By Faye Cheung, Researcher

Blanche, Jacques-Emile; Knightsbridge from Sloane Street, London (Fine December Morning); York Museums Trust on Art UK

Data Sharing Code of Practice in Parliament

On the 18th May the UK Government laid the Data Sharing Code of Practice before Parliament. It will be with Parliament for 40 sitting days before coming into force.[1] The Code seeks to give organisations practical steps as to how to share data whilst protecting people’s privacy. The Information Commissioner, Elizabeth Denham CBE, says that the Code ‘demonstrates that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist’.[2] The code can be read here.

ICO Memorandum of Understanding with New Zealand

The ICO has signed a Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner (OPC). The Memorandum of Understanding sets out how the UK and New Zealand will continue to share  experiences and best practice, to cooperate with projects of interest and share information to support enforcement work.[3] This comes at a time where there is increasing trade between the UK and New Zealand.[4]

Highlights from the Data Protection Practitioners’ Conference 2021

One of the headlines from this year’s Conference is that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers. The ICO is also considering the value of recognising transfer tools from other countries including standard data transfer agreements and the EU’s standard contractual clauses.[5] Other highlights of the conference included the ‘Data Ethics’ seminar, which looked at the role ethics play in balancing the interests of society and data controllers.[6] Support for small and medium-sized enterprises (SMEs) was also a particular area of interest – ‘Data protection for beginners’ seminars were held and use of the SME web hub was encouraged.[7] The SME web hub, which provides data protection advice for all small organisations, is available here.

Data Protection Guidance for the Media

The ICO are developing a new code of practice for journalism. It is tasked to do this under section 124 of the Data Protection Act 2018.[8] The code of practice will help journalists, and this includes ‘citizen journalists’, to understand their legal obligations when processing personal data for the purposes of journalism.[9] 

ICO Enforcement Actions

A company who used personal data that had been provided by members of the public for Covid contact tracing purposes has been fined for using that data for marketing purposes. The personal data had been collected from QR codes placed at the entrances of businesses as per the government’s contact tracing rules. The company have been fined £8,000 by the ICO for using personal data for marketing without adequate valid consent.[10]

The ICO has also issued a fine of £90,000 to American Express Services Europe Limited (Amex) for sending marketing emails to customers without their consent. Amex incorrectly argued that these were servicing emails rather than marketing emails. In response to this the ICO’s Head of Investigation, Andy Curry, has said that he would ‘encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law’.[11] The difference between marketing and services email is explained by the ICO website here.

The Children’s Code and Data Protection Impact Assessments

A reminder from the ICO that all organisations in the scope of the Children’s Code must be compliant by 2 September 2021. All relevant organisations (those who provide online services likely to be accessed by children) are obligated to complete a Data Protection Impact Assessment (DPIA) under the Code.[12] This is both part of the Children’s Code and is it is also a requirement of the UK GDPR. Undertaking a DPIA will help organisations identify and mitigate the data protection risks of the relevant online service to the rights of any children who are likely to access it. If organisations have not already done so then they should conduct a DPIA on their relevant existing services before September 2021. Going forward organisations should conduct a DPIA during the early design phase of any new relevant service before any personal data is processed. Information on how to conduct a DPIA is available here.

Three Years of GDPR

25th May 2021 marked the 3rd anniversary of the EU GDPR. Some of the most notable enforcement actions under the GDPR’s 3 year history include a €50 million against Google by France’s regulator, €35.3 million against H&M by Germany’s regulator, €27.8m against Tim (formerly Telecom Italia) in Italy and £20 million against British Airways in the UK.[13] GDPR is currently retained in UK domestic law as the ‘UK GDPR’, which sits alongside an amended version of the Data Protection Act 2018.[14]

EU Citizens and the Right to Access Home Office Data

A recent ruling at the Court of Appeal means that EU citizens have won the right to access their personal data held by the Home Office.[15] Those who are denied settled status or future visas are now permitted to see their records that were used against them. This can include social benefits, entry to the country records, criminal and civil offence records. In a significant development the judges ruled that the immigration exemption in the Data Protection Act 2018, which has been relied upon by the home office in 59% of cases, is ‘non-compliant’ with both GDPR and the charter of fundamental rights of the EU.[16]

This article was first published on Forum Business Media’s GDPR online resource: www.gdprorb.co.uk/content-partners


[1] https://ico.org.uk/for-organisations/data-sharing-a-code-of-practice/

[2] https://ico.org.uk/for-organisations/data-sharing-a-code-of-practice/

[3] and [4] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/ico-and-office-of-the-privacy-commissioner-new-zealand-sign-mou/

[5] and [6] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/five-things-we-learned-from-dppc-2021/

[7] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/five-things-we-learned-from-dppc-2021/#unlocking

[8] and [9] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/work-on-updating-the-ico-s-journalism-code-continues/

[10] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/ico-takes-action-against-contact-tracing-qr-code-provider/

[11] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/amex-fined-for-sending-four-million-unlawful-emails/

[12] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/spotlight-on-the-children-s-code-standards-data-protection-impact-assessments/

[13] https://www.bbc.co.uk/news/technology-57011639

[14] https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr/

[15] and [16] https://www.theguardian.com/uk-news/2021/may/26/eu-citizens-win-right-access-personal-data-held-home-office


© Naomi Korn Associates, 2021. Some Rights Reserved.

Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (June 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.