodians’ (a group of Revenue Control Inspectors on the Therefore, TfL has access to vast around 60 Heads of Department or London Underground network. These information resources both in real time Directors responsible for devices are able to capture audio record - and for planning purposes. Protecting business/operational activities ings as well as images. The cameras are personal information is essential to involving the processing of personal clearly visible and only switched on in assure the individuals whose data is data) need to be stated the event of an incident (for example the processed that it is being held securely • serious or repeated breaches of the member of staff being subjected to and used only for the purposes for policy may be treated as misconduct verbal abuse or threats of violence).” 3 which it was collected and properly in accordance with the TfL Code of TfL has several contracts with exter - related purposes . Conduct and relevant HR policies nal organisations to manage parts of

sharing santanDer CyCLes Data example of a tfL Privacy notice: we will, on request, share relevant account or by telephone on 0845 026 3630. We share information only in very limited information with the insurance provider or We may also disclose personal data if circumstances. We share users’ personal their agent for the purposes of verifying and required to do so by law. The Data data with our subsidiaries and service processing your claim. Protection Act allows us to do this where providers for the purposes of customer TfL will share your personal information the request is supported by evidence of the services and administration, to provide with the scheme’s sponsor for marketing relevant legislation which requires the travel-related information and for customer purposes where you have explicitly agreed disclosure, or a court order. research and fraud prevention. that we can do so. You can opt out from In the event that you make a claim on the receiving marketing information from the https://tfl.gov.uk/corporate/privacy-and- scheme’s Public Liability Insurance for Scheme Sponsor at any time by amending cookies/santander-cycles yourself or on behalf of an additional user your marketing preferences via your online

their personal data responsibilities, for particular, Facebook and Twitter and tRanspaRency and foi example, with: explains its monitoring policies. 5 These TfL has a detailed Transparency Strategy • Experian to handle the consequences policies deal with both operational issues and is subject to the Freedom of Infor - of data breaches, including the provi - and analysis of trending sentiment by mation Act. 8 Changes in recent years sion of ID theft protection and credit social media users on their experience of include publishing much more informa - monitoring services to affected cus - TfL services. Such service feedback tion, such as lowering the amount cov - tomers could cover anything, such as poor stan - ered by its policy on releasing informa - • Capita to process road user charging dards on stations, late trains, accidents, tion on contracts and tenders with a data faulty traffic lights, or good customer value of over £5,000. All expenditure of • Cubic Transportation Systems to service by TfL staff. more than £250 is now published. Infor - process electronic ticketing data mation is available every quarter on • SAP to process TfL’s human When things go WRong internal audits carried out, for example, resources data, partly via a cloud- The Information Commissioner’s on data centres which included a line on based service to map the skills avail - 2014/2015 Annual Report said that “response to access requests.” able against work force planning for “An employee of Transport for Lon - TfL publishes information proac - future needs. don was prosecuted [by the Informa - tively on the subjects on which it In every case, TfL will ensure they tion Commissioner] for unlawfully receives frequent FoI requests. 9 TfL know exactly where the personal data is accessing Oyster card records of fami - receives around 2,500 Freedom of Infor - to be processed and include comprehen - ly members and neighbours.” 6 New - mation (FOI) and Environmental Infor - sive privacy and data protection contract man explained that this case, heard at mation Regulations (EIR) requests terms. the Westminster Court in early 2015, every year. TfL currently provides a full TfL is often approached by organisa - involved a TfL employee who stalked response to 85% of them within the tions to buy its personal data but so far it an individual by illegally accessing statutory time limit, for which there is a has refused. The sponsorship arrange - their Oyster Card use and tracking standard time limit of 20 days. 10 ment with Santander for London’s bike their journeys. Following the termina - hire scheme means that Santander does tion of their employment with TfL, referenCes have access to user contact details, but the individual was convicted and fined this only extends to customers who £1,000 plus costs, by the court. TfL 1 See www.tfl.gov.uk/privacy explicitly opt-in to this use of their data worked closely with the ICO prose - 2 https://tfl.gov.uk/corporate/privacy- for marketing purposes and they can opt cutions team to ensure that the appro - and-cookies/privacy-and-data- protection-policy out at any time (see box). An app is avail - priate evidence, including detailed 3 https://tfl.gov.uk/corporate/privacy- able – developed by Serco, the out - system access logs, was made available and-cookies/cctv sourced service provider which manages to the cour t. 4 https://itunes.apple.com/gb/ the bike hire scheme – that shows users app/santander- cycles/id974792287?mt=8 where to find available hire bikes and open data 4 5 https://tfl.gov.uk/corporate/ makes payment easy. TfL has a policy to encourage software terms-and-conditions/social-media Use of contactless payment cards is developers to use transport data feeds “to 6 https://ico.org.uk/about-the-ico/our- rapidly increasing. TfL is the fastest present customer travel information in information/annual-reports/ See growing contactless merchant in innovative ways.” However, the compul - 2014/15 Annual Report, p.25 Europe. One in seven contactless trans - sory terms and conditions include the 7 https://tfl.gov.uk/corporate/terms-and- conditions/transport-data-service actions in the UK takes place on TfL’s requirement that “This Licence does 8 https://tfl.gov.uk/corporate/ network which is managed and pro - not……include personal data in the transparency/ tected in accordance with the PCI DSS Information” [provided to users]. Anoth - 9 https://tfl.gov.uk/corporate/ data security protocol. er condition is “TfL’s Privacy Policy will transparency/#finance-operations- TfL draws together a vast array of apply to all personal information collect - performance 10 https://tfl.gov.uk/corporate/ data sources into its Big Data pro - ed in con nection with your use of the transparency/foi-performance gramme. It tracks social media, in Service” 7

