Labour Party Reprimanded for Subject Access Delays 

Last week, the Information Commissioner’s Office (ICO) issued the Labour Party with a Reprimand, under the UK GDPR, for repeatedly failing to respond to subject access requests (SARs). This is an embarrassing development for a party in government which recently announced a number of parliamentary bills in the area of information governance.

Background 

In November 2022, the Labour Party found itself inundated with 352 SARs that required timely responses. 78% of these requests were not answered within the maximum compulsory time limit of three months, and more than half (56%) were significantly delayed, by over one year. The backlog stemmed from a cyber-attack on the Labour Party in October 2021, which triggered a surge in SARs.

During the ICO’s investigation, it came to light that a ‘privacy inbox’ within the Labour Party had not been monitored since November 2021. This inbox contained approximately 646 additional SARs and around 597 requests for deletion of personal data. None of these requests had been responded to.  

This reprimand comes a few months after a report by openDemocracy, an independent international media platform. The report claims that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation. 

Since engaging with the ICO, the Labour Party has taken steps to address its backlog, including assigning three temporary staff members to focus solely on handling outstanding requests and allocating additional resources to expedite responses.


Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment. 

The King’s Speech: What now for AI regulation and Data Protection reform?

The new Labour Government’s legislative programme was outlined in the King’s Speech at the State Opening of Parliament yesterday. Here are the key Bills information governance professionals need to look out for.

An AI Bill?

Despite media reports, the King’s Speech did not include a bill to regulate artificial intelligence (AI). The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. Expect a government consultation to be announced soon.

However, it is likely that new AI requirements will be introduced in other forthcoming legislation, e.g. the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act (see below).

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto says:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

Meanwhile Europe is going full speed ahead on AI regulation. The EU AI Act will be on the EU statute books on 1st August 2024 and then become enforceable in stages. (A useful summary has been produced by lawyers at Stephenson Harwood.)

Cyber Security and Resilience Bill

A new Cyber Security and Resilience Bill will be introduced. It will expand regulation to cover more digital services and supply chains, empower regulators to ensure cyber security measures and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom.

The Bill seems to be a response to recent high-profile cyber-attacks. In June, Synnovis, the NHS service provider responsible for blood tests, swabs, bowel tests and other critical services, was the target of an attack affecting NHS patients across six London boroughs. Two major London hospital trusts had to cancel all non-emergency operations and blood tests. It later transpired that Qilin, a Russian cyber-criminal group, had shared almost 400GB of private information on its darknet site.

Digital Information and Smart Data Bill

No reference was made to data protection reform in the King’s Speech, but a Digital Information and Smart Data Bill was announced. The main provisions of the new Bill are:

  • Scientists will be able to ask for broad consent to use personal data for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make more use of personal data.
  • The Information Commissioner’s Office (ICO) will be transformed into a “more modern regulatory structure”, with a CEO, board and chair. It will also have new stronger powers.
  • The establishing of digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services e.g. to help with things like moving house, pre-employment checks and buying age restricted goods and services. This is not the same as compulsory digital ID cards as some media outlets have reported.
  • The creation of a legal framework for Smart Data. This is the secure sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only active example of a regime that is comparable to a ‘Smart Data scheme’ – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand.

Most of these proposals are not particularly controversial and were in the Data Protection and Digital Information Bill, which failed to make it through the Parliamentary “wash up” stage when the election was announced.

There may be more changes to come. We are told there will be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies”.

There is much to chew over for IG professionals in the King’s Speech. As ever the devil will be in the detail (the Bills when published). Interesting times ahead.

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

AI Bill to be included in King’s Speech

A bill to regulate Artificial Intelligence (AI) will be one of 35 bills to be included in the King’s Speech tomorrow, according to the Financial Times. The Bill will seek to enhance the legal safeguards surrounding the most cutting-edge AI technologies, according to people briefed on the plans.

The 2024 Labour election manifesto contained pledges to support the development of AI. It stated Labour would ensure their “industrial strategy supports the development of the AI sector and removes planning barriers to new datacentres.” The Bill seeks to follow through on the manifesto pledge to regulate AI, but only in some cases:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

The Bill is likely to focus on the production of large language models (LLMs), the general-purpose technology that underlies AI products such as OpenAI’s ChatGPT.
It is a departure from the previous government’s approach which was not to place AI regulation on a statutory footing but to make use of “regulators’ domain-specific expertise to tailor the implementation of the principles to the specific context in which AI is used.” 

The new Bill follows the EU’s tougher approach. The EU AI Act was published in the Official Journal of the EU last Friday (July 12th 2024), firing the gun for the enforcement countdown. It will be on the EU statute books on 1st August 2024 and then become enforceable in stages.

