UK: Global Data & Privacy Update - May 2019

Welcome to the May Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

Written by Mark Williamson, Isabel Ost and Charlotte Gatland

ICO order HMRC to delete unlawfully collected voice data

The Information Commissioner's Office (ICO) has issued an enforcement notice for HMRC to delete, within 28 days, the unlawfully collected biometric data of around 5 million individuals. HMRC used a voice verification system for some of its helplines called Voice ID. The voice data was collected from individuals who had previously called and undergone a verification process in a non-automated fashion, following which some automated information about Voice ID was provided. Crucially, the automated information failed to inform individuals that sign-up was not mandatory and where further details could be found. HMRC, subsequently, contacted customers about agreeing to the Voice ID service - 20% of 7 million individuals whose data was collected responded, with 20% of those persons refusing to provide consent.

The ICO found HMRC breached the first data protection principle under the GDPR – lawful processing – from failing to have a lawful basis to process the data. The Regulator considered that of the possible lawful bases to process personal data, under Article 6, consent had not been validly obtained. Customers were not provided with appropriate information on the use of their data, with a Voice ID privacy notice being published after the data was collected. Crucially, individuals were not given the opportunity to choose or reject this use of their data. The use of voice data to identify an individual also constitutes biometric data - a type of special categories of personal data - therefore a further lawful basis is required, under Article 9. Consent as a lawful basis under Article 9 must also be explicit. On the basis consent was not deemed obtained under Article 6, a lower standard of consent, it was not possible to rely on consent to process biometric data under Article 9.

HMRC had no lawful basis to process the information and so the continued retention and use of the voice data was deemed unlawful. The notice requires HMRC, within 28 days, to delete the biometric data held without consent and procure suppliers operating Voice ID to do the same. The factors for taking such action include the large number of individuals affected, the imbalance of power between HMRC and customers (including the potential ongoing imbalance of power on requesting consent, particularly of those receiving benefits), lack of information about how not to participate and the insufficient consideration of data protection principles. The Commissioner considered the lack of damage or distress likely to have been caused not to be a barrier to issuing the enforcement notice, given the importance of Articles 6 and 9 (lawful bases for processing) as key cornerstones of the legislation.

Click here to read the enforcement notice.

High Court decision on Data Sharing Agreement

A High Court considered whether a data sharing agreement between a police force and a business crime reduction organisation (BCRP) was compliant with data protection legislation, with respect to appropriate technical and organisational measures.

The background to this case is that the claimant was excluded by BCRP from its members' commercial premises on the basis of information provided by the local police force, shared under an agreement between the two. The aim of the agreement was the prevention of crime and to assist with public protection. It was argued that the police failed to put in place appropriate safeguards within the agreement, in particular relating to technical and organisational measures and those being implemented by default. The Judge evaluated these safeguards in light of the following four areas:

"(a) the nature of the data that can be shared under the agreement;

(b) the provisions as to who it can be shared with and control over any onward sharing;

(c) the requirements for the training and vetting of recipients of the data; and

(d) the degree to which the specific interests of children are factored into the proportionality exercise [assessing the lawful basis]."

While this case is fact specific to regular disclosures by a police force under the law enforcement sections of the Data Protection Act 2018 rather than the GDPR, it is helpful in starting to gauge the level of detail that may be reviewed and considered by a Court assessing the appropriateness of data sharing arrangements.

Click here to read the case - The Queen (on the application of M by her Litigation Friend the Official Solicitor) (Claimant) and the Chief Constable of Sussex Police (Defendant) and BCRP (Interested Party) [2019] EWHC 975.

CNIL 2018 Activity Report – Statistics and Trends

The French data protection regulator (CNIL) has released a report regarding their activities during 2018 and trends for this year.

• CNIL received over 11,000 complaints last year, a 32.5% increase on 2017, with 73.8% of these complaints relating to the exercise of data subject rights.
• The top 3 areas for complaints to CNIL related to managing digital presence (35.7%), marketing/business (21%) and human resources (16.5%).
• 51,000 organisations appointed a Data Protection Officer but there are only 17,000 different officers, indicating a significant pooling of resources.
• CNIL made 310 investigations of which 204 were performed on-site and 20 of those related to CCTV systems. The Regulator noted complaints regarding remote access of CCTV as a growing trend.
• The Regulator issued 10 monetary fines, 7 of which related to security breaches. It issued 49 orders, targeting two sectors – the insurance sector (5 orders) and mobile advert targeting companies (4 orders).
• CNIL intends to investigate based on complaints including those received relating to data subject rights, because this represents such a high proportion of complaints received. It also plans to investigate the topic of shared responsibilities between processors and sub-processors and the handling of children's data (including CCTV in schools and parental consent for minors).
• CNIL's website received 8 million visits (up 80% from the previous year).

Click here to read CNIL's report summary.

ICO Public Awareness Campaign

The ICO has launched a public awareness campaign – Be Data Aware – designed to improve individuals' understanding of how their data can be used to target them and how to control this. It particularly focuses on data used by social media and political campaigning organisations.

This campaign is in response to an ICO investigation, into data analytics used for political campaigning, which recommended educating the public about how their data is used online.

The ICO has provided explanations about how targeting works and how this can be managed, particularly with respect to social media and political campaigning organisations.

Click here to view the Be Data Aware resources.

The Gift of Paper – One Year Anniversary of GDPR

The gift of paper, being the traditional first anniversary gift, seems apt as we mark a year of our relationship with the GDPR. Paper has been a key theme, having been both accumulated and destroyed, from both the paper trails of accountability created and the paper destroyed for being past its best – out with the old and in with the new. Much like the first year of a relationship, there have been highs and lows in these honeymoon days – with each other's name frequently taken in vain and error. We have learnt a lot about each other over these early times, with many skeletons of past attitudes and memories cleansed and reformed in the light of day. The trials and teething problems of a new relationship have been real but as they say – relationships take effort. We have to evolve with our environments and while the exact names (GDPR and Data Protection Act 2018) may change on leaving the EU, the same spirit will continue.

Many, before the happy day last year, pinned all their sails to the mast of that day as the pinnacle, but as any that have been wed will tell you the hard work starts from there and the journey continues. So as many reflect one year on, let us continue to strive and continue working for a better working relationship with data protection.

Even the best of friends need support and we are here to help.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.