Blog Archives

Doing business in the UK

Whether you are looking to set up a new business here or expand an existing one, this guide covers the key things you need to know to avoid potential pitfalls and get the most out of your investment.


Post-Brexit breathing space for EU-UK transfers of personal data

Even though celebrations to welcome in 2021 were rather muted in light of the ongoing pandemic, the New Year did bring some good news to businesses in the United Kingdom and the European Economic Area (EEA) in respect of personal data transfers.

Prior to the end of the Brexit transition period, the issue of how to ensure ongoing personal data transfers from the EEA to the UK in 2021 was causing a headache for many businesses. Although the UK’s position was that transfers of personal data to the EEA could continue as usual without any additional legal hurdles after Brexit, this position was not mirrored by the European Union in respect of flows of personal data from the EEA to the UK.

While the last-minute post-Brexit Trade and Co-operation Agreement between the EU and the UK does not grant an adequacy decision to the UK in respect of transfers of personal data, Article FINPROV.10A does provide for a grace period for transfers of personal data from the EEA to the UK. Initially this grace period will last for four months, unless in that time the UK has obtained an adequacy decision from the EU in respect of data protection. If it hasn’t, then the grace period will be extended by a further two months (provided both the UK and the EU agree) to allow further time to finalise an adequacy agreement.

This is welcome news to businesses, who can now continue to transfer personal data between the UK and the EU for the next four to six months without requiring additional measures as a result of the UK having become a ‘third country’. The fact this has been agreed gives a positive indication that both sides are serious about reaching an adequacy decision as soon as possible. However, there is no guarantee an adequacy decision will be reached, and the grace period will only continue as long as the UK does not amend its own data protection legislation to diverge from rules applicable in the EU.

Organisations for whom such data transfers are critical would therefore be well advised to consider alternative arrangements in case no such adequacy decision materialises by the end of the grace period.

Posted in Shorter Reads

No rest for the European Data Protection Board

This month has seen a flurry of activity amongst European authorities and regulators in the data protection sphere.

The European Data Protection Board (EDPB), which includes representatives from the data protection regulators of each EU member state, has published a number of recommendations that businesses should take note of in order to comply with the General Data Protection Regulation (GDPR).

Firstly, in the wake of the much-publicised Schrems II case this summer, the EDPB has endeavoured to give some much-needed clarity on what organisations need to do if they want to transfer personal data outside of the European Economic Area (EEA). Assuming that other routes to achieving this in compliance with the GDPR (such as sending personal data to a country that has received an adequacy decision from the EU) are unavailable, where organisations wish to rely on the EU Commission’s standard contractual clauses (SCCs), the recommendations confirm that they must verify on a case-by-case basis whether the destination country affords equivalent levels of protection as within the EEA. In addition, they must supplement the SCCs with additional measures, ranging from technical and organisational to contractual. Whichever steps are taken must be documented to comply with the GDPR’s accountability duty.

The recommendations also stress the need to consider whether access to transferred personal data by government or surveillance authorities in the destination country is likely. If so, exporting organisations will need to consider whether this access may undermine the SCCs. A second set of recommendations sets out four criteria, known as ‘essential guarantees’, against which to determine whether the interference of the destination country’s surveillance laws with individuals’ data protection and privacy rights is acceptable by EU standards. These are as follows:

- Is the processing based on clear, precise, and accessible rules?
- Is the processing necessary and proportionate to the legitimate objectives pursued?
- Is there an independent oversight mechanism?
- Are effective remedies available to individuals concerned?

In addition, the European Commission has at last published its draft set of revised standard contractual clauses, which are currently open for consultation and are expected to be formally adopted early next year. Happily, these include processor-to-controller standard contractual clauses, which, in the event the UK receives no adequacy decision from the EU before the end of the Brexit transition period, could be the lifeline businesses need to establish compliant personal data flows from the EEA to a UK that will soon be a ‘third country’.

