Insight - Data Protection and GDPR - POSTED: January 24 2024
Data Protection Update – Winter 2024
It’s that time of year again with the annual Data Privacy Day falling on 28 January. First celebrated in the US, in 2008, the event has since gained international recognition as a way to educate individuals and organisations about the importance of data privacy, while encouraging organisations to ensure data protection is built into their operations ‘by design’.
In the UK, Data Privacy Day is an opportunity to reflect on how personal data is collected, protected, used and shared. With this in mind, it’s timely for us to provide an update on the latest data protection news.
New resources and guidance for employers
Helpful new guidance is available from the Information Commissioner’s Office (ICO) on how to deal with information about workers’ health, covering managing sickness and injury records, Occupational Health (OH), medical examinations, health monitoring and testing, and sharing these details. The ICO published new guidance for employers on 3 October 2023 on monitoring workers lawfully, transparently and fairly. Although the guidance does not contain anything unexpected or unforeseen, it is worth reviewing as a reminder of how to ensure compliance with data protection legislation. Further guidance is available on employee monitoring criminal offence data, how to ensure monitoring is fair and employers are transparent, data protection impact assessments, the use of covert monitoring and individual objections.
The ICO has launched a consultation series on generative AI, looking at how data protection should apply. The first consultation, which looks at AI being used to create new content, considers when it is lawful to train AI on personal information obtained from the web and is open until 1 March 2024.
Data protection news
HelloFresh, one of the ever-popular food delivery and recipe companies, has been fined £140,000 for sending millions of spam emails and texts to customers. This followed an investigation in 2022 by the ICO which identified 79 million emails and one million texts over a seven-month period. It was said this was a “clear breach of trust”.
In January 2024 it was reported by the ICO that financial services firm LADH had been fined £50,000 for sending over 31,000 spam text messages over a six-week period in 2022, without giving the option for individuals to opt out. In a quote, the ICO said: “All organisations using direct marketing messages are responsible for ensuring they have valid consent to contact every recipient. Relying on third-party claims of consent, without undertaking checks, leaves organisations open to our enforcement action if it turns out that people have, in actual fact, not given valid consent to be contacted.” (Andy Currey, Head of Investigations).
One of the most high-profile fines was that imposed by Irish regulators on TikTok. TikTok were fined approximately £296m for violating children’s privacy. It is understood TikTok did not agree with the decision or the size of the fine and that changes had already been made. All of these cases serve as a sobering reminder of the need to protect personal data, particularly that relating to minors and vulnerable individuals, and that concerted effort needs to be made to ensure consent to direct marketing has been given.
If you would like further guidance or advice on the above or any data protection or GDPR-related issues, please do not hesitate to get in touch.
This content is correct at time of publication