Personal data privacy risks
Reputational and privacy risks associated with increased use of personal data for content personalisation.
470 items
12 sources
5 inquiries
Strongest theme matches
Mixed across source types and ranked by classifier confidence plus text match strength.
Committee recommendation
71match
#27 - BBC's increased use of personal data for personalisation poses reputational risks.
To build a more personalised experience for its users, the BBC will need to increase its use of their personal data. The BBC plans to use these data to support commissioning decisions and to make tailored content recommendations, and needs to meet best practice and transparency in data-handling. There is potential for reputational damage if the BBC does...
Matched on
terms: personal
Committee recommendation
61match
#4 - Strong privacy safeguards are vital in the fundamental design of any digital pound.
Strong privacy safeguards would be vital were a digital pound to be introduced. Although the Bank of England and Government state that it is not their intention to be able to access users’ data, it is conceivable that they may in future be tempted to try to make use of such a powerful source of information. It is...
Matched on
terms: privacy
Committee recommendation
60match
#5 - Review BBC data collection and storage policies, ensure minimum data collection and safety.
The BBC has developed its approach to data security since 2019 but is not yet doing enough to manage the risks arising from increased access to users’ personal data. The BBC needs to collect and hold some audience data to help it to compete in the digital space, and crucial to this is sign-in, where audiences register for...
Matched on
terms: personal
Committee recommendation
57match
#2 - Recommend a trial of a centralised Secure Data Environment and simplify ethical governance
Should our successor Committee wish to explore the reform of the UK health data strategy, we recommend it considers: • Investigating the replication of the academic model of open and competitive funding to solve problems and develop Privacy Enhancing technologies (PETs) and other critical pieces of data infrastructure as an alternative to internal or contracted software development work;...
Matched on
terms: privacy
Committee recommendation
57match
#15 - HMRC lags in secure digital file sharing; plans secure messaging via app and tax accounts.
HMRC said it uses email sparingly due to security concerns.42 Several organisations representing taxpayers and their agents wrote to us to highlight the need for a secure digital way to share files and correspondence with HMRC so that communication by post and phone became the exception.43 HMRC acknowledged that it is clearly behind many other 31 Customer service,...
Matched on
terms: personal
Committee recommendation
57match
#4 - Prioritise introducing systems for customers to submit files and send secure digital messages.
HMRC does not provide an efficient means for taxpayers to communicate digitally with HMRC. In 2022–23, HMRC received 22 million items of correspondence, including physical post and forms and interactive forms. Approximately 70% of this comes in through the post. Postal correspondence, as well as some electronic correspondence, requires scanning, manual entry into HMRC’s systems, or both. In...
Matched on
terms: personal
Committee recommendation
57match
#11 - February 2022 data breach caused by inappropriate systems and hidden data.
We asked the Department to outline how the February 2022 data breach had occurred. The Department told us that the systems it used to manage case work for the ARAP scheme—a Sharepoint site and Excel spreadsheets—were not appropriate for handling many thousands of lines of personal data.22 The Department said that the context for this was that it...
Matched on
terms: personal
Committee recommendation
57match
#2 - Require assurance that new casework system prevents recurrence of Afghan resettlement data breaches
The Department did not have appropriate systems and controls in place at the time of the February 2022 breach to manage personal data in a high-risk environment. The Department did not use a caseworking system designed to hold and process high volumes of sensitive personal information relating to the government’s Afghan resettlement schemes until May 2022, when it...
Matched on
terms: personal
LGO / SPSO decision
57match
25-009-787 - City of York Council
Summary: We will not investigate Mrs B’s complaint that the Council wrongly sent her sensitive personal information relating to someone else. This is because Mrs B may complain to the Information Commissioner’s Office which is in the best position to consider this complaint.
Matched on
terms: personal
Committee recommendation
57match
#2 - Introduce measures to standardise intuitive privacy interfaces for connected devices, empowering users.
The Government should introduce appropriate measures to standardise privacy interfaces for connected devices as a first step, which will help users learn how to control connected devices in their homes and exercise data rights. Privacy interfaces should be appropriately accessible, intuitive and flexible enough so users of a reasonable level of digital literacy and privacy expectations can use...
