Keep up to date with how the ICO is protecting your data and your data rights.
- Live facial recognition technology and personal data; what you need to know – 18 June 2021
- Political parties and personal data; what you need to know - 11 November 2020
- Coronavirus and contact tracing: your data rights - 24 September 2020
- Coronavirus and data protection - what if I become seriously unwell and I need somebody to access information about me? - 23 June 2020
- Coronavirus recovery – what are your information rights? - 11 June 2020
- Stay one step ahead of the scammers - 31 March 2020
- Coronavirus and personal data; what you need to know - 18 March 2020
- This Valentine’s day, don’t let your date steal your data! - 14 February 2020
- Safer Internet Day - 11 February 2020
- Updating WhatsApp on your device - 17 May 2019
Facial recognition technology can make many aspects of our lives easier, more efficient and more secure. Many of us use the technology every day when unlocking our mobile phones, setting up a bank account online, or when we go through passport control.
Live facial recognition (LFR) technology can be used in a more intrusive way. The technology and its algorithms can automatically identify who you are and work out sensitive details about you in real time. It can be used to instantly profile you to serve up personalised adverts or match your image against known shoplifters as you do your weekly grocery shop.
The technology relies on the fact that your facial features are unique to you, like your fingerprints and DNA. And these are considered to be biometric data, which has special protection under data protection law because of its sensitivity.
The ICO has today published a Commissioner’s Opinion on the use of LFR in public spaces by public organisations and private companies.
The Opinion explains how data protection and people’s privacy must be at the heart of any decisions to use this technology. And it explains how the law sets a high bar to justify the use of LFR and its algorithms in places where we shop, socialise or gather.
This is because the technology and its algorithms have the potential to be used in privacy intrusive ways, so we want to ensure that your personal information is handled carefully and your privacy is protected.
The ICO is here to give advice to organisations, to address your concerns, and to take action where necessary.
What are my data rights when LFR is in use?
Your facial features are unique to you and any images captured on LFR cameras are your personal data, so it is important for you to be aware of your rights.
You should be able to be confident that organisations using LFR are doing so lawfully, fairly, transparently and meeting other standards set out in data protection law.
That means that you should be able to understand how your facial image will be captured and analysed. Organisations using LFR must be clear that they are collecting your biometric data, why it is being collected and how long they will keep it.
If your biometric data is being collected through LFR, or your image is part of a ‘watchlist’, you have the right to ask an organisation for copies of the information they hold about you and why. We have detailed guidance on how you can ask an organisation for this information.
You have the right to object to an organisation collecting and using your biometric data through LFR at any time. If an organisation decides to continue using your data they must have clear and legitimate reasons for doing so. You also have the right to object to direct marketing based on the use of your personal data.
If you are unhappy with how your data is being used, we have guidance to help you raise a concern.
Infographic: use of LFR for surveillance
Infographic: use of LFR for marketing and advertising
Processing personal information is an important part of political campaigning. It allows political parties to get crucial messages to voters and helps them to understand the key issues for different people.
Political parties are entitled to receive a copy of the full electoral register, which contains information such as your name, address, nationality and age. Political parties build on this information with direct interviews with members of the public, with publicly available data such as census data and by buying data from data broking companies.
The ICO has recently assessed the data protection practices of seven of the UK’s political parties. We’ve set out key recommendations for how political parties should protect personal data and what you should expect.
What should I expect?
- Expect clear privacy information
It should be clear to you from the outset how a political party is using your personal information and the information should be easy to understand. Read more on your right to be informed.
- Expect to be told if a political party is using profiling techniques
If a political party combines information about you from several different sources, this is known as profiling. Political parties use this technique to learn more about voters and to send targeted marketing.
If a political party is using profiling techniques, it should be clear and you should be given the opportunity to object.
- Expect clearer information about social media advertising
Social media advertising is used by all parties to promote their work, but it’s important that it is clear to people if they are being targeted. Political parties should make it clear that people’s personal information will be used to send them specific social media advertising.
