ICO discusses GDPR Strategy at the third European Data Protection Board Plenary meeting
Colleagues from across the organisation share their experiences and involvement in the ICO’s ongoing contributions to the upholding of information rights across the globe.
27 September 2018 | Blandine Cassou-Mounat
ICO discusses GDPR Strategy at the third European Data Protection Board Plenary meeting
The ICO’s International Strategy highlights the priority of the EU in the international data protection context. This week the UK’s Information Commissioner and Deputy Commissioners attended the third meeting of the European Data Protection Board (EDPB). This is the board created by the GDPR, gathering together Data Protection Authorities from across the European Union. As one of the biggest data protection authorities in Europe, the ICO is comprehensively involved in discussions of the Board on how to make the GDPR’s consistent application across Europe a reality.
Identifying the priority sectors and areas for enforcement of the GDPR are at the forefront of discussions at the Plenary of the EDPB. Cross border data protection is a key element. And the role that Data Protection Authorities should play in relation to major controllers, which operate across borders, is also important and recognised in the ICO’s International Strategy.
Since 25 May, when the GDPR came into effect, people in the UK have become more aware of their rights, leading to a significant increase of complaints to the ICO. Any business that collects and makes use of personal user data is required to comply with the GDPR laws, and so, such businesses often choose to get GDPR audits (read more here) done to ensure compliance.
The ICO has been fully involved in the process leading to the adoption of the GDPR. As we draw closer to a new stage in the relations between the EU and the UK, it is worth bearing in mind that data protection concerns do not begin and end at national borders. Interactions between the ICO and EU supervisory authorities is, and will continue to be, essential.
For example, the ICO’s report Democracy disrupted? Personal information and political influence published in July, shows how data protection authorities will continue to play a key global role in democratic, social and economic governance.
The ICO will maintain the already high standards of data protection in the UK after the UK leaves the EU based on the common data protection framework it shares with the rest of the EDPB. With this in mind, the ICO is proud to be an active and energetic partner of the EDPB. Please also find more information in the EDPB’s press release.
7 September 2018
ICO Launches Consultation with Access to Information (ATI) Community on the Future of the International Conference of Information Commissioners (ICIC)
Improving standards of information rights practices and maintaining and developing influence within the global information rights community are two of the key pillars of the ICO’s Information Rights Strategic Plan. Both of these goals are currently being met by the ICO’s work with the International Conference of Information Commissioners’ (ICIC) Governance Working Group (GWG).
The GWG – consisting of Information Commissioners from the UK, Argentina, Canada, India, Mexico, Serbia and South Africa – is leading a project to develop a permanent structure for the ICIC and support the organisation of next year’s conference which will be hosted by the South African Information Regulator and for which planning is currently underway.
A crucial part of this project involves consulting with the wider access to information (ATI) community to better understand their interests and priorities and to seek their suggestions for next year’s conference. This consultation will be undertaken via a short survey and launch on Friday 7 September 2018.
The GWG invites all interested civil society organisations, academics, information rights advocates and all other organisations working to uphold access to information rights to participate in this consultation.
Please click here to access and complete the survey online.
For further information, please contact the ICIC Secretariat by email.
26 February 2018 | Alain Kapper
This winter has been a busy one for the ICO’s international team. Two highlights included being invited to speak at the Government of the Philippines’ first FOI Summit, and having the pleasure of receiving colleagues of the Information Regulator in South Africa.
Opportunities like these help us in our aim to maintain and develop influence within the global information rights regulatory community. They also allow us to continue to develop our relationships with other information rights authorities.
We were honoured to be invited to speak at the FOI Summit in Manila, held to mark the first year of implementation of the Government of the Philippines’ Executive Order on Freedom of Information. It was important to celebrate the Philippines joining the growing list of countries and jurisdictions with legislation promoting greater transparency and access to public information. We were unable to attend in person but we still wanted to contribute so Jo Pedder, our Head of Policy, and I provided pre-recorded presentations on the implementation of FOI from a regulator’s perspective and on the interaction between the Freedom of Information Act 2000 and the Data Protection Act 1998 in the UK. We were delighted to be able to share the ICO’s FOI experience with this growing regulatory community.
