Information Commissioner's Office

Law Enforcement

The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk

About us

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.

Website: http://www.ico.org.uk
Industry: Law Enforcement
Company size: 201-500 employees
Headquarters: Wilmslow, Cheshire
Type: Nonprofit
Founded: 1984
Specialties: Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations

Updates

  • NEW: Online surveys, postal vote applications and social media adverts – what you should expect from political parties using personal data during the election period. A general election is set to take place this July and we know many people have questions about how their data may be used during the election period. Personal information is an important part of campaigning and allows political parties to get crucial messages to voters to help them understand the key issues for different people. We understand how important it is for the public to trust in how their personal information is used during elections. And so, we have been working with fellow regulators, with organisations and people who will be handling your personal information during the upcoming election campaign to ensure expectations around compliance with the law are clear. To help we’ve set out some of the common questions people have around data use and elections and what you can expect if: 👉 Political parties use online petitions. 👉 You’re targeted with social media advertising. 👉 You’re sent a letter from a party you’ve not signed up to. 👉 You raise a concern. Read more about what you should expect in our blog: https://lnkd.in/dW7ea3Sp

    • ICO logo in the top left corner. Graphic depicting the various means of communication during an election. First on the left, a webpage reads: We Know You. In the centre, a phone screen reads: General Election Called! We need to get volunteers to key seats. Sign up to help us now: ele.ct/t3XT5. On the right, an email reads: This is important. Hello, I'm reaching out because I need to ask a favour of you today.
  • We’re seeing more cyber breaches – and your settings could need a double check. Security settings that aren’t correctly configured and maintained put your systems and people’s information at risk. 74% of all breaches include the human element, and 21% of these are due to misconfigured settings. This is usually because of settings that have been set up poorly, haven’t been changed from the default, or haven’t been maintained. You can reduce the risk of errors by:
      • Changing all default accounts, usernames and passwords.
      • Embedding security through all stages of processes.
      • Having security as a core component (e.g. ‘security by design’ principles).
      • Educating your staff on how mistakes occur and why controls are important.
      • Establishing baseline configurations and guardrails.
      • Monitoring for any unauthorised changes.
    It’s never too late to look for security misconfigurations in your systems. Read our report for more tips and to learn from the mistakes of others: https://lnkd.in/eSwqjdCk

  • Got a long list of ex conferences, that’ll tell you DPPC is insane… Taylor Swift’s Eras Tour is sweeping across the UK and we’re taking inspiration by celebrating the fact we’re in our #DPPC24 era. Looking back to last year’s conference we found out that: 🧑🤝🧑 5,396 people attended 🧠 82% of delegates learned something new and 72% put what they learned into practice 🎙️ 74 different speakers hosted the sessions 🌍 People joined from around the world and our most distant delegate joined us from 9,703 miles away 🐕 Even pets love DPPC! We had 23 pets join in on the fun If the numbers aren’t enough, then see what last year’s delegates had to say: “DPPC is the best organised, interactive event I have been to” “Captured my interest all day which is hard to achieve” As a free, virtual event, there's something for everyone – whichever sector you work in. … and #DPPC24 has a blank space for everyone baby, come write your name! https://lnkd.in/eAAgF5aq

  • 🆕 We’re publishing our Enterprise Data Strategy (EDS). Your invaluable insight has helped us shape and align our data-driven activity to the challenges and opportunities facing the UK. Our data strategy defines how we collect and use data, and how we share that data with industry and other public bodies. It covers not just personal information, but all the data that we could potentially publish. Our data on security incident trends provides valuable information to industry on emerging threats and vulnerabilities and helps in areas such as risk mitigation planning. As part of our consultation earlier this year, we asked you for your views on our strategy. This valuable feedback has helped to inform our updated strategy, which we are sharing for the first time today. You can read the full strategy on our website: https://lnkd.in/excj-Wic This represents the start of our data strategy journey, and we look forward to sharing updates on how we are doing throughout the year. Additionally, we want to keep hearing your thoughts - our survey will remain open for you to share your perspectives on our strategy and priorities: https://lnkd.in/e_zW_FuM

    • A series of nails in a board. Dark string connects them all up into a network.
  • If you use or are considering using content moderation processes, then we want to hear from you. Content moderation systems involve processing people’s personal information at all stages of the content moderation workflow, which means services must consider data protection at each stage. Read more about content moderation on our website: https://lnkd.in/eEuB9Ndg Your feedback on this guidance will help to ensure that it is meaningful for all organisations. Complete the survey now 👉 https://lnkd.in/eUPx6_9u

    • Woman on her computer
  • Do you manufacture smart devices that connect and share information over the internet? Do you face challenges when designing products in a privacy preserving way? 📆 11 July 2024 📌 London We’re organising a roundtable for Internet of Things (IoT) manufacturers aimed at building a shared understanding of how data protection legislation applies to consumer IoT. We want to gain insights into the challenges IoT manufacturers face. Register your interest in our roundtable on our website 👉 https://lnkd.in/eyg62bzc

