ICO calls for views on data protection and employment practices, ICO fines company for illegal pensions calls, CMA calls for stronger laws to tackle illegal ticket resale, UK government consults on surveillance camera code of practice and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
ICO calls for views on data protection and employment practices
The ICO has issued a call for views with the aim of helping it to create practical employment guidance where personal data is used, that supports both employers and staff. Artificial intelligence and machine learning are affecting the ways decisions are made about workers; monitoring technologies are more varied and widespread in use; and the COVID-19 pandemic has accelerated the trend for remote working and for obtaining health data. The ICO says that, for the guidance to be pragmatic, it needs to address key issues, concerns and problems so that the final guidance applies to as many real-life situations as possible. The guidance is intended to cover topics including recruitment and selection, employment records, monitoring of workers, and information about workers’ health. The consultation ends on 21 October 2021.
ICO fines company £50,000 for illegal pensions calls
The ICO has fined Halifax-based company Parkin Beacher Ltd (PBL) £50,000 for making illegal marketing calls to people about their pensions. PBL telephoned people about their pensions despite not having the authorisation to do so. Since 2019, there has been a ban on pensions cold-calling. This makes it illegal for companies to make nuisance calls to people about their pension schemes except where the caller is authorised by the Financial Conduct Authority, or is the trustee or manager of an occupational or personal pension scheme, and the recipient of the call consents to calls, or has an existing relationship with the caller. The ICO’s investigation found that PBL made calls to people relating to possible pension reviews, with a view to arranging an introduction to an adviser. The company admitted to making 96,817 calls and the ICO received 16 complaints from people about the company’s activities. The ICO’s investigation found that PBL sourced the data for its calls from a third-party data supplier which obtained the data from various websites. These sites required those signing up to them to agree to possible marketing from long lists of sectors and organisations. People appeared unable to select to whom, if anyone, they were happy to have their details passed on, or from whom to receive marketing material. Consequently, PBL did not have informed consent from the people it called. The ICO has also issued PBL with an enforcement notice requiring PBL to stop making further calls.
CMA calls for stronger laws to tackle illegal ticket resale
As live events such as music festivals and large sporting events resume over the coming months, the Competition and Markets Authority has set out several recommended changes to the law and existing system of regulation, which are intended to protect consumers. The recommendations include a ban on platforms allowing resellers to sell more tickets for an event than they can legally buy from the primary market; ensuring platforms are fully responsible for incorrect information about tickets that are listed for sale on their websites; a new system of licensing for platforms that sell secondary tickets that would enable an authority to act quickly and issue sanctions such as taking down websites, withdrawing a business’s right to operate in the sector, and the imposition of substantial fines. The CMA says that although the bulk-buying of tickets ahead of real fans by professional resellers – who then sell them at inflated prices – may be illegal, swift and effective action by authorities is not possible under the current law. Similar issues arise in relation to laws which prevent resellers advertising tickets using incorrect information, or ‘speculatively selling’ tickets that they do not own. Over recent years the CMA has taken action against secondary ticketing websites to tackle non-compliance in the sector, including the failure to provide important and accurate information to consumers. This has included requiring viagogo and StubHub to remove misleading messaging about ticket availability and to tell customers where the tickets they buy might lead to them being turned away at the door.
UK government consults on Surveillance camera code of practice
The government is consulting on revisions to the code of practice to reflect changes in legislation. This is the first revision to the code since its introduction in June 2013. The code, issued under section 30 of the Protection of Freedoms Act 2012, provides guidance on the appropriate use of surveillance camera systems by local authorities and the police. The proposed draft updates references to recent legislation, in particular data protection legislation, and the judgment in Bridges v South Wales Police. There is also some rationalising of the text to make it easier for the user to follow. The government says that the amended code does not place any additional burden on those authorities who should have regard to it, and the list of relevant authorities is not being extended at present. Subject to the comments received, the government’s intention is to lay the draft code before parliament in late autumn. The consultation ends on 8 September 2021.
EDPS issues return to work guidance
The European Data Protection Supervisor has issued return to work guidance. Several EU institutions are considering return to workplace strategies, which include screening the COVID immunity or infection status of staff, contractors or visitors to mitigate the risk of workplace transmission. Such measures may mean verifying EU digital COVID certificates using antigen tests, or recording staff vaccination status. The EDPS considers that the use of such measures requires caution and very careful assessment to ensure compliance with data protection rules and to minimise the impact on individuals’ rights and freedoms. The EDPS further urges EU institutions to ensure that their actions comply with national legislation. Manual verification of COVID status would not fall within the GDPR. However, verification involving the scanning of a QR code would be subject to the restrictions under Article 10. Institutions must undertake a careful necessity and proportionality assessment to justify the implied interference with individuals’ fundamental rights to a person’s private life and data protection. Processing of data related to antigen testing would only be justified in specific high risk employment settings. In general, verification procedures which record or retain personal data should be avoided. The EDPS says that mandatory verification certificates for granting access to the workplace should not be based solely on automated processing and should allow for meaningful human involvement during the verification process.