At the end of January, we had the pleasure of receiving colleagues from the Information Regulator of South Africa to our office in Wilmslow. This is one of the youngest data protection authorities in the world, formed just over a year ago. The regulator is currently faced with a sizeable task as they prepare for the implementation of the Protection of Personal Information Act 2013, whilst also formulating internal procedures and hiring relevant staff. We were, again, happy to share our experiences with our visitors who met with staff from across the ICO. The visit from our South African colleagues carried a real sense of optimism and reinforced the goal of our international strategy to develop stronger links with and provide support to data protection authorities, particularly from emerging countries.
24 October 2017
International enforcement operation finds website privacy notices are too vague and generally inadequate.
3-5 October 2017 | Adam Stevens
The ICO’s Intelligence and Research Group produces the intelligence needed to enable our Anti-Spam Enforcement teams to do their jobs effectively. As Group Manager, I jumped at the opportunity to join around 300 spam and cybersecurity experts in Toronto, Canada to attend the 41st General Meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group.
As previously, this year’s event incorporated the annual meeting of the Unsolicited Communications Enforcement Network (UCENet), of which the ICO is a key part. I went along to update the network on our own intelligence picture, enforcement activity and to hear about the work of other authorities and the wider industry.
I took the opportunity to improve our own expertise. I attended technical training and developed our relationships with other regulatory authorities and industry. These relationships will help open up new intelligence sources, integral to our enforcement work. They will also encourage cooperation internationally, which is essential to the work of UCENet. The aim of UCENet is to tackle problems such as online fraud, spam marketing and phishing through international enforcement cooperation.
The ICO sits on the network’s Executive Committee along with organisations including the US Federal Trade Commission, the Korean Internet and Security Agency and the Canadian Radio-television and Telecommunications Commission. As well as participating in the annual Executive Committee meeting, reviewing progress against the three-year UCEnet Operational Plan, we provided updates on work including Operation HIDA, focusing on inappropriate data sharing practices. I was pleased to introduce John Hodge, Head of Enforcement at the Phone-paid Services Authority in the UK, to the event. His input on affiliate marketing and the work of the premium rate regulator was well received and extremely informative.
The trip was an excellent opportunity to build relationships, report on our own enforcement work and increase the international influence of the ICO, supporting our International Strategy and our Information Rights Strategic Plan. You can find out more about the work of the Unsolicited Communications Enforcement Network on the UCENet website.
22 September 2017
The International Conference of Information Commissioners, co-hosted by the ICO, highlighted a need for greater transparency in contracted-out public services.
11 September 2017 | Simon Entwisle
Despite being miles apart, data protection and privacy authorities from across the globe are often faced with the same challenges when it comes to information rights.
Recently, I met with over 17 Asia Pacific privacy authorities including those from New Zealand, the Philippines, Mexico, Korea, Japan, Singapore, the USA and Canada. It was not surprising to discover, like the ICO, these authorities are having to negotiate changes and developments in technology. The implications on privacy and the challenges it creates being something we can only try and predict and prepare for.
As Deputy Commissioner, I was asked to represent the ICO in Australia for this five-day meeting. During this time, I attended many presentations and discussions and delivered five presentations myself on AI, machine learning and how the GDPR will affect Asia Pacific countries.
This event gave the ICO a chance to learn from how are counterparts are approaching some of the arising challenges when dealing with technological developments. It also gave us a vital opportunity to promote a better understanding of the GDPR and the UK’s future Data Protection law.
It also gave me the chance to sample the Australian national delicacy – Tim Tam biscuits, which the Australian Commissioner, Timothy Pilgrim kindly bought for everyone.
22 August 2017
Earlier this month, the ICO signed a Memorandum of Understanding (MoU) with the Canadian Radio-television and Telecommunications Commission. The MoU is an agreement between the two organisations on mutual assistance in the enforcement of laws on commercial electronic messaging and telemarketing.
The full MoU is available to read on our website.