    • Photo from the point of view of someone leading an event talking to a group of people.
  • To BCC or CC, that is the question. We’ve seen hundreds of personal data breach reports where a sender has accidentally hit CC instead of BCC. While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. If you are sending any sensitive personal information, you should use alternatives to BCC. ✅ When might we use BCC? You might use BCC with other measures if the personal information you’re sharing isn’t sensitive and there’s little risk. For example, if you have general information, such as an internal newsletter, and you wish to avoid ‘Reply all’ responses. However, it is important to remember that depending on the nature of the organisation or the newsletter, knowing who has received it may reveal sensitive information about the recipients – for example a newsletter aimed at people with a specific health condition. ❔ What are the alternatives? You must assess which appropriate measures to put in place. You could: set rules within your email system to provide alerts and warn email senders when they use the CC field; set a delay, allowing time for you to correct errors before the emails leave the organisation’s system; turn off the auto-complete email function to prevent the system suggesting email addresses in the recipient's box; and use the National Cyber Security Centre (NCSC) email security check tool: https://lnkd.in/eipYgnN2 Ultimately, it is your responsibility to determine what technical and organisational measures are appropriate, taking into account the nature of personal information you are communicating and the risks involved. Our BCC guidance has lots more tips, a checklist and case studies to help you get to grips with when to BCC and when not: https://lnkd.in/e2uA5927

    • A BCC (blind carbon copy) button in an email with a question mark next to it. A cursor is just about to click on it.
  • Have you thought about developing a certification scheme? Certification can help demonstrate data protection in a practical way to businesses, people and regulators. UK GDPR certification is different from many data protection certification products currently available. The focus is less on the governance and management arrangements around personal data and more an in-depth assessment of specific processing. Certification schemes can be specific or more general. A specific scheme might only be aimed at a particular sector for a specific type of product or service, for example online banking portals, and the criteria will specifically relate to the processing operations commonly found in such portals. But a general scheme would cover all aspects of UK GDPR. If you’re in the initial stages of developing or thinking about a certification scheme, you should consider: ➡️ Are there any sector or industry issues you want to address through your scheme? ➡️ Could you carry out research with your proposed target market to ensure that your scheme meets a need and will have market viability? ➡️ Could your certification scheme help people understand or lessen the impact of a particular processing activity? ➡️ Will your certification scheme (including any logo, seal or mark) ensure that people can easily and immediately understand what is being certified and what that means for them? ➡️ What schemes are already available? ➡️ The name of the scheme – does it accurately reflect the scope, and will it be understandable to users? For more guidance on certification schemes, see our detailed guidance: https://lnkd.in/eD2ZTfjv

    • A blue badge with a tick inside
  • ✅ Researched best CCTV brands ✅ Ordered extra-long ladders ❔ Considered data protection? If you’re thinking about installing CCTV or similar technology, whether you’re recording footage or just live-streaming, you’ll need to think about data protection too. People care about how you treat their personal information and that includes footage of them captured by your CCTV. 1️⃣ Think about how you’ll respect people’s privacy and uphold their rights. When you’re using CCTV, you need to be aware of people’s information rights and your responsibilities in relation to those rights. One of the most common rights you’re likely to come across is the right of access. This means people can ask you for copies of their own personal data, including video recordings you hold. The CCTV system you choose therefore needs to allow you to retrieve stored footage so this right can be upheld. You must also be able to redact or remove third party data from the footage where necessary. 2️⃣ Consider if you need to use audio Many cameras can record sound – but this doesn’t mean you should. You should consider whether it’s necessary in the situation you want to use it in. 3️⃣ Create a document which explains your decision and update any policies Set out why you need CCTV and how you plan to minimise the impact on people’s privacy. Include which areas the CCTV will cover, and how long you’ll keep the footage for. 4️⃣ Pay attention to your CCTV setup. Before you start using your CCTV, you need to check the camera angle and put up signs to tell people it’s there. When your CCTV system is being installed, make sure it only captures what you need it to – and nothing more. A slight adjustment of the camera angle could make a big difference to what’s included in the shot. Read more CCTV tips including case studies: https://lnkd.in/eEzBRCWq #HereToHelpSMEs

    • A woman is sat down at a table. She has her mobile phone in her hand and she is setting up a small CCTV camera.  To the right of the image there are three large yellow post it notes with icons of different things to think about when setting up CCTV (microphone, location and cloud settings).
  • NEW: Work in Freedom of Information (FOI)? We’ve developed a new tool to help you track and manage information requests. If you don’t have a case management system our new template provides a centralised place to track your requests, helping you to: ➡️ track your requests so that none are lost or forgotten ➡️ stay on top of deadlines ➡️ monitor your FOI performance as it will be easier to spot delays in your processes or spot trends in how teams deal with their requests ➡️ identify themes in your requests, which could influence what you proactively publish ➡️ keep a comprehensive record of the original request, which is helpful if you need to conduct an internal review. It’s all part of our work to create resources, support and share best practice to help FOI practitioners in their role and make organisations more open, transparent, and accountable. Try it out here and learn how you can join our pilot review panel for the resources: https://lnkd.in/d_2TBpcj And to keep up-to-date with all our latest FOI work: ✅ sign up to our newsletter: https://lnkd.in/et9fgpq8 ✅ register for our FREE information rights conference: https://ico.org.uk/dppc

    • A line drawing of magnifying glass hovering over a graph.
