UK Data (Use & Access) Bill: Key Proposals

October 2024

What DPOs and data protection teams need to know 

The Government’s Data (Use & Access) Bill was introduced to Parliament and had its first reading in the House of Lords on 23 October. This is a new name for the Digital Information and Smart Data Bill, announced in the King’s Speech back in July. With the acronym DUA, this Bill revives some, but certainly not all, aspects of the previous Government’s Data Protection & Digital Information Bill (DPDI), which fell by the wayside when the general election was announced.

At 262 pages it’s a lengthy document, so we’ve provided a summary of some key proposals likely to be of interest to those working in data protection-related roles. Of course, at this stage everything is subject to change as the Bill progresses through Parliament.

DATA PROTECTION (UK GDPR & DPA 2018)

1. Accountability requirements NOT changed

The previous DPDI’s controversial plans to amend accountability obligations under UK GDPR have not been carried over into DUA. There are no plans to remove the requirement for organisations which meet certain criteria to appoint a Data Protection Officer, nor are there any planned changes relating to Data Protection Impact Assessments or Records of Processing Activities.

Some organisations may be disappointed more flexibility is not planned in these areas. However, we’d stress UK GDPR is already littered with the words ‘proportionate’ and ‘appropriate’. Small-to-medium sized businesses are not currently expected to put in place as robust measures as larger organisations, unless the nature of their business activities and the sensitivity of the personal data they handle warrants it.

2. Data Subject Access Requests (DSARs)

In the main, the proposals in relation to the Right of Access (aka Data Subject Access Requests) aim to give a statutory footing to practices already commonly applied, such as confirming:

  • Organisations can ask the requester for details of the information or activities a DSAR relates to, and can pause the time period for responding to the request while seeking this information; for example, seeking clarification when the organisation “processes a large amount of information concerning the data subject”.

  • The time period for compliance with a DSAR does not begin until the organisation is satisfied the requester is who they say they are, i.e. any necessary proof of identity has been received.

  • The search for personal data in response to a DSAR would only need to be “reasonable and proportionate”.

Making these points crystal clear in law would create certainty for organisations, who currently rely on guidance from the Information Commissioner’s Office. Many organisations may be disappointed the concept of ‘vexatious’ requests has not been revived from the abandoned DPDI bill.

3. Privacy notices & the right to be informed

The DUA Bill proposes the obligation to provide privacy information to individuals under Articles 13 and 14 (e.g. via a privacy notice) will not apply if providing this information ‘is impossible or would involve disproportionate effort’. This move could be viewed as an attempt to water down requirements to notify individuals of the processing taking place. This was a particular point of contention in the Experian vs ICO case. In relation to its processing of the Edited Electoral Roll, Experian argued it would be disproportionate effort to notify and provide privacy information to millions of people.

4. Recognised legitimate interests

The concept of ‘recognised legitimate interests’ is revived from the DPDI Bill. It’s proposed organisations would be exempt from conducting a full Legitimate Interests Assessment (LIA) for certain specified purposes, such as national security, emergency response and safeguarding. The DUA Bill also looks to confirm legitimate interests as an acceptable lawful basis where necessary for direct marketing purposes. Clearly, legitimate interests will only be an option when the law doesn’t require consent, for example under the Privacy and Electronic Communications Regulations (PECR).

5. Automated decision-making

Noteworthy changes are proposed aimed at making it easier for organisations to use automated decision-making more widely, for example using artificial intelligence (AI) systems. Currently, Article 22 of UK GDPR places strict restrictions on automated decision-making (including profiling) which could produce legal or similarly significant effects. The new Bill seeks to reduce the scope of Article 22 to only cover automated decisions made using special category data. There is likely to be concern this will have a negative impact on people’s rights in relation to automated decisions made about them using other personal data. This may also put the UK out of kilter with the EU.

6. Data protection complaints procedure

It is proposed that organisations be obligated to make sure they have clear procedures so people can raise complaints in connection with the use of their personal data. For example, organisations would need to:

  • Facilitate people’s ability to make complaints (for instance by providing a complaint form).

