Beyond Consent (Part 2)

Understanding Different Lawful Bases for Data Processing

Legitimate Interest, Government Resistance in Covid Inquiry, and More

We recently hosted the second part of our thought-provoking podcast series, delving into crucial topics such as the concept of legitimate interest, the government’s legal bid to prevent the Covid inquiry from accessing Johnson’s WhatsApp messages, and other noteworthy news. In this blog post, we will provide a summary of the key points discussed during the podcast. You can listen to the full episode on Spotify here.

Government’s Legal Bid to Block Covid Inquiry: The government has taken the highly unusual step of launching a legal challenge to prevent the Covid inquiry from obtaining former prime minister Boris Johnson’s WhatsApp messages. The Cabinet Office, the department that supports the prime minister in running the government, refused to hand over certain material, arguing that it is irrelevant to the inquiry, that disclosure would infringe privacy rights, and that it would set a precedent that chills future policy discussions. The inquiry’s chair, Baroness Hallett, maintains that it is for her, not the government, to decide what is relevant. The dispute sets up a legal showdown only weeks before the inquiry’s public hearings are due to begin.

ICO Responds to Open Rights Group’s Report: The Information Commissioner’s Office (ICO) has defended itself against criticism from the Open Rights Group. The group analyzed how personal data was used in three key Covid-19 health programs: NHS Test and Trace, the NHS Covid-19 contact tracing app, and the NHS Covid-19 Data Store. It found that none of the three had complied with the requirement in Article 35 of the GDPR to carry out a Data Protection Impact Assessment before starting high-risk processing. An ICO spokesperson disputed the findings, saying that during the emergency the ICO prioritized making sure organizations understood their data protection obligations.

Insights from IAPP’s Privacy Professionals Salary Survey: According to the International Association of Privacy Professionals (IAPP), the average base salary for internal privacy professionals is $146,200 globally. The survey revealed that a majority of respondents expressed satisfaction with their current roles, with 86% reporting satisfaction and 61% rating their satisfaction level as eight or higher on a scale of one to ten.

NHS Breach Raises Privacy Concerns: Recent reports have revealed that 20 NHS trusts shared patient data with Facebook without consent, through a tracking tool embedded in their websites, despite promising not to do so. The Information Commissioner’s Office (ICO) acknowledged the findings and said it is committed to ensuring that organizations handle information securely and only for the purpose it was collected for. Privacy experts have raised serious concerns about the use of such data and have called for stronger enforcement and better protection of individuals’ rights.

Berlin Imposes Fine on Bank for Lack of Transparency: Berlin’s data protection authority has fined a bank €300,000 for failing to be transparent about its automated rejection of credit card applications. The bank did not give the applicant concrete information about the data it relied on, how the decision was reached, or the criteria for rejection. The Berlin DPA concluded that the bank had violated several articles of the GDPR and stressed that when a decision is made solely by automated means, the individual is entitled to meaningful information about the logic involved and the reasons for the outcome.

Amazon Penalized for Privacy Violations: Amazon has been penalized by the US Federal Trade Commission (FTC) in two separate settlements, together worth more than $30 million: one for retaining children’s voice recordings and other data collected through Alexa instead of deleting them, and one for failing to restrict employee and contractor access to customers’ Ring security videos. The Ring complaint alleges that one employee viewed thousands of recordings belonging to female users without authorization, which highlights that access to customer recordings needs to be tied to a justified purpose, logged, and monitored so that improper access is detected rather than discovered years later.
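The Ring case above is an insider-access problem, and the control that catches it is monitoring of the access log rather than any perimeter. The following is an added example, not code from the podcast, the ICO, or Amazon: it assumes a hypothetical access log with the columns timestamp, employee, customer, recording and ticket (the support case that justified opening a video, empty when there was none), and runs two detections over constructed sample rows. The first flags any access with no supporting ticket; the second flags employees who touch far more distinct customers than their peers, scored with a median/MAD robust z-score so that a single heavy abuser cannot inflate the baseline the way a mean and standard deviation would.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample access log (not real data). Columns:
# timestamp, employee, customer, recording, ticket (support case that
# justified the access; empty when the employee opened the video ad hoc).
SAMPLE_LOG = (
    "timestamp,employee,customer,recording,ticket\n"
    "2023-05-01T09:02:11Z,alice,cust-1001,rec-1,T-100\n"
    "2023-05-01T09:10:41Z,alice,cust-1002,rec-2,T-101\n"
    "2023-05-01T09:30:00Z,alice,cust-1003,rec-3,T-102\n"
    "2023-05-01T10:15:03Z,bob,cust-1004,rec-4,T-103\n"
    "2023-05-01T10:20:00Z,bob,cust-1004,rec-5,T-103\n"
    "2023-05-01T11:00:00Z,carol,cust-1005,rec-6,T-104\n"
    "2023-05-01T11:30:00Z,carol,cust-1006,rec-7,\n"
    "2023-05-01T12:00:00Z,dave,cust-1007,rec-8,T-105\n"
    "2023-05-01T12:05:00Z,dave,cust-1008,rec-9,T-106\n"
    "2023-05-01T12:10:00Z,dave,cust-1009,rec-10,T-107\n"
    "2023-05-01T12:15:00Z,dave,cust-1010,rec-11,T-108\n"
    # mallory browses 15 different customers' recordings with no ticket.
    + "".join(
        f"2023-05-01T13:{i:02d}:00Z,mallory,cust-2{i:03d},rec-m{i},\n"
        for i in range(15)
    )
)

MAD_SCALE = 0.6745  # makes the MAD comparable to a standard deviation


def parse_log(text):
    """Yield one dict per access row; a blank ticket becomes None."""
    for row in csv.DictReader(io.StringIO(text)):
        row["ticket"] = row["ticket"] or None
        yield row


def robust_z_scores(values):
    """Median/MAD z-scores (Iglewicz-Hoaglin). One outlier cannot drag the
    baseline the way it would with mean and standard deviation."""
    med = statistics.median(values.values())
    mad = statistics.median(abs(v - med) for v in values.values())
    scores = {}
    for key, v in values.items():
        if mad == 0:
            # Degenerate baseline (most peers identical): anything above
            # the median is treated as an outlier.
            scores[key] = float("inf") if v > med else 0.0
        else:
            scores[key] = MAD_SCALE * (v - med) / mad
    return scores


def analyze(log_text, z_threshold=3.5):
    """Return per-employee counts and the detection flags raised for each."""
    customers = defaultdict(set)
    no_ticket = defaultdict(int)
    for row in parse_log(log_text):
        customers[row["employee"]].add(row["customer"])
        if row["ticket"] is None:
            no_ticket[row["employee"]] += 1
    counts = {emp: len(c) for emp, c in customers.items()}
    z = robust_z_scores(counts)
    report = {}
    for emp, n in counts.items():
        flags = []
        if no_ticket[emp]:
            flags.append("no_ticket")
        if z[emp] > z_threshold:
            flags.append("volume_outlier")
        report[emp] = {
            "distinct_customers": n,
            "no_ticket": no_ticket[emp],
            "robust_z": round(z[emp], 2),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for emp, r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{emp:8} customers={r['distinct_customers']:2} "
              f"no_ticket={r['no_ticket']:2} z={r['robust_z']:6} {r['flags']}")
```

On the sample data carol is flagged only for a single access without a ticket, which a reviewer might accept with an explanation, while mallory is flagged on both signals. The two checks are deliberately independent: a ticket requirement stops casual browsing, and the peer comparison catches an insider who has learned to attach a ticket to every request.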

Housing Association Downgraded over Data Quality Issues: East End Homes, an organization operating around 3,800 homes, has been downgraded by the Housing Regulator due to concerns over governance, risk management, and control frameworks. The regulator found deficiencies in the management of data quality, including incomplete and inaccurate data records. This raises significant privacy and data protection concerns for the residents of East End Homes.

Legitimate Interest in Data Processing: The podcast also discussed legitimate interest, one of the six lawful bases in Article 6 of the General Data Protection Regulation (GDPR). It allows an organization to process personal data without obtaining consent, provided that the processing is necessary for a legitimate interest pursued by the controller or a third party and that this interest is not overridden by the interests, rights and freedoms of the individuals concerned.

The podcast explored the difficulty of deciding when legitimate interest applies and stressed the importance of documenting the assessment. In practice that means a three-part test: identifying a genuine legitimate interest, showing that the processing is necessary to achieve it, and balancing that interest against the impact on individuals. Organizations must be able to demonstrate that the processing is necessary and proportionate before relying on this basis.

Data Breaches and Accountability: Data breaches continue to be a major concern in the realm of privacy and data protection. The podcast highlighted the need for organizations to take responsibility for data breaches and be held accountable for the mishandling of personal information. Stronger enforcement measures and penalties are essential to ensure that organizations prioritize data security and protect individuals’ privacy rights.

The Information Commissioner’s Office (ICO) has updated its guidance for businesses and employers on responding to Subject Access Requests (SARs). The new guidance emphasizes the importance of recognizing a SAR when one arrives and responding to it in time. It clarifies that a SAR can be made informally, in any format and without specific wording, and that employers must respond within one month of receipt, extendable by up to a further two months where requests are complex or numerous. Failure to respond appropriately may result in action from the ICO to protect individuals’ data rights.

The guidance also covers issues related to SARs in the context of ongoing tribunal or grievance processes, as well as situations where an employee offers to withdraw a SAR in exchange for a higher settlement payment. It provides guidance on handling emails containing only the employee’s name and email address, stating that the content of such emails should be assessed to determine if it qualifies as personal data.

Furthermore, the session discussed the concept of legitimate interest (LI) as a lawful basis for processing personal data under the UK GDPR. While LI is a flexible basis, controllers must consider and protect individuals’ rights and interests when relying on it. The ICO considers Legitimate Interest Assessments (LIAs) as best practice and essential for meeting accountability obligations.

The proposed Data Protection and Digital Information (No. 2) Bill introduces “recognised legitimate interests” as a new lawful basis for processing, listing in Annex 1 specific processing activities for which a controller would not need to carry out the balancing test. This change may require businesses to review and potentially revise their data protection documentation.

The session also touched on whether the use of AI and of data scraped from the internet can be justified as a legitimate interest, and the public-interest concerns that raises. It also noted the Dutch data protection authority’s strict interpretation of legitimate interest, the Italian authority’s position on processing images on the basis of consent versus legitimate interest, and the limits on processing images of data subjects without their consent.

The podcast episode provided valuable insights into various privacy and data protection issues, including the government’s bid to block access to WhatsApp messages in the Covid inquiry, the ICO’s response to the Open Rights Group’s report, privacy professionals’ salaries, NHS data breaches, fines imposed on companies for privacy violations, and the importance of data quality and accountability.

These discussions shed light on the complexities and challenges surrounding privacy and data protection in today’s digital age. As technology advances and data becomes increasingly valuable, it is crucial for organizations, regulators, and individuals to remain vigilant in safeguarding privacy rights and ensuring responsible data handling practices.