4 July 2017
The ICO has today launched its first ever International Strategy to help it meet overseas data protection challenges including increased globalism, changing technology, GDPR and Brexit.
The policy document aims to enhance privacy protection for the UK public, no matter where in the world potential threats and risks emanate from. It also commits the ICO to learning about new ideas and developments emerging from other countries.
Elizabeth Denham discussed the new strategy in a keynote speech at the Privacy Laws and Business Data Protection Conference in Cambridge. You can read the press release and the full strategy document.
25 April 2017| Carl Wiper
Staff from the ICO have been travelling to Brussels regularly to work on European-level guidance in the count down to May 2018 when the GDPR starts to apply. The trip my colleague Chris Green and I made in early April was a little different however, as we were taking part in a ‘Fab-Lab’.
The ‘Fab-Lab’ was organised by the Article 29 Working Party and consisted of stakeholder workshops, which covered a range of GDPR topics, and a report-back session. Participants included representatives of European business associations and consumer and privacy groups.
The ICO is the lead rapporteur for Article 29 on profiling. A rapporteur drafts guidance documents which are adopted by the working party, and we are currently drafting European guidance on this subject. I was one of the moderators in the profiling workshop, so was able to gather the views of stakeholders which will feed into the final version of this guidance.
One of the main issues identified was that the guidance needs to take into account the varied situations of businesses in different sectors and make realistic and workable recommendations -for example, in explaining the level of detailed information that controllers will have to give to data subjects about their profiling activities.
In another seminar room at the ‘Fab-Lab’, Chris was participating in a workshop about data breaches. The ICO will be acting as rapporteur for the Article 29 Working Party guidance on personal data breach notification as well. This will be produced later this year.
It was not surprising to find out that stakeholders wanted clarification on data breaches, as it will be a requirement under the GDPR for organisations to report most data incidents. Areas they were concerned about included when they need to report, what information should be included and what will happen after a breach is reported.
The ICO is used to carrying out consultation in the UK, but this trip to Brussels gave us the opportunity to hear feedback from European organisations that will help inform the EU-level guidance we’re leading on. We also got to hear some positive feedback from stakeholders about the high standard of ICO guidance.
2 February 2017| ICO’s International Strategy
You only need glance at your mobile phone to see how international data protection is today. Apps developed 5,000 miles away on America’s West Coast, following rules written 400 miles away in Brussels, in the palm of your hand to help you keep in touch with friends who live around the corner. Elizabeth Denham’s latest blog takes a look at the ICO’s International Strategy.
6 January 2017| Adam Stevens
Since 2004, government and public agencies from 27 countries have been working together to tackle unsolicited marketing messages. This group is now known as UCENet (Unsolicited Communications Enforcement Network) and the ICO is part of its Executive Committee.
In late 2016, Steve Eckersley Head of Enforcement, Andy Curry Enforcement Group Manager and myself, Adam Stevens Team Manager – Intelligence Hub (Enforcement) met with the members of UCENet at a four day event hosted by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) in Paris. There was a busy schedule of sessions during the event, including training and presentations on enforcement and intel gathering methods and enforcement activity various authorities have undertaken.
We delivered a presentation on the ICO’s Operation BOWLER, an operation that involves seeding personal data to monitor which organisations send unsolicited marketing messages. We also presented on our intel processes and procedures and our PECR enforcement approach, in order to share different methods with our UCENet colleagues. The three of us also joined M3AAWG workshop sessions in order to gain a better understanding of industry approaches to spam and current technology so we can continue to improve the practices of the ICO.
During the event, discussions were held around the networks 2016-2018 operational plan and the four key areas of work identified within it:
- training; and
We also discussed UCENet’s rebrand from the London Action Plan as well the revamp of the website (www.ucenet.org). We continued with the development of a Memorandum of Understanding between the network members to assist with information sharing and we also discussed plans for the networks first ever Sweep on affiliate marketing, which is due to take place this year. A Sweep involves multiple organisations coming together to target a particular area by gathering intelligence, developing their understanding of the issue and identifying enforcement opportunities where necessary.
