Information Commissioner's Office

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website
http://www.ico.org.uk
Industry
Law Enforcement
Company size
201-500 employees
Headquarters
Wilmslow, Cheshire
Type
Nonprofit
Founded
1984
Specialties
Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • 🎶 We’re looking for a DPO in finance… While the world of TikTok might be obsessed with the 6’5”, blue-eyed finance guy, we’re more interested in speaking to the finance DPOs interested in improving their subject access request processes. We’ve seen a 15% increase in the number of SAR complaints about the finance sector and have advice for the sector on how to improve:
1) Assess your current compliance. Data protection is more than a tick-box exercise, and you need to ensure that the processes and approaches you’ve put in place really work. Our Accountability Framework has a number of questions to help you assess your approach and work out where you may need to make changes. https://lnkd.in/eX3JrpcW
2) Think about records management. If you know what information your organisation holds about people, where you keep it and how you can search for it, you’ll find it easier to handle your next SAR. You should have:
• a well-structured file plan;
• standard file-naming conventions for electronic documents; and
• a clear retention policy about when to keep and delete documents.
Read our guide to finding information: https://lnkd.in/etJDnsS2
Assess your approach with our Accountability Framework: https://lnkd.in/enpZcPvd
3) Consider your company culture. Information management and successful SARs rely on the whole organisation, not just the information management team. Do your colleagues understand the role they have to play? Our Accountability Framework has questions to help you assess yourself and case studies to learn from others’ best practice: https://lnkd.in/eMFTuvdV

  • “Be yourself, embrace your personality and let your uniqueness spark your creativity.” Arvind, Communications Officer at the ICO. To celebrate this year’s theme of South Asian Heritage Month, ‘Free to Be Me’, we’re sharing Arvind’s story. We recently hosted an event in partnership with People Like Us to help us reach new audiences from all backgrounds. At this event Arvind spoke about his career journey and his experience as a Punjabi man:
Every one of us has a unique journey filled with moments that have shaped who we are. Being a South Asian man comes with cultural expectations and pressure to be “successful”. For instance, getting top marks in school and climbing the ranks in a prestigious profession. Although my childhood dream had been to play for Man United and wear the number 7 shirt, I found myself studying computer science at university. I soon realised that I wouldn’t be happy until I pursued my own passions, so I dropped out. Not knowing which career path would be the right fit for me was one of the lowest points for my mental health. When I discovered that there are careers in social media, it felt like the perfect fit. Joining the ICO’s communications team, for the first time in a while I found a job that excited me.
Then something happened that I’d only dreamed of. I was lucky enough to attend the premiere of David Beckham’s Netflix documentary, where I met the man who made me fall in love with football and Man United. The documentary was trending worldwide and it made me think. Could I use this opportunity and my knowledge of Beckham as part of my role at the ICO? I came up with a plan for a Beckham-themed post as part of cyber security month. It was a massive hit - the most liked of the month - and helped us to get our important guidance and message in front of thousands of people. The success of this post gave me the confidence to keep looking out for opportunities to bring my personality into my work.
I’m proud to be Punjabi and of the path that I’ve followed. I know there are people who have the same feelings I had when struggling to find the right career. I wanted to share my experience to let people know that it’s okay to not have everything planned out, to be your authentic self and let your uniqueness spark your creativity.

    • Photo of Arvind on stage holding a microphone at the People Like Us x ICO event.
  • Running a one-person operation might seem vastly different from a global enterprise. But the rules are the same, because if personal data falls into the wrong hands, it makes no difference where the error came from. What matters is that people could be harmed.
You may receive a letter from us to remind you to check if your business needs to pay the fee under the Data Protection Regulations 2018, or if you’re exempt. Data protection law (the Data Protection (Charges and Information) Regulations 2018) applies to most types of workplaces, business ventures, societies, groups, clubs and enterprises of any type. It includes sole traders and the self-employed, even if a business only employs a handful of staff or no staff at all.
But not everyone pays the same amount. For a small business it’s usually £40 or £60 per year. And if you pay by direct debit, you can reduce the cost by £5.
Businesses, large and small, can check if they need to pay the data protection fee with our online self-assessment tool: https://lnkd.in/gtG4nJP
We have more information on the data protection fee on our website: https://lnkd.in/eB9Fr_2F
The fee goes towards all the guidance and support we offer businesses of all sizes to help get data protection right: https://lnkd.in/ebsneCiw