It is time to get GDPR compliant The EU General Data Protection Regulation is now here to stay and will form the new DP regime in the UK from 25 May 2018 onwards. Laura Linkomies reports. he EU General Data Protec - responsible for everything. DPOs need uncertainty – especially on the tion Regulation’s (GDPR) to have a team and it might make sense employee side. “We have been making accountability requirements to have the statutory DPO and in addi - step changes for example to our pri - Tmean that organisations have to tion another person who is more of a vacy policy. The ICO’s 12 points on demonstrate the steps which they privacy strategist. GDPR are useful but we have also put have taken to comply with the provi - Nina Barakzai, Group Head Data in specific requests for further guid - sions – effectively this means having a Protection & Privacy, Sky UK Limited ance on issues such as breach manage - trail to show the measures which they said that her company already has this ment. What kind of filing will be have taken. For multinational compa - model. She reports to the audit com - needed? What about cyber breach nies, many of these steps may already mittee, and data protection is treated as notification?” be in place but the Regulation also a board-level issue. William Malcolm, Senior Privacy brings completely new aspects such as “People come to me with their ideas Counsel at Google, said that in most the Right to be Forgotten and data and suggestions on how to include pri - cases Google already has a mature pri - portability. All organisations will vacy in business. It is quicker for them vacy programme but now it needs to need the next two years to get their to have new products approved this demonstrate accountability to Data house in order, and should start work way. Privacy is already on people’s Protection Authorities and users, also now. radar. Each business area is empowered to users. The GDPR is only one facet Speaking at a conference in April to be responsible for privacy work and in the Google privacy programme, he in London, Nicola McKilligan-Regan implement data protection.” said. He thought that many issues in from Privacy Partnership said that She said that in their preparation for the GDPR are very clear and they can organisations should start seeking the GDPR, they went through all the start the work now. approval for their project budget now, articles and identified some 45 issues “Harmonisation is the key. The if they have not already done so. that needed to be dealt with. They then DPAs are to define high risk process - She said that a key mistake is to identified the most important ones in ing – there is a responsibility on the fail to plan properly and kick off a any business area depending on which European Data Protection Board project prematurely – “there is no issues were critical or involved the (EDPB) to issue guidance. Organisa - point running in the wrong direc - most personal data. tions and DPAs must start a dialogue tion,” she said. “Things may change She said that the five-year business on this and also on the scope of dele - during implementation as require - plan includes an assessment of risk and gated acts. We want a world-class pri - ments become clearer but these must a timetable for issues that take the most vacy programme but need clarity in be covered by a change management time and money. regulatory expectation.” process not just added in.” “We focus on assurance, not com - Treacy observed that there are pliance. Business moves forward fast – competing regulatory frameworks. tRanslating the gdpR into sometimes the Regulation is already Also the GDPR includes some 40 pRactical actions behind business developments.” exemptions that provide a ‘margin of Organisations could start by identify - Helen Gourdin, Senior Counsel, manoeuvre’ for Member States, the ing which aspects of the GDPR will Global Compliance at Diageo plc said EU Commission or the EDPB. have most impact on their business. A that her company has a steering com - It has to be noted that the EDPB is empowered to take legal action and challenge DPA decisions. The recitals “Google: We want world-class privacy in the GDPR explicitly say that there is this “margin of manoeuvre for programme but need clarity in Member States to specify its rules” regulatory expectation.” (for the processing of personal data). Barakzai noted that they are con - centrating on the clear areas. But there risk assessment and gap analysis can mittee to work on these issues. GDPR is no point in stopping and waiting for be a start to identifying how to use can be divided into specific areas. Doc - guidance as certain things need to be sometimes scarce resources. umentation is required on any action done. Bridget Treacy, Partner at Hunton taken. A good starting point is to look “We have created a set of guiding & Williams, speaking at the same at the Article 29 Working Party work principles that will work in the GDPR event, said that in the UK, a DPO has programme to see which issues they context. We are mainly looking at traditionally worn many hats and now prioritise. concepts, not the individual GDPR this person will suddenly be She said there was still a lot of articles.”