Matched on
terms: privacy
Committee recommendation
57match
#32 - Public involvement in personal data use decisions crucial; engagement risks declining with new data.
It is crucial that members of the public are involved in making decisions about how the UK chooses to use personal data in the development of its public evidence base. Traditionally, statisticians have engaged with members of the public about the use of their data in the conduct of surveys, but as officials embrace new sources of data...
Matched on
terms: personal
Committee recommendation
57match
#31 - Explore options for improving personal data transparency in official analyses and publish findings.
We recommend that the analysis function explore options for improving transparency around the use of personal data in official analyses, and that this work be made publicly available.
Matched on
terms: personal
Committee recommendation
57match
#30 - Limited information provided on personal data usage in government analysis.
Although statisticians and researchers publish a wealth of information on which data sources they hold, and how they are used, very little information is made available about how personal data are being used for the purposes of government analysis.
Matched on
terms: personal
Committee recommendation
56match
#7 - Ensure transparent data collection, clear opt-outs, and robust regulation for digital pound wallet providers.
While some consumers may be content to share their personal data with payment interface providers in exchange for digital pound wallet services, there is a risk that consumers do not fully understand how their data could be used, or the implications of doing so. It is vital that it is transparent to users how their data would be...
Matched on
terms: personal
NAO recommendation
56match
A digital BBC
set out how it plans to develop its personalisation strategy, including managing potential data risks. As it moves towards greater use of personal data and sign-in, the BBC now needs to fully develop a comprehensive personalisation strategy. This should include how it will manage potential compliance risks around the capture, storage and use of personal data, as well...
Matched on
terms: personal
Committee recommendation
53match
#17 - MoD failed to notify PAC about data breach after 18-month delay and obtaining super-injunction.
The Department first became aware of the data breach on 14 August 2023, 18 months after it occurred, when personal details of 10 individuals from the dataset were posted online on Facebook.40 Following its discovery of the data breach, on 25 August 2023 the MoD decided to apply to the High Court for an injunction to prevent the...
Matched on
terms: personal
Committee recommendation
53match
#5 - Require Department to explain how Afghanistan Response Route resettlement costs are separately captured
The Department did not put in place a mechanism to accurately identify and account for the costs of resettling individuals who were at high risk due to the data breach. The Department accounted for the costs of the ARR within its total spending on Afghan resettlement schemes, rather than identifying them separately, arguing that this was necessary to...
Matched on
terms: personal
Committee recommendation
53match
#3 - Require Department to detail data protection policies, assurance, and changes made after breaches
The Department did not do enough to learn the lessons from previous data breaches. Before the February 2022 data breach, the Department had policies in place to protect against the loss of personal information. After three separate data breaches in autumn 2021 relating to the ARAP, the Department reviewed its data protection policies and guidance, and it worked...
Matched on
terms: personal
LGO / SPSO decision
53match
25-007-980 - Middlesbrough Borough Council
Summary: We will not investigate Ms X’s complaint about an alleged breach of her personal data. The Information Commissioner’s Office is better placed to consider this complaint.
Matched on
terms: personal
Inquiry recommendation
52match
L60 - ICO Public Guidance
The Information Commissioner's Office should take steps to prepare and issue guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights.
Matched on
terms: personal
LGO / SPSO decision
52match
22-004-393 - City of Bradford Metropolitan District Council
Summary: We will not investigate Mrs X’s complaint the Council committed a data breach by sharing her sensitive personal information with third parties. This is because complaints about data matters such as this are best considered by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
52match
22-009-829 - Luton Borough Council
Summary: We will not investigate this complaint about the Council disclosing the complainant’s personal details. This is because this matter is best dealt with by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
52match
24-021-524 - Sefton Metropolitan Borough Council
Summary: We will not investigate Mr X’s complaint about a personal data breach. This is because complaints about data matters, such as this, are best considered and decided by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
52match
24-020-876 - Westminster City Council
Summary: We will not investigate Mr X’s complaint that the Council unlawfully processed and shared his personal data. This is because the Information Commissioner’s Office is better placed to consider this complaint. We will not investigate Mr X’s complaint about the Council’s complaint process because it does not meet the tests in our assessment code.
