Colleagues from across the organisation share their experiences and involvement in the ICO’s ongoing contributions to the upholding of information rights across the globe.
25 April 2017| Carl Wiper
Staff from the ICO have been travelling to Brussels regularly to work on European-level guidance in the count down to May 2018 when the GDPR starts to apply. The trip my colleague Chris Green and I made in early April was a little different however, as we were taking part in a ‘Fab-Lab’.
The ‘Fab-Lab’ was organised by the Article 29 Working Party and consisted of stakeholder workshops, which covered a range of GDPR topics, and a report-back session. Participants included representatives of European business associations and consumer and privacy groups.
The ICO is the lead rapporteur for Article 29 on profiling. A rapporteur drafts guidance documents which are adopted by the party, and we are currently drafting European guidance on this subject. I was one of the moderators in the profiling workshop, so was able to gather the views of stakeholders which will feed into the final version of this guidance.
One of the main issues identified was that the guidance needs to take into account the varied situations of businesses in different sectors and make realistic and workable recommendations -for example, in explaining the level of detailed information that controllers will have to give to data subjects about their profiling activities.
In another seminar room at the ‘Fab-Lab’, Chris was participating in a workshop about data breaches. The ICO will be acting as rapporteur for the Article 29 Working Party guidance on personal data breach notification as well. This will be produced later this year.
It was not surprising to find out that stakeholders wanted clarification on data breaches, as it will be a requirement under the GDPR for organisations to report most data incidents. Areas they were concerned about included when they need to report, what information should be included and what will happen after a breach is reported.
The ICO is used to carrying out consultation in the UK, but this trip to Brussels gave us the opportunity to hear feedback from European organisations that will help inform the EU-level guidance we’re leading on. We also got to hear some positive feedback from stakeholders about the high standard of ICO guidance.
2 February 2017| ICO’s International Strategy
You only need glance at your mobile phone to see how international data protection is today. Apps developed 5,000 miles away on America’s West Coast, following rules written 400 miles away in Brussels, in the palm of your hand to help you keep in touch with friends who live around the corner. Elizabeth Denham’s latest blog takes a look at the ICO’s International Strategy.
6 January 2017| Adam Stevens
Since 2004, government and public agencies from 27 countries have been working together to tackle unsolicited marketing messages. This group is now known as UCENet (Unsolicited Communications Enforcement Network) and the ICO is part of its Executive Committee.
In late 2016, Steve Eckersley Head of Enforcement, Andy Curry Enforcement Group Manager and myself, Adam Stevens Team Manager – Intelligence Hub (Enforcement) met with the members of UCENet at a four day event hosted by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) in Paris. There was a busy schedule of sessions during the event, including training and presentations on enforcement and intel gathering methods and enforcement activity various authorities have undertaken.
We delivered a presentation on the ICO’s Operation BOWLER, an operation that involves seeding personal data to monitor which organisations send unsolicited marketing messages. We also presented on our intel processes and procedures and our PECR enforcement approach, in order to share different methods with our UCENet colleagues. The three of us also joined M3AAWG workshop sessions in order to gain a better understanding of industry approaches to spam and current technology so we can continue to improve the practices of the ICO.
During the event, discussions were held around the networks 2016-2018 operational plan and the four key areas of work identified within it:
- training; and
We also discussed UCENet’s rebrand from the London Action Plan as well the revamp of the website (www.ucenet.org). We continued with the development of a Memorandum of Understanding between the network members to assist with information sharing and we also discussed plans for the networks first ever Sweep on affiliate marketing, which is due to take place this year. A Sweep involves multiple organisations coming together to target a particular area by gathering intelligence, developing their understanding of the issue and identifying enforcement opportunities where necessary.
The ICO’s involvement with UCENet has been very valuable to the work of the office as we have established some very useful points of contact to help support our work in relation to PECR. We have also been able to share our own knowledge and expertise to support other organisations’ investigations and the networks overall approach to tackling unsolicited marketing.
