ICO launches investigation into the use of private emails at the DHSC, ICO fines charity for data breach, Ofcom publishes update to open communications consultation and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
ICO launches investigation into the use of private emails at the DHSC
The ICO has launched a formal investigation into the use of private correspondence channels at the Department for Health and Social Care, and has served information notices on the department and others to preserve evidence relevant to the inquiry. The investigation will establish if private correspondence channels have been used, and if their use led to breaches of freedom of information or data protection law. The ICO says that it will publish the results of that investigation in due course. The ICO has a range of powers following the completion of an investigation, ranging from good practice recommendations and enforcement notices, up to the option of criminal prosecution of individuals where information has been deliberately destroyed, altered, or concealed after it has been requested under the Freedom of Information Act. The ICO points out that this is not a new issue. The ICO, successive governments and the National Archives have previously emphasised the important principle of transparency around government decision making, and the courts have also ruled on several specific information requests that touched on this area. The ICO has previously produced guidance on the use of private communication channels.
ICO fines charity for data protection breach exposing sensitive personal data
The ICO has fined charity Mermaids £25,000 for failing to keep the personal data of its users secure. The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails being viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed. The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. The ICO says that Mermaids should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights. Mermaids cooperated fully with the ICO investigation and has made significant improvements to its data protection practices since becoming aware of the security breach.
Ofcom publishes update to open communications consultation
Ofcom has published an update on, and a summary of the responses to, its open communications consultation. Ofcom had asked for views about a data sharing initiative for communications services. Across the economy, better technology and the ability to gather more data are allowing companies to innovate and offer new services. Ofcom wants to stay at the forefront of these developments to make sure data and innovation work in the interest of customers in communications markets. It says that these markets offer choice for customers, but the options can be complex and difficult to navigate. The update sets out how the responses have helped Ofcom understand what data mobility could mean for telecoms and pay-TV markets. Ofcom also says that the responses have provided it with insight about whether comparison sites and other organisations would use Open Communications data for innovation purposes. Ofcom points out that the UK government’s Smart Data Review may propose legislation to facilitate initiatives on data mobility and says that it will wait for the outcome of that review before it makes any of its own policy proposals.
Centre for Data Ethics and Innovation publishes two-year review
The CDEI has published a review of its first two years of work. The report also sets out its priorities for the next year. The CDEI’s main achievements over the past two years have been major reviews into online targeting and the risks of bias in algorithmic decision-making, analysis on data ethics, a report on public sector data sharing and an analysis of novel AI and data use cases implemented in relation to the pandemic. The CDEI highlights three recurring challenges that have emerged from its work, which government, industry and regulators need to deal with as a priority. These are developing and maintaining accountability when deploying data-driven technologies; addressing the transparency and explainability of data-driven systems; and improving access to high quality data in a way that is trustworthy. Over the next year, the CDEI will prioritise three themes in its work, to help foster responsible innovation at pace, and address the challenges highlighted above. The themes are data sharing, public sector innovation and AI assurance.
Reporting and paying VAT on distance sales of goods from Northern Ireland to the EU
HMRC has published new guidance on how to register for the One Stop Shop scheme to report and pay VAT due on distance sales of goods from Northern Ireland to consumers in the EU. The scheme allows traders to manage and report the VAT due on their EU distance sales, and make payments all in one place, instead of having to register for VAT in up to 27 EU countries.
European Parliament approves rules tackling rising child sexual abuse online
The European Parliament has approved a temporary regulation that allows web-based service providers to deal with child sexual abuse material online on a voluntary basis. The rules’ approval follows an informal agreement with the Council on 29 April 2021. The legislation will apply for a maximum of three years. The temporary rules permit the providers of web-based email, chats and messaging services to detect, remove and report child sexual abuse online, as well as allowing them to use scanning technologies to detect cyber grooming. Online material linked to child sexual abuse could be detected through so-called hashing technologies that scan content, such as images and videos, while AI could be used to analyse text or traffic data and detect online grooming. Audio communications are excluded from the rules. The material will have to be processed using technologies that are the least intrusive to privacy and will not be able to understand the substance of the content but only to detect patterns. Interactions that are covered by professional secrecy, such as between doctors and their patients, are excluded. In addition, when no online child sexual abuse has been detected, all data will have to be erased immediately after processing and all data will be permanently deleted within three months. The regulation enters into force on the third day following its publication in the Official Journal but is still to be adopted by the Council.