Information Commissioner's Office

Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website: http://www.ico.org.uk
Industry: Law Enforcement
Company size: 201-500 employees
Headquarters: Wilmslow, Cheshire
Type: Nonprofit
Founded: 1984
Specialties: Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • 🆕 We have issued a reprimand to the London Borough of Hackney (Hackney) after hackers gained access to and encrypted files affecting at least 280,000 people. Read on for details of the incident. Hackney suffered a ransomware attack in 2020 when the attackers gained access via an account with an insecure password which had lain dormant since 2012. Hackney also failed to ensure that a security patch management system was actively applied to all devices. The cyber-attack resulted in council systems being disrupted for many months with, in some instances, services not being back to normal service until 2022. This was a clear and avoidable error from Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. Read about the incident in full: https://lnkd.in/eQD96ruy People need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences of these errors. Councils must take preventative measures to reduce the risk and potential impact of human error and must ensure that data that is entrusted to them is protected. In a recent report we analysed the most common security mistakes and have some key tips to help organisations keep the personal information they hold secure: https://lnkd.in/ef65A-Qg

  • Information Commissioner's Office reposted this

    DRCF: Delivering impact through cooperation  Published today, this new article measures the DRCF’s impact and how its work benefits regulators, government, industry and the wider economy. Read in full - https://lnkd.in/eSNq9e27 Some highlights - • Stakeholders recognise the value of our joint publications on topics such as harmful online choice architecture, which provide greater clarity of regulator expectations and help improve outcomes for consumers. • Our joint work and shared expertise have supported timely and cost-effective delivery including, for example, the DRCF AI and Digital Hub. This ambitious one-year pilot service helps unlock innovation and supports UK economic growth. • Internationally, the DRCF acts as a vehicle for greater cooperation and is inspiring the adoption of similar models.       We are keen to hear from stakeholders about the impact of the DRCF’s work and the approaches we can take to assess it. Please contact drcf@ofcom.org.uk to share your views.  #digital #regulation #cooperation

  • NEW: We’ve taken action against Chelmer Valley High School in Essex for introducing facial recognition technology (FRT) to take cashless payments. Read on to see what you can learn from the case ⬇️ ⚖️ The case Chelmer Valley High School first started using the technology in March 2023 to take cashless canteen payments from students. However, the school failed to carry out a DPIA before using the technology. We found that the school sent a letter to parents and guardians in March 2023 if they did not want their child to take part in FRT. This means the school relied on assumed consent and affirmative 'opt-in' consent wasn't sought at this time. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission. The school failed to consult with parents, guardians, students or the data protection officer before implementing the technology. 💡 What schools can learn from the case 1. Ensure that your entire organisation knows to ask themselves the question whenever using personal information in a new or different way, does this need a DPIA? ➡️ See our accountability framework to help you assess your processes: https://lnkd.in/eWHiYGwb 2. If you’re considering cashless catering ensure you have given thorough consideration to its necessity and proportionality, and to mitigating specific, additional risks such as bias and discrimination. ➡️ See our FRT guidance: https://lnkd.in/eWvs-_th ➡️ See our case study on North Ayrshire Council schools and their use of facial recognition technology: https://lnkd.in/ePmHAw7X 4. Ensure that DPOs are closely included when considering new projects or operations using personal information. You should document their advice and any changes that are made as a result. ➡️ See our Accountability Framework for guidance on how to assess your organisation’s roles and structure: https://lnkd.in/eDbTJm3m You can read the case and reprimand in full: https://lnkd.in/ezmKm4zW

    • Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks - Lynne Currie Head of Privacy Innovation.

There is a photo of Lynne to the right of the text. You can see her head and shoulders, and she's looking at the camera. She's blonde and in a black blazer and white shirt.
  • A good organisation will have a good privacy notice. Earlier this year we said app developers should meet their data protection obligations to be transparent with their users by being concise, clear and easily accessible. Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. So, we're urging app users to check if they are clear about who the app is sharing their personal information with. We have lots of advice and guidance on our website to support your organisation get data protection right from the start: https://lnkd.in/epNsjYdA

  • A good privacy notice shouldn't be difficult to understand, and the information you hand over to health apps is sensitive. So if you check just one thing before you sign up to an app, make it this: 🤔 Are you clear about who the app is sharing your personal information with? Earlier this year we urged app developers to meet their data protection obligations to be transparent with their users and keep their data safe, and to ensure their ‘privacy information’ is concise, clear and easily accessible: https://lnkd.in/edX9Ysqy The privacy notice should include your information rights, such as how you can object to the way your information is being used. You should also be told how you can complain if you've got concerns about the way the app is using your information. You’re in control, so don’t press ‘agree’ unless you do. We have more guidance on your right to object to the use of your personal information: https://lnkd.in/gik7qRhM