individual Rights “Our governance structure will “There is a huge opportunity in the Google has done much work in this have to be revamped: how we do things digital space. One of the best examples area. It is important to be transparent and when. A carrot and stick approach of layering is the DMA [Direct Mar - and build practical tools, Malcolm said. to enforcement will work – telling keting Association] code of practice.” He said Google can use its existing senior officers of the culture change Chris Combemale, Executive tools and design controls for data needed but also of the large fines. In Director at the DMA, said that now is portability. Individuals can control this respect the GDPR helps me.” the time to embed the right privacy cul - their data and search histories. She said that for the DWP, some of ture in organisations. Consumer atti - “We are committed to Privacy by the most important compliance issues tudes to privacy are increasingly criti - Design. We have invested in a privacy are profiling – what does that mean – cal, he said. In a DMA survey, 58% of engineering team for many years now and automated processing – what does those interviewed said that trust is the but there is more work to do.” that mean under the new definitions? most important issue when they decide Gourdin said that they are working Additional aspects that need careful whether to share their personal data on Diageo’s digital transformation pro - consideration are data portability and with businesses. People would like gramme – a very ambitious programme how to provide a fair processing notice more control over their data – 81% to ensure transparency and control. that can be understood by everyone, believe that data is theirs to exchange “We work hard to fit privacy into but at the same time satisfy the legal for value. Only 7% believed that they our strategy.” requirements. She said that they are obtained the most benefit from the data using the layered approach. exchange with a company. The DMA public -sectoR issues She said that there was no decision has a specific GDPR section on its “Better use of information is central to yet on whether there would be a single website. The main issue is to put the delivering our services more efficient - government model for compliance – customer first. ly,” Amanda Hillman, Team Leader, they are waiting for news from the Simon Rogers, UK Privacy Lead at Data Sharing and Data Protection Poli - Department of Culture, Media IBM, said that they need to act now to cy Team at the Department of Work and Sport. structure the company response to and Pensions (DWP) said at the West - GDPR. minster eForum. “Privacy by Design is coopeRation needed “you need to focus on the gains, not essential to gain customer confidence.” Fedelma Good, Director, Information just the compliance. So how can we Most government offices do not have Policy & Business Controls, Personal better leverage technology? Do not just a DPO, she said, but a Senior Informa - & Corporate Banking, Barclays, said talk about the fines but think about this tion Risk Officer, or similar. “Now we that consumer trust will equate with in a wider holistic scope.” have to change the culture so that the commercial benefit. “Global large organisations need person doing the job will have reassur - “Commercial opportunities will someone who takes responsibility and ances that we are doing the right thing. come to those who are working on acts as a lead in GDPR preparations. I We have to address individual rights.” GDPR implementation now.” Barclays suggest starting this as a project and She said that the DWP receives worked together with different sectors pulling in other parts of the business. It more Subject Access Requests (SARs) at the time of the e-privacy Directive’s is not just about privacy but a larger than all other government departments drafting and the troublesome question question of information governance put together. The data they hold is of cookie compliance. “We decided to and security.” incredibly sensitive. The GDPR will aim for a consistent version of “Make sure you break the law into require a quicker turnaround in cookie compliance.” bite-sized chunks, conduct a gap responding to SARs – a month instead We now need to achieve consis - analysis and a Privacy Impact Assess - of the 40-day period that currently tency in how privacy policies are pre - ment,” he said. applies in the UK. sented to the individual, she said.