  • Respond to complaints within 30 days of receipt.

  • Notify the Information Commissioner of the number of complaints received in specified periods.

PRIVACY & ELECTRONIC COMMUNICATIONS REGULATIONS (PECR)

The following changes to PECR are proposed:

1. PECR Fines

Significantly increasing potential fines for infringements of PECR to bring them in line with the level of fines under UK GDPR. Currently, the maximum fine under PECR is capped at £500k.

2. Analytics cookies

Permitting the use of first-party cookies and similar technologies for website analytics without a requirement to collect consent. Also included is a provision to allow for the introduction of other circumstances in which cookie consent would not be required.

3. Spam emails and texts

Expanding what constitutes ‘spam’ to include emails and text messages which are sent but not received by anyone. This will mean the ICO can consider much larger volumes in any enforcement action. In conjunction with higher fines – SPAMMERS BEWARE!

THE INFORMATION COMMISSION

The plan is for the Information Commissioner’s Office to be replaced by an Information Commission. This would be structured in a similar way to the Financial Conduct Authority and the Competition and Markets Authority, with an appointed Chief Executive. There’s also provision for the Government to have considerable influence over the operations of the new Commission. For example, this could include determining the number of Commission members and a requirement for the Commission to consult with the Government on the appointment of a Chief Executive.

SMART DATA SCHEMES

The Government announcement states: ‘the Bill will create the right conditions to support the future of open banking and the growth of new smart data schemes, models which allow consumers and businesses who want to safely share information about them with regulated and authorised third parties, to generate personalised market comparisons and financial advice to cut costs.’

The Right to Portability under UK GDPR currently allows individuals to obtain and reuse their personal data. DUA aims to expand this to allow consumers to request their data is directly shared with authorised and regulated third parties. The hope is this will allow for the growth of smart data schemes to enable data sharing in areas such as energy, telecoms, mortgages, and insurance. It’s proposed this would be underpinned by a framework with data security at its core.

HEALTHCARE INFORMATION

Ever been to hospital and found your GP has no record of your treatment, or the hospital can’t access your GP’s notes? The government is hoping proposals in the Bill will support plans for a more uniform approach to information standards and technology infrastructure, so systems can ‘talk’ to each other. For example, allowing hospitals, GP surgeries, social care services, and ambulance services to have real-time access to information such as patient appointments, tests, and pre-existing conditions.

SCIENTIFIC RESEARCH

There are proposed changes to scientific research provisions, including clarifying the definition of scientific research and amending consent for scientific research. This is in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.

DIGITAL VERIFICATION SERVICES

There’s an aim to create a framework for trusted identity verification services, moving the country away from paper-based and in-person tasks. For example, proposals allow for digital verification services aimed at simplifying processes such as registering births and deaths, starting a new job, and renting a home.

In summary

The DUA Bill revives some old ideas and introduces some new ones. Some proposals are more controversial than others. But unlike the DPDI, it does not present any significant softening of data protection compliance obligations under UK GDPR. All proposals will be scrutinised and could be amended before the Bill is enacted. However, unlike the previous Tory bill, this Bill is highly likely to become law.

In all of this, the Government will have a close eye on EU-UK adequacy. The European Commission’s adequacy decision for the UK is up for review in 2025 and there’s a recognition losing adequacy status would have a significantly negative impact on organisations which share data between the UK and EU. It will be hoped dropping controversial plans to dilute accountability requirements under UK GDPR will mean the European Commission will find the DUA Bill more palatable and less contentious.

The Bill as introduced can be found here. For quick reference these are the key parts of DUA:

Part 1: Access to customer data and business data
Part 2: Digital Information Services
Part 3: National underground asset register
Part 4: Registers of births and deaths
Part 5: Data Protection and Privacy
Chapter 1: Data Protection
Chapter 2: Privacy and Electronic Communications Regulations (PECR)
Part 6: The Information Commission
Part 7: Other Provisions
Part 8: Final Provisions

Data Protection and what the Labour Government should do

July 2024

What should Keir Starmer’s team do about data protection?