Unsolicited marketing messages are a nuisance to individuals and a persistent problem to government and public agencies across the globe. The ICO is committed to tackling this issue and trying to put a stop to it.
29 November | Katharine Hanrahan
Earlier in November, I was asked to travel to Rome for four days as part of my role as Senior Policy Officer for the eIDAS Regulation.
The eIDAS Regulation is an EU regulation that is in place to facilitate secure streamlined electronic transactions between businesses, individuals and public authorities in the EU. Part of the regulation sets out requirements that trust service providers must comply with. Trust service providers offer services such as e-signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication.
The ICO is the eIDAS UK supervisory body, this means we have a number of responsibilities in relation to these providers. One of the ICO’s responsibilities is to grant ‘qualified’ status to those providers who comply with extra requirements set out in the regulation. If organisations don’t comply, the ICO is also able to take enforcement action, such as issuing £1,000 fixed monetary penalties.
During my time in Rome, I wanted to discover how other European supervisory bodies were carrying out their duties under eIDAS and compare their practices with ours. As my work under eIDAS is quite autonomous I had a number of questions I wanted answered and it was really useful to get responses from my European counterparts as I met with members of the European Union Agency for Network and Information Security (ENISA), the Forum for European Supervisory Authorities for eIDAS (FESA) and the Accredited Conformity Assessment Bodies’ Council (ACAB).
It was great to hear that all the bodies that met were doing things in a similar way and it reaffirmed that the eIDAS work being undertaken by the ICO is progressing as it should. The trip to Rome gave me an opportunity to make new contacts who I can seek support from in the future, to help ensure the ICO’s work in this area continues to develop.
Friday 11 November 2016 | Leanne Doherty
Staff from ICO have once again been sharing their knowledge and expertise with some of our international counterparts.
Earlier this month, staff from the ICO’s Good Practice Team hosted a visit from two senior investigators from the Office of the Privacy Commissioner of Canada (OPC). The OPC is considering pro-active compliance activities, such as privacy check-ups. They have been learning from the experiences of their counterparts who, like ourselves, have active programs in this area.
During their time here, the OPC met with the team managers from Good Practice to go through our established audit processes and the various audit services we currently offer. On day two, our visitors observed a pre audit meeting field visit at a local health trust. This helped them gain an oversight of one of the key stages in our audit planning process.
The visit concluded with a round table workshop, with the OPC and ICO, which gave both authorities the chance to ask questions and share experiences of both good practice and data protection compliance services.
The visit was yet another great opportunity for staff from the ICO to share their knowledge and experience, in order to help improve data protection practices around the world. These visits also allow us to learn from another authority so we can continue to develop our own services.
This visit has opened up the lines of communication between the two offices, facilitating ongoing engagements and discussions in the future.
Thursday 3 November| Sarah Meyers
In October a small ICO delegation travelled to Podgorica, Montenegro to contribute to the 28th European Case Handling Workshop. The case-handling workshop is an annual event organised by, and for, European data protection authorities. The event gives delegates a chance to share their experiences and develop their expertise in relation to unusual or significant data protection case handling issues.
This year’s event was organised by the Agency for Personal Data Protection and Free Access to Information of Montenegro and was attended by 60 participants from across the different member states. A representative of the International Committee of the Red Cross also attended to participate in discussions regarding data protection in humanitarian actions.
During the two-day workshop, authorities highlighted how they are responding to the technological challenges and the changes in the data protection landscape. One particular topic, which received a lot of attention, was the impact of the 2014 European Court of Justice’s Ryneš Ruling, which led to changes in how authorities regulate the use of domestic camera surveillance and the general consensus was that the number of domestic CCTV cases will continue to grow. For the ICO, this means we will have to be proactive in informing individuals of their obligations under the Data Protection Act. Another topic that was discussed, was the rise of new and affordable mobile recording technology, such as drones and body worn cameras, which have raised a number of new challenges for data protection organisations. The agencies at the event discussed how cases involving these new technologies could be approached and shared their experiences of notable or recurring trends in this area.