Raj Shah and Howard Ricklow from Collyer Bristow’s data privacy team will be discussing all of the above and more in a live interactive webinar on Thursday 26 November 2020 at 11am GMT. To register your interest, please click here.


Test-and-trace data sharing: a healthy lesson for private-sector businesses on the importance of transparency

The BBC reported this week that the UK Department of Health and Social Care could share contact-tracing information with police in England, given there is a legal requirement to isolate after a positive test. The news of this practice quickly prompted a flurry of concerned commentary from public health officials and privacy campaigners, with the British Medical Association warning that police involvement could be counterproductive, insofar as it could deter individuals from testing for COVID-19.

Though this news concerns the public sector, the public reaction to it serves as a useful reminder of the importance of transparency to private-sector organisations who process personal data. If you collect individuals’ personal data and share that data with third parties, even if only occasionally, the GDPR requires that you give clear information about these data sharing practices to those individuals at the time when you collect their personal data. This should ideally be communicated via your privacy notice, which must state the recipients of the shared personal data.

Provided your lawful basis for processing the shared personal data is not consent, it is possible for only ‘categories of recipients’ to be identified rather than named, individual recipients, but if you opt to take this less specific approach, you will need to be able to demonstrate why it is fair to do so and endeavour to be as specific as possible about the type of recipient (such as what industry or sector it belongs to) and its location. If, however, you are relying on consent as your lawful basis, then your privacy notice should specifically identify the recipients of the personal data, especially if they are third-party independent or joint controllers. Otherwise, there is a risk that the GDPR’s requirement for the consent to be specific will not be met.

As this news story illustrates, the more upfront with individuals you are at the outset about the way you handle their personal data, the more confidence they will have in your organisation. It is more difficult to gain back trust once lost than it is to lose it in the first place.


Good(ish) news for BA

In July 2019 the Information Commissioner’s Office (ICO) announced an intention to fine BA £183M for infringements of the GDPR. Around 400,000 users of the BA website had been diverted to a fraudulent site where the customers’ login, payment and travel details were harvested. The breach was not discovered until 2 months later. The ICO considered that BA’s security measures were inadequate and proposed the largest ever fine, albeit well below the maximum fine that could have been imposed. It not only reflected the seriousness of the specific breach but sent a message to large corporates that, unless they paid close attention to data privacy, they could expect very tough enforcement measures for breaches.

Since then, BA has taken steps to improve the security of the data obtained via its website and has cooperated with the ICO, while challenging the size of the proposed fine.

The ICO has today announced that the fine actually imposed is £20M. This is obviously a very welcome reduction in BA’s liability at a time when its business has been decimated by the coronavirus. It also reflects the benefit of swift action to remedy a breach (so far as possible) and close cooperation with the ICO. Nevertheless, it is still the largest fine confirmed by the ICO, reinforcing the fundamental importance of GDPR compliance.


New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough

The European Data Protection Board (EDPB) has published a set of draft guidelines clarifying the key GDPR concepts of controllers and processors by providing specific examples and helpful flowcharts to help apply these concepts in practice. Buried within these guidelines is the paragraph quoted below, which has significant implications for day-to-day commercial contracts.

Under Article 28 of the GDPR, where one party (Party B) is appointed by another (Party A) to provide certain services that require Party B to process personal data on behalf of Party A (which is the data controller), certain clauses are mandatory in the commercial contract between those parties (or in a separate data processing agreement).

Where Party A’s processing activities are minimal and are considered low-risk, it is common for the relevant agreement simply to repeat the provisions of Article 28 without further elaboration.

However, the EDPB states in the guidelines that simply restating the provisions of Article 28 without any additional detail is not sufficient. In particular, the EDPB states that the contract or separate data processing agreement required by Article 28 also needs to include information regarding the security measures to be adopted by the processor (Party B in the example above), as well as providing for a regular review of these measures.