After the Conservative Party’s crushing defeat on July 4th, we now have a Labour administration. As the General Election was called, the Data Protection and Digital Information Bill was progressing through Parliament. Although many thought it might just pass before an Election, the decision by Rishi Sunak to gamble everything on an early election led to the Bill’s abandonment.

The Bill itself was controversial, proposing a mixed bag of changes to data protection and ePrivacy laws. Views within the industry were, it is fair to say, divided.

I’ve asked industry insiders the question: What should the new Government do with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and AI? Here’s what they say.

Steve Wood, Founder & Director, PrivacyX Consulting and former UK Deputy Information Commissioner

“The New Government should firstly take a step back to consider its approach to public engagement on data and AI, particularly with civil society. As they seek to use AI to transform the public sector, a planned and long-term approach to meaningful transparency and engagement is vital. There are good foundations to build on for AI policy and the new Government should look at options to put AI principles on a statutory footing and what additional oversight and coordination is needed to make them effective.

There is scope for a focused AI and Data Bill, learning the lessons of the complexity and confusion in the DPDI Bill and what will really improve the outcomes of the data protection regime – for people and organisations. Changes to GDPR that should remain on the table include the new Information Commission reforms, the data protection test for international transfers and an exemption for analytics cookies.”

You can read more of Steve’s thoughts in his Substack blog – A Digital Policy Memo for the Minister’s Red Box

Chris Combemale, CEO, Data & Marketing Association (DMA)

“The DMA continues to believe that reforming the data protection regime in the UK is fundamental to driving growth, innovation, and wealth creation in the country. Doing so would be a strong sign of the new Government’s commitment to the industry and business. Amongst the most important reforms for DMA members are:

1. Reforms that establish greater certainty for the use of legitimate Interests as a lawful basis particularly attracting and retaining new customers
2. Reforms that clarify how data can be better used to support scientific research and technology development
3. Reforms that reduce bureaucracy for small business
4. Reforms that enable Smart Data schemes to be introduced in appropriate sectors
5. Reforms that reduce the consent requirements for non-intrusive cookies
6. Reforms that update the law to enable beneficial uptake of automated decision-making like AI while maintaining strong safeguards

These reforms are consistent with the Labour Policy Forum position and indeed were supported by Labour during scrutiny of the former government’s DPDI Bill. The DMA will work closely with the incoming government to ensure these reforms become law.”

Read Chris’ Open Letter to all political parties

Robert Bond, Senior Counsel, Privacy Partnership Law and Chair, DPN Advisory Group

“The new Government needs to ensure that any changes it makes to our data protection regime do not harm our ‘adequacy’ with the EU. However, I would welcome a review of the reliance on Legitimate Interest as a lawful ground for processing to bolster this useful ground. I would like to see a review of PECR and a proactive focus on practical AI legislation.”

Gerald Coppin, Deputy Group Data Protection Officer, Springer Nature

“I feel a Labour government should work on an international effort to harmonise the data privacy laws across major jurisdictions; it could make it easier for businesses to manage regulatory requirements. They could recommend or mandate techniques like differential privacy, federated learning, and synthetic data generation to enable AI development without compromising individual privacy, as well as expanding regulatory sandboxes that allow companies to test innovative AI applications in a controlled environment, while ensuring privacy safeguards are in place. A reduction in paperwork to prove compliance with the different laws would be MOST welcome!!”

Debbie Evans, Managing Director, FTI Consulting

“I want to be optimistic about change; however, it’s not going to be without challenge. Whilst I’m not proclaiming any particular political persuasion – my personal hope is that individual rights are given more visibility. Businesses consequently will need to take compliance more seriously as laws strengthen.”

