ICO updates, anonymisation guidance and cyber security

In this month’s Data Protection Round-Up: key takeaways from the ICO Data Protection Practitioners Conference, guidance on anonymisation, and a government response to new cyber security legislation.

ICO’s data Protection Conference key takeaways

Last week I attended the ICO’s annual Data Protection Practitioners Conference. The conference, usually held in Manchester, was instead delivered online. The all-day conference covered myriad of topics, below I have summarised my two key takeaways:

1. The ICO has confirmed that it will be updating their “Employment Practices Code”. Whilst this code is now very much out of date, published in 2011 before the Data Protection Act update and GDPR, it does contain relevant and useful information, particularly regarding employee personal data. Despite being a query I heard raised in more than one of the seminars and panel sessions, the ICO did not give a timeline as to when this update might be released. It is, however, expected that this code will be released in stages, with the ICO inviting consultation on each chapter/section.
2. The ICO are currently working on UK specific Standard Contractual Clauses for international transfers, this has been subsequently confirmed in an ICO announcement on their website (Five things we learned from DPPC 2021 | ICO). Speaking at the “Ask the ICO” Q&A, the Deputy Commissioner confirmed that “[they] intend to go out for consultation on those in the summer. We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”

European Data Protection Supervisor publishes anonymisation misunderstandings guidance

In partnership with the Spanish Data Protection Agency the EDPS have sought to address the 10 biggest misunderstandings that relate to the process and results of anonymising data. Seeking to raise public awareness and debunk any myths associated with anonymisation, the guidance lists 10 common misunderstandings and details techniques for ensuring GDPR compliance. Whilst this guidance is primarily focused on the processing of personal data by the EU administration, the advice is likely to be applicable to UK organisations too as the principles and observations remain the same.

The guidance notes that there have been several major examples of poor anonymisation by major organisations, actions that have led to serious data breaches. The guidance sites the publishing of a data sheet by the New York City Taxi and Commissioner of 173 million taxi trips that supposedly anonymised the taxis’ license numbers. Due to poor anonymisation practices, it was quickly established that not only where the license numbers easy to identify but so were the individual drivers of those taxis.

Amongst the misunderstandings listed are:

• “Anonymisation is forever” – this is incorrect as there is a risk that some anonymisation processes could be reverted in the future as technology changes.
• Pseudonymisation is the same as anonymisation” – this is incorrect, they have very different uses and definitions.
• “There is no risk and no interest in finding out to whom this data refers to“ – this is incorrect and the guidance states: “personal data has a value in itself, for the individuals themselves and for third parties. Re-identification of an individual could have a serious impact for his rights and freedoms.”

The full guidance can be found here: 10 Misunderstandings related to anonymisation

Government publishes next steps on consumer connected product cyber security legislation.

Between 16 July 2020 and 6 September 2020, the government ran a ‘call for views’ on new proposals for UK domestic cyber security legislation. Specifically, this new legislation will seek to ensure appropriate measures are in place to protect consumers whose devices, such as televisions, smart speakers, connected doorbells, cameras and household appliances, that connect to the internet are safe and secure. The security of smart speakers, for example, has long been criticised; there is an endless array of horror stories of inadvertent data sharing or inappropriate access.

The Government have now published their response to the ‘call for views’ recognising that such legalisation will become increasingly important in the wake of ever-integrated 5G- households becoming the new normal. Whilst laptops will be exempt (due to their sophisticated construction and sophisticated security integration, any regulations will apply to all consumer connected products including smartphones.

The Government hopes to legislate as soon as possible, although there is no telling when any parliamentary time will be allotted. It is anticipated that the new security requirements will align with international standards and the Government will set up a specific enforcement body equipped with the necessary powers to investigate allegations of non-compliance. Read the Government’s full proposals