What should I do if I am concerned with how my data is being used?
You have the right to be confident that political parties handle your personal information responsibly and in line with good practice. If you’re unhappy with how your data is being used, we have guidance to help you raise a concern.
The UK and devolved governments have announced a number of additional measures to help stop the spread of COVID-19. Some organisations are now required by law to collect customer information to support contact tracing schemes, and there are government apps you can download so people can trace the spread of the virus.
The ICO has been supporting businesses and government to ensure that data protection and privacy are built into these new measures from the start.
Whenever an organisation uses your information, it’s important for you to be aware of your personal data rights. We’ve put together some tips on things you should expect:
Your personal data should be kept secure
Businesses collecting your information for contact tracing should do so in a secure way. This means they shouldn’t use open log books or ask you to add your name to a list. If you’re concerned an organisation isn’t keeping your data secure you should raise your concern with them first. If you’re still dissatisfied, you can complain to the ICO.
Your personal data should only be used for contact tracing
Businesses shouldn’t misuse your personal information. Organisations and their staff members have an obligation to look after your personal information. For example, businesses shouldn’t use your contact details to send you further marketing or sell it on for others to target you. And staff members shouldn’t use your phone number or other contact details to get in touch with you for personal reasons.
If you’re worried about how an organisation is handling your personal information, you have the right to raise your concerns. However, if you feel uncomfortable speaking directly to the organisation, we are here to help. You can call our helpline and our team will be able to advise on what to do, how you can make a complaint to us and what will happen next.
You should understand how your personal data will be used
Whenever you give an organisation your personal data they should tell you how your information will be used. If you download either the NHS COVID-19 app, the Protect Scotland app or the StopCOVID NI app, it should be clear what personal data is being collected, why it is being collected and how long it will keep this information.
Organisations collecting information for contact tracing should be transparent that they are only collecting the information for the purposes of contact tracing. If they want to collect information to send you updates or offers, this should be done separately and should be made clear to you.
You have the right to access your personal information
You have the right to ask an organisation for copies of the personal information it holds about you. We have detailed guidance on how you can ask an organisation for copies of your information.
What if I don’t experience this?
If you’re unhappy with how an organisation has been looking after your personal information you have the right to raise a concern. We have advice on the steps you can take here.
Coronavirus and data protection - what if I become seriously unwell and I need somebody to access information about me? - 23 June 2020
There may be times where you need a friend or relative to be able to access information about you, in order to provide care and support or to make decisions. In urgent situations, organisations can share information where necessary.
However, you can record your choices in advance.
If you live in England or Wales:
- If you have appointed an Attorney, they will have the legal authority to access information about you in order to do their job.
- The Office of the Public Guardian are continuing to register Powers of Attorney during the coronavirus pandemic. They aim to process these within 40 days, but this may be subject to delay due to the current circumstances.
- The Office of the Public Guardian have produced short term guidance for when there is no formal legal power in place. This details how you can make advance plans for people to do certain things on your behalf. This could include making a note of the information you want to be shared and with whom, and making those close to you aware of this.
If you live in Northern Ireland:
- If you have appointed an Attorney under Enduring Powers of Attorney, and this has been registered with the Office of Care and Protection, they will have the legal authority to access data in order to manage your affairs.
- The Office of Care and Protection are processing critical work only during the pandemic. They are not registering new Enduring Powers of Attorney.
- Where there is no formal legal power in place, you could make a note of the information you want to be shared and with whom, and make those close to you aware of this.
If you live in Scotland:
- If you have appointed an Attorney, they will have the legal authority to access information about you in order to perform their role.
- The Office of the Public Guardian (Scotland) are continuing to register Powers of Attorney during the coronavirus pandemic. The usual process takes up to 30 days. An expedited service is available for emergencies.