The level of detail required is ‘such as to enable the controller to assess the appropriateness of the measures pursuant to Article 32(1) of the GDPR’. This requires both the controller (Party A) and the processor (Party B) to take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of those individuals whose data is processed.

The draft guidelines remain open to public consultation until 19 October 2020. Any interested parties are encouraged to contribute to the consultation by providing comments on the guidelines via the link below.


No Data Protection Impact Assessment (DPIA) undertaken for Test and Trace programme – but what is a DPIA, anyway?

Earlier today, the BBC reported the latest in an increasingly long line of problems to have plagued the country’s COVID-19 ‘Test and Trace’ programme: it has not complied with the General Data Protection Regulation (GDPR).

Following a legal challenge from privacy campaigners, the Department of Health has admitted that the programme, which aims to trace contacts of those infected with COVID-19 in order to prevent further spreading of the virus, was launched without any Data Protection Impact Assessment (DPIA) having been undertaken.

But what exactly is a DPIA and when is one needed?

A DPIA is a process designed to assess whether a proposed activity that involves processing personal data is necessary and proportionate. It should be used to assess and manage any risks to the rights and freedoms of individuals that might result from that processing activity by determining ways of addressing them. DPIAs are key tools in demonstrating a business’s compliance with its accountability obligations under the GDPR.

The GDPR requires that DPIAs be carried out if any processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Guidance on the matter recommends considering the need for a DPIA if a business plans to:

- process any ‘special category’ personal data on a large scale, as is the case with the ‘Test and Trace’ programme (health data constitutes ‘special category’ personal data);
- implement any automatic decision making or profiling that significantly affects the person whose data is processed (for example, to provide or refuse a service to that person);
- systematically monitor individuals (for example, via CCTV);
- deploy innovative technology that uses personal data (for example, facial recognition software implemented at offices to enable access to certain areas); and/or
- process personal data of vulnerable individuals (which might include employees) where there is an imbalance of power in the relationship and, consequently, those individuals have no genuine option to object.

DPIAs should be considered at the start of any new project that fits one or more of the above criteria, so that potential risks to the relevant personal data are addressed in advance of implementation (which is what the Department of Health failed to do in this case).

If your business has already undertaken a DPIA in respect of a processing activity, it will need to review that DPIA periodically (and ideally at least once every 2 to 3 years), particularly if there is any change in the context or nature of the processing.

Undertaking a DPIA will not only help your business demonstrate accountability and compliance with the GDPR, but will also build trust amongst those whose personal data is processed. This is much easier to lose than it is to gain. The risk to the UK government posed by this latest development is that fewer UK citizens, having lost confidence in its handling of their personal data, may participate in the Test and Trace scheme. Without significant participation across the population, the country is unlikely to have an effective contact tracing system.


Preparing for 4 July: Pubs and restaurants required to collect customers’ details

There will be some respite from life under lockdown in England on 4 July, when pubs, bars, cafés, takeaway services, and restaurants will be able to re-open, subject to high-level guidance issued by the UK government in this last week, and which is linked to below.

Under the guidance, operators of the above-mentioned businesses are asked to keep a temporary record of customers’ contact details for 21 days in order to support the NHS’s Test and Trace response (see the extract quoted below).

Contact details such as names, phone numbers, and email addresses constitute personal data under the GDPR and Data Protection Act 2018. That means these businesses will need to ensure that their collation and retention of these contact details comply with this legislation. The guidance says little as to what exactly is expected of these businesses in terms of compliance. In the extract quoted below, the government has stated that it will announce further details “shortly”, but adds that it does expect these businesses to collect customer data “to help fight the virus”.

