Who: Information Commissioner’s Office (“ICO”)
When: January 2015
Where: UK
Law stated as at: 4 February 2015
What happened:
The ICO has recently updated its Guide to Data Protection (the “Guide”). This has come about as part of the reorganisation of the ICO website. The different sections of the Guide can now be accessed from one page of the ICO’s website via the index, or can be accessed as a whole in PDF form.
In terms of content relating to the data protection principles, the updated Guide generally maintains the same wording as the previous version. Amendments to the substantive guidance are minimal, although there are a couple of additions (albeit minor) which might be of relevance to marketers holding personal information:
- the Guide now specifically acknowledges that subject access requests (requests from an individual to see what personal information about them is held by an organisation) can be validly made by means of social media (as well as by email, fax or post);
- the Guide now incorporates the checklist which was previously available on the ICO website for businesses to use when considering transferring personal data overseas in order to decide whether they are compliant with the eighth data protection principle (which states that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data);
- the Guide also sets out a test for assessing the adequacy of the measures for protection of personal data being transferred outside the EEA, although the test is relatively general; and
- with regard to ensuring that relevant safeguards are in place for transfers outside the EEA, the Guide confirms that although the ICO has continued to authorise both the original 2001 version and the revised 2004 version of the European Commission’s model clauses for data controller to data controller transfers, it only authorises the revised 2010 clauses for data controller to data processor transfers.
Therefore, any new transfer agreements based on the original 2001 model clauses for data controller to data processor transfers will not be deemed authorised by the ICO.
The updated Guide also provides links to further ICO guidance on certain matters. As such, the ICO has advised that the new version of the Guide should be used as a replacement for previous versions.
Why this matters:
Marketers who deal with personal data should be aware that the updated Guide is the first port of call in terms of the UK regulator’s views on how to comply with data protection laws. Although the content has not changed dramatically when compared to the previous version, the updated Guide should be used from this point on as it contains a few additional compliance considerations and provides links to the most recent additional ICO guidance on specific topics.