UK Information Commissioner Explains New Privacy Laws

Elizabeth Denham was speaking ahead of the announcement of a major new public awareness campaign which will seek to improve people’s trust and confidence in how organisations handle their personal information.

In a keynote speech at the ICO’s 11^th annual Data Protection Practitioners’ Conferencein Manchester on April 9th, Ms Denham told more than 800 delegates:

“It has been hard to miss the exposé of Cambridge Analytica’s alleged use of personal data in election campaigns, including information gathered from Facebook.

“Our ongoing investigation into the use of personal data analytics for political purposes by campaigns, parties, social media companies and others will be measured, thorough and independent. Only when we reach our conclusions based on the evidence will we decide if enforcement action is warranted.

“The dramatic revelations of the last few weeks can be seen as a game changer in data protection. Suddenly, everyone is paying attention.

“Our public information campaign, Your Data Matters, will help raise awareness but also, I hope, increase trust in our data-driven world.”

Hosted by journalist and broadcaster Kate Bevan, other speakers at the DPPC event will include Margot James, Minister for Digital and the Creative Industries, along with experts and innovators from the public, private and academic sectors.

ICO staff will be outlining the regulator’s current and future work in areas including enforcement and regulatory action, technology policy and international engagement. Drop-in centres will offer one-to-one advice on various areas of data protection law, particularly aspects of the General Data Protection Regulation (GDPR), which applies from 25 May.

Ms Denham added:

“The proper use of personal data can achieve remarkable things. It can improve, ease and enrich our lives. Now, more than ever, the role of data protection practitioner is not just as a guardian of privacy but as an ambassador for the appropriate use of personal data in line with the law.”

Jon Baines, chair of the National Association of Data Protection Officers and data protection adviser at Mishcon de Reya LLP, said:

“The DPO is recognised as a cornerstone of accountability. The protection of personal data is recognised as a fundamental right and the DPO will be crucial to ensuring that this right is respected, and also in allowing data subjects to understand and exercise that right.”

Ashley Winton, information rights lawyer and chairman of trade association the Data Protection Forum, said:

“Unsurprisingly, the GDPR is bringing the importance of an effective DPO into sharp relief, a welcome systemic change for our profession.”

The DPPC event, taking place at the Manchester Central Conference Centre, can be watched on our live stream from 9.40am to 4.20pm on Monday, 9 April.

Background:

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.

4. The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018. The Government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR. The Government is introducing measures related to this and wider data protection reforms in a Data Protection Bill.

5. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate and up to date;
• not kept for longer than is necessary;
• processed in line with your rights;
• secure; and
• not transferred to other countries without adequate protection.

6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).

8. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns