News from the ICO: COVID-19 checks, adtech, certification, and fines

The United Kingdom’s (UK) data protection authority, the Information Commissioner’s Office (ICO), regularly publishes helpful information and guidance on data protection matters. In this article, we will provide you with the latest news from the ICO to keep you updated on changes in, and guidance on, UK data protection law.

Guidance regarding COVID-19 status checks

The ICO has published guidance for companies in the UK that the government requires to conduct COVID-19 status checks. It advises companies how to act before, during and after a check in order to protect their customers’ personal data. Before conducting checks, first consult the government guidance for your part of the UK to determine whether a mere visual check is sufficient or whether a digital check of COVID-19 passes is encouraged. For the latter, use the official government app to scan the QR codes on the passes. You should also inform your customers how, and for what purposes, you are using their data; this can be done by publishing your privacy notice on your website or social media profile, sending it by e-mail, or displaying the information around your venue’s entrance. As digital checks involve processing personal data, you also need to follow the ICO’s guidance note Vaccination and COVID Status Checks. It is important that you do not create any internal lists of your customers’ COVID-19 status. Your employees should be able to answer questions about what data is checked, what it will be used for and whether it is stored, and they must treat the checked information confidentially. Finally, regularly check for updates to the government’s COVID-19 guidance to ensure that your checking processes stay compliant. Recent developments and new ICO advice and guidance can be found on the ICO’s COVID-19 hub.

Data protection standards to reduce privacy risks by new advertising technologies

An opinion published by the ICO in November 2021 sent a clear message against excessive data collection and use for online advertising purposes. It sets out data protection standards that companies must meet when developing new advertising technologies (known as adtech) in order to protect people’s privacy online. The opinion is especially directed towards big tech companies like Google. It emphasises that companies developing new digital advertising technologies should always enable data subjects to choose to receive advertising without tracking, profiling, or targeting. If data subjects decide to share their data, they should be informed about how and for what purposes their data is used. The respective company should be able to justify that the data use is necessary and proportionate. Moreover, all companies involved in data processing related to the new advertising technology must ensure that there is meaningful accountability, that data subjects remain in control of their data, and that they have the ability to effectively exercise their information rights.

Approval of certification scheme criteria

Under the UK General Data Protection Regulation (UK GDPR), certification schemes were introduced to give companies a way to demonstrate compliance with data protection law and thereby increase user trust in their products and services. In August 2021, the ICO approved criteria for three certification schemes:
  1. ADISA Certification: A standard that ensures personal data is handled appropriately when IT equipment is destroyed or re-used, developed by ADISA, specialists in IT asset disposal services.
  2. Age Check Certification Scheme (ACCS): ACCS provides the criteria for a scheme relating to age assurance.
  3. Age Appropriate Design Certification Scheme (AADCS): The same provider also offers a scheme relating to children’s online privacy.

Calculation of fines

In late 2020, the ICO provided some clarity on how it calculates fines, setting out a nine-step calculation process:
  1. Assessment of the seriousness of the violation, considering the relevant factors under section 155 DPA 2018, e.g. the nature, gravity and duration of the violation, the categories of personal data concerned, mitigating actions taken, etc.;
  2. Assessment of the degree of culpability of the respective company;
  3. Determination of the turnover of the respective company;
  4. Calculation of an appropriate starting point for the fine: a table of percentages based on the seriousness of the violation and the degree of culpability is used, and the respective percentage (ranging from 0.125% to 3%) is applied to the company’s turnover;
  5. Consideration of relevant aggravating and mitigating factors;
  6. Consideration of the financial means of the respective company to pay a fine;
  7. Assessment of the wider economic impact of the penalty;
  8. Assessment of the effectiveness, proportionality and dissuasiveness of the penalty;
  9. Reduction for early payment.
The UK GDPR and the DPA 2018 stipulate a maximum fine of £17.5 million or 4% of annual worldwide turnover, whichever is greater. Step 4 of the calculation method in particular shows that the ICO is prepared to use a substantial part of this range as the starting point for the most serious violations, before aggravating factors are even considered.