The ICO’s involvement with UCENet has been very valuable to the work of the office as we have established some very useful points of contact to help support our work in relation to PECR. We have also been able to share our own knowledge and expertise to support other organisations’ investigations and the networks overall approach to tackling unsolicited marketing.
Unsolicited marketing messages are a nuisance to individuals and a persistent problem to government and public agencies across the globe. The ICO is committed to tackling this issue and trying to put a stop to it.
29 November | Katharine Hanrahan
Earlier in November, I was asked to travel to Rome for four days as part of my role as Senior Policy Officer for the
The eIDAS Regulation is an EU regulation that is in place to facilitate secure streamlined electronic transactions between businesses, individuals and public authorities in the EU. Part of the regulation sets out requirements that trust service providers must comply with. Trust service providers offer services such as e-signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication.
The ICO is the eIDAS UK supervisory body, this means we have a number of responsibilities in relation to these providers. One of the ICO’s responsibilities is to grant ‘qualified’ status to those providers who comply with extra requirements set out in the regulation. If organisations don’t comply, the ICO is also able to take enforcement action, such as issuing 1,000 fixed monetary penalties.
During my time in Rome, I wanted to discover how other European supervisory bodies were carrying out their duties under eIDAS and compare their practices with ours. As my work under eIDAS is quite autonomous I had a number of questions I wanted answered and it was really useful to get responses from my European counterparts as I met with members of the European Union Agency for Network and Information Security (ENISA), the Forum for European Supervisory Authorities for eIDAS (FESA) and the Accredited Conformity Assessment Bodies’ Council (ACAB).
It was great to hear that all the bodies that met were doing things in a similar way and it reaffirmed that the eIDAS work being undertaken by the ICO is progressing as it should. The trip to Rome gave me an opportunity to make new contacts who I can seek support from in the future, to help ensure the ICO’s work in this area continues to develop.
Friday 11 November 2016 | Leanne Doherty
Staff from ICO have once again been sharing their knowledge and expertise with some of our international counterparts.
Earlier this month, staff from the ICO’s Good Practice Team hosted a visit from two senior investigators from the Office of the Privacy Commissioner of Canada (OPC). The OPC is considering pro-active compliance activities, such as privacy check-ups. They have been learning from the experiences of their counterparts who, like ourselves, have active programs in this area.
During their time here, the OPC met with the team managers from Good Practice to go through our established audit processes and the various audit services we currently offer. On day two, our visitors observed a pre audit meeting field visit at a local health trust. This helped them gain an oversight of one of the key stages in our audit planning process.
The visit concluded with a round table workshop, with the OPC and ICO, which gave both authorities the chance to ask questions and share experiences of both good practice and data protection compliance services.
The visit was yet another great opportunity for staff from the ICO to share their knowledge and experience, in order to help improve data protection practices around the world. These visits also allow us to learn from another authority so we can continue to develop our own services.
This visit has opened up the lines of communication between the two offices, facilitating ongoing engagements and discussions in the future.
Thursday 3 November| Sarah Meyers
In October a small ICO delegation travelled to Podgorica, Montenegro to contribute to the 28th European Case Handling Workshop. The case-handling workshop is an annual event organised by, and for, European data protection authorities. The event gives delegates a chance to share their experiences and develop their expertise in relation to unusual or significant data protection case handling issues.
This year’s event was organised by the Agency for Personal Data Protection and Free Access to Information of Montenegro and was attended by 60 participants from across the different member states. A representative of the International Committee of the Red Cross also attended to participate in discussions regarding data protection in humanitarian actions.
During the two-day workshop, authorities highlighted how they are responding to the technological challenges and the changes in the data protection landscape. One particular topic, which received a lot of attention, was the impact of the 2014 European Court of Justice’s Ryneš Ruling, which led to changes in how authorities regulate the use of domestic camera surveillance and the general consensus was that the number of domestic CCTV cases will continue to grow. For the ICO, this means we will have to be proactive in informing individuals of their obligations under the Data Protection Act. Another topic that was discussed, was the rise of new and affordable mobile recording technology, such as drones and body worn cameras, which have raised a number of new challenges for data protection organisations. The agencies at the event discussed how cases involving these new technologies could be approached and shared their experiences of notable or recurring trends in this area.
