The UK’s Data Protection and Digital Information (No 2) Bill passed its second reading in the House of Commons on 17 April 2023. Completion of that formal stage in Parliamentary proceedings confirms approval of the Bill in principle. From there, the Bill moves into its committee stage for more detailed scrutiny. The second reading debate
The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of the 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.
The IDTA and
The UK data protection regulator, the Information Commissioner’s Office (the “ICO”) has finalised its new UK data transfer agreement and addendum to the new EU Standard Contractual Clauses (EU SCCs) following its consultation last year. From 21 March 2022, (subject to Parliamentary approval) organisations in the UK will be able to choose whether to use
The Information Commissioner’s Office (“ICO”) has, for only the second time in its history, successfully prosecuted individuals under the Computer Misuse Act 1990 (the “Act”) in order to impose harsher criminal penalties for unauthorised access to personal data, (including prison sentences and confiscation orders), than are available under the Data Protection Act 2018 (the “DPA 2018”).
Continue Reading ICO Utilises the Computer Misuse Act to Impose Tougher Penalties for Unauthorised Access to Data
With the end of the Brexit transition period fast approaching, we have examined the potential impact on data privacy compliance in the UK and the EU/EEA and prepared a guide which provides practical advice on how to prepare to ensure that your organization is in the best position possible to deal with the outcome of the current UK/EU negotiations on 31 December 2020.
Organisations are advised to identify personal data flows between the EEA and the UK and to devise a plan to ensure that these data transfers will be able to lawfully continue from 1 January 2021, in the event that the UK does not obtain an adequacy decision from the European Commission (and no alternative agreement is reached) in advance of that date. Priority should be given to business-critical data flows and transfers of large volumes of personal data, special category data or criminal data.
Continue Reading The Brexit Transition Period: Are You Ready?
On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must considered on a case-by-case basis in light of the circumstances of the particular transfer.
US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanism such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).
Continue Reading CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats
As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace. This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted.
Continue Reading The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses
The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible.
Continue Reading Data Privacy & COVID-19 in the UK: Q&A on Key Privacy Issues
On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms.
Continue Reading UK Government Rolls Out New Essential Worker Online Testing Portal
The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.
Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.
Continue Reading A Timely Reminder: Maintain Data Security in the Face of the Pandemic