    The right to object to the use of your data

  • The election is over but whether you are a political party, campaign group or candidate, it is important you carry out a review of the data you have gathered and processed during a campaign. ❓ Can we use personal data from one campaign to another? In general, it can be acceptable to keep personal data to use from one campaign to another, but you must consider: • whether the personal data is necessary for future campaigns; • whether it would be in individuals’ reasonable expectations that you keep the data; • what you told individuals at the point of collection; • whether the nature of future campaigns could amount to processing for a different purpose; • how long you have retained the data and whether it is still adequate, relevant or accurate; and • whether you are able to keep the data securely and whether keeping the data creates any unjustifiable risk of it being subject to unauthorised disclosure. You should consider carrying out a data protection impact assessment to help you identify and mitigate the risks of retaining the data as well as demonstrating your compliance: https://lnkd.in/ew6D3C2F

    • An assortment of election social media posts. One talks of donations, one asks for campaign volunteers, one symbolises targeted ads.
  • Our Regulatory Sandbox has all the tools you need to bring your innovative projects to life – with data protection as the foundation. NEW: We’ve published a report detailing 16 important insights into common data protection considerations that participants in our Regulatory Sandbox encountered when designing new products. The report looks at the variety of projects we’ve worked on, how they will benefit the public, and the key data protection considerations that were prominent among 14 previous participants. How has the Sandbox made a positive impact for organisations? ➡️ They are more confident at innovating in privacy compliant ways. ➡️ It’s helped them make efficiencies and save money on legal fees. ➡️ Data protection is built into their projects from the beginning. A key entry requirement for potential Sandbox participants is they can demonstrate public benefit with their projects. For example: ➡️ A group of financial institutions’ work in the Sandbox seeks to reduce the impact of financial crime on the UK economy – and reduce the degree of harm suffered by members of the public by improving the prevention and detection of financial crime. ➡️ Our work with the Gambling Commission and Betting and Gaming Council helped gambling operators to identify and support people experiencing harm from gambling. Working with these organisations has also helped us understand where gaps in guidance exist, strength test existing guidance, and contribute to new guidance. ➡️ The Sandbox’s work with Yoti helped us refine our biometrics guidance. Specifically, it helped us amend our definition of when biometric data constitutes special category data. ➡️ FlyingBinary’s Sandbox project helped us further develop guidance aimed at keeping children safe online. This input contributed to our development of the best interests of the child framework during the early design. That feedback has helped to influence the final product that is available on our website. Learn more about the positive impact our Sandbox has made in the full report on our website 👉 https://lnkd.in/eAsKpCP8 What are the areas our Sandbox impact report focuses on? ➡️ Innovations related to our Children’s Code. ➡️ Innovations related to data sharing. ➡️ Products and services exploring the use of cutting edge, innovative technologies. We’re accepting new expressions of interest to our Sandbox. If your organisation is looking to develop a product or service that uses information in creative and innovative ways, apply on our website now 👉 https://lnkd.in/eiCcyz2F

    • Text reads: Enter the sandbox  - ico.org.uk/sandbox

To the right there's an image of a sand bucket and space on a beach.
  • Want to find out some of our key achievements in the past year? We’ve published our annual report for 2023/24 and here are some of our highlights 👇 🤖 On AI, we have... 🧠 warned about discrimination in neurotech: https://lnkd.in/eMxpAKeg 💻 published tips for consumers buying smart tech: https://lnkd.in/ehrYPTv2 👁️ issued Serco Leisure with an enforcement notice to stop using facial recognition tech: https://lnkd.in/exD4iFTB 👶 On children’s privacy, we have... 📱 fined TikTok £12.7m for misusing children’s data: https://lnkd.in/ec3QszJk 🔁 called for organisations to share data to protect young people at risk: https://lnkd.in/eNxUt72x 🔞 published a Commissioner’s Opinion on age assurance: https://lnkd.in/gJRBJ8GF 🛜 On adtech, we have... 🌐 called for web developers to stop using damaging web design practices: https://lnkd.in/gv3WvWCE 🍪 warned top UK websites to change their cookie practices: https://lnkd.in/e-bty_Qt ❓ asked for views on our response to “consent or pay” cookie models: https://lnkd.in/euaavNNt Our annual report covers a year where we saw AI transform our society, with inevitable questions about its regulation and development. Our mission remains the same – to empower people and organisations through information. Read our annual report here: https://lnkd.in/dxRXuQp