- Where there is no formal legal power in place, and the situation does not qualify for the expedited service, the OPG (Scotland) suggest temporary measures. This could include making a note of what information you want to be shared and with whom, and making those close to you aware of this.
As workplaces begin to open up and lockdown restrictions start to ease, it’s important you know what your data protection rights are when it comes to your personal information.
Here are a few things to remember or to consider if you’re going back to work or visiting places:
- If you’re asked if you have experienced coronavirus symptoms or to take a test, you have certain rights under data protection law. You’re entitled to know what personal data is being collected about you, why it’s being collected and how long it’s going to be held for.
- It should also be easy for you to request a copy of your data that has been recorded (called a subject access request or SAR). Details on what to include if you’re making a SAR are available on our website.
- You may be asked questions about your general health, and possibly the health of your family members. This information is protected under data protection law, which means that whoever is using this information must take extra care with it.
- Your employer may decide to use symptom trackers or other methods to monitor for coronavirus and social distancing rules. They should tell you if they’re considering doing this, and explain to you why they think it’s necessary. If you are concerned about how your personal data is being handled, you should raise this with the organisation involved.
Our 18 March blog post also gives more information about how you can expect organisations and the Government to use your personal data.
There’s growing evidence of a spike in email and phone scammers as criminals look to seize on people’s vulnerabilities during the current coronavirus pandemic.
Maybe you’ve received one claiming to be from organisations you would trust such as:
- the NHS asking for your bank details to register for access to the COVID-19 vaccine;
- the Government asking for your bank details so money related to free school meals can be transferred;
- HMRC offering a grant to help you through the lockdown period; or
- banks asking you to confirm your details.
Or you might receive what seems like an important message from an organisation such as:
- callers offering coronavirus testing kits and protective equipment; or
- calls telling you your internet is going to be cut off in 24 hours because you’ve been hacked.
The common factor with emails is that you can only find out more if you click on a link or open an attachment. An automated call will invariably ask you to press buttons on your phone, and skilled criminals on live calls can deftly convince you of their legitimacy. And that’s when the damage starts, either by inadvertently giving criminals access to your computer or phone or, at the extreme end of the scale, emptying your bank account.
The good news is there are some simple steps to take to ensure you stay safe and don’t fall victim to these invisible criminals. Before you take any action, pause and take a moment to consider:
- Is the email addressed to you personally or is it addressed to “Dear customer” or “Valued customer”?
- Is the spelling, punctuation and grammar correct?
- Does the email ask you to urgently verify details within a specific time limit?
- Does the sender’s email address look legitimate?
- Does the email look like previous emails you have legitimately had from the same organisation?
- Does the email ask for your bank account details, online banking passwords or your PIN number and CVC code for your debit card?
- Does the caller’s offer sound too good to be true? Then it probably is.
- Do you actually have an existing relationship with the caller?
Agencies across the UK, and beyond, are working together providing advice on how to stay safe online. The National Cyber Security Centre has an abundance of guidance including how to spot and deal with suspicious emails; top tips for staying safe online and securing your devices. The National Crime Agency is advising people to Stop, Challenge and Protect and to remain vigilant against fraud.
Action Fraud, which has reported a 400% rise in Coronavirus fraud reports, offers advice on protecting yourself from scams. The Financial Conduct Authority has published information about potential coronavirus scams, how they could affect you, and how to protect yourself.
Remember, before you open that email or proceed with a call, just take a moment, now and in the future, to consider the authenticity before you continue.
Your personal information may not be your first thought when it comes to coronavirus, but if you’re worried, we’ve put together some information to help.
- Government, the NHS and other organisations will make sure you get vital public health messages via phone, email or text. You don’t need to give them your consent.
- You might be asked to give details about sensitive health conditions and recent travel that you think are excessive. Employers and organisations do have an obligation to protect their staff, so in some cases it can be reasonable for them to ask you if you have experienced coronavirus symptoms. But they shouldn’t be asking for more information than is necessary, and if you are concerned speak to the organisation involved.