Eduardo Ustaran, Partner, Hogan Lovells

“My view is that the new UK Government should aim to realise the opportunity to place the UK as a global leader in these areas. The UK is in an ideal sweet spot because it is close enough to the EU’s policy objectives of providing the highest levels of protection for personal data and human rights in the face of today’s AI revolution, but also understands the crucial importance of technological innovation for growth and prosperity. That combination is particularly attractive for responsible global businesses to model their regulatory compliance strategies for privacy, cybersecurity and AI. This is a crucial issue for the UK Government to get right and support its primary goal of growing the economy.”

Charles Ping, Managing Director, Europe, Winterberry Group

“Labour has a big task ahead, and by its own admission, limited resources. So using the eco-friendly mantra of reduce, reuse and recycle they should take all three aspects into evolving our data protection legislation. Reduce the wasted time on devising new policy objectives in this area when there was cross party consensus on the currently lifeless Data Protection and Digital Information Bill. Reuse, because the bill is pretty much “oven ready”, if that phrase hasn’t been rendered entirely valueless by a previous administration.

Recycle the old bill and ensure an expedited path through the corridors and meeting rooms of Westminster. I can’t see a new administration (or country) wanting a traditional summer recess, so this legislation should have time to whistle through and start making a difference.”

Eleonor Duhs, Partner and Head of Data & Privacy, Wells Bates LLP

“I think the new Labour Government, as a priority, should deal with the uncertainty created by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”) about how to interpret the UK’s data protection frameworks. REULA has turned the statute book on its head, with domestic law (whenever enacted) taking precedence over any law that was previously EU law (including UK GDPR). An example of the unintended consequences of this is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018 every other group in society now has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated. In order to ensure data protection standards in the UK remain high the new Labour government should bring forward legislation. It could either use the powers in REULA to reintroduce deleted principles in order to bring clarity and legal certainty. Alternatively, the best course of action may be to bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure they continue to be current and track accepted EU and international standards. This would support growth and avoid the risk of losing the UK’s data adequacy decision which is due to be reviewed next year.”

You can read more from Eleonor on the REULA here

While I appreciate reforming data protection law may prove not to be a high priority for the new Starmer Government, to offer my tuppence, if Labour does nothing else, I’d urge them to revise PECR. It’s desperately out of date, first introduced over 20 years ago, and then updated back in 2009 with the ‘cookie law’. The world has moved on. There were some proposed changes to PECR under the DPDI Bill which I favoured. In particular, a change allowing not-for-profits to take advantage of the so-called soft opt-in exemption to consent for marketing emails / texts. This is currently only available in a commercial context, which I feel is unfair. As others have mentioned, I’d also like to see a revision of the consent rules for website analytics cookies.

6 Steps to Manage International Data Transfers from the UK

June 2024

UK data protection law requires us to carefully consider and have specific measures in place to protect personal data and the rights of individuals when it’s transferred overseas.

Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, UAE, New Zealand and Singapore, to name a few.

In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfers can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others. There will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck between the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check if what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by another entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies. Here are some examples:

Suppliers based outside the UK

Transferring, or permitting access to, personal data when using a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK

Sharing personal data with any organisation based overseas, who may be using the personal data for their own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation to access your systems.

Group entities based outside the UK

Sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas entity having access to personal data on the UK organisation’s systems.

Important note: It would not constitute a restricted transfer if someone employed by a UK-based company accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or other safeguard mechanism. The ICO makes it clear most exceptions include the word ‘necessary’ and, while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’.

To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data and where there is a low risk of harm when personal data is transferred. Here are some of the most commonly used exceptions, and a full list can be found here.

📌 Explicit Consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.

📌 Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give

STEP 3: CHECK IF DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’ there is no legal requirement for any further additional safeguards. Adequacy status is awarded to certain countries which have been judged to have a level of data protection standards similar to those in the UK. An adequacy decision essentially allows for the free flow of personal data between the UK and another country.

Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and this is reciprocated by the UK. Therefore, personal data can flow freely between the UK and countries in the EEA. This includes the EU member states and the EFTA states.