The ICO delegation joined the other authorities in thanking the Agency for Personal Data Protection and Free Access to Information of Montenegro for the warm welcome and hospitality extended throughout the workshop.
Friday 21 October 2016| Hannah McCausland
So the international conference in Marrakesh has drawn to a close and we have had a really productive time, which will contribute to the ICO’s work planning for the next year and beyond. The ICO’s resolution on International Enforcement Cooperation was adopted and we are really pleased to have received support for it from the wide base of authorities here.
Overall, the ICO has made a substantial and positive contribution to the conference. We have actively engaged in discussions on surveillance, artificial intelligence and robotics. We were also involved in another conference resolution regarding a new framework for inclusion of Data Protection in the Education Curriculum. Side events at the conference also allowed us to engage with our colleagues from data protection authorities across the Commonwealth and to discuss with others the forthcoming Global Privacy Enforcement Network Sweep cooperation initiative for 2017. This annual event is the only time in the year when so many data protection and privacy authorities are in one place and it has given us the chance to share our knowledge and learn from others. What we have learned will be useful to bring back and discuss with our colleagues in Wilmslow and will hopefully enhance both our international and domestic policy work in the coming year.
Thursday 20 October 2016 | Hannah McCausland
Since 1979, data protection authorities from across the globe have met at the International Conference of Data Protection and Privacy Commissioners. The purpose of the conference is for the authorities to discuss information rights issues, share knowledge and gain support and experience from their counterparts from around the world. This year the conference was held in Marrakesh and was attended by a number of ICO representatives including the Commissioner herself (left), Deputy Commissioner and Deputy Chief Executive Officer Simon Entwisle, interim Deputy Commissioner Steve Wood (middle), our Head of Enforcement Steve Eckersley (right), and myself, Hannah McCausland Senior International Policy Officer.
This year the ICO was pleased to have the opportunity to present our resolution on the next steps towards improved International Enforcement Cooperation, a workstream which aims to support effective enforcement action against organisations that have broken data protection and privacy laws in several jurisdictions. The work envisaged by the resolution, which was supported by a number of our international counterparts, was a significant step towards assisting those authorities in countries that do not yet have the means to share the case related data needed for effective international enforcement. It will also set in to motion the creation of practical projects, between conference members and appropriate enforcement authorities both in the data protection and in other domains such as consumer protection or competition enforcement authorities, which can begin to better coordinate the efforts towards global enforcement cooperation.
It was decided at the conference that leaders will be identified from each global region ie Europe, the Americas etc. who will promote the participation in the Enforcement Cooperation Arrangement to other authorities.
The resolution was adopted by the entire conference without any abstention, which is a great achievement for the ICO and the other authorities that supported it. The next steps of the resolution will be important to embark upon as soon as possible but we believe we will be able to deliver on the objectives of the resolution at next year’s international conference in Hong Kong.
You can read more details of the resolution on the IDCPPC website.
4 October 2016 | John-Pierre Lamb
The ICO was recently invited to Tbilisi to visit our counterparts at the Office of the Personal Data Protection Inspector (OPDPI) of Georgia, with the support of the Good Governance Fund – a DFID/FCO capacity-building programme. My colleague Vicki Heath and I, from the ICO’s Good Practice team, accepted this request.
Data protection law was enacted in Georgia in 2012, with the OPDPI only coming into existence in July 2013. They are now keen to establish an audit service, which was the reason we were invited to assist. We spent three days with our Georgian colleagues sharing our knowledge, experiences, methodologies and processes in order to help them create solutions and develop suitable audit services. We had some useful and productive discussions and were able to make a number of recommendations. The OPDPI will now be considering how best to implement these recommendations in order to support their strategic objectives.
Our hosts’ hospitality was exceptional and it was a pleasure to spend time in such a vibrant city. It was also great to be able to support the work of such a young data protection authority and there are plans to explore future cooperation between our respective offices in other areas.