EU DP Regulation will apply on 25 May 2018 The EU Data Protection Regulation submit a report on the evaluation and The full conference programme has was published in the European Union’s review of Regulation 2016/679 to the now been published at www.privacy - Official Journal on 4 May. It will start European Parliament and to the Coun - laws.com/ac29 to enter into force on 24 May this year, cil. These reports will be made public. and will apply from 25 May 2018. Businesses now have two years to Together with EU Regulation start their preparation process. Join the • The text of the Regulation – in all lan - 2016/679, the European Commission main players with 40+ speakers from 16 guages – is available at has published the text of the so-called countries at Great Expectations, PL&B’s http://bit.ly/1T5Y5s3 Police Directive and the Passenger 29th Annual International Conference, The ‘Police Directive’ is at Name Record Directive. 4-6 July at St. John’s College, Cambridge http://bit.ly/1T5Y5s3 and the By 25 May 2020 and every four to learn how to work towards your ‘Passenger Name Directive’ at years thereafter, the Commission will organisation’s compliance. http://bit.ly/1VONjqB

ICO issues Undertaking on HSCIC The ICO has issued an Undertaking – decided to apply the Type 2 objection approximately 700,000 patients, the ICO a written commitment to take action – to their own personal confidential data. says. on the Health and Social Care Informa - HSCIC has a duty to share some By not being able to collect, record tion Centre (HSCIC) which adminis - patient information with third parties and apply the Type 2 objections it ters the opt-outs from Care.data. The for the purposes of direct care. For appears that the HSCIC has shared ICO says that data subjects’ personal example, HSCIC may share informa - patients’ data with other organisations data has been processed unfairly, out - tion to aid nationally approved screen - against their wishes. The ICO is also side of their reasonable expectations. ing programmes, such as NHS breast concerned about the way in which In January 2014 a leaflet was sent to screening, and so the Type 2 objection HSCIC has communicated with the all households in England offering will not be applied in these cases. general public about this matter. patients the chance to opt out of their However, for legal and technological personal confidential information reasons HSCIC was not able to collect, being shared by HSCIC for purposes record or implement the Type 2 objec - • See the Undertaking at other than direct care, known as the tions registered by patients with their https://ico.org.uk/media/action-weve- ‘Type 2 objection’. Patients were GPs. This has resulted in Type 2 objec - taken/undertakings/1623957/hscic- instructed to inform their GP if they tions not being implemented for undertaking-20160419.pdf

