The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues.
The DPIA newsletter is a round-up of the most interesting and need-to-know privacy issues from the past two weeks. A quick 3-minute read to keep you on top of the news.
Knowledge nuggets for busy privacy professionals
Subject Access Request exemptions: When can information be withheld?
Subject Access Requests, also known as Data Subject Access Requests (DSARs), can be complex and a challenge for organisations to manage. This blog explores the frequently asked question of what must be included in a DSAR response and what can be withheld. We discuss the background of DSARs under the GDPR, why subject access requests are so important, timeframes and deadlines, and what a DSAR response should contain.
The ICO publishes new guidance on lawful monitoring in the workplace
On 3 October 2023, the Information Commissioner’s Office (ICO) published guidance for employers on monitoring workers lawfully, transparently, and fairly. In light of the increase in remote working since the pandemic, the guidance offers clarity about data protection laws should organisations wish to monitor their workers. Following research commissioned by the ICO, 70% of the public stated they would find it intrusive to be monitored by an employer. The guidance covers how organisations can monitor staff lawfully, including the importance of identifying the most appropriate lawful basis for the type of processing intended. Review the new guidance
MPs and Lords call for pause in police use of facial recognition tech
A cross-party coalition of 65 UK MPs and Lords and 31 groups, including Liberty and Amnesty International, have called for a pause in the police’s use of live facial recognition surveillance. Demanding a full-scale parliamentary and public debate take place, the campaigners seek the implementation of appropriate safeguards. In contrast to the draft EU AI Act, which bans police use of facial recognition technology in public places, the campaigners are not currently calling for a ban. Big Brother Watch director Silkie Carlo said, ‘The UK’s reckless approach to face surveillance makes us a total outlier in the democratic world, especially against the backdrop of the EU’s proposed ban.’
EU-US DPF survives first challenge
On 12 October 2023, the Court of Justice of the European Union (CJEU) gave its interim ruling on French MP Philippe Latombe’s challenge to the EU-US Data Privacy Framework (DPF). The challenge includes an application to annul the adequacy decision and questions the text of the agreement. For interim relief to be granted and to justify an urgent suspension, Latombe needed to establish that he would suffer ‘serious and irreparable harm’. The CJEU found there were insufficient grounds for urgency and rejected the request. The application has not been concluded, however: a full hearing and final decision are still to come. The interim ruling addressed only urgency, not the merits, although the failure to show harm does raise questions about the strength of Latombe’s case. Read the interim case proceedings
Netherlands’ NCSC launches one-stop shop for cyber breach reporting
On 3 October 2023, the National Cyber Security Centre (NCSC) of the Netherlands announced the opening of a unified platform for reporting cyber threats and vulnerabilities, established in collaboration with the Computer Security Incident Response Team for Digital Services (CSIRT-DSP) and the Digital Trust Centre (DTC). The one-stop shop is a centralised hub where security researchers, ethical hackers, and domestic and international partners can exchange information on cyber threats and incidents, with the goal of ensuring victims are properly informed. This initiative is part of a broader plan to integrate the NCSC, CSIRT-DSP, and DTC into one cyber organisation by 2025.
Stockholm’s Board of Education fined for unlawful surveillance
On 5 October 2023, the Swedish Authority for Privacy Protection (IMY) imposed a fine of SEK 800,000 (approx. €69,200) on Stockholm’s Board of Education for GDPR violations. The penalty followed investigations initiated by complaints about Aspudden School’s extensive use of camera surveillance to prevent arson without notifying staff, students, or guardians. The school, which falls under the Board of Education, was found to be in violation of several GDPR principles, including lawfulness and data minimisation. The IMY stated that the school must limit camera surveillance to problem areas only, while acknowledging that preventing arson was a legitimate aim.
US biotech company confirms user data stolen in credential-stuffing attack
The US genetic testing company 23andMe confirmed on 6 October 2023 that data from a subset of its users had been compromised and was circulating on hacker forums. The company states that its own systems were not breached: threat actors used account credentials that users had reused from other services (credential stuffing) to log in to those accounts, and then scraped further data about the DNA relatives of users who had opted into the DNA Relatives feature. 23andMe has encouraged all users to enable the two-factor authentication it offers and to stop reusing passwords across services.
South Korea’s MSIT unveils Digital Bill of Rights at cabinet meeting
The Ministry of Science and ICT (MSIT) announced the ‘Digital Bill of Rights’ at a cabinet meeting chaired by President Yoon Suk Yeol on 25 September 2023. The Bill is a charter codifying principles and standards for a unified global approach to digital order. With 6 chapters and 28 articles, the document aims to create a blueprint for digital societies. The government plans to use the Digital Bill of Rights as a standard in addressing key challenges such as AI and revising specific existing laws and regulations.
FTC’s recent report highlights consumer concerns over AI
On 3 October 2023, the Federal Trade Commission (FTC) published a technology blog about consumer concerns over AI. The independent US agency cited key concerns, including the massive amounts of data required for training AI models, inaccuracies and inbuilt biases, and the implications for both consumer protection and marketplace competition. Scams, fraud, and malicious use were cited as a particular challenge, with phishing emails becoming harder to spot now that generative AI can remove the grammar and spelling mistakes that used to give them away. Read the FTC's blog
We are recruiting!
To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking candidates for the following positions:
Data Protection Officers (based in the United Kingdom or The Netherlands)
Data Protection Officer (German Speaking)
Data Subject Access Rights (DSAR) Officers to join our #oneteam
If you are looking for a new and exciting challenge, and the opportunity to work for a Great Place to Work-Certified™ company, apply today!
You have been sent this newsletter under legitimate interest. For more information, please read our Privacy Notice.
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom
The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom