Welcome from Elizabeth Denham, Information Commissioner
15 January 2020
January always brings a sense of looking to the future, and resolving to make changes for the better.
It is no different at the ICO. As Elizabeth returns to the UK after a trip to see family in Canada, her mind is already looking ahead to a busy few months, and a wealth of work the office is doing to help organisations improve their data protection practices.
The ICO wants your input into that work, and this month’s newsletter has details of our consultations on the draft direct marketing code of practice and on explaining AI decisions.
There are details on how the ICO continues to look at the impact of technical innovation and digital developments, with a blog updating their crucial Adtech work, and another reflecting on how open banking shows the benefits of sharing personal data.
The ICO will provide updates here on our enforcement work, including recent penalties for data protection contraventions, and our role in the international access to information network of information commissioners.
Finally, the end of 2019 also marked the end of Jonathan Bamford’s distinguished ICO career, as he retired after 34 years with their office. His reflections on how the law developed across the past four decades are well worth a read!
Direct marketing code open for consultation
Direct marketing is carried out by the vast majority of organisations, as a tool to grow their business or publicise their causes and aims. But organisations must ensure their direct marketing complies with the law.
Our new draft code will help organisations ensure they meet their obligations. We want to know your thoughts. Does it contain enough information? Is it clear and easy to understand? And what kinds of examples should we consider?
The consultation is open until 4 March 2020 and you can submit your views here.
What can we learn from Open Banking?
The Regulators’ Business Innovation Privacy Hub has been looking at the data protection considerations for innovators working in the Open Banking space.
Read their three considerations for the sector and how you can work with the team here.
Adtech and data protection – where next?
In June 2019, the adtech update report was published with a clear message to industry that they had six months to act.
Simon McDougall's latest blog looks at the current progress, the lessons learned from our work so far and what's next for the industry and the ICO. Read more here.
Explaining AI decisions - your thoughts wanted
There are just two weeks left to give your thoughts on our AI guidance. It is split into three key parts and you can comment on all three sections or just the one most relevant to you.
The guidance covers:
1. The "Basics of explaining AI", which is relevant to all staff involved in developing AI systems;
2. "Explaining AI in practice", which will be primarily helpful for the technical teams involved in AI; and
3. "What explaining AI means for your organisation". This will be useful for your senior management team.
Reflecting on four decades of data protection
Jonathan Bamford's career at the ICO has covered five commissioners, four decades and three data protection acts.
On his retirement, he reflects on the changing world of data protection and how the ICO has transformed since 1984. Read here.
ICO joins International Conference of Information Commissioners (ICIC)
2020 signals twenty years since the Freedom of Information Act became law.
Gill Bull, the ICO’s Director of Freedom of Information Complaints and Compliance, notes a further FOI milestone as the ICO is formally accepted as a member of the ICIC. Read more here.
The data protection fee: do you need to pay?
The ICO is contacting all UK-registered companies to remind them of their legal responsibility to pay a data protection fee.
Organisations processing personal information are required to pay a data protection fee unless they are exempt.
If you or anyone you know has received the letter, you can check to find out if you need to pay or if you're exempt.
London pharmacy fined after “careless” storage of patient data
The ICO issued a fine of £275,000 to a pharmacy for failing to ensure the security of special category data.
Doorstep Dispensaree Ltd left approximately 500,000 documents in unlocked containers at the back of its premises.
National retailer fined £500,000 following cyber-attack
The ICO has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
The investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores, collecting the personal details of 14 million people.