    • Photo of a man using a tablet on the right. To his left, yellow text on a purple background reads: 
"Data protection fee
A legal obligation
£40 or £60 (or use direct debit to save £5)
Use ico.org.uk/fee-checker"
  • NEW: A software supplier for the NHS and social care sector could face a £6,090,000 fine following a ransomware attack that disrupted NHS services.
The provisional decision to issue a fine relates to a ransomware incident in August 2022. We have provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.
We have provisionally found that personal information belonging to 82,946 people was exfiltrated during the attack. Reports at the time of the attack suggest that staff were unable to access patient records and that critical services such as NHS 111 were disrupted. The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
The Commissioner’s findings are provisional, and he will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.
💡 What can processors learn from this case? Data processors act on the instructions of their clients, the data controllers, who have overall control over how and why personal information is used. However, data processors, such as Advanced, still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
We have detailed guidance to support organisations to protect their systems from ransomware attacks: https://lnkd.in/eK4S_Vbu
And guidance on the responsibilities and liabilities of both data processors and controllers: https://lnkd.in/dkJ8zCyd

    • "Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident." John Edwards, Information Commissioner. To the right of the quote there's a photo of John. He's in a blue pinstripe suit and tie and is looking intently down the camera.
  • Work in policing? Did you know our recent audit of police highlighted best practice? Read the audit report or see our summary below ⬇️ https://lnkd.in/eZBPfkZv
👉 Why weekly risk assessments can save police time and effort managing Freedom of Information requests.
A weekly risk assessment meeting, or RAM, is an operational platform where all new FOI requests are reviewed and discussed by the FOI team, business area staff responsible for gathering information, and senior officers. During the meeting the team categorises each request as normal, complex or at increased risk of harm if the information is disclosed publicly. The discussions provide useful context for FOI handlers and help to determine whether it is feasible to gather the requested information within the required timeframe. The meeting also sets out the FOI draft response schedule that goes to chief officers for review and sign-off.
Spending time putting in place a risk assessment meeting ensures thorough risk assessment and appropriate handling of all FOI requests. This practice has proven to be effective in managing FOI requests, and it underscores the importance of transparency, accountability and risk management. We consider this proactive cross-organisation assessment of FOI requests to be best practice and encourage its wider adoption.

  • NEW: We’ve taken action against a police force and an NHS trust for failing to respond to hundreds of information requests. Both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust have been issued with enforcement notices for their ongoing FOI failings, which have seen hundreds of information requests go without a response.
Our Head of FOI Complaints and Appeals, Phillip Angell, said: “Everyone should have the ability to access public information. When this information is not received or is significantly delayed, it undermines people’s fundamental rights. This lack of transparency can also create unwanted barriers and risk public trust in the organisations we turn to at our most vulnerable.
“The public put trust in the NHS and Police when it comes to health and safety, so why, when those same organisations are asked to supply information, are they not met with the same trust?”
Devon and Cornwall Police
In 2023, as part of our routine work to monitor public authorities’ compliance with the legislation, the Information Commissioner found Devon and Cornwall Police to be performing poorly in terms of their obligation to provide responses to information requests. It was revealed that between 2022 and 2024 the percentage of requests responded to within the statutory FOI timeframe of 20 working days was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024. Our enforcement notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. The Force has been given six months to clear the existing backlog.
Barking, Havering and Redbridge Hospitals NHS Trust
The Commissioner first contacted this authority in June 2023 due to a number of complaints received about its late compliance with FOI requests. It was revealed that, over 12 months, the Trust had only responded to 29% of requests during the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner. The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024. Our enforcement notice provides the Trust with 35 days to devise and publish an action plan to clear this backlog by the end of the year.
What happens next?
An Enforcement Notice (EN) may be served where the Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of FOIA. If a public authority fails to comply with an EN, the Commissioner may commence Court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.
We have resources and guidance to help public bodies improve their FOI compliance: https://lnkd.in/eWJx9852

    • We've issued Devon and Cornwall Police with an Enforcement Notice. Compliance rates as low as 39%. 
Overdue FOI responses: 251.
Oldest case: 410 days old.
    • We've issued Barking, Havering and Redbridge NHS Trust with an Enforcement Notice. 
Compliance rates as low as 29%. 
Overdue FOI responses: 785.
Oldest case: 7 months old
  • The law says that if your business holds or collects customer or supplier information (such as people’s names and addresses), you’ll need to pay an annual data protection fee. You may receive a letter from us to remind you to check if your business needs to pay the fee under the Data Protection Regulations 2018, or if you’re exempt. You can use our online self-assessment tool: https://lnkd.in/gtG4nJP The fee goes towards all the guidance and support we offer businesses of all sizes to help get data protection right: https://lnkd.in/ebsneCiw We have lots more information about the fee on our website: https://lnkd.in/gJGfdfE

    • A woman is looking at the ICO website and the letter she has received. 

To the left the text reads:

Received a letter from the ICO? Many businesses need to pay the data protection fee every year, it's the law. 

