Blog: Simplifying subject access requests – new detailed SARs guidance

21 October 2020: The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it’s vital that people have the right to be able to find out what’s happening to their information. More and more people are waking up to the power of their personal data, and are exercising their rights. That’s why, as an organisation, it’s important that you know how to deal with a subject access…

ICO fines British Airways £20m for data breach affecting more than 400,000 customers

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months. ICO investigators found BA ought to have identified weaknesses in its security and resolved them with…

Keynote at PDP’s 19th annual data protection conference

I began my career as an archivist, and I’ve always had a passion for records, for dusty papers tucked away in a basement. We tend to see archives as a way of reviewing the past, of being able to find a different contextual perspective on a period of history. But what always strikes me when I spend any time reading through historic documents is how much they inform contemporary challenges. The unique events we face aren’t always quite as unprecedented as we think. Everything changes and nothing changes. And so…

ICO takes action against company for sending spam emails selling face masks during pandemic

A company that sent spam emails selling face masks during the pandemic has been fined £40,000 by the ICO and issued with an enforcement notice. Studios MG Ltd, a London-based software consultancy, tried to exploit the public health emergency by sending up to 9,000 unlawful marketing emails to people without their permission. The emails were sent on 30 April in the midst of the pandemic. The ICO investigation found that the company was not involved in the business of supplying PPE, but that the director had decided to buy face masks…

Statement on the outcome of the ICO’s compulsory audit of the Department for Education

The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education (DfE) carried out in February 2020. The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority. The ICO’s primary responsibility is to ensure compliance with the law and its policy is to work alongside organisations committed to making the…

Blog: Elizabeth Denham on the conclusion of the ICO’s investigation into the use of personal data in political campaigning

06 October 2020: There can be few cases that better illustrate how mainstream data protection has become than the ICO’s investigation into the use of personal data in political campaigning, including by the now defunct Cambridge Analytica. How people’s information was being used became a dinner table topic, prompting undercover news reports, a TV dramatisation and a Netflix documentary. Our work, alongside the sustained contribution of journalists, civil society groups, researchers and parliamentarians, drew back the curtain on a world that so many people were affected by, but so few…

ICO launches consultation on draft Statutory guidance

The Information Commissioner’s Office (ICO) has launched a public consultation on its draft Statutory guidance, which details how it will regulate and enforce data protection legislation in the UK. Supporting the ICO’s primary responsibility of ensuring compliance with the law, the document explains the ICO’s powers; when it will use them and how it calculates fines. Designed to ensure the rights and freedoms of individuals are protected, the draft guidance also seeks to provide assurance to business that the ICO will use its powers proportionately and consistently. Elizabeth Denham, Information…

ICO fines company flouting the law in order to profiteer from the coronavirus pandemic

The Information Commissioner’s Office (ICO) has fined Digital Growth Experts Limited (DGEL) £60,000 for sending thousands of nuisance marketing texts at the height of the pandemic. Seeking to capitalise and profit from the pandemic, DGEL sent the texts, of which 16,190 were received, between 29 February and 30 April 2020 promoting a hand sanitising product that it claimed to be “effective against coronavirus”. The messages were all sent to people who had not consented to receive them. Andy Curry, Head of Investigations at the ICO, said: “DGEL played upon people’s concerns…

Statement from Information Commissioner Elizabeth Denham on the NHS COVID-19 app

“I am pleased that the app being launched this month is supported by the necessary consideration of people’s data protection rights. “The Department for Health and Social Care has engaged with my office from the start of this project, answering our questions on transparency, legality and fairness, making changes in response to our feedback, and appreciating the value of data protection in encouraging public trust and support. “We are in unprecedented times, and as a regulator it is my responsibility to both protect people’s privacy rights and take a pragmatic…

Blog: Data protection considerations and the NHS COVID-19 app

18 September 2020: Information Commissioner Elizabeth Denham talks about the regulatory work the ICO has been involved in regarding the England and Wales NHS COVID-19 app. One of the themes of the ICO’s recent work is the use of tech innovation to respond to the challenges prompted by COVID-19. As a regulator, we have an important role to play in those projects, both by enabling progress that can help society, and by protecting the people whose data – and trust – such projects rely on. Our engagement around the England…