    • Quote from John Edwards, Information Commissioner. "We are preparing for a volatile and uncertain future ... However, we remain focused on our mission to empower you through information."
  • How we help the police to comply with Freedom of Information – and what we do if they don't. Every day our lives are improved as information is released that empowers us to make informed choices, from looking at restaurant hygiene ratings to the MOT failure rates of different types of car. This information is published proactively and helps us all to make informed judgements and decisions. And we have a part to play as regulator. We regularly publish information that highlights good and bad practice in freedom of information so that others can learn and develop. Today, we would like to highlight examples of both in the policing sector. Our recent audits and our work on good practice showed that there are similarities between police forces that perform well. We found that police services with excellent freedom of information practices had: ➡️ Commitment from senior leaders. ➡️ Good internal relationships. ➡️ Multi-functional teams ➡️ Templates in place to ensure expectations are met. ➡️ Policies in place on proactively disclosing information. ➡️ Time to network and build relationships with other police forces and services. You can read our audit report in full to learn more about the best practice and the recommendations we outlined: https://lnkd.in/g7_ucG9j But our role is not only to educate. When we see poor practice, we are not afraid to act. And so we have issued enforcement notices against three police forces for poor performance under the Freedom of Information Act which has led to significant backlogs. ➡️ Dyfed Powys Police Compliance levels fell as low as 6% (June 2023) and we received 13 complaints in 2023. By 9 November 2024, Dyfed-Powys Police is required to respond to all the information requests that were in their backlog when our Enforcement Notice was issued. ➡️ Metropolitan Police Service (the Met) The Met has consistently failed to respond to Freedom of Information requests on time. Between April 2023 and February 2024, the total of Freedom of Information responses sent on time was between 60% and 67%. By 1 November 2024, the Met is required to respond to the 362 cases that were in their backlog when our Enforcement Notice was issued. ➡️ South Wales Police We found that South Wales Police's compliance dropped significantly in 2023 - from 74% to just 45%. On 31 April 2024, 167 requests were overdue, with one case over 120 days old. By 20 December 2024, South Wales Police is required to respond to all the information requests that were in their backlog when our Enforcement Notice was issued. We have also asked the three forces to devise and publish action plans setting out the measures they will take to respond to requests in time and clear their backlogs. Read more about each of these cases and our actions: https://lnkd.in/gp3-5FG9

    NEW: How we help police to comply with FOI – and what we do if they don’t. Every day our lives are enhanced because public bodies release information that empowers us to make more informed choices – from looking at restaurant hygiene ratings to car make and model MOT failure rates. This information is proactively published and helps us all to make judgements and decisions. And we have a role to play as regulator. We regularly publish information that highlights both good and bad FOI practice so that others can learn and develop. Today we want to highlight examples of both in the policing sector. Our recent audits and upstream good practice work showed there are similarities between high performing police forces. We found that the police services with excellent FOI practices had: - Senior leadership buy-in. - Good internal relationships. - Multi-functional teams - Templates in place to ensure expectations are met. - Proactive disclosure policies in place. - Time to network and build relationships with other police and services. You can read our audit report in full to learn more about the best practice and recommendations we outlined: https://lnkd.in/ejAifcee However, our role is not just to educate. Where we see poor practice, we are not afraid to take action. And so, we have issued enforcement notices against three police forces for poor FOI performance which has led to significant backlogs. • Dyfed Powys Police (DPP) Compliance levels fell as low as 6% (June 2023) and we received 13 complaints in 2023. By 9 November 2024, DPP is required to respond to all the information requests in their backlog when we issued our Enforcement Notice. • Metropolitan Police Service (The Met) The Met have consistently failed to respond to FOI requests on time. From April 2023 to February 2024, the amount of FOI responses sent on time was between 60% to 67%. By 1 November 2024, the Met is required to respond to the 362 cases that were in their backlog when we issued our Enforcement Notice. • South Wales Police (SWP) We found South Wales Police compliance significantly dropped in 2023 – from 74% to just 45%. As of 31 April 2024, 167 requests were overdue with one case over 120 days old. By 20 December 2024, SWP is required to respond to all the information requests that were in their backlog when we issued our Enforcement Notice. We’ve also asked each force to devise and publish action plans setting out measures they will take to respond to requests in time and clear their backlogs. Read more about each of these cases and our action: https://lnkd.in/e6Dsm6J5

    • Phillip Angell - Head of FOI Casework is pictured to the right. He's in a suit and smiling - next to him is his quote: "The fundamental right to ask questions of and hold public authorities to account is a cornerstone of our democracy."
