
Issue: 28.01.2020

ICO publishes final version of its children's Code of Practice

The UK Information Commissioner's Office has published its final Age Appropriate Design Code, a set of 15 standards that online services should meet to protect children's privacy. The Code sets out the requirements of those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website. This means privacy settings should be set to high by default, and nudge techniques should not be used to encourage children to weaken their settings. The Code, which is the first of its kind, reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development.

Regulator reiterates call for regulation of live facial recognition
The ICO has reiterated its call for the government to introduce a statutory and binding code of practice for live facial recognition as a matter of priority. "This will ensure consistency in how police forces use this technology and to improve clarity and foreseeability in its use for the public and police officers alike. We believe it's important for government to work with regulators, law enforcement, technology providers and communities to produce [a new] code", said the ICO. Last October, the regulator concluded its investigation into how police use live facial recognition technology in public places, finding there was public support for police use of LFR, but also that there needed to be improvements in how police authorised and deployed the technology if it was to retain public confidence and address privacy concerns. It set out its views in a formal Opinion for police forces. The regulator has several ongoing investigations into the use of LFR.

250 million records exposed as part of Microsoft breach
Microsoft has announced a data breach that affected one of its customer databases. In a recent blog post, the company admitted that between 5th December 2019 and 31st December 2019, a database used for 'support case analytics' was effectively visible from the cloud to the world. Microsoft didn't give details of how big the database was. However, consumer website Comparitech, which discovered the unsecured data online, claims it was to the order of 250 million records containing logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. Microsoft has promised to notify anyone whose data were inadvertently exposed.

Fashion retailer says data protection breaches unacceptable
Fashion retailer H&M is cooperating with the Supervisory Authority in Hamburg after discovering "unacceptable" data security breaches at its German unit. State Data Protection Commissioner in Hamburg, Johannes Caspar, has started a probe. It is understood that the company collected information on illnesses and other personal circumstances of employees at the H&M Customer Centre for Germany and Austria. "The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which is without comparison in recent years," Mr Caspar said.

Face recognition app sued over privacy concerns
A lawsuit is taking aim at Clearview AI, a controversial facial recognition app being used by US law enforcement to identify suspects and other people. The app identifies people by comparing photos to a database of images scraped from social media and other sites, and then sells the information to law enforcement agencies. The lawsuit alleges that Clearview AI's actions are a threat to civil liberties: "Without obtaining any consent and without notice, Defendant Clearview used the internet to covertly gather information on millions of American citizens, collecting approximately three billion pictures of them, without any reason to suspect any of them of having done anything wrong, ever," the complaint alleges. The complaint is seeking damages, expungement of records and an injunction to stop Clearview from continuing its business. News of the lawsuit follows Democratic Senator Edward Markey saying Clearview's app may pose a "chilling" privacy risk.

Clarification on handling SARs
Last week, we reported on an aspect of the UK regulator's guidance on SARs, currently out for consultation. Specifically, we reported that the start of the one or three month time period for compliance is no longer delayed until the controller receives any requested clarifying information from the data subject. We indicated this was a new change. In fact, the ICO's guidance on time for responding to an access request was changed in August 2019, before the consultation started, in line with case law and guidance from the European Data Protection Board. Therefore the times for responding as detailed on the ICO's website apply.

Receive further expert guidance and in-depth articles on data protection direct to your mailbox or home address.
Privacy & Data Protection Journal

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal



Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
Here is a selection of courses taking place shortly:
Daniel Gibson
The day-to-day work of the DPO is critical to the smooth running of organisations and to establishing and maintaining effective and productive relationships with the organisation's customers, staff members and other relevant individuals. DPOs play a central role in ensuring that the organisation meets its data protection responsibilities and in avoiding unwanted attention from regulators.

This course analyses the role and duties of the DPO in a practical context and provides delegates with the information that they need to become more effective and efficient. Topics include:
  • mandatory and non-mandatory duties
  • relationship between the DPO and senior management
  • the organisation's obligation to involve the DPO in key decisions
  • the organisation's responsibilities to provide appropriate facilities and resources to DPOs
  • the requirement for DPOs to be "independent"
  • handling conflicts of interest
  • understanding data flows and gap analyses
  • key skills, including leadership and conflict resolution
  • the need for confidentiality
  • accessibility of the DPO
  • the requirement to keep records
  • communicating with data protection regulators
It is recommended that delegates attending this course have some existing knowledge of data protection. Those with no existing knowledge should attend Data Protection Essential Knowledge - Level 1 before attending this course.

