Tag Archives: ICO

GDPR Contracts and Liabilities Between Controllers and Processors

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below. …

UK Government Proposes Cybersecurity Law with Serious Fines

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or …

Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.” The ICO highlighted several technical and organizational deficiencies as justification for issuing its largest fine to date. Many …

UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation

By Phil Bradley-Schmieg and Gemma Nash

On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint. Commission Regulation …

ICO Publishes New Guidance On Encryption

On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption. The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption. There is no legally binding requirement under UK data protection law to encrypt data, either when static or …

EU DPA Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”). As we explained in recent posts (here and here), publication of an …

Regulators in the U.S. and U.K. Monitoring Mobile Apps and Websites Directed at Children

By Megan L. Rodgers

What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues. The FTC recently released a follow-up report on privacy notices in mobile apps directed …

ICO Fines Insurance Company £175k for Data Security Breach, Criticising Lack of Policies

By Mark Young and Tom Jackson

On February 20, 2015, the Information Commissioner’s Office (“ICO”) fined Staysure.co.uk Ltd (“Staysure”), an online travel insurer, £175,000 for failing to protect its customers’ personal data. In addition to technical vulnerabilities, the ICO took into account Staysure’s lack of security policies and practices when levying the fine. In short, …

UK Data Protection Regulator Surveys Use of Smart Medical Devices

By Phil Bradley-Schmieg

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps. The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance …

ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras. Among other topics, the ICO uses the Code to begin to address privacy practices for drones. Drones are not new, but two factors are now making questions about drones and privacy practices more pressing. First, many …

Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period of …

Covington Helps GSK Secure BCRs

On 10 June 2013, the UK Information Commissioner’s Office authorized GlaxoSmithKline’s ‘Binding Corporate Rules’ (BCRs), a set of internal policies and procedures used to protect personal data across GSK’s operations globally. Covington & Burling’s data privacy and security team, led by London partner Dan Cooper and senior associate Mark Young and including Brussels-based …

ICO Issues Fine of £90,000 for Breach of PECR

By Oliver Grazebrook and Ezra Steinhardt

On 20 March 2013, the UK Information Commissioner’s Office (ICO) announced that it had issued a fine of £90,000 against DM Design, a Glasgow-based kitchen and bedroom fitting company, for breaching the Privacy and Electronic Communications Regulations (PECR) by making thousands of unwanted direct marketing calls. This fine, made two years …

New ICO Guidance Offers Employers Practical Advice on Implementing Safer “Bring Your Own Device” Policies

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal …

ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network. The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other …

The ICO Responds to the Leveson Report

By Dan Cooper, Helena Marttila & Fredericka Argent

Following the 2011 News International phone-hacking scandal, the UK government commissioned an in-depth inquiry into the accusations made against the British press to be conducted by Lord Justice Leveson. The “Leveson Inquiry” was a full-scale investigation, which culminated in an approximately 2000-page report published in November 2012. The …

ICO issues £440,000 fine to telecoms company for illegal direct marketing

By Bonnie Drury and Ezra Steinhardt

On 28 November 2012, following an 18-month investigation, the UK Information Commissioner’s Office (ICO) announced that it had fined the joint owners of Tetrus Telecoms (Tetrus) a total of £440,000 under the Privacy and Electronic Communications Regulations (PECR). The fine penalized Tetrus for sending millions of unsolicited text messages …

Google Contacts ICO Stating That It Still Holds Some Street View Payload Data

In a surprise turn of events, Google has written today to the UK data protection authority (the “ICO”) and other regulators around the world stating that it still possesses some of the payload data collected by its Street View vehicles in 2010. This follows the ICO re-opening its probe into Google’s Street View activity last …

UK Government Opens a New Consultation on Access to Public Data

On 4 August 2011, the Cabinet Office of the UK Government opened a new public consultation on disclosure and access to public sector data. The consultation, which seeks to “establish a culture of openness” in the public sector, comes soon after a statement from the ICO suggesting that public sector organisations should respond to Freedom of …

UK ICO Calls for More Privacy Audits

The U.K. Information Commissioner’s Office (ICO) issued a press release yesterday calling on companies to undergo more data protection audits. (Currently, only some public sector entities in the UK can be made to undergo audits — the ICO can effectively only request to audit a private sector company). The ICO issued the “warning” after releasing …

UK Information Commissioner Issues (Vague) Warning on Cookies

Since the 2009 amendments to Article 5(3) of the ePrivacy Directive (2002/58/EC) regarding cookies and consent, there has been considerable debate over what web sites and ad networks must do in order to deploy cookies lawfully, and over what constitutes informed consent from users (e.g., opt-in versus opt-out). For a flavour, see the Article 29 Working Party Opinion 2/2010 on online behavioural …