Ibrahim Hasan examines the lessons to be learned from the first two GDPR enforcement notices.
The Information Commissioner’s Office (ICO) recently served only its second Enforcement Notice for breaches of the GDPR.
The first Enforcement Notice was issued in July 2018 against a Canadian company, AggregateIQ Data Services Ltd (AIQ). Strangely it was not published on the ICO’s website but was mentioned in the ICO’s report: “Investigation into the use of data analytics in political campaigns“. Pursuant to section 149 of the Data Protection Act 2018, the notice required AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
The ICO found that AIQ had violated Article 5 and 6 of the GDPR, by processing personal data unbeknown to the data subjects, for undeclared purposes and without a lawful basis for such processing. It had also failed to provide the transparency information, as required under Article 14 of the GDPR.
On 9th May 2019, the Second Enforcement Notice was served on Her Majesty’s Revenue and Customs (HMRC) ordering it to delete personal data it collected unlawfully as part of a Voice ID system. The background to the notice is that HMRC adopted a voice authentication, in January 2017, which asked callers to some of its helplines to record their voice as their password. A complaint from Big Brother Watch to the ICO revealed that callers were not given further information or advised that they did not have to sign up to the service. There was no clear option for callers who did not wish to register. In short, HMRC did not have adequate consent from its customers to collect the data.
In the notice, the Information Commissioner says that HMRC appears to have given “little or no consideration to the data protection principles when rolling out the Voice ID service.” She highlights the scale of the data collection – seven million voice records – and that HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers. It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.
It was also found that a data protection impact assessment (DPIA), that appropriately considered the compliance risks associated with processing biometric data, was not in place before the system was launched. The ICO plan to follow up the enforcement notice with an audit that will assess HMRC’s compliance with good practice in the processing of personal data.
- Recording voices which can be used to identify the speaker is biometric data. This is classed as Special Category Data under GDPR.
- If Data Controllers are planning to rely on consent as a legal basis to process such data, then they must remember that any consent obtained must be explicit (see the ICO guidance on informed consent).
- Large scale use of biometric data is also “high risk” processing and will require a DPIA.
- Data Controllers must be able to demonstrate their GDPR compliance by putting appropriate technical and organisational measures in place.
Steve Wood says: “With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”
Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog. Information on the company's courses can be found on Local Government Lawyer's courses and events section.
Want to know more? Ibrahim is presenting a GDPR Update webinar in July. Act Now runs a full day workshop which can teach you how to do a DPIA. For those seeking a GDPR qualification, its practitioner certificate is the best option.