Photo of Laura Scanlan

The UK Information Commissioners Office (the ICO) has released an International Strategy (the Strategy) in which it outlines its plans for 2017 – 2021 to deal with the data protection challenges presented by globalism, the GDPR and Brexit. The Strategy which can be read in full here is the first with an international emphasis released by the ICO. It is described by the UK Information Commissioner, Elizabeth Denham, in a statement on 4 July, as a “blueprint” for how the ICO will deliver its international objectives.

The Strategy reiterates the ICO’s commitment to assisting with the implementation of the GDPR into UK law. Operating on the assumption that the UK will implement the provisions of the GDPR prior to leaving the EU, the ICO expresses an intention to strongly engage with the Article 29 Working Party and the European Data Protection Board up until the UK’s exit from the EU. Furthermore, it notes that it will seek to maintain working relationships with these groups post-Brexit. The ICO qualifies this by stating this will be dependent on the outcome of the Brexit negotiations.

While the Strategy encompasses a 5 year time period, the ICO envisages that it will be subject to regular review and updated to reflect any new challenges that may arise in the protection of personal data.

 

Photo of Neasa Ni Ghrada

The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to Newcastle was “ram-packed”. The footage shows Mr Corbyn walking past empty seats.

Following its investigation, the ICO found that Virgin had a “legitimate interest” to release the footage of Mr Corbyn: “namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”. The ICO acknowledged that Virgin could not have achieved this without publishing Mr Corbyn’s image.

The ICO did find, however, that Virgin breached the law when it published images of other passengers on the same service. It stated that Virgin should have taken better care to obscure the faces of other passengers on the train. Publication of their images was unfair and a breach of the first principle of the UK Data Protection Act that personal data shall be processed fairly and lawfully.

The ICO stopped short of formal regulatory action against Virgin to reflect “the exceptional circumstances of the breach”. It noted that it was “a one-off incident, and the people identified were unlikely to suffer serious distress or detriment”. However, the ICO did stress that Virgin “has not been let off the hook” and will strengthen its data protection training and policies and ensure it has easy access to pixelation services should the need arise again.

Photo of Chris Stynes

The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.

The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:

  • the satisfaction of a legal basis to process under Article 7 of the DPD;
  • whether the processing activity is both necessary and fair to the employee;
  • whether the processing activity is proportionate; and
  • whether the processing activity is transparent.

The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.

The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).

GDPR

The WP29 comment that  the GDPR requires the most privacy friendly settings to be provided as default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when using new technologies. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data processing at work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so the legal grounds that apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.

The full opinion can be read here.

Photo of Neasa Ni Ghrada

In advance of the forthcoming Dáil elections, the Office of the Data Protection Commissioner (ODPC) has issued guidance to candidates for election and their representatives on canvassing, data protection and electronic marketing (the Guidance). Publication of the Guidance follows the ODPC’s previous efforts to boost awareness of individuals’ privacy rights in this area (see previous blog here).

The Guidance includes an overview of the provisions in relation to unsolicited marketing and cookie use as contained in the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. 336 of 2011). It also emphasises the use of clear and prominent Privacy Statements on websites and data base compliance with the 8 Data Protection Principles.

Photo of Davinia Brennan

In Barbulescu v Romania, a case concerning employees’ right to privacy, the European Court of Human Rights (ECHR) held that an employer could monitor and access personal messages sent by an employee during work hours from his Yahoo Messenger account. The decision, however, is not a precedent for unrestricted monitoring by employers of personal messages sent by employees during office hours.

Continue Reading ECHR rules employer can monitor personal messages sent by employee

Photo of Davinia Brennan

On 7 December 2015, the EU Council reached an informal agreement with the EU Parliament on the draft Network and Information Security (NIS) Directive.The draft Directive sets out cybersecurity obligations for operators of essential services in the healthcare, banking, energy and transport sectors, and also digital service providers (including e-commerce platforms, search engines, social networks, internet payment gateways, and cloud services). These operators will be required to take measures to manage cyber risks and report major security incidents.

Continue Reading Agreement reached on first EU-wide cybersecurity legislation

Photo of Neasa Ni Ghrada

In its ongoing effort to raise awareness of individuals’ privacy rights, the Office of the Data Protection Commissioner (ODPC) has published a press release on their website on the "Electoral Register and ‘Opting Out’ of the Edited Register".

Every year, the Department of the Environment, Community and Local Government encourages individuals to register to vote or to check that their details are up to date on the Electoral Register in advance of the 25 November deadline. In line with publicising such rights, the ODPC wishes to draw attention to the Edited Electoral Register and how it relates to direct marketing.

Continue Reading ODPC Raises Awareness of Right to Opt-Out of the Edited Electoral Register

Photo of Aoibheann Duffy

Unmanned Aerial Vehicles, or Drones, as they are more commonly known, have traditionally been regarded as a military tool, frequently featuring in media reports on US military action as well as TV dramas such as ‘Homeland’ and ‘House of Cards’. They are however, being increasingly put to a much broader spectrum of uses.

Drones have been used by humanitarian organisations to deliver food and medical supplies to crisis-stricken areas. Following typhoon Haiyan in the Philippines, drones were used by international relief agency Medair to map terrain and create a detailed system of 3D aerial images of the region to make relief efforts more efficient. Amazon’s Prime Air development project has also garnered a lot of attention for its goal to use drones to deliver goods to customers in 30 minutes or less. Drones are also now available to buy in electronics stores and are used to capture videos and photographs by amateur and professional photographers.

Continue Reading Drone Regulation Takes Flight

Photo of Neasa Ni Ghrada

On 14 May 2015, the Private Security (Licensing and Standards) (Private Investigator) Regulations 2015 (S.I. No 195 of 2015) were signed into law. The Regulations mark the outcome of a Private Security Authority (PSA) public consultation conducted last January following high profile prosecutions for breaches of data protection law in the Private Investigator (PI) Industry (see previous blogs here and here).

The Regulations, which come into effect on 1 November 2015, shall make it an offence for any contractor to offer a service as a PI without a licence after that date. It will also be an offence for a person to engage or employ an unlicensed PI. Only those licensed by the PSA will be able to advertise or represent themselves as a Licensed PI.

The Department of Justice and Equality has hailed the new Regulations as "a major milestone" for the PSA.

Photo of Conor McEneaney

The Data Protection Commissioner, Helen Dixon, spoke at the Society for Computers and Law’s ‘The Evolution and Reform of Data Protection’ event this morning. The Commissioner gave an overview of the activities of the Office of the Data Protection Commissioner (ODPC) in 2014 and set out the aims of the ODPC for the year ahead.

Continue Reading Data Protection Commissioner reviews 2014 and sets out plans for 2015