- If you become ill with coronavirus, your employer might need to tell your colleagues. But that doesn’t mean they need to give out your name.
- If you’ve made a Freedom of Information request from a public body or made a subject access request (SAR) for your own information, you should expect delays in response. That’s because organisations are diverting their resources to help with other challenges.
Online dating has never been more popular, with half of 16-34-year-olds using dating apps and new sites popping up all the time. Whilst it’s now easier than ever to find the love of your life, online dating is not without its pitfalls, particularly where your personal data is concerned.
Some romance scammers can use online dating sites to gather personal data and steal your identity. Your name, address and date of birth provide enough information to create another ‘you’. An identity thief can use a number of tactics to find your personal information and can then use it to open bank accounts, take out credit cards and apply for state benefits in your name.
How can I protect myself from dating scams?
Keep the mystery alive
Think carefully when picking your user name – MancBen93 would give scammers a good idea of where you live and your date of birth. Avoid putting too much information on your profile.
Don’t overshare too soon
Romance scammers might ask for your address to send you gifts or your phone number so they can contact you. Always wait until you feel comfortable and have met in person before sending over any personal information.
Make sure your dating app is the one
Different dating apps will ask for different levels of personal information and some will connect with other social media apps. Make sure you know exactly how much of your personal information other users can see and that you’re happy with how much is being given away.
I think I’ve been a victim of a romance scam – what can I do?
Our guide to identity theft has more information on some of the signs to look out for and what you can do if you’ve been a victim.
You can also get more advice at:
- Action Fraud (England, Wales and Northern Ireland) or Police Scotland (as Action Fraud do not deal with people who live in Scotland).
- Bank Safe Online
- Financial Ombudsman Service
- CardWatch c/o APACS
14 Finsbury Square
Happy Safer Internet Day!
This year’s theme is Free to Be, discussing how young people manage their online identity, and how the internet changes how they think of themselves and others. The day aims to highlight the fact that the internet is a great place for children and young people to express themselves. It’s also somewhere to find out more about other people who may have different views.
But it’s important that people are aware of the issues that children and young people face online. We can all play a part in making sure the internet is a safe area for everybody of whatever age to share their views.
Lots of children can download apps, play online games and use social media sites. Most of the time they are better at this than their parents! Current research suggests that children make up a fifth of all internet users in the UK.
However, they’re using an internet that wasn’t designed with them in mind. That’s why the area of children’s privacy has become a priority area of work for us.
We have recently published our Children’s Code. The aim of this code is to protect children’s privacy online by making it clear to designers and developers they must put the best interests of their child users first.
How do we expect them to do this?
The code sets out 15 standards that online services likely to be used by children, such as websites, apps and games, should meet to protect children’s privacy.
The code, which is rooted in data protection law, says that whenever children access a new website or app, baseline privacy standards should be in place to protect their personal data and privacy by default.
The code is making its way through the Parliamentary process and we expect organisations to start implementing the standards after that. Once the code takes full effect, we’ll be able to take enforcement action against companies that fail to put our children first.
Safer Internet Day strives to make sure our children can enjoy the benefits of the internet and stay safe. And our code is a concrete step in the right direction.
In a generation from now, we will find it astonishing that children weren’t always protected in this way.
We have a section on our Online Safety pages offering practical tips about how you can help to keep your children safe online.
On 14 May, WhatsApp announced an incident involving a spyware vulnerability on WhatsApp.
There are currently two agencies dealing with the incident, the National Cyber Security Centre (NCSC) on behalf of UK consumers and the Irish Data Protection Commission (IDPC) as the lead authority for WhatsApp under the EU GDPR.
We are currently liaising with the Irish Data Protection Commissioner to determine whether any UK users have been affected.
For anyone concerned about using WhatsApp the advice is to update your apps using standard updates from the app store as a precaution.