UK Data Protection Act

Article 29Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus.

The guidance notes that, although data protection law does not stop employers taking measures that are required to protect their staff and the public during the coronavirus pandemic, personal data must be handled carefully.
Continue Reading UK Information Commissioner Issues New Guidance for Employers on Workplace Testing for Coronavirus

In an interesting data protection case, Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10, the UK Supreme Court has held that the UK Government breached data protection laws in passing information to US authorities following a mutual legal assistance (MLA) request that could involve the US seeking the death penalty for two men.  The men are alleged to have been members of a terrorist group operating in Syria involved in the torture and murder of hostages.
Continue Reading UK Held to Have Breached Data Protection Laws Over Alleged Islamic State Members

lockA landmark group claim for compensation under data protection laws in the UK between employees and employer has failed. The UK’s Supreme Court has held that a rogue employee’s activities were not sufficiently connected with his employment to make Morrison, his employer, vicariously liable for the data protection breach. If it had been held liable Morrison would have been in line to make compensation payments to nearly 10,000 employees.

The case relates to an incident in 2014 and was brought under the Data Protection Act 1998 (DPA), but it is likely that findings would be the same under the GDPR and the UK Data Protection Act 2018.
Continue Reading UK’s Landmark Group Claim for Compensation Under Data Protection Laws – Morrison’s Found Not Vicariously Liable for Actions of Rogue Employee

On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice, which she is required by Section 122 of the Data Protection Act 2018 to produce in order to provide practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). When finalized, the Commissioner must take the code into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarized below, including new guidance on in-app advertising and direct marketing on social media platforms.
Continue Reading UK’s ICO Publishes Draft Direct Marketing Code of Practice