Information Commissioner's Office

Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website
http://www.ico.org.uk
Industry
Law Enforcement
Company size
201-500 employees
Headquarters
Wilmslow, Cheshire
Type
Nonprofit
Founded
1984
Specialties
Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • We strongly support responsible data sharing, especially when it helps to safeguard vulnerable people and prevent harm. Responsible data sharing can aid the prevention of data-enabled scams and fraud that target vulnerable people online. Data protection law can act as an enabler for fair and proportionate data sharing – rather than a barrier – and we’ve developed a variety of resources to help. We stand ready to support stakeholder-led initiatives which seek to promote responsible sharing of data, and we’re also developing new resources that will empower businesses to share data appropriately to mitigate fraud and scams. Our existing resources have been created to empower people and organisations to share data responsibly: ➡️ Use our Data Sharing Code of Practice as a guide on how to share personal data in a way that complies with data protection law: https://lnkd.in/eCXnq9hk ➡️ We have sector specific guidance that offers practical advice on data protection considerations when you need to share information: https://lnkd.in/eFxpy6-w ➡️ We’ve provided real world examples and case studies of different approaches to data sharing: https://lnkd.in/egh9q-YJ We’re currently working with stakeholders to understand which types of case studies and examples will support organisations to have confidence in proactively sharing information to prevent fraud and scams harms. Stakeholders include: ➡️ Other regulators as part of the Digital Regulation Cooperation Forum (DRCF) ➡️ Government ➡️ Financial ➡️ Telecoms and social media firms ➡️ Trade and anti-fraud bodies ➡️ Consumer groups. We will hold workshops with stakeholder groups as we develop these case studies. We’re eager to hear from interested stakeholders on any ideas, suggestions for useful case studies or questions about our guidance. 📨 Send us your thoughts via email to: digitalregulationcooperation@ico.org.uk

    • Arrows to represent data being transferred around an icon of two people. One has an arm around the other.
  • It’s been three years since the first UK GDPR certification scheme launched. In that time, 39 businesses have gone through a rigorous certification process to demonstrate to their customers that they take data protection seriously. From technology providers for pension schemes to interactive learning providers. If you work in: ♻️ IT asset disposal, 🔞 age assurance, 🏫 training, education or qualifications, ⚖️ legal services, 🚸 app development, 🚸 online games, 🚸 smart toys or 🚸 educational websites Then you should consider the ICO-approved certification schemes: ♻️ ADISA ICT Asset Recovery Certification 8.0: https://lnkd.in/e6xiyZA4 🔞 Age Check Certification Scheme (ACCS): https://lnkd.in/gn8RefNy 🏫 Provision of Training and Qualifications Services: https://lnkd.in/dBQfe_Pt ⚖️ Legal Services Operational Privacy Certification Scheme (LOCS): https://lnkd.in/eTYYmTU5 🚸 Age Appropriate Design Certification Scheme (AADCS): https://lnkd.in/d3Nz5HUd

    • Woman looking at a screen overlaid on the image there are 3 check boxes with a tick inside.
  • NEW: We have reprimanded the Electoral Commission after hackers gained access to servers that contained the personal information of approximately 40 million people. Read on for more details. In August 2021, hackers successfully accessed their server by impersonating a user account and exploiting known software vulnerabilities in the system that had not been secured. Until October 2022 – over a year later – the attackers had access to the personal information held on the Electoral Register, including names and home addresses. The Electoral Commission did not have appropriate security measures in place to protect the personal information it held: ➡️ servers weren’t kept up to date with the latest security updates ➡️ many accounts still used passwords identical or similar to the ones originally allocated by the service desk Read more about our action: https://lnkd.in/dPR_icrb Stephen Bonner, Deputy Commissioner at the ICO, said: “The Electoral Commission handles the personal information of millions of people, all of whom expect their data to be in safe hands. “This action should serve as a reminder to all organisations that you must take proactive and preventative measures to ensure your systems are secure and up-to-date. Otherwise, you put people’s personal information at risk. “I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach. The Electoral Commission has now taken the necessary steps to improve its security.” We have more security guidance for all organisations on our website: https://lnkd.in/eVSbmnRT

    • “If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened.” Stephen Bonner, Deputy Commissioner, Regulatory Supervision. 

Next to the quote there's a picture of Stephen Bonner. He's looking straight into the camera and wearing glasses, a dark jacket, a white shirt and light blue speckled tie.
  • NEW: Meta Platforms Inc. (Meta) has entered our Sandbox with a project to explore online ad measurement using privacy enhancing technologies (PETs). 💭 The project Meta is researching a system utilising Secure Multiparty Computation (MPC) that aims to enable accurate ad measurement while ensuring user privacy. How will the Sandbox work in this case? Our Sandbox will ensure Meta considers the impact data protection laws have on its project. The results will be published at the conclusion of the project, benefitting wider industry as we assess how PETs can be rolled out in an online advertising measurement context. Read more on our website: https://lnkd.in/e_hHxsqC We’re committed to supporting the creation of a more privacy friendly internet for UK consumers and we’re pushing companies to consider new approaches. It's part of our broader work to ensure that people’s rights are upheld by the online advertising industry. We’re also encouraging the use of PETs as they help organisations unlock the potential of data while keeping people’s personal information private. Find out more in our PETs guidance: https://lnkd.in/eZvPVDTx Our Sandbox is a place for organisations looking to use information in innovative ways to test and ensure their approach has data protection built in. Register interest to our Sandbox today to get our support on your innovative projects: https://lnkd.in/eiCcyz2F

