Data protection: Tribunal decides on ICO Information Notice under DPA 2018

The First-tier Tribunal (information division) has considered an appeal against an Information Notice issued by the Information Commissioner under section 142, Data Protection Act 2018 (DPA 2018). In its decision (issued in January 2019), the Tribunal noted that this was the first such appeal to reach final determination under the regime introduced by the DPA 2018.

The Information Commissioner has power, under the DPA 2018, to issue Information Notices requiring controllers and processors to provide her with information that she ‘reasonably requires for the purposes of carrying out’ her statutory functions.

In July 2018 the Information Commissioner launched an investigation into the data protection compliance of Doorstep Dispensaree Ltd (the company), a pharmacy delivery service operating in the south of England. The investigation was prompted by a report from the Medicines and Healthcare Products Regulatory Agency concerning the manner in which the company appeared to be processing personal data. During the investigation, the Information Commissioner initially requested that the company provide relevant information voluntarily. The company refused to provide the requested information. The Information Commissioner followed up with a formal Information Notice.

Section 143(6) DPA 2018 provides that ‘an Information Notice does not require a person to provide the Information Commissioner with information if doing so would, by revealing evidence of the commission of an offence, expose the relevant person…

Data protection: ICO blog – advice for organisations in relation to a possible no-deal Brexit

In a blogpost published on 13 December 2018, the Information Commissioner Elizabeth Denham sets out information for organisations, to help them prepare for the possible event of a ‘no-deal’ Brexit.

The Information Commissioner said that, in view of the UK government’s intention that the GDPR will be absorbed into UK law at the point of exit, there would be no substantive changes to the data protection rules that organisations currently need to follow. In the Information Commissioner’s view, however:

organisations that ‘rely on transfers of personal data between the UK and the European Economic Area (EEA) may be affected’ if the UK leaves the EU ‘without a withdrawal agreement that specifically provides for the continued flow of personal data’;

although the UK government has made clear its intention to permit data to flow from the UK to EEA countries, transfers of personal data from the EEA to the UK will be affected.

The Information Commissioner refers organisations to the ICO’s ‘six steps to take’ guide, broader ‘guidance on the effects of leaving the EU without a withdrawal agreement’, and a general overview in the form of ‘Frequently Asked Questions.’ She also suggests that, where relevant, organisations should consider putting in place Standard Contractual Clauses to facilitate transfers of personal data from/to the EEA.

The blogpost states…

GDPR: First ICO enforcement notice under GDPR and DPA 2018

On 20 September 2018 it was reported that the Information Commissioner’s Office (ICO) had issued an enforcement notice dated 6 July 2018 to AggregateIQ Data Services Ltd (AIQ), using its powers under section 149 of the Data Protection Act 2018 (DPA 2018) for the first time.

AIQ, a Canadian company located outside the EU/European Economic Area, processed personal data of UK individuals. According to the ICO, the processing was in connection with online political messages sent by AIQ on behalf of Vote Leave, BeLeave, Veterans for Britain and DUP Vote to Leave. As part of its contracts with the foregoing organisations, AIQ had been provided with personal data including names and email addresses of the individuals involved. The personal data was then used by AIQ to target the data subjects with political advertising messages on social media.

In correspondence with the ICO dated 31 May 2018, AIQ confirmed that personal data of UK individuals concerned were still held by them. The data were stored on a code repository, and had been subject to unauthorised access by a third party.

According to the enforcement notice, the ICO was satisfied, having carried out an investigation, that AIQ failed to comply with GDPR requirements, including those under Article 5(1)(a), (b) and (c) (including processing personal data for purposes incompatible with…

IP/IT: UKIPO response to consultation on Trade Marks Directive 2015

The UK Intellectual Property Office (UKIPO) has published a response to its consultation on the implementation of the Trade Marks Directive 2015 (the Directive). The consultation sought views on proposed wording of the Trade Marks Regulations 2018 (the Regulations). Further to the consultation, the Regulations have now been finalised and were laid before the UK parliament on 10 July 2018; however, they will not come into force until 14 January 2019.

The document summarises the responses received, none of which were submitted by UK HEIs, and outlines how the government intends to make the necessary amendments to UK law. The most significant changes are:

Trade mark applications will no longer need to represent marks graphically. The new requirement is that marks are represented in a ‘clear and precise manner’. UKIPO has stated that it intends to facilitate the submission of applications ‘using the widest range of digital file formats that is technically possible with our current systems’. It is expected that relevant guidance will be published in the next few months.

Businesses will lose the ability to rely on the ‘own name’ defence against claims that they have infringed UK trade marks. Currently, businesses can avoid liability for trade mark infringement if the trade mark concerned is for a word that matches their name, provided that their…

IP/IT: Updated ICO guidance

The UK Information Commissioner’s Office (ICO) has published the following guidance to help organisations comply with their relevant duties under the General Data Protection Regulation:

Data Protection Impact Assessments: This replaces the previous code of practice on conducting privacy impact assessments. It explains the principles and process that form the basis of a DPIA. It explains what a DPIA is for, and when and how it should be carried out.

The right to be informed: This guidance sets out what information needs to be provided to people when their personal data is collected, when that information needs to be provided, and how it should be provided.

Automated decision making and profiling: This supplements the Article 29 Guidelines on Automated individual decision-making and profiling.

Determining what is personal data: This provides guidance on when personal data is being processed and when the obligations to comply with the provisions of the GDPR will apply.

Children and the GDPR: This focuses on the additional child-specific considerations.

Please contact a member of the HE Shared Legal team if you wish to discuss any aspect of the above guidance under the GDPR.

GDPR – ICO guidance on legitimate interests

On 22 March 2018, the Information Commissioner’s Office (ICO) published guidance titled ‘Legitimate interests’. The guidance is intended to assist organisations to decide when to rely on ‘legitimate interests’ as a lawful basis for processing personal data, and when an alternative ground should be considered.

The guidance states: ‘There are some differences in wording [between the Data Protection Act 1998 and the GDPR], but the three key elements of the concept of legitimate interests remain the same: a legitimate interest; a necessity test; a balance with individuals’ interests, rights and freedoms.’

The concept of ‘legitimate interests’ is not new; however, some changes have been introduced under the GDPR, for example:

Legitimate interests are no longer limited to a processor’s own interests or those of third parties to whom data is disclosed. The interests of any third party, including the wider benefits to society, should now be considered.

There are new accountability and transparency requirements requiring documentation of the decision to apply a particular ‘lawful basis’ together with the justification.

The transparency requirements require individuals to be informed up front as to which lawful basis (or bases) will be relied on, and if relying on ‘legitimate interests’ as a ground the individual must be informed what the legitimate interests are.

The guidance states: ‘The ability of public authorities to rely on legitimate…