The main provisions of the Act can be read here. In summary, the Act sets out comprehensive rules for AI applications, including a risk-based system to address potential threats to health and safety, and human rights. The Act will ban certain AI applications that pose an “unacceptable risk,” including real-time and remote biometric identification systems such as facial recognition. Additionally, it will impose strict obligations on those considered “high risk,” encompassing AI used in EU-regulated product safety categories, for example cars and medical devices. These obligations include adherence to data governance standards, transparency rules, and the incorporation of human oversight mechanisms.

It will be interesting to read the text of the new Bill when it is published, especially how it overlaps with the provisions of the UK GDPR.

Our AI Act workshop will help you understand the new law in detail and its interaction with the UK’s objectives and strategy for AI regulation.

Information Governance: The Future

So now we have a Labour Government, what can we expect vis-à-vis information governance?

Data Protection

Before the snap election was announced, most information professionals were getting ready to implement the Data Protection and Digital Information Bill, which was making its way through the House of Lords and was set to be passed in July. The Bill would have amended the UK GDPR to make it, according to the Government, “a tailored, business-friendly British system of data protection.” The election put an end to the Bill, which failed to make it through the Parliamentary “wash up” stage.

The Labour Party had nothing to say on this topic in its manifesto, apart from a pledge to “improve data sharing across services, with a single unique identifier, to better support children and families.” It also said it intends to create a “National Data Library” to bring together existing research programmes and “help deliver data-driven public services”.

It is still likely that some Data Protection law reform will be undertaken by the new Government. Some of the less controversial aspects of the Bill, such as making it easier to use personal data for research and the reorganisation of the ICO, could return.
But we are not going to see wholesale reform in the first few years, especially as the Government will not want to jeopardise the UK’s EU adequacy status, which is due for renewal by June 2025. Thankfully the introduction of digital ID cards has also been ruled out, after Tony Blair suggested they could help control immigration.

AI Regulation

The rapid advancements in Artificial Intelligence (AI), and their potential impact on people’s rights and freedoms, have led to calls for better regulation. The Labour manifesto contains pledges to support the development of AI. It says Labour will ensure their “industrial strategy supports the development of the AI sector and removes planning barriers to new datacentres.” There is also a pledge to regulate AI, but only in some cases:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

But there is no real detail about what AI regulation will look like under Labour. Perhaps the party will take the lead from the TUC, which produced an AI Bill in April, or the EU, which recently passed the EU AI Act.

Online Safety

The Labour manifesto states that the party will “build on” the Online Safety Act, “bringing forward provisions as quickly as possible, and explore further measures to keep everyone safe online, particularly when using social media”. Labour also intends to give coroners “more powers to access information held by technology companies after a child’s death” and to create a “Regulatory Innovation Office” which will help existing regulators “update regulation, speed up approval timelines and co-ordinate issues that span existing boundaries”.

Freedom of Information

Freedom of Information laws are always popular with opposition parties who wish to critically assess government policies or discover uncomfortable truths (at least for the Government) about their implementation. But in government, such laws are often seen as an inconvenience (just ask Tony Blair). None of the parties made any specific mention of FOI in their manifestos. This is surprising: the Labour Party has been arguing for many years that private contractors delivering public services should be subject to FOI laws. Perhaps they will look again at strengthening FOI.


The High Court on Subject Access Requests

Article 15 of the UK GDPR gives Data Subjects a right to receive all the information held about them by a Data Controller. In addition, they have a right to receive information on “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.” Does the Data Controller have a choice whether to disclose the recipients or the categories of recipient?

In a recent High Court case, Mark Harrison v Alasdair Cameron and Alasdair Cameron Limited (2024), Mrs Justice Steyn ruled that Data Subjects are entitled to know the identities of the recipients of their personal data, not just the categories of recipients. Steyn J also clarified the nature and scope of the Subject Access Right (SAR).

Background

The case involved Mr. Cameron, a director of a gardening company, and Mr. Harrison, a wealthy homeowner involved in property investment. Mr. Cameron recorded threatening calls from Mr. Harrison during a dispute and shared these recordings with family members and others. These recordings eventually reached Mr. Harrison’s business peers, allegedly causing his company to lose a significant property acquisition.

Mr. Harrison submitted SARs to Mr. Cameron and his company, ACL, requesting details of who received his personal data. The requests were initially denied on several grounds:

  • Mr. Cameron argued that he was processing the data in a purely personal context, which would be outside the scope of the UK GDPR.
  • It was claimed that Mr. Cameron, as an individual, was not a Data Controller under the UK GDPR.
  • ACL invoked an exemption, arguing that disclosing the identities of recipients would involve sharing information about other individuals without their consent.

