Privacy & Information Security Law Blog

On July 23, 2020, the UK Information Commissioner’s Office (the “ICO”) published the first two reports of its Data Protection Regulatory Sandbox Beta phase (the “Beta phase”) involving projects by Jisc (a not-for-profit organization serving the higher and further education and skills sectors) and Heathrow Airport Ltd.

The ICO introduced the Regulatory Sandbox service with the goal of demonstrating that data protection can be combined with real world innovative solutions. The Beta phase of the Regulatory Sandbox was launched in September 2019 as a pilot and involves the assessment of ten products and services that use personal data in innovative ways.

As we previously reported, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth has supported the ICO’s Regulatory Sandbox initiative by responding to the ICO’s public consultation on the creation of a Data Protection Sandbox in October 2018 and by publishing a March 2019 white paper entitled Regulatory Sandboxes in Data Protection – Constructive Engagement and Innovative Regulation in Practice following a joint roundtable with the ICO and industry on the same topic.

The ICO announced that the work undertaken as part of the Beta phase has pushed it to consider where additional guidance may help organizations with compliance, for instance, in the areas of assessing suitable legal bases for processing, identifying data protection risks and implementing the purpose limitation principle. According to the ICO, “[b]y applying the legislation to new and emerging situations, we are also developing our understanding and we are already using this to inform our wider guidance and regulatory approaches.”

The two newly published reports reveal the outcomes of collaboration between the ICO and the two organizations. Key takeaways from each report are outlined below:

• Jisc—Wellbeing Code of Practice: Jisc has developed a Wellbeing Code of Practice (“Code of Practice”) with universities and colleges who want to investigate the use of student activity data to improve the provision of student support services, including those related to mental health wellbeing. Two key tools were developed for the Code of Practice during the Sandbox service:
  • a Purpose Compatibility Matrix, which enables universities to assess whether the data they intend to use would not be incompatible with the original purposes for which data were collected; and
  • a Data Protection Impact Assessment (“DPIA”) template with guidance for universities and pre-defined risk mitigation measures.

The Code of Practice also includes best practices on how universities can demonstrate compliance with the accountability principle under the EU General Data Protection Regulation (“GDPR”), including performing DPIAs and identifying the most appropriate lawful bases and conditions for processing, as well as guidance on how to provide privacy notices to students, including those under 18 years old.

Jisc and the ICO agreed that the most appropriate legal bases for universities to rely upon under Article 6 of the GDPR were either public task or legitimate interests, and, for the processing of special categories of personal data, the substantial public interest condition for safeguarding children and individuals at risk (DPA 2018 Schedule 1 paragraph 18).

It is generally accepted in the UK and by the ICO that universities are likely to fall under the definition of “public authorities” in relation to the performance of some of their tasks. Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority and, in this case, they must undertake legitimate interest assessments.

One of the objectives of this Sandbox project could not be met due to COVID-19-related delays—a commissioned report to evidence that the interventions resulting from Jisc’s proposed mental health analytics would be strictly necessary. Jisc agreed with the ICO that this report will take place outside of the Sandbox process.

• Heathrow Airport Ltd.—Automation of the Passenger Journey program: Heathrow Airport’s Automation of the Passenger Journey program aimed to streamline the passenger journey by using biometrics. Facial recognition technology would be offered at check-in, self-service bag drops and boarding gates to create a seamless experience for passengers travelling through the airport. Passengers would no longer have to present different forms of documentation, such as boarding cards and passports, at different points in their journey to prove their identity and show that they are authorized to travel. The following data protection issues were considered:
  • Complex data controllership issues, as Heathrow would be considered a joint-controller for certain data processing activities and a processor for others; and
  • Legal bases for processing, as Heathrow would be unable to rely on compliance with a legal obligation, and would therefore have to seek explicit consent during the passenger journey in the airports. Heathrow and the ICO jointly agreed that layered communications and an affirmative action being completed by the passenger would not be compliant means of showing an express statement of explicit consent.

After consideration of the feedback concerning the method for obtaining explicit consent, Heathrow notified the ICO on March 10, 2020 that it intended to postpone plans to undertake further evaluation of its process. Heathrow will use the recommendations provided to them during their time in the Sandbox to, in conjunction with airline and technology providers, design a suitable GDPR-compliant process for automating passenger journeys in the airport.

The ICO has encouraged Heathrow and other stakeholders in the airline sector to collaborate on the development of a code of conduct for the processing of personal data in the operation of automated passenger journeys.