GDPR for HR | ICO enforcement, DSARs, and what UK data law changes to expect

ICO enforcement action: biometric data remains at the fore

The Information Commissioner's Office (ICO) reprimanded Chelmer Valley High School in Essex for using facial recognition technology (FRT) to identify students as part of a cashless payment system for school catering. While the use of FRT itself was not deemed inappropriate, the school failed to complete an adequate data protection impact assessment (DPIA) before implementation and had relied on opt-out consent from parents (which is not valid) rather than obtain explicit consent from the students.

Key lessons for other data controllers include:

• Understand the risks. FRT enables the easy identification of individuals, but it also generates the sort of biometric data that constitutes special category data under UK GDPR. Processing of such data is likely to be a high risk due to the potential impacts on individuals' rights and freedoms, including risks of bias and discrimination.
• Conduct a DPIA. Organisations must undertake a DPIA where there is “likely to be a high risk” to individuals and this should be done before rolling out new uses of personal data.
• Consult the ICO if necessary. If the DPIA identifies high risks that cannot be mitigated, organisations must consult the ICO before proceeding.
• Opt out consent is not enough. Opt out consent is not a valid lawful basis for processing special category data. UK GDPR-compliant consent must be freely given, specific, informed, unambiguous and involve affirmative action. 

Data subject access requests: requestors entitled to identities of recipients

In the recent case of Harrison v Cameron & Another, the High Court ruled that data subjects are entitled in principle to know the specific identities of the recipients of their personal data, not just the categories.

The decision clarifies Article 15(1)(c) UK GDPR, which requires controllers to provide data subjects with details of “the recipients or categories of recipient” following a data subject access request (DSAR).

The case involved the claimant homeowner who contracted the defendant gardening company director for landscaping work. The defendant covertly recorded threats made by the claimant and shared these recordings with their employees, friends and family. Upon discovering the recordings, the claimant made DSARs both to the defendant and the defendant’s company, requesting the specific identities of the recipients. The defendant refused, claiming the data was processed in a purely personal context, thus outside the scope of UK GDPR.

Key findings included:

• Directors, acting in their capacity as a director and processing data in the course of their duties for their company, are not controllers – the company is the relevant controller.
• Data subjects have the right to know the identities of the recipients of their personal data. It is the data subject's choice to request either the specific identities or just the categories of recipients.
• However, controllers can withhold this information if the request is manifestly excessive, or disclosure would be outweighed by the recipients' privacy rights. Controllers have a wide discretion in deciding what is reasonable, including what factors are relevant in the balancing exercise. 

The judgment removes the controller’s discretion to make the decision on behalf of the data subject and will have practical implications when responding to DSARs.

The High Court notably referenced, and agreed with, the Court of Justice of the EU Austrian Post decision (C-154/21), indicating the continued relevance of EU case law to UK GDPR interpretation.

UK data protection under Labour: what changes to expect

The Data Protection and Digital Information Bill is no more – instead the government has announced plans for a Digital Information and Smart Data Bill and a Cyber Security and Resilience Bill. But little is yet known about plans for AI regulation.

Death of the Data Protection and Digital Information Bill

The Data Protection and Digital Information (DPDI) Bill did not pass during the Conservative government's "wash up" period - the period where the former government pushed through those bills it deemed essential or that were subject to minimum debate. As a result, it has lapsed.

The bill aimed to simplify obligations under the UK GDPR and was viewed by the former Conservative government as a step towards distancing the UK from what it considered  burdensome EU regulations.

Digital Information and Smart Data Bill

The King's Speech on 17 July 2024 included a surprise: the introduction of a new, standalone Digital Information and Smart Data (DISD) Bill. It had been anticipated that the new Labour government would re-introduce the smart data and digital identity verification provisions from the DPDI bill within a new AI bill. In the event, there was no AI bill (see below) and a new DISD bill instead.

The government says that the bill will put digital verification services, smart data schemes and the national underground asset register on a statutory footing.

Notably, the DISD bill will not introduce more wide-scale reforms to the UK data protection regime that were proposed under the previous government's DPDI bill. This is unsurprising, as the Labour Party opposed much of the DPDI bill, viewing it as an erosion of privacy rights. However, the government did say that there will be "targeted" reforms to certain data laws where a "lack of clarity" is currently hindering technological advances and adoption.

As a result, while the UK's data protection law regime will remain closely aligned with the EU's for now, the full extent of the government's intentions will only become clear once the new bill is published.

Cyber Security and Resilience Bill

The government also proposes to introduce a new Cyber Security and Resilience Bill aimed at strengthening the cyber defences of the country's critical infrastructure and digital services.

The bill will update the existing regulatory framework by:

• expanding the scope of the Network and Information Systems (NIS) Regulations 2018 to cover more digital services and their supply chains;
• providing regulators with greater powers and resources to ensure implementation of essential cyber safety measures and to investigate potential vulnerabilities; and 
• requiring mandatory reporting of ransomware attacks and expanding the type and nature of incidents that regulated entities must report.

Artificial intelligence

Just before the King's Speech, there was press speculation that an AI bill would be included in the government's legislative plans. However, that turned out not to be the case.

AI was mentioned only twice in the briefing notes: once in the prime minister's introduction (stating that the government will "harness the power of artificial intelligence as we look to strengthen safety frameworks") and once in the King's address, where he said that the government will "seek to establish the appropriate legislation" to regulate those developing the most powerful AI models.

This latter statement would suggest that either the legislation is not yet ready and requires further work or the government intends to hold a further period of consultation due to disagreements or a lack of direction over how to resolve some of the more complex issues. 

Please see our Insight giving an overview of the King's Speech for more. 

Upcoming events

Dipping into Data | Data Subject Access Requests

10 September | 16:00-16:30

Using a practical case study, we will look at the mechanics and tactical considerations of responding to a data subject access request and provide an update on the latest regulatory and case law developments.

Register now >

Dipping into Data | ICO data protection practitioners' conference

17 October | 16:00-16:30

In this webinar, our experts will consider the main takeaways from the UK privacy regulator's annual conference (held on 8 October) and the practical implications for business.

Register now >