Court’s Findings

  • The court disagreed with Mr. Cameron’s assertion that the data processing was purely personal. It ruled that he acted as a director of ACL, meaning the processing was within a professional context and thus subject to the UK GDPR.
  • Despite Mr. Cameron’s role in processing the data, the court ruled that he was not a Data Controller. Following legal precedents, the court said that a company director, acting in that capacity, is not a controller but the company itself is.
  • Despite Mr. Harrison’s entitlement in principle to know the identities of recipients, the court decided against disclosing this information. Mr. Harrison had a history of making numerous SARs and exhibited intentions to pursue legal actions beyond data protection law. ACL argued that revealing the recipients would expose them to significant risks of harassment and legal threats from Mr. Harrison. The court agreed, highlighting that the potential for hostile litigation was a relevant factor in balancing interests. The motive behind a SAR can be considered, especially when there is a need to protect third parties from harm that extends beyond the scope of data protection rights.

The High Court’s judgment brings clarity to the SAR process, emphasising the Data Subject’s right to specific recipient information and reinforcing the limited purpose of SARs in protecting privacy rights. It also introduces a nuanced approach to balancing the rights of the requester against potential risks to third parties, particularly when the requester’s motives suggest potential misuse of the information.


What does the Liberal Democrat Manifesto say about AI and Data Protection?

This morning the Liberal Democrats launched their 2024 General Election Manifesto. The 116-page document includes pledges to recruit 8,000 more GPs, give unpaid carers a right to paid carers’ leave from work, and introduce free personal care in England. But what are their plans for AI regulation and DP reform (we hear some of you ask)?

Here are some quotes which answer the above questions (and we must admit it is our first reading of the manifesto):

AI Regulation

Create a clear, workable and well-resourced cross-sectoral regulatory framework for artificial intelligence that:   

  • Promotes innovation while creating certainty for AI users, developers and investors.
  • Establishes transparency and accountability for AI systems in the public sector.
  • Ensures the use of personal data and AI is unbiased, transparent and accurate, and respects the privacy of innocent people.
  • Negotiate the UK’s participation in the Trade and Technology Council with the US and the EU, so we can play a leading role in global AI regulation, and work with international partners in agreeing common standards for AI risk and impact assessment, testing, monitoring and audit.

Surveillance and Human Rights

  • Introducing a Digital Bill of Rights to protect everyone’s rights online, including the rights to privacy, free expression, and participation without being subjected to harassment and abuse. 
  • Ending the bulk collection of communications data and internet connection records.
  • Introducing a legally binding regulatory framework for all forms of biometric surveillance.

Data Sharing

Establish a firewall to prevent public agencies from sharing personal information with the Home Office for the purposes of immigration enforcement and repeal the immigration exemption in the Data Protection Act.

Surprisingly, the manifesto does not address Freedom of Information reform or even extension. It does say: “all Ministers’ instant-messaging conversations involving government business must be placed on the departmental record”.

The Conservative Party will publish its manifesto on Tuesday and Labour will do so on Thursday. Still no news from Count Binface about his plans!


Manifesto Week: What will the parties say about DP and AI?

The UK’s two main political parties are set to publish their election manifestos this week. Information governance professionals will be keen to find out what the parties’ plans are in relation to the current hot IG topics including data protection reform, AI regulation and data sharing.

The Conservative Party will publish its manifesto on Tuesday. Penny Mordaunt said in a BBC television debate on Friday:

“You have already heard some announcements and you’ll see more in our manifesto next week. We have got to cut people’s taxes and we have got to alleviate burdens on business.” 

That’s all fine, but what IG professionals will want to know is whether the Government will bring back the Data Protection and Digital Information Bill, which fell in the House of Lords after not making “wash up”. Could they propose to combine the Bill with AI regulation, having previously opted for a non-statutory approach on the latter? We will know better on Tuesday.

The Labour manifesto is due to be published on Thursday. Whilst it is still being finalised, clues about what IG proposals it may contain can be found in the National Policy Forum document which the party says is “set to shape the next Labour manifesto”. It states, amongst other things, that Labour will:

  • Ensure our world-class researchers and businesses have the data and computing infrastructure they need to compete internationally

  • Harness data for the public good and introduce robust regulation that opens up data while enshrining consumer rights

  • Maintain Britain’s data adequacy status meaning our data protection rules are deemed equivalent to those in the EU

  • Make it easier for public services to adopt innovative technologies by removing barriers to data-sharing and smart procurement.

