Personal Data

Subscribe to Personal Data via RSS

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes).  The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both.
Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
Continue Reading European Data Protection Board Adopts Two Opinions on Draft UK Adequacy Decisions

remote workThe UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.

Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection.
Continue Reading Possible Use of COVID Vaccine Passports Raises Data Protection Concerns

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.Continue Reading UK Group-Style Data Breach Actions Continue

Article29On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).

The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice

On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”) which will become effective on October 1, 2020.[1] The updated Specification updates the current Specifications[2] that have been in effect since May 1, 2018, and is the result of a revision effort by the Specification’s drafters, that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and most recently, on October 22, 2019, in order to address certain loopholes and practices leading to excessive collection of personal information.
Continue Reading China Updates its Personal Information Security Specification

Article29Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic.  As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk-levels before allowing them to enter a shared workspace.  Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy.
Continue Reading Returning to the Office – Data Privacy Concerns for Companies in Latin America

BillThis article appeared in Law360 on May 14, 2020.  A group of Republican senators have introduced a new privacy bill that would impose strict privacy obligations on contact tracing apps operated by entities not subject to the Health Insurance Portability and Accountability Act.

Most notably, the COVID-19 Consumer Data Protection Act would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity or personal health data.
Continue Reading Pandemic-Related Privacy Bill May Be Unconstitutional

CCPAThe California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite requests made by multiple trade associations for delay in the enforcement of CCPA due to COVID-19, the California Attorney General’s office has declined to delay enforcement, which is set to begin July 1, despite the AG’s failure to release final regulations.

The AG’s office first released proposed regulations in October 2019, our summary of the draft regulations can be found here. After the new year, the AG released two sets of modifications to the draft regulations on February 10 and March 11. At a privacy and data security conference last week, a staff member from the California state legislature commented that, due to the pressures and working circumstances created by COVID-19, the most recent version of the regulations, published March 11, are likely to be the version used for enforcement beginning in July. Significantly, the office rejected suggestions that the regulations be delayed because corporations are experiencing these same COVID-19 pressures.
Continue Reading CCPA Regulations Are Likely Final