Tag Archives: UK Information Commissioner’s Office (ICO)

GDPR Applies From Today

The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018.  It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data. It is unclear how aggressively the … Continue Reading

GDPR Contracts and Liabilities Between Controllers and Processors

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.… Continue Reading

UK Government Proposes Cybersecurity Law with Serious Fines

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading

The Information Commissioner’s Office Publishes a Consultation Paper on Profiling and Automated Decision-Making under the GDPR

By Dan Cooper and Rosie Klement On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018. The public consultation on … Continue Reading

UK Information Commissioner’s Office Publishes Draft Guidance on Consent under the GDPR

By Dan Cooper and Rosie Klement On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018. The ICO is currently engaging in a public consultation on … Continue Reading

Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.”  The ICO highlighted several  technical and organizational deficiencies as justification for issuing its largest fine to-date.  Many … Continue Reading

UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation

By Phil Bradley-Schmieg and Gemma Nash On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint. Commission Regulation … Continue Reading

ICO Publishes New Guidance On Encryption

On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption.  The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption.  There is no legally-binding requirement under UK data protection law to encrypt data, either when static or … Continue Reading

Company Receives Record Fine from UK Regulator For Cold Calling

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.… Continue Reading

EU DPA Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an … Continue Reading

UK ICO Issues Largest Ever Fine In Connection With Automated Marketing Calls

The UK Information Commissioner’s Officer (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls.  The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly … Continue Reading

Regulators in the U.S. and U.K. Monitoring Mobile Apps and Websites Directed at Children

By Megan L. Rodgers What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues. The FTC recently released a follow-up report on privacy notices in mobile apps directed … Continue Reading

ICO Fines Insurance Company £175k for Data Security Breach, Criticising Lack of Policies

By Mark Young and Tom Jackson On February 20, 2015, the Information Commissioner’s Office (“ICO”) fined Staysure.co.uk Ltd (“Staysure”), an online travel insurer, £175,000 for failing to protect its customers’ personal data.  In addition to technical vulnerabilities, the ICO took into account Staysure’s lack of security policies and practices when levying the fine. In short, … Continue Reading

The UK’s Data Protection Regulator to Introduce “Privacy Seals” for Businesses

By Fredericka Argent The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK.  The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection … Continue Reading

UK Data Protection Regulator Surveys Use of Smart Medical Devices

By Phil Bradley-Schmieg The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps. The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance … Continue Reading

ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras.  Among other topics, the ICO uses the Code to begin to address privacy practices for drones.  Drones are not new, but two factors are now making questions about drones and privacy practices more pressing.  First, many … Continue Reading

Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period of … Continue Reading

The ICO Publishes New Guidance on Direct Marketing

By Helena Marttila-Bridge and Colin Warriner On 10 September 2013, the UK’s Information Commissioner (ICO) released new guidance on direct marketing.  The paper canvasses the marketing rules found in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, with the aim of helping companies to comply with the law … Continue Reading

Covington Helps GSK Secure BCRs

On 10 June 2013, the UK Information Commissioner’s Office authorized GlaxoSmithKline’s ‘Binding Corporate Rules‘ (BCRs) – a set of internal policies and procedures used to protect personal data across GSK’s operations globally.  Covington & Burling’s data privacy and security team, led by London partner Dan Cooper and senior associate Mark Young and including Brussels based … Continue Reading

ICO Issues Fine of £90,000 for Breach of PECR

By Oliver Grazebrook and Ezra Steinhardt On 20 March 2013, the UK Information Commissioner’s Office (ICO) announced that it had issued a fine of £90,000 against DM Design, a Glasgow-based kitchen and bedroom fitting company, for breaching the Privacy and Electronic Communications Regulations (PECR) by making thousands of unwanted direct marketing calls.  This fine, made two years … Continue Reading

New ICO Guidance Offers Employers Practical Advice on Implementing Safer “Bring Your Own Device” Policies

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal … Continue Reading

UK’s Information Commissioner’s Office Issues Consultation on Data Protection and the Press

By Fredericka Argent and Helena Marttila-Bridge On 21 February 2013, the ICO launched a consultation on its proposal for a new code of practice regulating the press in the UK.  The consultation is in response to the publication of the Leveson Report in November 2012, which recommended significant and wide-ranging changes to the structure and … Continue Reading

ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other … Continue Reading

The ICO Responds to the Leveson Report

By Dan Cooper, Helena Marttila & Fredericka Argent Following the 2011 News International phone-hacking scandal, the UK government commissioned an in-depth inquiry into the accusations made against the British press to be conducted by Lord Justice Leveson.  The “Leveson Inquiry” was a full-scale investigation, which culminated in an approximately 2000-page report published in November 2012.  The … Continue Reading
LexBlog