Around 1 in 45 patients opt-out from Care.data More than one million patient opt-outs Since early 2014 patients have been ‘Type 2’ opt-outs. Care.data has been have been received for the NHS able to register two types of opt-out criticised for not organising a patient Care.data scheme, the Health and Social with their GP practice in order to consultation over how their personal Care and Information Centre (HSCIC) express preferences about the way their data could be shared with the private says. The individuals have opted out personal confidential information sector organisations. from sharing the information that iden - should be used for purposes beyond tifies them outside of the HSCIC for their direct care. These have been more • See http://www.hscic.gov.uk/ purposes beyond direct care. commonly known as ‘Type 1’ and catalogue/PUB20527

Culture eats Strategy” is particularly requires the small print of credit card interesting. Levin cites many examples of agreements, to appear in easy to institutions’ failures to grasp the way that understand format on every agreement. identity thieves work in their hunt for Levin suggests that a “data breach SWIPED – How to protect vulnerabilities. Levin quotes the FBI that disclosure box” would encourage yourself in a world full of there were probably fewer than 10% of organisations to improve their breach- scammers, phishers, and identity companies which could have prevented preparedness plans so that they can an attack like the one on Sony. The notify consumers sooner and provide a thieves lesson Sony was forced to learn was that more transparent and empathetic by Adam Levin security had to be practised at the level of response. A company can demonstrate, each individual employee, including what in this way, that it is aiming to do Adam Levin, a long-time consumer you can and cannot say in an email, everything it can to help consumers, advocate and ID fraud expert, describes when to use encryption, how to handle strengthen its defences and maintain in this book how to keep hackers, files of former employees and so on. data according to cutting edge standards. phishers and spammers from becoming Levin cites with approval Dr Ann A thoughtful book for the general reader, your problem. Cavoukian’s “7 Principles for Privacy by consumer-orientated, covering the basics Swiped is a story about surviving the Design” which can easily be adapted for in an easy to read style, with a identity-theft epidemic. This is not a book his “Security by Design concept of three comprehensive index, a glossary of for lawyers, but it is a practical guide to M’s: Minimize your Risk of Exposure, scams and useful tips to avoid becoming keeping data safe, and a reminder of why Monitor your Security, Manage the a victim. we need to do this at all. There is an Damage”. overview at the beginning which should The chapter on legal initiatives in the US be required reading for anyone handling criticises lack of federal oversight when it Reviewed by Merrill Dresner data, either their own or their company’s. comes to consumer-related security. If every employee were to read the case Levin searches for a solution that could studies of lives ruined by criminals, or by benefit business, consumers and the carelessness, the need for security government, and finds one in legislation Published by www.publicaffairsbooks.com , training would be entirely obvious. that has been on the statute books since £16.99 ($24.99), ISBN: 9781610395878. The chapter “Business Considerations 1988 – the Schumer Box. This legislation Publication date: 24 November 2015.

Latest FOI disclosure logs now available The Department for Culture, Media & publication schemes. The seven classes plans and policies. Public information Sport has published disclosure logs for of information that are recommended should be made available unless there is Freedom of Information releases are broad and include headings like good reason to withhold it, and the Act between October and December 2015. ‘Who we are and what we do’ and ‘The allows it, the ICO says. They reveal which cases have been services we offer’. The classes cover all refused in part, and which have been the more formal types of information • See www.gov.uk/government/ responded to in full. organisations hold, such as information publications/disclosure-logs-for-free - The ICO recommends publishing as about the structure of the organisation, dom-of-information-releases-between- much information as possible through minutes of meetings, contracts, reports, october-december-2015

Annual th International 29 Conference great exPeCtations st John’s College, Cambridge 4-6 July 2016 highlights for organisations in the united Kingdom include: • The EU Data Protection Regulation package: The UK government’s perspective – Baroness Neville-Rolfe DBE CMG, Minister responsible for Data Protection Policy, UK