Matched on
terms: personal
LGO / SPSO decision
52match
24-022-928 - London Borough of Newham
Summary: We will not investigate this complaint about the Council sharing confidential information with a third party or the complainant’s concerns about a penalty charge notice. This is because the complainant has not suffered significant personal injustice and parts of the complaint are best dealt with by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
52match
25-010-838 - Liverpool City Council
Summary: We will not investigate this complaint about the Council’s failure to comply with a ruling made by the Information Commissioner’s Office. This is because this complaint relates to personal data and is a matter best dealt with by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
52match
24-011-715 - London Borough of Barnet
Summary: We will not investigate this complaint about the Council’s response to Ms X’s subject access requests under the GDPR legislation and its use of her personal data. This is because the Information Commissioner’s Office is best placed to deal with such issues.
Matched on
terms: personal
PFD report
49match
Donna Constantine
Police encouraging vulnerable individuals to use unmonitored work mobile phones creates risks due to a lack of off-duty response, clear escalation procedures, and proper audit trails for communication.
Matched on
classifier match
Committee recommendation
49match
#28 - Require tech companies to cleanse datasets of NCII and source data responsibly.
The private sector has innovated to create AI technology. It does not need to wait for legislation to catch up in order to safeguard individuals from harmful AI-generated content. As a starting point tech companies involved in AI content creation should cleanse their datasets of NCII content and commit to responsible sourcing of data to safeguard those datasets...
Matched on
classifier match
Inquiry recommendation
48match
L74 - Qualified One Way Costs Shifting
In the absence of the provision of an approved mechanism for dispute resolution, available through an independent regulator without cost to the complainant, together with an adjustment to the Civil Procedure Rules to require or permit the court take account of the availability of cost free arbitration as an alternative to court proceedings, qualified one way costs shifting...
Matched on
terms: privacy
Inquiry recommendation
48match
L72 - Exemplary Damages for Media Torts
Exemplary damages (whether so described or renamed as punitive damages) should be available for actions for breach of privacy, breach of confidence and similar media torts, as well as for libel and slander. The application to a defendant of any relevant system of regulation of standards enforcement which is contained in or recognised by statute and good internal...
Matched on
terms: privacy
Inquiry recommendation
48match
L70 - Civil Justice Council Damages Review
The Civil Justice Council should consider the level of damages in privacy, breach of confidence and data protection cases, being prepared to take evidence (from the Information Commissioner, the media and others) and thereafter to make recommendations on the appropriate level of damages for distress in such cases. How the matter is then taken forward will ultimately be...
Matched on
terms: privacy
Inquiry recommendation
48match
L69 - Review of Damages for Media Torts
There should be a review of damages generally available for breach of data protection, privacy, breach of confidence or any other media-related torts, to ensure proportionate compensation including for non-pecuniary loss (all referable to the duration, extent and gravity of the contravention).
Matched on
terms: privacy
Inquiry recommendation
48match
L66 - ICO Organisation Review
The Information Commissioner's Office should take the opportunity to review its organisation and decision-making processes to ensure that large-scale issues, with both strategic and operational dimensions (including the relationship between the culture, practices and ethics of the press in relation to personal information on the one hand, and the application of the data protection regime to the press...
Matched on
terms: personal
Inquiry recommendation
48match
L62 - ICO Annual Report on Press
The Information Commissioner's Office, in the Annual Report to Parliament which it is required to make by virtue of section 52(1) of the Act, should include regular updates on the effectiveness of the foregoing measures, and on the culture, practices and ethics of the press in relation to the processing of personal data.
Matched on
terms: personal
Inquiry recommendation
48match
L59 - ICO Good Practice Guidelines
In discharge of its functions and duties to promote good practice in areas of public concern, the Information Commissioner's Office should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. This should...
