Information Commissioner's Office

Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website
http://www.ico.org.uk
Industry
Law Enforcement
Company size
201-500 employees
Headquarters
Wilmslow, Cheshire
Type
Nonprofit
Founded
1984
Specialties
Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • NEW: We have released a statement on Meta's ad-free subscription service.

    Stephen Almond, ICO’s Executive Director of Regulatory Risk, said:

    “One of our key priorities is to ensure that people’s information rights are upheld by the online advertising industry. Earlier this year we ran a call for views on ‘consent or pay’ models, in which service users pay a fee to not be tracked for online advertising. We are considering the responses received and will set out the ICO’s position later this year.

    “Following engagement with Meta, we are examining how UK data protection law would apply to any potential ad-free subscription service. We will expect Meta to consider any data protection concerns we raise prior to any introduction of a subscription service for its UK users.”

    • Statement
  • Recent cyber attacks on organisations highlight the need to take the security of personal information seriously. In a recent case relating to a local council, one insecure password on a dormant account, still connected to active servers, enabled a hacker to encrypt council data and affect its services.

    From multi-factor authentication to keeping your anti-malware and anti-virus software up to date, we have 11 practical tips to keep personal information secure: https://lnkd.in/eF8kiwB7

    You should also consider other measures, such as:
    • Staff training to add an extra layer of protection: https://lnkd.in/dvjdC3gY
    • Not holding onto data longer than you need to, which will reduce your risk exposure: https://lnkd.in/eiKT3cHm

    • A smartly dressed woman presses an illuminated padlock.
  • We want to support organisations to harness the power of privacy-enhancing technologies (PETs), which can help protect people’s personal information when sharing data.

    🆕 We’ve published a report highlighting our key findings and recommendations following our ongoing PETs work and a workshop we hosted to gain a deeper understanding of the barriers that exist for users and developers of PETs.

    🚧 A few of the barriers we identified included:
    • Uncertainty about how to assess the costs of using PETs.
    • A lack of resources and expertise.
    • Concerns around the maturity of the PETs market.

    Here are a few of our recommendations to organisations developing, using or considering using PETs:
    ➡️ Developers should work closely with organisations using or considering using PETs to develop solutions which will allow seamless integration.
    ➡️ Pricing for PETs should be clear and straightforward for potential customers to understand.
    ➡️ Public sector organisations should engage with private sector organisations with experience of successfully deploying PETs.
    ➡️ Our Sandbox and Innovation Advice Service can help organisations understand how innovative solutions utilising PETs can help ensure data protection compliance: https://lnkd.in/e8xMTNfT

    💻 If you work in an organisation that develops, uses or is considering using PETs, register for our webinar on 25 September. The virtual session will include a deep-dive of the report, recommendations for overcoming barriers and an opportunity to ask questions of our expert team: https://lnkd.in/eVntmK9h

    Read the report in full on our website: https://lnkd.in/enq4ykB8

    • A computer keyboard in the background. Over the top the words: Privacy-enhancing technologies or PETs.
  • "A small group of determined and like-minded people can change the course of history." Mahatma Gandhi

    If you work on freedom of information and you aren’t already a member of an FOI group, forum or network, you might be missing out on a useful source of advice and support. Share best practice and hot topics, discuss legislative issues or even just share your frustrations in a ‘safe space’.

    We’ve been speaking to FOI practitioners and they’ve told us about all the benefits that regular meet-ups, online discussions, and sharing of resources can bring. If you have an existing group open to new members, email us and we may be able to direct interested practitioners to you. The networks are usually free to join and offer a friendly and informal environment. Email: [email protected]

    You might also be interested in registering for our free annual data practitioner conference #DPPC24 in October. More information on how to join on our website: https://lnkd.in/enyevG-e

    • A red background. A series of small icons in a line across the screen. The icons depict a video player and mobile phone, letters, a presentation, messaging app and email.
  • 🎶 We’re looking for a DPO in finance…

    While the world of TikTok might be obsessed with the 6'5", blue-eyed finance guy, we’re more interested in speaking to the finance DPOs interested in improving their subject access request processes. We’ve seen a 15% increase in the number of SAR complaints about the finance sector and have advice for the sector on how to improve:

    1) Assess your current compliance. Data protection is more than a tick-box exercise, and you need to ensure that the processes and approaches you’ve put in place really work. Our Accountability Framework has a number of questions to help you assess your approach and work out where you may need to make changes. https://lnkd.in/eX3JrpcW

