This week’s Thursday Thoughts has a bit of a Christmas feel. Photographs in schools (I’m thinking nativity plays and concerts) will be at the forefront of school leadership teams and parents minds and there is some helpful advice from the ICO on ways to approach this thorny subject. Also I’ve seen a number of great advent themes so I’ve created a “Because it’s Christmas Soon” section this week. Also watch out for my own “advent” calendar of 24 Data protection ideas to keep you out of trouble. Days one – three are in this piece and the rest will follow day by day.
This week I’ve been listening to the online Privsec Global conference so I’ve included my key take always from that and also a great top tip about passwords and the usual summary of data protection fines. As always if you are doing what someone has been fined for – Stop it!
Blogs of the Week
Clare Paterson (Anthony Collins) - Beware the Jabberwock, my son!
Jill Bottomley - Are staff entitled to the extra bank holiday in 2022?
Photographs in Schools
As DPOs who work in schools will agree there are always A LOT of questions about pupil images. In particular the area of consent for images to be shared on social media or school websites. The advice from the ICO is that where someone can be recognised from a photograph it’s considered to be their personal data.
Photos taken by the school
There are two lawful bases that schools would use either public task or legitimate interests (the ICO expect publicly-funded schools to be looking at public task while independent and other schools can look at either public task or legitimate interests). The trick is to get the fairest outcome by balancing everyone’s interests. Tell people upfront what you’re going to do with their personal data and give them (or their parents) the chance to opt out. But remember offering an opt-out doesn’t mean you are relying on ‘consent’ as a lawful basis under data protection law.
Photos taken by the families
Data protection law does not cover personal use. So families can take photographs and video recordings for personal use, such as for a family album. There are occasions such as where it would cause disruption where a school may decide it isn’t appropriate to allow photographs and this is their choice. Similarly the school may ask parents and guardians not to post photographs on social media if they include other people’s children. But this is sensible policy, but it’s not a data protection issue because the law doesn’t cover private social media posts shared with friends and family. If you want to read more this can be found on the “Your Data Matters” part of the ICO website: https://ico.org.uk/your-data-matters/
Top Tip
This week’s top tip came from Data Security Strategist Chris Glanden – add commas to your passwords to mess with the csv file they land in if you are breached!
Key takeaways from this week’s #PrivSecGlobal Conference
This week I have been listening in to a variety of speakers on a number of diverse topics. The key takeaways I have are:
Know where you are and plan from there (don’t start half way in)
Cyber resilience s not a technical problem it is a business problem
There are loads of things you can do if your staff work overseas to keep them and your systems safe
See nothing, believe no one and trust everything – the easiest way to do this is assume you are in permanent breach and constantly monitor data patterns within the organisation.
You should include all your supply chains in your risk management program because you need that visibility amongst your suppliers or you can’t manage the risk.
Fines
Greece
The Hellenic DPA fined a company €20,000 for carrying out marketing calls without data subject consent. The company continued to send unsolicited advertising to data subjects after they had asked not to receive such material
Iceland
The Icelandic DPA fined the Ministry of Industry and Innovation €51,000 for a domestic travel campaign in the summer of 2020. They offered a digital gift voucher obtained through an app. The app collected extensive personal information and had access to users' phones. Furthermore in order to access the App users were required to agree general terms of use which failed to provide sufficient information to data subjects about processing meaning that they were unable to expressly consent to the processing.
The Icelandic DPA fined YAY €27,200 the company delivering the app mentioned above. For collecting more data than was necessary and for not providing data subjects the opportunity to expressly consent to the processing of their personal data as part of the promotion. The DPA also found that the information provided about the actual processing of personal data was insufficient and the company had failed to put in place appropriate technical and organizational measures to ensure the security of the personal data.
Spain
The Spanish DPA fine for Unión Financiera Asturiana was reduced to €9,000 (from €15000) following a voluntary payment and admission of guilt. The original fine was for carrying out a credit check on the data subject without any contractual basis for doing so.
Romania
The Romanian DPA fined Valoris Center €2,000 after a data breach in which a call centre employee sent a customer an Excel file containing data from 11169 other customers. The data compromised included personal data such as email address, username, user ID, phone number, customer name, customer code, customer PIN.
Here’s the first 3 days on our Data Protection Advent Calendar
Register with the ICO
Write your Privacy Notice
Check your Cookie Banner is Compliant
Because it’s Christmas Soon
Here are a selection of other Christmas themed items
Tash Whittaker – Daily Data Protection Christmas Crackers
Day 1 question “Can you use soft opt in to market to an individual (B2C) taking part in a free prize draw, bearing in mind there is an "agreed" set of terms and conditions for any prize draw. (This applies to UK PECR only).” The conversations that these crackers spark in the comments Linked In are well worth a read (look for Tash on Linked In)(.
Alex McCann - FIND YOUR OWN JOY ADVENT CALENDAR
I love the concept of this simple advent calendar. List 24 things you enjoy put them into a grid and cut them up, fold them like raffle tickets and put them in a bag or box. Then every day in December pull one out and do what it says you can reconnect with Favourite Movies, Music and TV shows, or Takeaways and Home Cooked Meals, or even Running Routes, walks or culture. What would be on your top 24? You can read about it here: https://altrinchamhq.co.uk/find-your-own-joy-altrincham-hq-advent-calendar/
Sara Kay - Laughter Advent
Sara’s gift to all of us every morning during advent is a little bit of laughter. Join her every day for a little bit of laughter for your mental wellbeing. You can follow along here: https://bit.ly/seriouslaughuk
Surrey Coalition of Disabled People – Christmas Day Virtual Dog Walk
A fantastic initiative from the Surrey Coalition of Disabled People- they are running a Zoom hosted virtual dog walk on Christmas Day. Where participants can have a walk and a lovely chat with each other joining by zoom, phone or SMS text relay and a BSL interpreter will be provided. I hope more groups do this kind of thing!
Blog of the Week
Clare Paterson (Anthony Collins) - Beware the Jabberwock, my son!
This is a great blog on balancing what you have been asked for in a SAR with what should be disclosed. Clare like many other DPOS reports that some SARs are used as a tool to get a particular piece of information out of an organisation. This information may or may not exist in the first place. Sometimes it is linked to a complaint or disciplinary procedure. In many cases the SARs is a shopping list of what the individual wants. Her key points when faced with the “SAR from hell”:
You don't have to carry out the search the way the Data Subject tells you to;
SARs are about data, not documents.
Use the time extension if you need it
You can read the blog here: https://www.anthonycollins.com/newsroom/ebriefings/beware-the-jabberwock-my-son-or-a-warning-about-prescriptive-subject-access-requests/
Jill Bottomley - Are staff entitled to the extra bank holiday in 2022?
It hadn’t even occurred to me to think about the changes to the late may bank holiday until I read Jill’s blog this week. I had no idea that the wording in employment contracts determines whether or not employees are entitled to the extra day or indeed if they will automatically get the Thursday instead of the Monday. If you are like me and want to know more about balancing the needs of your business, TOIL, days off in lieu and all that this is definitely the blog to read: https://www.hrdept.co.uk/trafford-and-warrington/blog/are-staff-entitled-to-the-extra-bank-holiday-in-2022