Information Commissioner's Office

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website
http://www.ico.org.uk
Industry
Law Enforcement
Company size
201-500 employees
Headquarters
Wilmslow, Cheshire
Type
Nonprofit
Founded
1984
Specialties
Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • NEW: We’ve fined Coastal Windows and Conservatories UK Limited (CWC), a home improvement company, £40,000 for calling thousands of people registered with the TPS.

    ➡️ The case

    We received a number of complaints from the public about unsolicited marketing calls – even though people had registered with the TPS. Our investigation found that Coastal Windows and Conservatories UK Limited:
    - didn’t screen against the TPS;
    - had no PECR policies or training in place;
    - relied on consent that was up to 13 years old;
    - had no evidence that third party partners asked people for consent to receive calls from Coastal Windows and Conservatories UK Limited.

    ✅ Lessons you can learn from this case

    It’s important to respect people’s preferences about direct marketing. People can object to you using their information for direct marketing and you must stop or not start using their information for this purpose. Our direct marketing guidance has a section that runs through suppression lists and how to manage opt outs: https://lnkd.in/eHnr43KA

    CWC used third parties that collected potential customers’ details with an option to pass these details on to “approved installers”. However, CWC did not undertake their own checks prior to making calls. If you use a third party to buy in or rent information, you must remember that you are responsible for compliance with data protection law and PECR: https://lnkd.in/eG9Y_yrs

    CWC didn’t provide the ICO with any examples of training guides for their staff. It’s crucial that your staff have specialised training based on their job roles and the types of personal information they’ll be handling. See our Accountability Framework guidance – this will give you practical steps for assessing your own training: https://lnkd.in/ev3ny_Wf

    Read more about the case: https://lnkd.in/ea3MSj_8

    • Video: Coastal Windows and Conservatories fined for making unwanted marketing calls.
      £40,000 fine issued for making unwanted marketing calls.
      18,280 calls to people registered with the TPS, the UK’s do not call service.
      8 complaints made.
  • No more scratching your head about what to put in your privacy notice – our new privacy notice generator will automatically generate one that is bespoke to your organisation and tailored to your sector, in about 10-15 minutes. Suitable for all types of small businesses, sole traders, small charities, clubs and groups, the tool will help you tell people outside your organisation how you use their information. Head to our new privacy notice generator to create a privacy notice just for your organisation: https://lnkd.in/eFTC3AzB #HereToHelpSMEs

    • Image: A collection of things people need to do various jobs, e.g. hairdryer, screwdriver, pens. The text reads: Our privacy notice tool: “incredibly user-friendly and intuitive”.
  • Information Commissioner's Office reposted this

    Supporting Scottish innovators with regulatory clarification

    Would you like free informal regulatory advice on bringing your digital or AI driven product to market? Join us for breakfast on 18 September at Ofcom offices in Edinburgh to learn more about the DRCF AI and Digital Hub, a free informal advice service to provide innovators tailored answers to their most pressing cross-regulatory questions.

    Meet with Kate Jones, DRCF CEO, and Hub representatives to get an overview of the Hub, its benefits, and address your questions. Sign up for the event below or register here: https://lnkd.in/ezxia82j

    We look forward to seeing you there! #AI #digital #AIDigHub #innovation
  • Myth or fact: You can’t share personal information in emergencies? This is a myth – if you need to share personal information in an emergency to save a life, you should do whatever is necessary and proportionate. Data protection law doesn’t stop this: https://lnkd.in/ec59Faiu
  • Password attacks spiked in 2023, according to Microsoft’s recent digital defence report. Do you have steps in place to protect your systems?

    In general, good practice cyber security guidance applies, but since brute force attacks specifically target access credentials, you should also take the following actions to protect yourself from these types of attacks:
    - Use two-step or multi-factor authentication. Note that some options are more resilient to attacks than others (eg SMS based ones are exposed to SIM swap attacks), so consider carefully which option to choose. Depending on the risk, you may decide to use hardware-based tokens.
    - Use strong passwords, ideally using the ‘three random words’ approach.
    - Avoid passwords which contain information about you which is easy to guess.
    - Use unique passwords for different accounts and do not reuse passwords.
    - Protect passwords at rest, eg by hashing and salting them (adding extra random characters to the plaintext password before hashing it), and in transit by using secure transport mechanisms.
    - Consider the use of a password manager.
    - Reduce reliance on passwords by considering single sign-on (SSO), hardware tokens and biometric options.
    - Disable unused accounts.

    • Video: Cyber threats – brute force attacks.
      A login screen appears and a password is entered. It’s incorrect. The login screen appears again, and again and again, each time the password is entered faster. Hundreds of screens and password attempts whizz across the screen, until a correct password is entered. The screen turns pink and a skull and crossbones appear to show the account has been attacked.
  • Have you heard? Our new privacy notice generator is available and now includes sections for organisations in different sectors of the economy. The tool is easy to use and will create a bespoke privacy notice tailored to your organisation’s sector, in just 10-15 minutes. Almost every small organisation has people’s information, whether it’s contact or payment details, CCTV footage or other types of personal information. Your privacy notice lets your customers and suppliers, or your staff and volunteers, know what details you have and what you do with them. As well as being a legal requirement, a privacy notice shows people you respect their information rights. Use our privacy notice generator today: https://lnkd.in/eFTC3AzB #HereToHelpSMEs

    • Image: A big collection of tools for a variety of jobs. Spanners, pliers, hammers, calculators, hair pins, ties, highlighters. The text reads: Our privacy notice tool: “A bespoke privacy notice created for your organisation – ready for you in under 15 minutes”. Now with added sectors.
  • You’ve got your bucket hat and Fred Perry out of retirement and had (What’s the Story) Morning Glory? on repeat since Monday. But while you wait in line for the tickets of a lifetime, maybe listen a little closer to Oasis’ lyrics and some might say you’ll find some data protection tips...