• National discretion: How Data Protection Authorities will interpret the recitals in the EU DP Regulation – Willem Debeuckelaere, President, Data Protection Commission, Belgium; Iain Bourne, Data Protection Policy Delivery Group Manager, ICO, UK; Dr. David Erdos, University Lecturer in Law and the Open Society, Trinity Hall, University of Cambridge (Chair)

• How the police and companies can work together to investigate and prosecute personal data theft and related crimes – Detective Inspector Deborah Donaghy, Cyber Crime Unit, Metropolitan Police

• Every step you take, the media will be watching you: Protecting reputation whilst managing a data breach crisis – Magnus Boyd, Partner, Schillings, London

• RNLI leads in building on supporters' loyalty by moving to opt-in – Jayne Clarke, Head of Marketing, Royal National Lifeboat Institution, Poole, Dorset, UK

• Preparing for explicit consent: Testing wording for each channel and winning better response – David Cole, Managing Director, fast-MAP, London

• Mapping the privacy litigation landscape – John Benjamin, Partner, DWF, London, Timothy Pitt- Payne QC 11KBW Chambers, London

• How to win your case before the Information Rights Tribunal – Dr. Robin Callender Smith, Professor of Media Law, Centre for Commercial Law Studies QMUL, London, Barrister and Information Rights Judge

• Expectations of stronger international enforcement via the Global Privacy Enforcement Network – speakers include privacy commissioners from Belgium and Canada and Hannah McCausland, Senior International Policy Officer, Information Commissioner’s Office, UK

www.privacylaws.com/ac29

© 2016 PRIVACY LAWS & BUSINESS PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT j^v=OMNS OP *HEADER* Join the Privacy Laws & Business community The PL&B United Kingdom Report , published six times a year, covers the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. PL&B’s United Kingdom Report will help you to: Stay informed of data protection Learn about future government/ICO plans. legislative developments. Understand laws, regulations, court Learn from others’ experience and tribunal decisions and what they through case studies and analysis. will mean to you. Incorporate compliance solutions Be alert to future privacy and data into your business strategy. protection law issues that will affect your organisation’s compliance.

Included in your subscription: 1. online search functionality you may choose to receive one 5. events documentation Search for the most relevant content printed copy of each Report. Access UK events documentation from all PL&B publications and such as Roundtables with the UK events. you can then click straight 3. e-mail updates Information Commissioner and through from the search results into E-mail updates keep you regularly PL&B Annual International the PDF documents. informed of the latest developments Conferences , in July, Cambridge. in Data Protection, Freedom of 2. electronic access Information and related laws. 6. helpline enquiry service you will be sent the PDF version Contact the PL&B team with of the new issue on the day of 4. back issues questions such as the current status publication. you will also be able Access all the PL&B UK Report of legislation, and sources for specific to access the issue via the website. back issues since the year 2000. texts. This service does not offer legal advice or provide consultancy. To Subscribe: www.privacylaws.com/subscribe

I particularly like the short and concise nature of the Privacy Laws & Business Reports . I never leave home without a copy, and value the printed copies, as I like to read them whilst on my daily train journey into work. Steve Wright, Chief Privacy Officer, Unilever

Subscription Fees Single User Access International Postage (outside UK): UK Edition £400 + VAT* Individual International or UK Edition International Edition £500 + VAT* Rest of Europe = £22, Outside Europe = £30 UK & International Combined Edition £800 + VAT* Combined International and UK Editions Rest of Europe = £44, Outside Europe = £60 * VAT only applies to UK based subscribers

Multi User Access Discounts for 2-4 or 5-25 users – see website for details. Satisfaction Guarantee If you are dissatisfied with the Report in any way, the Subscription Discounts unexpired portion of your subscription will be repaid. Special charity and academic rate: 50% discount on all prices. Use HPSUB when subscribing. Number of years: 2 (10% discount) or 3 (15% discount) year subscriptions. Privacy Laws & Business also publishes the International Report. www.privacylaws.com/int