Although there is little time for these businesses to prepare and implement detailed data collection and retention procedures before Saturday, there are some key steps that businesses can take before collecting customers’ contact details. These include:

- Informing customers that their contact details will be collected and letting them know how they will be processed and who they might be shared with (e.g. NHS contact tracers). Privacy notices ought to be updated if necessary and made available to view wherever bookings are made, whether online or at the premises.
- Ascertaining the correct lawful basis or bases for the collection of customer data and stating this in the privacy notice. Relying on consent as the lawful basis in this scenario may be problematic, since this can be withdrawn by customers at any time, and it may not satisfy the requirement of having been “freely given” if access to the premises is made conditional upon customers disclosing their contact details.
- Ensuring customers’ contact details are used only for the purposes for which they were collected. That means those details can be used to support the Test and Trace operation, but cannot be used for marketing or other purposes (unless another lawful basis for those other purposes has been established).
- Training staff to keep customers’ contact details confidential. Businesses must have appropriate technical and organisational measures in place to prevent any misuse or unlawful access of this personal data.
- Putting in place procedures to delete customers’ contact details after the 21-day period is over, unless there is another lawful basis established for the continued processing of that personal data.

The UK’s privacy regulator, the Information Commissioner’s Office (ICO), is unlikely to impose heavy fines on these already-challenged businesses in the leisure and hospitality sector for failure to achieve full compliance in such a short space of time. However, as the pandemic rages on and businesses continue to collect customers’ details, expectations of compliance will mount, not just from the ICO, but from the population at large.


Protecting Personal Data as Lockdown unlocks

Alongside all the other practical challenges of the easing of lockdown restrictions is the question of what additional requests organisations may need to make of their employees to provide a safe working environment. This may include asking employees if they are experiencing any COVID-19 symptoms, requiring them to undergo testing in certain circumstances, and requiring them to provide details of other employees, clients and suppliers with whom they may have been in contact. Requests such as these will necessarily involve processing personal data and employees will perfectly reasonably want to be reassured that the protections and requirements of the GDPR and Data Protection Act 2018 are being observed.

It is therefore timely that the ICO has issued a 6 step guide to employers on these issues, as part of a toolkit of advice to businesses dealing with data protection during the Coronavirus lockdown.

In brief, the 6 steps are:

1. Only collect and use what personal data is necessary;
2. Keep it to a minimum;
3. Be clear, open and honest with staff about their data;
4. Treat people fairly, to avoid discrimination;
5. Keep people’s information secure; and
6. Staff must be able to exercise their information rights.

While much of this may seem like a statement of the obvious, it is exactly these basic messages that need to be restated and reinforced at a time when a disorganised unlocking of lockdown can result in serious harm to individuals if sensitive health data is treated in a cavalier fashion. The ICO has behaved exactly as we should wish a responsible regulator to behave: no scaremongering, no heavy-handed application of rules or guidance, just reassuring common sense advice and policies that should not cause any difficulty to any business.


Babylon Health admits GP app suffered a data breach

Babylon Health is one of the largest and most successful players in the rapidly growing telemedicine sector, having secured funding last year to expand into the US and across Asia. However, they are now under scrutiny after their GP video appointment app suffered a data breach. The breach has resulted in video recordings of some patients’ consultations with doctors being accessible by other patients. One user noticed this and immediately alerted Babylon Health to the issue.

Although Babylon Health has said that only a small number of users could see other users’ consultations, the full extent of the data breach will only be known after there has been a complete investigation. The severity of a data breach does not only depend on the volume but also on the categories of data that have been compromised. In this case, it relates to patient information including data relating to health, which is treated as sensitive by the GDPR and the Data Protection Act and hence requires a higher degree of protection. One would therefore expect that Babylon Health has implemented enhanced security measures for the provision of their services. Instead, the breach, which resulted from a software error as opposed to a malicious cyber-attack, demonstrates that this may not be the case, which is all the more worrying.

Babylon Health’s quick response might plead in their favour, but they are nonetheless at risk of a significant fine issued against them by the ICO, given the sensitive nature of the personal data that has been compromised. If it turns out however to be a minor breach, there is still reputational damage as some users will now be reluctant to use Babylon Health’s GP video appointment app, as is highlighted in the article.