    2) Think about records management. If you know what information your organisation holds about people, where you keep it and how you can search for it, you’ll find it easier to handle your next SAR. You should have:
    • a well-structured file plan;
    • standard file-naming conventions for electronic documents; and
    • a clear retention policy about when to keep and delete documents.
    Read our guide to finding information: https://lnkd.in/etJDnsS2
    Assess your approach with our Accountability Framework: https://lnkd.in/enpZcPvd

    3) Consider your company culture. Information management and successful SARs rely on the whole organisation, not just the information management team. Do your colleagues understand the role they have to play? Our Accountability Framework has questions to help you assess yourself and case studies to learn from others’ best practice: https://lnkd.in/eMFTuvdV

    • Woman with glasses looking at computer screen.
  • “Be yourself, embrace your personality and let your uniqueness spark your creativity.” Arvind, Communications Officer at the ICO.

    To celebrate this year’s theme of South Asian Heritage Month, ‘Free to Be Me’, we’re sharing Arvind’s story. We recently hosted an event in partnership with People Like Us to help us reach new audiences from all backgrounds. At this event Arvind spoke about his career journey and his experience as a Punjabi man:

    Every one of us has a unique journey filled with moments that have shaped who we are. Being a South Asian man comes with cultural expectations and pressure to be “successful”. For instance, getting top marks in school and climbing the ranks in a prestigious profession. Although my childhood dream had been to play for Man United and wear the number 7 shirt, I found myself studying computer science at university. I soon realised that I wouldn’t be happy until I pursued my own passions, so I dropped out. Not knowing which career path would be the right fit for me was one of the lowest points for my mental health.

    When I discovered that there are careers in social media, it felt like the perfect fit. Joining the ICO’s communications team, for the first time in a while I found a job that excited me. Then something happened that I’d only dreamed of. I was lucky enough to attend the premiere of David Beckham’s Netflix documentary, where I met the man who made me fall in love with football and Man United. The documentary was trending worldwide and it made me think. Could I use this opportunity and my knowledge of Beckham as part of my role at the ICO? I came up with a plan for a Beckham-themed post as part of cyber security month. It was a massive hit - the most liked of the month - and helped us to get our important guidance and message in front of thousands of people. The success of this post gave me the confidence to keep looking out for opportunities to bring my personality into my work.

    I’m proud to be Punjabi and of the path that I’ve followed. I know there are people who have the same feelings I had when struggling to find the right career. I wanted to share my experience to let people know that it’s okay to not have everything planned out, to be your authentic self and let your uniqueness spark your creativity.

    • Photo of Arvind on stage holding a microphone at the People Like Us x ICO event.
  • Running a one-person operation might seem vastly different from a global enterprise. But the rules are the same, because if personal data falls into the wrong hands, it makes no difference where the error came from. What matters is that people could be harmed.

    You may receive a letter from us to remind you to check if your business needs to pay the fee under the Data Protection Regulations 2018, or if you’re exempt. Data protection law (the Data Protection (Charges and Information) Regulations 2018) applies to most types of workplaces, business ventures, societies, groups, clubs and enterprises of any type. It includes sole traders and the self-employed, even if the business employs only a handful of staff or no staff at all.

    But not everyone pays the same amount. For a small business it’s usually £40 or £60 per year. And if you pay by direct debit, you can reduce the cost by £5.

    Businesses, large and small, can check if they need to pay the data protection fee with our online self-assessment tool: https://lnkd.in/gtG4nJP

    We have more information on the data protection fee on our website: https://lnkd.in/eB9Fr_2F

    The fee goes towards all the guidance and support we offer businesses of all sizes to help get data protection right: https://lnkd.in/ebsneCiw

    • Photo of a man using a tablet on the right. To his left, yellow text on a purple background reads: 
"Data protection fee
A legal obligation
£40 or £60 (or use direct debit to save £5)
Use ico.org.uk/fee-checker"
  • NEW: A software supplier for the NHS and social care sector could face a £6,090,000 fine following a ransomware attack that disrupted NHS services.

    The provisional decision to issue a fine relates to a ransomware incident in August 2022. We have provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.

    Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.

    We have provisionally found that personal information belonging to 82,946 people was exfiltrated during the attack. Reports at the time of the attack suggest that staff were unable to access patient records and that critical services such as NHS 111 were disrupted. The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.

    The Commissioner’s findings are provisional, and he will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.

