On July 23, 2020, the UK Information Commissioner’s Office (the “ICO”) published the first two reports of its Data Protection Regulatory Sandbox Beta phase (the “Beta phase”) involving projects by Jisc (a not-for-profit organization serving the higher and further education and skills sectors) and Heathrow Airport Ltd.
The ICO introduced the Regulatory Sandbox service with the goal of demonstrating that data protection can be combined with real world innovative solutions. The Beta phase of the Regulatory Sandbox was launched in September 2019 as a pilot and involves the assessment of ten products and services that use personal data in innovative ways.
As we previously reported, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth has supported the ICO’s Regulatory Sandbox initiative by responding to the ICO’s public consultation on the creation of a Data Protection Sandbox in October 2018 and by publishing a March 2019 white paper entitled Regulatory Sandboxes in Data Protection – Constructive Engagement and Innovative Regulation in Practice following a joint roundtable with the ICO and industry on the same topic.
The ICO announced that the work undertaken as part of the Beta phase has pushed it to consider where additional guidance may help organizations with compliance, for instance, in the areas of assessing suitable legal bases for processing, identifying data protection risks and implementing the purpose limitation principle. According to the ICO, “[b]y applying the legislation to new and emerging situations, we are also developing our understanding and we are already using this to inform our wider guidance and regulatory approaches.”
The two newly published reports reveal the outcomes of collaboration between the ICO and the two organizations. Key takeaways from each report are outlined below:
- Jisc—Wellbeing Code of Practice: Jisc has developed a Wellbeing Code of Practice (“Code of Practice”) with universities and colleges who want to investigate the use of student activity data to improve the provision of student support services, including those related to mental health wellbeing. Two key tools were developed for the Code of Practice during the Sandbox service:
- a Purpose Compatibility Matrix, which enables universities to assess whether the data they intend to use would not be incompatible with the original purposes for which data were collected; and
- a Data Protection Impact Assessment (“DPIA”) template with guidance for universities and pre-defined risk mitigation measures.
The Code of Practice also includes best practices on how universities can demonstrate compliance with the accountability principle under the EU General Data Protection Regulation (“GDPR”), including performing DPIAs and identifying the most appropriate lawful bases and conditions for processing, as well as guidance on how to provide privacy notices to students, including those under 18 years old.
Jisc and the ICO agreed that the most appropriate legal bases for universities to rely upon under Article 6 of the GDPR were either public task or legitimate interests, and, for the processing of special categories of personal data, the substantial public interest condition for safeguarding children and individuals at risk (DPA 2018 Schedule 1 paragraph 18).
It is generally accepted in the UK and by the ICO that universities are likely to fall under the definition of “public authorities” in relation to the performance of some of their tasks. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority and, in this case, they must undertake legitimate interest assessments.
One of the objectives of this Sandbox project could not be met due to COVID-19-related delays—a commissioned report to evidence that the interventions resulting from Jisc’s proposed mental health analytics would be strictly necessary. Jisc agreed with the ICO that this report will take place outside of the Sandbox process.
- Heathrow Airport Ltd.—Automation of the Passenger Journey program: Heathrow Airport’s Automation of the Passenger Journey program aimed to streamline the passenger journey by using biometrics. Facial recognition technology would be offered at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Passengers would no longer have to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorized to travel. The following data protection issues were considered:
- Complex data controllership issues, as Heathrow would be considered a joint-controller for certain data processing activities and a processor for others; and
- Legal bases for processing, as Heathrow would be unable to rely on compliance with a legal obligation, and would therefore have to seek explicit consent during the passenger journey in the airports. Heathrow and the ICO jointly agreed that layered communications and an affirmative action being completed by the passenger would not be compliant means of showing an express statement of explicit consent.
After consideration of the feedback concerning the method for obtaining explicit consent, Heathrow notified the ICO on March 10, 2020 that it intended to postpone plans to undertake further evaluation of its process. Heathrow will use the recommendations provided to them during their time in the Sandbox to, in conjunction with airline and technology providers, design a suitable GDPR-compliant process for automating passenger journeys in the airport.
The ICO has encouraged Heathrow and other stakeholders in the airline sector to collaborate on the development of a code of conduct for the processing of personal data in the operation of automated passenger journeys.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code