Other adequate countries

The UK adopted all EU adequacy decisions as of January 2021. Therefore personal data can flow freely between the UK and countries such as Switzerland, New Zealand, Uruguay, Israel and Japan.

See a full list of European Commission Adequacy Decisions. The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into play in the Autumn of 2023. This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data between the UK and US, but only if the US company has:

    • self-certified and meets the principles of the DPF, and
    • signed up to the UK ‘data bridge’ extension.

For a list of self-certified organisations see US Department of Commerce DPF

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is not an adequacy decision for the destination country and you aren’t able to rely on a limited exception, there’s a requirement to make sure specific provisions are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA)

This is a standalone legal contract which has been published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum

The EU SCCs are contracts which have been produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with UK Addendum, or the IDTA.

📌 Other safeguards

Other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.

STEP 5: CONDUCT TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, or EU SCCs with the UK Addendum, there’s a requirement to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign governments or public bodies could override the safeguard measures you have in place.

The ICO has published TRA Guidance, which includes a TRA tool, a template document of questions and guidance to help businesses carry out a TRA. You can also use the EU alternative, a Transfer Impact Assessment (TIA).

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned.

An area to definitely keep an eye on is the EU’s adequacy decision for the UK. This is expected to last until June 2025, but is up for review. It could be extended, but if it isn’t it will expire on 27 June 2025.

What does the IKEA CCTV story tell us?

April 2022

Only set up video surveillance if underpinned by data protection by design and default

What happened?

Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in their Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation has only just concluded in late March 2022.

An IKEA spokesman said:

“Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”

The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.

They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.

“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.

“They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”

Apology and new ICO guidance

The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no. 

This apology conveniently coincides with the recent publication of new guidance on video surveillance from the ICO regarding UK GDPR and the Data Protection Act 2018.

This guidance is not based on any changes in the legislation – more an update to provide greater clarity about what you should be considering.

Video surveillance definition

The ICO guidance includes all the following in a commercial setting:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dashcams (not domestic settings)

Guidance for domestic use is slightly different.

Before setting up your video surveillance activity 

As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).

As part of this exercise, one needs to identify:

  • the purpose of the lawful use of surveillance
  • the appropriate lawful basis for processing
  • the necessary and proportionate justification for any processing
  • identification of any data-sharing agreements
  • the retention periods for any personal data

As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.

Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:

  • Processing special category data
  • Monitoring publicly accessible places on a large scale
  • Monitoring individuals at a workplace

A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.

In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.

Introducing video surveillance

Once the risk assessment and RoPA are completed, other areas of consideration include:

  • Surveillance material should be stored securely, to prevent unauthorised access
  • Any data transmitted wirelessly or over the internet requires encryption to prevent interception
  • How easily data can be exported to fulfil DSARs
  • Ensuring adequate signage is in place to define the scope of what’s captured and used

Additional considerations for Body Worn Video

  • It’s more intrusive than CCTV so the privacy concerns are greater
  • Whether the data is stored centrally or on individual devices
  • What user access controls are required
  • Establishing device usage logs
  • Whether recording should be continuous or intermittent
  • Whether audio and video should be treated as two separate feeds

In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data.

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly, taking effect on 27th June 2021.

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios:

  • SCCs are now modular, meaning that they can accommodate different scenarios; you pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK?

On 28th June the UK’s adequacy decision was adopted. On September 27th 2021, the prior version of the SCCs expired.

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist.

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCC arrangements in UK law, thus reinstating the means by which we can lawfully export data to places such as the US.

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted.

What’s included in the Agreement and Addendum?

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs, which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences from the new EU SCCs: it is a single all-encompassing agreement that incorporates all the scenarios identified in the EU SCCs. One can omit sections, and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs in which references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU and also from the UK. This is useful for those already using the EU SCCs who want a simple addendum to update the legal context.

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner’s Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do. Good sense has prevailed.