Photo of Clare Sellars

The United Kingdom and the United States joined forces last week in an initiative to combat ransomware attacks by sanctioning seven Russian nationals believed to be members of a hacking network.  Together with U.S. authorities, the UK’s Foreign Office has reportedly identified the individuals in question, frozen their assets and imposed travel bans in respect of them.

Ransomware is a type of malware that typically renders systems or data inaccessible, often due to the encryption of files.  Devices are often locked, and data may be leaked, in addition to being encrypted or deleted, unless and until the victim pays a “ransom” to the actors who deployed the ransomware in return for decryption. 

Continue Reading UK Takes Action Over Cybercrime

The new approach to regulatory and enforcement action adopted by the UK Information Commissioner’s office (ICO) looks set to continue in 2023. The ICO has indicated recently that it is modifying its attitude towards regulatory action in respect of public sector organisations. It has also noted that enforcement does not necessarily equate to fines, but includes various other “corrective powers,” including warnings, reprimands, compliance orders, limitation orders, erasure of data and suspension of data flows.

Going forward, the ICO intends to regulate for outcomes rather than outputs, observing that the number or level of fines should not be used as a yardstick by which to judge the ICO’s success and that achieving preferential outcomes and publicising these may have a more significant impact on UK citizens’ rights than monetary penalties might achieve.


Continue Reading UK Information Commissioner’s Office Highlights New Strategic Approach to Regulatory Action

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes).  The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both.
Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status

The European Commission (EC) may be set to propose extensive new legislation – potentially later this week – which, among other things, would ban the use of facial recognition technology for surveillance purposes and the use of algorithms that influence human behavior, according to recently leaked draft documents. The proposals would also introduce new rules regarding high-risk artificial intelligence (AI).

Although the use of AI systems is regarded as beneficial in many areas of society, use of AI in some contexts can be controversial. For example, the use of algorithms in the context of employment-related decision-making, allegedly based solely on automated personal data processing, including profiling, has recently been challenged under the GDPR in the Dutch courts, although this decision is likely to be contested.
Continue Reading EU Proposals May Limit the Use of Artificial Intelligence

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
Continue Reading European Data Protection Board Adopts Two Opinions on Draft UK Adequacy Decisions

remote workThe UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.

Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection.
Continue Reading Possible Use of COVID Vaccine Passports Raises Data Protection Concerns

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.

Continue Reading UK Group-Style Data Breach Actions Continue

Article29On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).

The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice

Despite concerns expressed by regulators and privacy activists, the use of facial recognition technology appears to be on the rise and is becoming increasingly common in everyday life as a result of various different issues.

One recent example of the use of such technology involves the Southern Cooperative, which has reportedly trialed certain facial recognition technology in a number of Co-op stores over the last few months.  The technology, developed by Facewatch, notifies staff of the presence in stores of individuals with past records of “theft or anti-social behaviour” and apparently has been implemented to try to combat a recent significant increase in attacks on employees by shoplifters.
Continue Reading Use of Facial Recognition Technology Increasing