Matched on
terms: personal
Inquiry recommendation
48match
L49 - Narrow Section 32 Exemption Scope
The exemption in section 32 of the Data Protection Act 1998 should be narrowed in scope, so that it no longer allows, by itself, for exemption from: (a) the requirement of the first data protection principle to process personal data fairly (except in relation to the provision of information to the data subject under paragraph 2(1)(a) of Part...
Matched on
terms: personal
Inquiry recommendation
48match
L48 - Section 32 DPA Amendment
The exemption in section 32 of the Data Protection Act 1998 should be amended so as to make it available only where: (a) the processing of data is necessary for publication, rather than simply being in fact undertaken with a view to publication; (b) the data controller reasonably believes that the relevant publication would be or is in...
Matched on
terms: privacy
IOPC learning recommendation
48match
Recommendation - Durham Constabulary, July 2024
The IOPC recommends that Durham Constabulary should conduct a review into the way it shares people's personal and sensitive information with a view to ensuring relevant staff are appropriately trained and understand the powers they are using, and that processes comply with legislation and ICO expectations. This recommendation has arisen following an IOPC review into a complaint where...
Matched on
terms: personal
PHSO casework decision
48match
P-002878 - HM Courts and Tribunals Service
Mr W complains that HM Courts and Tribunal Service sent an Attachment of Earnings Order (AoE) sharing his personal data with a company he has never worked for.
Matched on
terms: personal
PHSO casework decision
48match
P-002301 - A practice in the Brighton and Hove area
Ms G complains the Practice inappropriately disclosed personal and sensitive historical information to a fostering agency without her knowledge and consent. She also says some of the information was not relevant or correct.
Matched on
terms: personal
PHSO casework decision
48match
P-002661 - Derbyshire Healthcare NHS Foundation Trust
Mr P complains the Trust shared his personal and medical information with the local council without his consent.
Matched on
terms: personal
LGO / SPSO decision
48match
21-015-453 - Bracknell Forest Council
Summary: We will not investigate this complaint that the Council wrongly shared Mr X’s personal information with third parties as this is a matter for the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
48match
25-003-662 - Stoke-on-Trent City Council
Summary: We will not investigate this complaint about the Council allegedly sharing Mr X’s personal and business information with a third party. The Information Commissioner is best placed to consider how the Council handled Mr X’s data, and the county court is best placed to consider his claim for compensation.
Matched on
terms: personal
IOPC learning recommendation
48match
Recommendation - Metropolitan Police Service, January 2021
The IOPC recommends that the Metropolitan Police Service (MPS) should make their Information Code of Conduct and MPS Security Code policies clear that officers should not use their personal phones to contact members of the public unless there are no alternative options. The policies should also remind police officers and staff that those without a MPS issued mobile...
Matched on
terms: personal
LGO / SPSO decision
48match
22-002-272 - North Lincolnshire Council
Summary: We will not investigate this complaint about the Council disclosing personal details. This is because this matter is best dealt with by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
48match
22-007-062 - Chorley Borough Council
Summary: We will not investigate this complaint about the Council publishing the complainant’s personal information on its website. This is because this matter is best dealt with by the Information Commissioner’s Office.
Matched on
terms: personal
LGO / SPSO decision
48match
22-007-021 - Charnwood Borough Council
Summary: We will not investigate this complaint about the Council publishing the complainant’s personal information on its website. This is because the complainant has already complained to the Information Commissioner, who is best placed to deal with these matters. It would be reasonable for the complainant to pursue his claim for compensation through the courts. We cannot investigate...
Matched on
terms: personal
LGO / SPSO decision
48match
22-010-474 - Barnsley Metropolitan Borough Council
Mr X complains about the Council breaching his personal data to a third party without seeking his consent. We will not investigate this complaint. This is because it is reasonable for Mr X to complain to the Information Commissioner’s Office as the most appropriate body.
Matched on
terms: personal
LGO / SPSO decision
48match
22-009-289 - Ashfield District Council
Summary: We will not investigate this complaint that a visit by the Council to check Mr X’s welfare was a breach of his personal data. That is because there is not enough evidence of fault to justify our involvement.
Matched on
terms: personal