The next dates for this training session are:
  • London: Friday, 21st February 2020
  • Manchester: Friday, 13th March 2020
  • Dublin: Thursday, 18th June 2020
For further information and to make a booking:
  1. Visit PDP's website
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

Alison Deighton
HelloDPO
Data Protection Impact Assessments (DPIAs) enable organisations to assess potential data protection and other privacy implications at the design stage of a new system or process. Such risks can be assessed and addressed within the development of the system or process, rather than being a "bolt-on" after implementation (when it may be too late to address all the concerns, at least without significant cost implications).

DPIAs are recommended by data protection regulators, and they are a requirement in some sectors. DPIAs are an important part of the "privacy by design" culture, and they are mandatory under the General Data Protection Regulation.

Different approaches and levels of assessment can be undertaken depending on the nature of the system/process and the size of the organisation. This course gives practical guidance on conducting DPIAs, and includes:
  • what is a DPIA, and when should one be carried out
  • national regulators' recommendations and guidance
  • stages of a DPIA and what to do in practice: initial assessment, preparation, information flows, consultation with stakeholders, analysis, documentation
  • the relationship between conducting DPIAs and other risk and project management activities (e.g. other risk assessments, data protection audits)
  • legal and compliance issues to consider
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection.

The next dates for this training session are:
  • Bristol: Friday, 14th February 2020
  • Manchester: Friday, 6th March 2020
  • Glasgow: Friday, 20th March 2020
For further information and to make a booking:
  1. Visit PDP's website
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue

Peter Given
Womble Bond Dickinson
Meeting the requirements of data protection law whilst handling staff data can be particularly challenging. Holding and using staff information carries significant legal responsibilities and risks.

This invaluable one-day session is designed to meet the needs of anyone who has responsibility for the use of employee data, including Human Resources Officers and Compliance Officers. It is also useful to Employment Lawyers and companies providing outsourced HR functions to other organisations.

This course, which is fully up to date with the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the implications of Brexit, uses case studies based on real scenarios to give delegates a practical understanding of the data protection compliance issues involved in employing and managing staff. The session lets delegates know the key areas of risk, and includes practical advice on:
  • ensuring that the recruitment and selection process meets the legal requirements, including the content of application forms, pre-employment vetting, criminal records, medical checks and the interview process
  • retaining staff records, and appropriate periods of time for keeping information
  • dealing with information requests from staff - what must be disclosed and what you can withhold
  • disclosing staff information to outside third parties - the legal requirements that must be met before staff information can be sent outside the organisation
  • references and the rights of ex-members of staff
  • monitoring staff activities and communications, including using line managers, private detectives, CCTV cameras and website monitoring technologies
  • handling sensitive information such as health and sickness records and medical data
  • how to handle mergers, acquisitions and restructuring
  • outsourcing functions to third party providers
  • how to comply with the Employment Code
  • how to handle staff complaints
  • the role of the Information Commissioner and what to do if she investigates
Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection.

The next available dates for this course are:
  • Bristol: Friday, 14th February 2020
  • Manchester: Friday, 6th March 2020
  • Glasgow: Friday, 20th March 2020
For further information and to make a booking:
  1. Visit PDP's website
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Cities/dates available throughout the UK
Upcoming Bristol intensive week - Final few places remaining  
The Practitioner Certificate in Data Protection ("PC.dp.") is the practical qualification for those that work in the fields of data protection and privacy. It is fully up to date with the requirements of the General Data Protection Regulation (GDPR).
Highly practical Training session taking place in February - book now to secure your place 
Role of the DPO 
This course analyses the role and duties of the DPO in a practical context and provides delegates with the information that they need to become more effective and efficient.

PDP 2020 Training Catalogue
Download our latest Training Catalogue for a comprehensive overview of 2020 training courses and qualifications for those working in Data Protection and Information Management.
Latest edition of Privacy & Data Protection Journal 
The latest edition includes the following articles: 
Contracting under the GDPR: Five not-so-easy pieces

Joint controller relationships - more prevalent than previously thought

Why you may not be processing Special Category personal data lawfully in the UK

Confused by EU cookie rules? The ICO and CNIL are here to help (sort of) 

Qualify as a GDPR Data Protection Practitioner

Flexible training options allow you to train alongside other commitments


"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority

"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy

"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust

"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes

"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Pearson Education

"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager

"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions

PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom
