Trusted Partners on your Privacy Journey
On 18th August 2023, the UK's Information Commissioner's Office (ICO) initiated a public consultation to discuss the preliminary section of its upcoming guidelines on biometric data and related technologies. The guidelines aim to clarify the intersection between current data protection laws and the use of biometric features in identification systems. The ICO's forthcoming guidelines offer a blueprint for understanding what qualifies as biometric data and its more sensitive categories. They also lay out the legal responsibilities organizations must follow when implementing biometric systems, including when a Data Protection Impact Assessment (DPIA) is obligatory. The guidance covers the necessity for a DPIA, identification of the controller for the biometric system, the requirement for explicit consent when handling special category biometric data, and the possibility of using biometric systems for automated decision-making. The ICO also has future plans to introduce the second segment of these guidelines, focusing on biometric classifications and data protection. A call for public contributions is expected in early 2024. The public has until 20th October 2023 to share their views through an online survey.
NHS Lanarkshire Reprimanded for Unauthorised Use of WhatsApp to Share Patient Data
On 1 August 2023, the Information Commissioner’s Office (ICO) issued a formal reprimand to NHS Lanarkshire for the unauthorised use of WhatsApp to share patient data. The ICO found that between April 2020 and April 2022, 26 staff members had access to a WhatsApp group where they shared names, phone numbers, and addresses of patients on more than 500 occasions. Images and videos containing clinical information were also shared. The WhatsApp group was initially set up for basic communication during the pandemic. However, it was not approved by NHS Lanarkshire for processing patient data and was used without the organisation's knowledge. A non-staff member was mistakenly added to the group, leading to the disclosure of personal information to an unauthorised individual. The ICO's investigation concluded that NHS Lanarkshire did not have appropriate policies or clear guidance in place for using WhatsApp. John Edwards, the Information Commissioner, stated, "Patient data is highly sensitive information that must be handled carefully and securely. There is no excuse for letting data protection standards slip." The ICO recommended several actions for NHS Lanarkshire to ensure compliance with data protection laws, including implementing a secure clinical image transfer system and reviewing all organisational policies relevant to the incident. The ICO has asked for an update on actions taken within six months.
The European Commissioner’s decision takes effect as of 27th June, which means organisations wishing to use the clauses can do so from this date onwards. Organisations wishing to use the old clauses for new data transfers can do so until 27th September. Any new transfers from 27th September will require use of the new clauses. Organisations have until 22nd December 2022 to replace the old clauses. These new SCCs include the Article 28(2) – 28(4) GDPR requirements; therefore, if the data importer is a processor or sub-processor, there would be no need to enter into two separate agreements to cover the Article 28 and Article 46 GDPR requirements.
Fully outsourced Data Protection Officers and support teams. Based in London, Dublin and the Netherlands, our Data Protection Officers are CIPP/E or BCS qualified Privacy Professionals with a proven track record in successfully supporting organisations worldwide.
Implementing data privacy legislation can sometimes be overwhelming. We have been delivering successful and award-winning privacy transformation projects since 2000. Whether you need a gap analysis, a detailed review or Data Privacy Assessments, our privacy experts can help.
Smart Privacy technology simplifies complying with the new GDPR record keeping requirements for Article 30 records of processing, Data Privacy Impact Assessments (DPIAs), individual rights requests and privacy notices.