Information Commissioner's Office

🆕 We’ve issued the Labour Party with a reprimand for repeatedly failing to respond to people who asked it what personal information the party held on them – known as a subject access request (SAR). • Following a cyber-attack in October 2021, the party began to accumulate a backlog of requests. • In the year following, 78% of Labour’s 352 actionable SARs had passed their deadline. • Over half (56%) of these outstanding requests were over a year old. Our reprimand relates to the infringements of Articles 12(3), 15(1), and 17(1) of the UK GDPR. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response. Read more about our action on our website: https://lnkd.in/eEfe_f5p Organisations must respond to a SAR within one month of receipt of the request, however, this can be extended by up to two months if the request is complex. Looking to refresh your SAR knowledge? 👉 We’ve put together brief guidance on SARs for businesses https://lnkd.in/eBgSXTmx 👉 Our more in-depth guidance can be found : https://lnkd.in/eXEbxuz3 👉 For digestible training videos, check out our individual rights page: https://lnkd.in/eCMFFXjE 👉 At our annual conference for data protection practitioners last year, we held a workshop on SARs for employers that you can catch-up on: https://lnkd.in/e8M5tZEf

Missing the Olympics and simply can’t wait for tomorrow’s Paralympic games to start? Well, we’ve got the games for you. Years of training, dedication and practice lead up to this moment – the ICOlympics. 🏃♂️ SAR Relay It’s a team effort to make sure you can quickly and efficiently get the request around the track. You’ll need a strong start with well-trained staff who can identify a request, strong records management processes to keep a hold of that lead and then a well-informed information management team who understands the law, and what can and cannot be shared to give you that sprint finish. Don’t drop the baton – see our guidance if you think your team might fall short of a podium finish: ⚽ Boccia – the quality sport Boccia is a game of precision – and for data protection boccia players it’s no different. The quality of your data needs to be precise and accurate. To reach the jack you need to conduct regular data reviews to make sure they’re accurate, adequate and not excessive, and ensure your staff understand their responsibilities. If you’re failing to hit the target, then have a look at our accountability framework https://lnkd.in/e9fZjcgF 🥇 Access marathon The Access marathon is all about adding mile after mile of protection for your systems and giving your staff the training to breeze through, while any unwanted runners end up with a DNF. The endurance race will ensure competitors deal with minimum password complexity, access restrictions, anti-malware and anti-virus protection, firewall and vulnerability scans. See our Accountability Framework for our rundown of how to get a world record time: https://lnkd.in/eKfWWZwD

Our helpline and live chat service are now closed for the bank holiday. We will reopen at 9am on Tuesday 27 August. Some quick links here: 👉 make a complaint: https://lnkd.in/gukgZ-h8 👉 report a breach: https://lnkd.in/d6FirqSs 👉 pay your fee: https://ico.org.uk/fee

🔒 PETs – an update on our report 💻 Online webinar 📆 25 September 🎟️ Free If you work in an organisation that develops, uses or is considering using PETs, register for our free webinar on 25 September. In case you missed it, we published a new report highlighting our key findings and recommendations following our ongoing PETs work and a workshop we hosted to learn more about the barriers organisations face when deploying PETs. The webinar will include a deep-dive of our new report, recommendations to overcome barriers and a chance to ask our experts questions. Register now: https://lnkd.in/eVntmK9h

Yesterday I took part in a great debate at The Scottish Parliament Festival of Politics - part of the fabulous Edinburgh Fringe festivities! It was about how to ensure the online world is safe for young people and how we raise their information literacy and awareness. Here were my takeaways 🗣 🤝 Tackling online safety and educating and empowering young people with the information they need to make informed choices about their digital activity is a shared societal endeavour. We all play a role - the regulator, social media companies, parents, schools, young people themselves. 🛠 There isn't one way of solving this. Even with regulation - we've seen the impact we can have through different approaches. For instance: - being clear and firm in our discussions with social media firms and video streaming platforms on what we expect them to do to keep kids safe through our world-leading Children's Code has led to a raft of positive changes. Eg: Targeted advertising turned off, bedtime notifications switched off and adults blocked from messaging children on some services. - working with organisations or intervening in the early stages of new digital services can ensure we address potential safety issues before there is harm. - and of course, we are not afraid to take action and issue fines when services fail to adequately protect young people's online privacy, as seen with Tik Tok. 💡Be curious. I think we will see a generational shift in how people interact with their privacy rights, but it's something we can all do. Ask the questions ❔ - What information am I sharing about myself? Am I willing to share it? How is it going to be used? Also questioning the content we see online. I feel hope on that last point after seeing the number of high school students in the audience who were very engaged 💪 Thank you to my fellow panellists who helped bring a variety of perspectives to this big issue Jason Boxt Fiona McNeill Zoe Lambourne and to Martin Hendry who did a terrific job of chairing a hybrid discussion! #FOP2024

What do AI, healthcare and FOI requests have in common? They’re all on the workshop agenda at this year’s DPPC! Share this post with someone who needs to sign up for DPPC24. Registration is FREE so sign up now 👉 https://lnkd.in/eAAgF5aq These are just a handful of the workshops on offer, view the full list on our website: https://lnkd.in/eg4YCKXZ

📢 Who is responsible for data protection compliance across the generative AI supply chain? Accountability is one of the key principles in data protection law and there are two key elements. First, organisations are responsible for complying with data protection law and second, they need to demonstrate compliance. This applies to GenAI models as they often involve the processing of personal information. To demonstrate compliance, the following responsibilities should be identified: ➡️ A controller; ➡️ A processor; or ➡️ A joint controller. What are your views on the allocation of roles and responsibilities in the GenAI supply chain? Share your thoughts in our final call for evidence as part of our GenAI consultation series. Your responses will help us develop our final regulatory positions on GenAI, which will be reflected in upcoming work and guidance. Use our survey to submit your thoughts by September 18 👇 https://lnkd.in/e5kqCpaR Or you can submit your thoughts by email to: [email protected]

🆕 All small organisations need a privacy notice to let customers and suppliers, or staff and volunteers know how you handle their information. In just 10-15 minutes our new privacy notice generator can create tailored privacy notices relevant to small organisations in a variety of sectors of the economy, including: • finance, insurance and legal; • education and childcare; • health and social care; • charity and voluntary; and • all other small organisations in sectors such as retail and manufacturing. Save time and money and generate yours today: https://lnkd.in/eFTC3AzB Keep up-to-date with our latest resources for businesses just like yours: https://lnkd.in/ePNTcqPN #HereToHelpSMEs

NEW: We signed a memorandum of understanding (MoU) with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), which reaffirms our commitment to work together on mutual international issues. The MoU builds on the strong collaboration already established in other forums that both authorities participate in, such as the Global Privacy Assembly, the G7 Data Protection Authorities Roundtable, and the International Working Group on Data Protection in Technology, known as the Berlin Group. The MoU sets out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and, promote dialogue among data protection authorities and other digital regulators. View the MoU: https://lnkd.in/eS2WnTuk

*Imagine you’re looking for your life partner in the Love Is Blind pods and you hear these questions…* 💘 “What’s your name?” 💘 “Where are you from?” ⁉️ “What’s your passport number?” Love may be blind, but make sure your eyes are open to the risks of identity theft. Use the guidance on our website to protect your identity and what to do if identity theft happens to you: https://lnkd.in/egfcDmz4