The UK’s Data Protection and Digital Information (No 2) Bill passed its second reading in the House of Commons on 17 April 2023. Completion of that formal stage in Parliamentary proceedings confirms approval of the Bill in principle. From there, the Bill moves into its committee stage for more detailed scrutiny. The second reading debate
The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of the 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.
The IDTA and
The UK data protection regulator, the Information Commissioner’s Office (the “ICO”) has finalised its new UK data transfer agreement and addendum to the new EU Standard Contractual Clauses (EU SCCs) following its consultation last year. From 21 March 2022, (subject to Parliamentary approval) organisations in the UK will be able to choose whether to use
In this case, on the 8th January 2021, a former employee (“D”) of the RAC, (a well-known breakdown and recovery service in the UK and Europe) pleaded guilty to charges of conspiracy to secure unauthorised access to computer data and to selling unlawfully obtained personal data. The ICO investigation had found that
On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must considered on a case-by-case basis in light of the circumstances of the particular transfer.
US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanism such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).
Continue Reading CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats
As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace. This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted.
Continue Reading The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses
The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible.
Continue Reading Data Privacy & COVID-19 in the UK: Q&A on Key Privacy Issues
On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms.
Continue Reading UK Government Rolls Out New Essential Worker Online Testing Portal
The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.
Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.
Continue Reading A Timely Reminder: Maintain Data Security in the Face of the Pandemic
The Covid-19 virus has forced substantially increased numbers of employees to work from home, potentially for an extended period of time. Against an already cluttered landscape of other business-critical issues they have to deal with, businesses also need to be mindful of the increased risk to cyber, and other types of data security, that this presents. This risk is amplified where employees are required to use personal devices to access business information, due to the limited supply of work devices.
Continue Reading Protecting Data During the Covid-19 Crisis