    💡 What can processors learn from this case?

    Data processors act on the instructions of their clients, the data controllers, who have overall control over how and why personal information is used. However, data processors, such as Advanced, still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

    We have detailed guidance to support organisations to protect their systems from ransomware attacks: https://lnkd.in/eK4S_Vbu

    And guidance on the responsibilities and liabilities of both data processors and controllers: https://lnkd.in/dkJ8zCyd

    • "Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident." John Edwards Information Commissioner. 

To the right of the quote there's a photo of John. He's in a blue pinstripe suit and tie and is looking intently down the camera.
  • Work in policing? Did you know our recent audit of police highlighted best practice? Read the audit report or see our summary below ⬇️ https://lnkd.in/eZBPfkZv

    👉 Why weekly risk assessments can save police time and effort managing Freedom of Information requests.

    A weekly risk assessment meeting, or RAM, is an operational platform where all new FOI requests are reviewed and discussed by the FOI team, business area staff responsible for gathering information, and senior officers. During the meeting the team categorises each request as normal, complex or at increased risk of harm if the information is disclosed publicly. The discussions provide useful context for FOI handlers and help to determine whether it’s feasible to gather the requested information within the required timeframe. The meeting also sets out the FOI draft response schedule that goes to chief officers for review and sign-off.

    Spending time putting in place a risk assessment meeting ensures thorough risk assessment and appropriate handling of all FOI requests. This practice has proven to be effective in managing FOI requests. It underscores the importance of transparency, accountability, and risk management. We consider this proactive cross-organisation assessment of FOI requests to be best practice and encourage its wider adoption.

  • NEW: We’ve taken action against a police force and an NHS trust for failing to respond to hundreds of information requests.

    Both Devon and Cornwall Police and Barking, Havering and Redbridge Hospitals NHS Trust have been issued with enforcement notices for their ongoing FOI failings, which have seen hundreds of information requests go without a response.

    Our Head of FOI Complaints and Appeals, Phillip Angell, said:

    “Everyone should have the ability to access public information. When this information is not received or is significantly delayed, it undermines people’s fundamental rights. This lack of transparency can also create unwanted barriers and risks public trust in the organisations we turn to at our most vulnerable.

    “The public put trust in the NHS and Police when it comes to health and safety, so why, when those same organisations are asked to supply information, are they not met with the same trust?”

    Devon and Cornwall Police

    In 2023, as part of our routine work to monitor public authorities’ compliance with the legislation, the Information Commissioner found Devon and Cornwall Police to be performing poorly in terms of their obligation to provide responses to information requests. It was revealed that between 2022 and 2024 the percentage of requests responded to within the statutory FOI timeframe of 20 working days was consistently low (between 39% and 65%). Their rate of response to internal review requests was also poor, averaging between 0% and 22%. The Force had a backlog of older FOI requests which had increased from 77 in December 2023 to 251 in June 2024.

    Our enforcement notice orders the Force to devise and publish an action plan in the next 30 days which must detail how they will comply with their duties to respond to information requests in a timely manner. The Force has been given six months to clear the existing backlog.

    Barking, Havering and Redbridge Hospitals NHS Trust

    The Commissioner first contacted this authority in June 2023 due to a number of complaints received about its late compliance with FOI requests. It was revealed that, over 12 months, the Trust had only responded to 29% of requests within the statutory timeframe, with January 2024 seeing just 2.5% of requests responded to in a timely manner. The Trust had a backlog of 589 requests in April 2024, which increased to 785 by June 2024.

    Our enforcement notice provides the Trust with 35 days to devise and publish an action plan to clear this backlog by the end of the year.

    What happens next?

    An Enforcement Notice (EN) may be served where the Commissioner is satisfied that a public authority has failed to comply with any of the requirements of Part I of FOIA. If a public authority fails to comply with an EN, the Commissioner may commence Court proceedings under section 54 of the Act, which may be dealt with as contempt of Court.

    We have resources and guidance to help public bodies improve their FOI compliance: https://lnkd.in/eWJx9852

    • We've issued Devon and Cornwall Police with an Enforcement Notice. Compliance rates as low as 39%. 
Overdue FOI responses: 251.
Oldest case: 410 days old.
    • We've issued Barking, Havering and Redbridge NHS Trust with an Enforcement Notice. 
Compliance rates as low as 29%. 
Overdue FOI responses: 785.
Oldest case: 7 months old