Annual cost of the fee £40 or £60. Use ico.org.uk/fee-checker
  • It’s the moment you’ve been waiting for… 👀 The full list of exclusive workshops at this year’s #DPPC24 has been announced! No matter what sector you work in, we’ve got you covered on all kinds of topics. Here are just a few:
🩺 Transparency in health and social care
🤖 Choosing and using AI: how to do it safely
🔓 Understanding SAR and FOI requests: a view from two perspectives
☁️ How to comply with UK GDPR when using the cloud
Whether it’s your first time at the Data Protection Practitioners Conference, you haven’t been in a while or you’re a seasoned guest, you can be sure that you’ll be spoilt for choice with the workshops on offer. View the full list on our website 👉 https://ico.org.uk/dppc
If you’ve not yet signed up, or know someone who would enjoy this year’s FREE event, tag them in the comments and register now 👉 https://lnkd.in/eAAgF5aq

    • Register | DPPC 2024 (dppc24.orcula.co.uk)

  • NEW: We are calling on 11 social media and video sharing platforms to improve their children’s privacy practices. Where platforms do not comply with the law, they will face enforcement action.
This follows an ongoing review of social media platforms (SMPs) and video sharing platforms (VSPs) as part of our Children’s Code Strategy. Our Tech Lab reviewed 34 SMPs and VSPs, focusing on the processes young people go through to sign up for accounts. Varying levels of adherence to our Children’s code were found, with some platforms not doing enough to protect children’s privacy.
Eleven of the 34 platforms are being asked about issues relating to default privacy settings, geolocation or age assurance, and to explain how their approach conforms with the code, following concerns raised by the review. We are also speaking to some of the platforms about targeted advertising to set out expectations for changes to ensure practices are in line with both the law and the code.
Emily Keaney, our Deputy Commissioner, said: “There is no excuse for online services likely to be accessed by children to have poor privacy practices. Where organisations fail to protect children’s personal information, we will step in and take action.
“Online services and platforms have a duty of care to children. Poorly designed products and services can leave children at risk of serious harm from abuse, bullying and even loss of control of their personal information.
“Our world-leading Children’s code has helped stop targeted advertising at children on some of the biggest social media platforms. The code has even encouraged other areas, including tech-famous California, to create their own codes. We’re now building on the code’s achievements to gather more evidence and push for further changes.”
To gather this evidence, we are launching a call for interested stakeholders, including online services, academics and civil society, to share their views and evidence on two areas of children’s privacy:
➡️ How children’s personal information is currently being used in recommender systems (algorithms that use people’s details to learn their interests and preferences in order to deliver content to them); and
➡️ Recent developments in the use of age assurance to identify children under 13 years old.
The evidence gathered will be used to inform our ongoing work to secure further improvements in how SMPs and VSPs protect children’s privacy.
Read more about our review of social media and video sharing platforms: https://lnkd.in/ew6aQ43W
Respond to our call for evidence: https://lnkd.in/eptWjkhk

    • "There is no excuse for online services likely to be accessed by children to have poor privacy practices. Where organisations fail to protect children's personal information we will step in and take action." Emily Keaney, Deputy Commissioner, Regulatory Policy. To the right of the quote there's an image of Emily; she's in a white top and black blazer and looking intently at the camera.
  • We strongly support responsible data sharing, especially when it helps to safeguard vulnerable people and prevent harm. Responsible data sharing can aid the prevention of data-enabled scams and fraud that target vulnerable people online. Data protection law can act as an enabler for fair and proportionate data sharing, rather than a barrier, and we’ve developed a variety of resources to help.
We stand ready to support stakeholder-led initiatives which seek to promote responsible sharing of data, and we’re also developing new resources that will empower businesses to share data appropriately to mitigate fraud and scams.
Our existing resources have been created to empower people and organisations to share data responsibly:
➡️ Use our Data Sharing Code of Practice as a guide on how to share personal data in a way that complies with data protection law: https://lnkd.in/eCXnq9hk
➡️ We have sector-specific guidance that offers practical advice on data protection considerations when you need to share information: https://lnkd.in/eFxpy6-w
➡️ We’ve provided real-world examples and case studies of different approaches to data sharing: https://lnkd.in/egh9q-YJ
We’re currently working with stakeholders to understand which types of case studies and examples will support organisations to have confidence in proactively sharing information to prevent fraud and scams harms. Stakeholders include:
➡️ Other regulators as part of the Digital Regulation Cooperation Forum (DRCF)
➡️ Government
➡️ Financial
➡️ Telecoms and social media firms
➡️ Trade and anti-fraud bodies
➡️ Consumer groups.
We will hold workshops with stakeholder groups as we develop these case studies. We’re eager to hear from interested stakeholders on any ideas, suggestions for useful case studies or questions about our guidance.
📨 Send us your thoughts via email to: digitalregulationcooperation@ico.org.uk

    • Arrows to represent data being transferred around an icon of two people. One has an arm around the other.