    😇 You and I are going to live forever?
    Unfortunately the Gallaghers got this one wrong – at least in terms of records management. It’s important to consider how long you need to keep personal data and ensure you’re not holding on to things just in case: https://lnkd.in/diZYezMc

    😡 Don’t Look Back In Anger
    You don’t want to Look Back In Anger at a data breach – our checklist will help to assess the areas you need to improve on to keep people’s info secure: https://lnkd.in/dqieaZDG

    🌟 All of the SARs have faded away
    You’ve had a flurry of subject access requests. It was a nightmare to deal with and now you’re thinking where did it all go wrong? Now is a great time to assess your processes to plan for how you’ll deal with this in the future. Our Accountability Framework will help you assess your plans: https://lnkd.in/dkiS5R-Y

    ☎️ Someday you will fine me, caught ringing the landlines
    Some might say you should acquiesce to marketing calls. We don’t roll with it and you can face serious consequences for making nuisance calls. We have helpful guidance to make sure you understand your responsibilities and can call with confidence: https://lnkd.in/ewShc7pB

    ⏱️ Today is gonna be the day that they’re gonna throw it back to you
    Remember, if someone has submitted a SAR and you’ve asked for clarification on the subject matter then you can stop the clocks. As soon as they throw it back to you, the timer restarts. We have detailed guidance on lots of different scenarios to help you understand: https://lnkd.in/d5D5DZGS

    🧑‍🏫 I’ve got a lot of things to learn
    Finally – a crucial part of your role as a data protection officer is helping to embed a data protection culture, train your staff on the importance of the law and highlight that data protection is not black and white. Sometimes the answer is it depends (or definitely, maybe), but encouraging staff to think data protection and ask the questions will help improve your organisation’s compliance. See our training guides for more advice: https://lnkd.in/eMFTuvdV
  • Public authorities publish a lot of information and you may find what you’re looking for by searching online.

    NEW: We want to help you find information held by public authorities more efficiently and more effectively. We’ve launched a new checklist to help you search for information first so that you may not even need to make an FOI request. The information you’re looking for could already be available:
    🔍 Publication schemes, annual reports, policies and datasets are published on public authorities’ websites. These kinds of documents explain who the organisation is, what they do, how they do it, and how they are performing.
    🔍 Disclosure logs allow you to read responses to previous information requests.
    🔍 WhatDoTheyKnow is a public register of over 1 million information requests, and responses from thousands of public authorities.
    🔍 Try running advanced searches of an organisation’s website.
    🔍 Snapshots of previous versions of an organisation’s website may help you retrieve information which is no longer current.

    View the checklist in full on our website and learn more about submitting an effective information request: https://lnkd.in/ekZ-UDTR

    • Image: A clipboard icon with a yellow tick in the middle. In the background there are faded out icons to represent the other tools and resources in this FOI toolkit.
  • 🆕 We’ve issued the Labour Party with a reprimand for repeatedly failing to respond to people who asked it what personal information the party held on them – known as a subject access request (SAR).
    - Following a cyber-attack in October 2021, the party began to accumulate a backlog of requests.
    - In the year following, 78% of Labour’s 352 actionable SARs had passed their deadline.
    - Over half (56%) of these outstanding requests were over a year old.

    Our reprimand relates to the infringements of Articles 12(3), 15(1), and 17(1) of the UK GDPR. We welcome news that the Labour Party has now cleared its backlog of SARs and implemented further measures to ensure people receive a prompt response. Read more about our action on our website: https://lnkd.in/eEfe_f5p

    Organisations must respond to a SAR within one month of receipt of the request; however, this can be extended by up to two months if the request is complex.

    Looking to refresh your SAR knowledge?
    👉 We’ve put together brief guidance on SARs for businesses: https://lnkd.in/eBgSXTmx
    👉 Our more in-depth guidance can be found here: https://lnkd.in/eXEbxuz3
    👉 For digestible training videos, check out our individual rights page: https://lnkd.in/eCMFFXjE
    👉 At our annual conference for data protection practitioners last year, we held a workshop on SARs for employers that you can catch up on: https://lnkd.in/e8M5tZEf

  • Missing the Olympics and simply can’t wait for tomorrow’s Paralympic games to start? Well, we’ve got the games for you. Years of training, dedication and practice lead up to this moment – the ICOlympics.

    🏃‍♂️ SAR Relay
    It’s a team effort to make sure you can quickly and efficiently get the request around the track. You’ll need a strong start with well-trained staff who can identify a request, strong records management processes to keep a hold of that lead and then a well-informed information management team who understands the law, and what can and cannot be shared, to give you that sprint finish. Don’t drop the baton – see our guidance if you think your team might fall short of a podium finish:

    ⚽ Boccia – the quality sport
    Boccia is a game of precision – and for data protection boccia players it’s no different. The quality of your data needs to be precise and accurate. To reach the jack you need to conduct regular data reviews to make sure they’re accurate, adequate and not excessive, and ensure your staff understand their responsibilities. If you’re failing to hit the target, then have a look at our accountability framework: https://lnkd.in/e9fZjcgF

    🥇 Access marathon
    The Access marathon is all about adding mile after mile of protection for your systems and giving your staff the training to breeze through, while any unwanted runners end up with a DNF. The endurance race will ensure competitors deal with minimum password complexity, access restrictions, anti-malware and anti-virus protection, firewall and vulnerability scans. See our Accountability Framework for our rundown of how to get a world record time: https://lnkd.in/eKfWWZwD

    • Image: Arc de Triomphe with the Paralympics logo on the top.