The ICO delegation joined the other authorities in thanking the Agency for Personal Data Protection and Free Access to Information of Montenegro for the warm welcome and hospitality extended throughout the workshop.
Friday 21 October 2016| Hannah McCausland
So the international conference in Marrakesh has drawn to a close and we have had a really productive time, which will contribute to the ICO’s work planning for the next year and beyond. The ICO’s resolution on International Enforcement Cooperation was adopted and we are really pleased to have received support for it from the wide base of authorities here.
Overall, the ICO has made a substantial and positive contribution to the conference. We have actively engaged in discussions on surveillance, artificial intelligence and robotics. We were also involved in another conference resolution regarding a new framework for inclusion of Data Protection in the Education Curriculum. Side events at the conference also allowed us to engage with our colleagues from data protection authorities across the Commonwealth and to discuss with others the forthcoming Global Privacy Enforcement Network Sweep cooperation initiative for 2017. This annual event is the only time in the year when so many data protection and privacy authorities are in one place and it has given us the chance to share our knowledge and learn from others. What we have learned will be useful to bring back and discuss with our colleagues in Wilmslow and will hopefully enhance both our international and domestic policy work in the coming year.
Thursday 20 October 2016 | Hannah McCausland
Since 1979, data protection authorities from across the globe have met at the International Conference of Data Protection and Privacy Commissioners. The purpose of the conference is for the authorities to discuss information rights issues, share knowledge and gain support and experience from their counterparts from around the world. This year the conference was held in Marrakesh and was attended by a number of ICO representatives including the Commissioner herself (left), Deputy Commissioner and Deputy Chief Executive Officer Simon Entwisle, interim Deputy Commissioner Steve Wood (middle), our Head of Enforcement Steve Eckersley (right), and myself, Hannah McCausland Senior International Policy Officer.
This year the ICO was pleased to have the opportunity to present our resolution on the next steps towards improved International Enforcement Cooperation, a workstream which aims to support effective enforcement action against organisations that have broken data protection and privacy laws in several jurisdictions. The work envisaged by the resolution, which was supported by a number of our international counterparts, was a significant step towards assisting those authorities in countries that do not yet have the means to share the case related data needed for effective international enforcement. It will also set in to motion the creation of practical projects, between conference members and appropriate enforcement authorities both in the data protection and in other domains such as consumer protection or competition enforcement authorities, which can begin to better coordinate the efforts towards global enforcement cooperation.
It was decided at the conference that leaders will be identified from each global region ie Europe, the Americas etc. who will promote the participation in the Enforcement Cooperation Arrangement to other authorities.
The resolution was adopted by the entire conference without any abstention, which is a great achievement for the ICO and the other authorities that supported it. The next steps of the resolution will be important to embark upon as soon as possible but we believe we will be able to deliver on the objectives of the resolution at next year’s international conference in Hong Kong.
You can read more details of the resolution on the
4 October 2016 | John-Pierre Lamb
The ICO was recently invited to Tbilisi to visit our counterparts at the Office of the Personal Data Protection Inspector (OPDPI) of Georgia, with the support of the Good Governance Fund – a DFID/FCO capacity-building programme. My colleague Vicki Heath and I, from the ICO’s Good Practice team, accepted this request.
Data protection law was enacted in Georgia in 2012, with the OPDPI only coming into existence in July 2013. They are now keen to establish an audit service, which was the reason we were invited to assist. We spent three days with our Georgian colleagues sharing our knowledge, experiences, methodologies and processes in order to help them create solutions and develop suitable audit services. We had some useful and productive discussions and were able to make a number of recommendations. The OPDPI will now be considering how best to implement these recommendations in order to support their strategic objectives.
Our hosts’ hospitality was exceptional and it was a pleasure to spend time in such a vibrant city. It was also great to be able to support the work of such a young data protection authority and there are plans to explore future cooperation between our respective offices in other areas.