  • Use new capabilities in data analysis and AI to deliver better public services and improve people’s quality of life, and ensure society is fairly rewarded for the data it generates, built on frameworks and institutions that build public trust and uphold the privacy and security rights of UK citizens, including in the workplace

  • Ensure we have cyber resilience and security against rogue states and other hostile actors

  • Harness technology for public good, ensuring the UK is the best place in the world for safe and responsible technology, building the world’s most competent regulatory environment for AI and automation and supporting a thriving and effective AI and automation assurance ecosystem

  • Ensure that the regulatory environment appropriately and proportionally mitigates the potential harms that AI could cause by taking a principles-based approach to tech and AI

  • Explore whether the companies developing the underlying ‘foundation models’ that power specific AI tools and applications should also be subject to regulation

  • Act quickly to set the standards for safe and responsible AI

  • Ensure that workers have new rights, protections and access to training to keep pace with the changing nature of work and technological advancement

The Liberal Democrats are launching their manifesto today. If you can’t wait till later, their Fair Deal for voters offers some insights on what might be included. We are still waiting for Count Binface to publish his manifesto; we could see a repeat of his London Mayoral Manifesto which promised, amongst other things, to bring back Ceefax to all households within the M25!


General Election: Political Parties’ Personal Data Processing

As the UK heads into a General Election, understanding how political parties collect and use personal data is crucial for voters. The UK GDPR provides protections, in the form of data subject rights, but it is up to voters to exercise their rights and stay vigilant. By doing so, they can ensure their privacy is respected and contribute to a fair and transparent electoral process.

Both Labour and the Conservatives have recently been accused of breaching the UK GDPR. Last month we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from their online tax calculator and a data breach exposed by Rachel Cunliffe, Associate Political Editor of the New Statesman. We also reported on a case where the Labour Party has been accused of failing to comply with a Subject Access Request from a Palestinian activist who was ejected by police from a fundraising event.

Data Collection Methods

Political parties utilise multiple methods to gather personal data about voters. These include:

  1. Electoral Registers: The most straightforward source of voter data is the electoral register, which provides names and addresses of registered voters. Political parties have legal access to the full electoral register, unlike commercial entities that can only access the edited version.
  2. Canvassing and Surveys: Traditional door-to-door canvassing and telephone surveys remain essential tools. Party volunteers and staff collect information directly from voters about their political preferences and concerns.
  3. Social Media and Online Platforms: Political parties increasingly rely on social media to gather data. Platforms like Facebook and Twitter provide rich data on user preferences, interactions, and behaviours. Parties use cookies and tracking pixels on their websites to collect additional data on visitors.
  4. Data Brokers: Political parties also purchase data from commercial brokers. These brokers aggregate data from various sources, providing detailed voter profiles that include demographic and behavioural information.

Data Processing and Usage

Once collected, this data is processed to create detailed voter profiles. The aim is to tailor political messages to specific segments of the electorate, enhancing the effectiveness of campaigns. Key techniques include:

  1. Profiling: Using algorithms and machine learning, parties analyse data to identify patterns and predict voting behaviour. This helps in segmenting the electorate into various categories based on age, gender, location, interests, and past voting patterns.
  2. Micro-targeting: With profiling, parties engage in micro-targeting, delivering highly personalised messages to small groups of voters. This could mean targeted social media ads, personalised emails, or direct mail tailored to specific concerns and preferences.
  3. Campaign Strategy: Data-driven insights influence overall campaign strategy, helping parties decide where to focus their resources. For example, identifying swing voters or areas with low voter turnout allows for more efficient campaign planning.

ICO Guidance

The ICO has long been concerned about how political parties use personal data. In July 2018 it published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties.

Last month, the ICO published a blog on handling personal information during the election campaign to ensure expectations around compliance with the law are clear. The blog sets out answers to some of the common questions that the ICO is asked during elections and explains what voters can expect from the ICO during the pre-election period. Last week, John Edwards, the Information Commissioner, also wrote to political parties reminding them of their data protection obligations.


The DP Bill is Dead. Long Live the UK GDPR!

After 24 hours of speculation, it is now confirmed that the Data Protection and Digital Information Bill has fallen in the House of Lords and will proceed no further. It is now an ex-Bill!

The Bill failed to make it into the “wash-up” process following Rishi Sunak’s surprise General Election announcement. It seems that the controversial parts of the Bill, such as the DWP’s bank account snooping powers, prevented cross party agreement.

We now have to wait for publication of the political parties’ manifestos to see their plans for Data Protection reform (if any). It could be that they propose to combine DP reform with AI regulation. Watch this space!