    • Photo of people shaking hands. Text reads: "Meta Platforms Inc. 
ICO Sandbox participant
ico.org.uk/sandbox"
  • How would your organisation react to a ransomware attack on the personal information you need to run your business? Our recent reprimand for the London Borough of Hackney underlines the importance of having robust security measures in place to protect the personal information of residents. Hackers were able to encrypt 440,000 files. Read about the incident in full: https://lnkd.in/eQD96ruy Ransomware and cyber-attacks use flaws in information security to allow hackers to gain control of information in an attempt to extort money for its return. Over the past few years, we’ve seen the rise in the number and severity of ransomware attacks. In this case, Hackney did do some things well after they found out about the attack: • It let the people impacted know about the attack: • it sent out information and advice to 100,000 homes; • it updated its website informing those affected about the attack; and • it emailed everyone who had consented to receiving marketing information from Hackney. Hackney notified and engaged with the National Crime Agency, the National Cyber Security Centre and the Metropolitan Police to create contingency plans to remove any unlawfully published data. The council created risk assessments to identify people at high risk and had put plans in place in case any more sensitive data was exfiltrated by the hacker. And it created emergency business processes in response to the attack. For more information on what your organisation should do in case of a breach, read our guidance: https://lnkd.in/exJWCCsC

  • Good luck to all our fellow shortlisters! We're in the running for two PRWeek UK awards this year: ✨ In-House Team of the Year (Public Sector) as we work to bring the importance of data protection to as many people as possible; and ✨ Public Sector Campaign for our Help Gran, Stop Spam work to protect the public against predatory marketing calls, encouraging people to protect their family and friends by reporting cold callers and helping them register with the Telephone Preference Service (the UK’s ‘do not call’ list). We'll find out the eventual winners in October but, win or lose, we won't stop working as hard as we can to ensure personal information is treated fairly and securely. Fingers crossed!

    • Neon circles and squares on a dark red background.  PRWeek Awards 2024 - shortlisted 2024.
  • How personal data is processed within digital identity systems is a key consideration, as significant harms may arise from misuse of that data, for example, in the event of a personal data breach. We'll continue working closely with our DRCF colleagues, industry and Government departments to ensure privacy is at the heart of the design in order to build and maintain the trust of people using the systems. We've got more information in our Digital Identity Position Paper: https://lnkd.in/gda5QaXG

    NEW: Exploring the Future of Digital Identity The DRCF has published a summary of its research on the future of digital identity, outlining potential regulatory implications. Read the article in full here https://lnkd.in/dtSFTDk2 Digital identity has potential to deliver a range of benefits, including more convenience; more accessibility and inclusion; less processing of personal data; and environmental benefits, if companies maintain fewer overlapping sets of data. However, it also gives rise to some significant risks that will need to be addressed as it develops, such as abuse by bad actors, misuse of personal data, and creation of a digital divide between those who use it and those who do not. #digitalidentity #data #regulation

    Exploring the Future of Digital Identity - DRCF Findings

    drcf.org.uk

  • NEW: We’re working with the Metropolitan Police Service who are trialling the potential use of investigative genetic genealogy, including genetic databases, to investigate the unidentified human remains of missing people, and potentially to help solve ‘cold cases’. ⏳ The project Investigative Genetic Genealogy (IGG) is an approach for identifying family relations using genetic testing and genetic databases. The Met are looking at how they could use IGG in the investigation of unidentified human remains to help bring closure to families of missing individuals. IGG is currently used in other countries, where it has been successfully used in many high-profile missing persons cases and ‘cold’ cases, some of which date back decades. The project will: ➡️ assess the available technologies ➡️ explore the potential applications, limitations and ethical impact of IGG in a criminal justice setting. ➡️ identify data protection responsibilities and risks. ➡️ identify relevant data processing regimes. Our Sandbox is a place for organisations developing innovative projects with a real public benefit to test and ensure their approach has data protection built in. If you’d like our support apply to our Sandbox today: https://lnkd.in/eiCcyz2F

    • Image of a police officer on the right. To the left text reads "The Metropolitan Police Service
ICO Sandbox participant
ico.org.uk/sandbox"
  • Information Commissioner's Office reposted this

    DRCF: Delivering impact through cooperation. Published today, this new article measures the DRCF’s impact and how its work benefits regulators, government, industry and the wider economy. Read in full - https://lnkd.in/eSNq9e27 Some highlights - • Stakeholders recognise the value of our joint publications on topics such as harmful online choice architecture, which provide greater clarity of regulator expectations and help improve outcomes for consumers. • Our joint work and shared expertise have supported timely and cost-effective delivery including, for example, the DRCF AI and Digital Hub. This ambitious one-year pilot service helps unlock innovation and supports UK economic growth. • Internationally, the DRCF acts as a vehicle for greater cooperation and is inspiring the adoption of similar models. We are keen to hear from stakeholders about the impact of the DRCF’s work and the approaches we can take to assess it. Please contact drcf@ofcom.org.uk to share your views. #digital #regulation #cooperation

    DRCF: Delivering impact through cooperation

    drcf.org.uk
