If asked to summarise data protection laws in four words, the response most likely would be “don’t lose the data!”. Of course, that’s an oversimplification but it highlights the centrality of data security.
Since May 2018 it has been obligatory to notify the UK regulator, the Information Commissioner’s Office (ICO), if you suffer a data breach. You also have to tell the individuals concerned if their data has been compromised and the breach is likely to result in a high risk to them.
Data security incidents are a major concern for those affected and a key area of action for the ICO – over 25,000 data breach incidents have been reported to them since 2019.
The breach does not have to be a sophisticated hack. Data emailed to the wrong recipient is the most common incident type reported to the ICO. Unthinkingly clicking on a link in an email can trigger a phishing or ransomware attack. In such cases, the incident is often down to simple human error.
While the implementation of technology can help, many incidents reflect a lack of awareness of the risks on the part of employees. With many employees working away from the more controlled environment of the office, the risks can increase.
When reporting a data breach to the ICO, one of the questions you must answer is when employee training was last carried out. Therefore, for 2022, it will be advisable to implement employee-wide training (or refresher training) on good data protection practice and cyber risk awareness. There are excellent e-learning programmes where employees can undertake the training online and in their own time, and employers can maintain an audit trail of who has and has not completed the training.
2. International data transfers
The position on international data transfers remains highly complex as a result of the perfect storm of Brexit, the CJEU Schrems II decision in 2020, new EU Standard Contractual Clauses (SCCs) and a proposed new UK international data transfer agreement (IDTA).
So far as transfers from the UK are concerned, the ICO’s consultation on its draft IDTA and guidance, which is intended to replace Standard Contractual Clauses (SCCs) for transfers from the UK, closed on 11 October 2021. We expect to see the new IDTA coming on stream in 2022. The ICO has also proposed a practical solution under which the EU SCCs could be used for transfers from the UK with a short Addendum.
There is likely to be a short grace period when we can continue to use the old SCCs for new agreements, and then a 24-month period in which all existing agreements will need to be upgraded to the new format.
In the meantime, so far as transfers from the UK to countries other than in the EU (or other countries with adequacy findings) are concerned, we can continue to use the old (but not the new) EU approved SCCs, although the ICO has issued an adapted version of the EU SCCs which can be used with updated post-Brexit references.
So far as transfers from the EEA are concerned, we must now use the new (but not the old) EU SCCs. Moreover, all existing agreements based on the old EU SCCs will need to be migrated to the new EU SCCs by the end of 2022.
So, at the moment, if you have transfers from both the UK and the EEA, then a different approach is needed for each.
But it is not enough simply to sign up the IDTA / SCCs. Following Schrems II, you also need to undertake a transfer risk assessment (TRA) and, as needed, implement supplemental measures.
In this respect, the ICO has provided a draft TRA Tool as a guide to the process. This can be a relatively complex exercise but the ICO TRA Tool provides practical support. As the ICO comments, “If you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of …UK GDPR”.
3. UK data protection reform
Now that it is outside the EU, the UK is free to reshape its approach to data protection regulation. Unlocking the power of data is one of the government’s 10 Tech Priorities as set out in the National Data Strategy.
In September 2021 the government launched a consultation on reforms to build “a pro-growth and innovation-friendly regime that maintains its high data protection standards”.
The consultation closed on 19 November 2021 and the responses are being analysed. Key areas being considered include the following:
One issue with making changes that depart from the EU GDPR is that it puts at risk the EU adequacy decision that allows data to flow from the EU to the UK following Brexit.
The government believes that this can reasonably be maintained on the basis that data adequacy does not mean verbatim equivalence of laws; a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law. However, this will ultimately be for the EU to decide.
The objective of reducing the burden of regulation will be welcomed by businesses. But for international organisations operating in both the UK and the EU, which have to comply with both EU GDPR and UK data protection laws, the proposed reforms are likely to create additional complexity rather than reduce it.
Ahead of the introduction of mandatory vaccination and COVID status checks in Scotland and Wales, the ICO has made it clear that data protection law does not stand in the way.
Instead, it allows for responsible sharing of personal data where it is necessary to protect public health. Workplaces and venues that implement COVID status checks must ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and take a ‘data protection by design’ approach when planning the scheme.
If you are only conducting a visual check of someone’s COVID status (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, data protection laws will not apply. However, if you are (for example) scanning a QR code displayed on a pass, this would constitute “processing” of personal data – even if you do not keep a record of it – and data protection laws will apply.
Remember that a person’s COVID status is “special category data”, as it is their private health information. This means that you need to be able to identify an additional lawful basis for the processing under Article 9. The two you could consider are: the employment condition (for employees); or the public health condition (for visitors). “Consent” as a lawful basis is rarely appropriate in an employment setting given the imbalance of power between the employer and employee.
In terms of transparency, you must make sure that people understand why you need to collect this information, what you’re using it for, how long you will keep it, with whom you will share it and how you keep it secure. This means being able to give them a privacy notice setting out your policy.
If you record the information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect.
Before implementing COVID checks, it would be good practice (and if checks are carried out on a large scale will be mandatory) to conduct a data protection impact assessment.
5. A new year, a new ICO
As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.
Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.
One little-known fact: in 1986–1987 Mr Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.