Issue 20


By Maureen Falconer, Regional Manager, Information Commissioner’s Office in Scotland

Maureen Falconer is the Regional Manager at the Information Commissioner’s Office in Scotland. Based in Edinburgh, Maureen manages a small team who punch well above their weight in providing advice and guidance to Scottish stakeholders. In an attempt to cover the whole of Scotland, the team has visited as far afield as the Shetland Isles in the north, Lewis and Harris in the west, Galashiels and Dumfries in the south, Aberdeenshire in the east and everywhere in between! In this article, Maureen shares some of the work that is occupying the ICO at this time, beginning with an exciting new project due to go live in April that will provide organisations with a safe space to test innovative processes in the ICO Sandbox. If your organisation is thinking about new products or processes that involve the use of personal information then read on! Maureen then goes on to help organisations understand the data protection fee and what needs to be done to ensure compliance. Finally, if your organisation shares personal information currently with Europe, then you need to know what you should be doing now to keep the data flowing in the event of a ‘no deal’ Brexit.

ICO regulatory sandbox

As you may already know, the Information Commissioner has a particular interest in innovation and technological advancement and has created a specialist team with the ICO to lead in this area. Last year we developed and published our Technology Strategy 2018-2021, and the ICO Sandbox is a key commitment in that strategy, supporting the dual aims of privacy and innovation.

The purpose of the sandbox is:

to support the use of personal data in innovative products and services that can be shown to be in the public interest;
to help develop a shared understanding of what compliance in particular innovative areas looks like; and
to support the UK in its ambition to be an innovative economy.

After an initial call for views on how the sandbox might work in practice, we have continued to develop the systems and processes necessary to launch a fully functioning beta phase of our sandbox, with the aim of opening for applications at the end of April. The ICO sandbox beta phase is a fully functioning test of the ICO’s sandbox over a defined period. If the beta phase is successful, the sandbox will then form a part of our regulatory toolkit. In this beta phase, we will aim to involve around 10 organisations of different types and sizes ideally from across from the private, public and third sectors. We will particularly welcome applications for products or services that address specific data protection challenges central to innovation. These challenges are:

  • use of personal data in emerging or developing technology such as biometrics, internet of things, wearable tech, cloud-based products;
  • complex data sharing at any and all levels;
  • building good user experience and public trust by ensuring transparency and clarity of data use;
  • perceived limitations, or lack of understanding of the GDPR and the DPA 2018 provisions on automated decision making, machine learning or AI; and
  • utilising existing data (often at scale and in linking data) for new purposes.

Whilst we will welcome applications that address these issues, they are not exclusive and we are open to other innovative ideas that are in the public interest. We’ve had lots of questions about how our sandbox might work in practice and we know that organisations will be considering whether an application will be right for them.

Of course, the thought of using the Regulator’s sandbox as a testing environment for your new innovations may fill you with apprehension: what if something goes wrong and results in a breach? Well, while we cannot set aside or relax the legal requirements set out in data protection legislation and we always reserve the right to take whatever action we deem appropriate regarding any breach, we shall be operating a flexible approach in the sandbox as an incentive for participation.

The first approach will be to provide Comfort from Enforcement. This will be an assurance that when accepting organisations into the sandbox, so long as they are taking appropriate steps to try to comply, any accidental breach of data protection legislation during the sandbox process will not lead immediately to enforcement action. So long as the organisation in the sandbox reports breaches to us immediately, the relevant processing ceases, and concerns are then addressed in a timely and satisfactory manner, then we would be very unlikely to take any action. This comfort from enforcement would be subject to organisations maintaining a productive dialogue with the ICO throughout the sandbox process.

The second approach will be to provide Letters of Negative Assurance. The rationale behind this is to provide information about the product or service in respect of its compliance with data protection legislation. So long as all conditions set out within the sandbox plan have been met, these letters would be issued to participants on exiting the sandbox and would confirm that at the point the relevant product or service transitioned out of the sandbox, we saw nothing to indicate its operation would breach data protection legislation and that any potential areas of concern or potential breaches were resolved at that time.

We aim to publish full details of our sandbox beta phase online by the end of March, and to open applications near the end of April. Read our discussion paper or contact our sandbox team, available now to discuss how it might assist an organisation’s development of innovative products and services. The team can also provide information and guidance on the application process. All queries should be sent to

Data Protection Fees action

With the introduction of the General Data Protection Regulation (GDPR) in May 2018, ICO registration changed. The Information Commissioner is no longer required to maintain a register of data controllers under GDPR but the Data Protection Act 2018 (DPA), introduced a new requirement to pay a data protection fee to the ICO. The new regime has greater stratification in the fee while ensuring that SMEs do not have an additional financial burden by enabling them to maintain the same level of fee as they would have paid under the old regime in the vast majority of cases.

Under the old regime non-payment of the fee was a criminal offence. However, the new regime is a civil matter, attracting a monetary penalty for non-compliance rather than it being criminal. The new penalties range from £400 for the smallest organisations to up to £4,000 for larger organisations, both in addition to the relevant fee. In November 2018, we issued our first monetary penalties based on the fee the organisation should have paid. In total, 103 monetary penalties were issued for non-payment in 2018. Of those, 85 organisations were fined £400, 2 organisations were fined £600 and 16 organisations were fined at the highest level of £4,000.

The following table provides a breakdown by sector:

If you are not sure if you are required to be registered as a data controller with the ICO, you can use our five minute self-assessment tool on our website to decide if you – as an individual or on behalf of your business or organisation – need to pay a fee to the ICO. However, not everyone has to pay the new fee now. Controllers who have a current registration (or notification) under the old data protection regime do not have to pay the new fee until that registration has expired.

There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The amount you will need to pay depends on a number of different factors, including:
how many members of staff you have;

  • your annual turnover;
  • whether you are a public authority;
  • whether you are a charity; or
  • whether you are a small occupational pension scheme.

However, not all controllers will be required to pay a fee and exemptions exist for specific circumstances. You won’t need to pay a fee if you are using personal data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions, or
  • Processing personal information without an automated system such as a computer.

Nevertheless, a word of caution if you are relying on one of these exemptions: even if you are exempt from having to pay a fee, you are not exempt from the rest of the data protection law! You must still ensure that you are complying with all of your other data protection obligations.

Brexit and a no deal scenario

As we get ever closer to 29 March, the uncertainties surrounding the UK leaving the European Union continue unabated. In the absence of clear direction, the void is often filled with myths and misconceptions and each new day seems to bring yet another new twist and unexpected turn. Of the many strands of negotiations that need to be agreed, data protection and the continued sharing of personal information between the UK and the EU will be fundamental to the economic wellbeing and viability of many private and public sector organisations.

While the UK continues to be a member of the EU, personal information is able to be shared between member states using the common data protection framework of the GDPR. An orderly and agreed withdrawal will ensure that the sharing of personal information continues without disruption, at least in the short term. However, if an agreed withdrawal cannot be settled by 29 March and the UK exits without a deal in place, the UK effectively becomes a ‘third country’ for the purposes of data protection and organisations currently engaged in the sharing of personal data with European Economic Area (EEA) countries must have implemented the necessary requirements to ensure continued compliance with EU law.

Earlier this year, the Information Commissioner, Elizabeth Denham, published her myth-busting blog, challenging some of the misconceptions about what an exit with no agreement in place will mean for UK organisations transferring personal information to and from the EEA. The first challenge was to the notion that a no deal outcome will result in an immediate stop to all sharing of personal information between the UK and countries within the EEA. The UK Government has provided assurances that there will be no impediment to UK organisations continuing to share personal information with EEA countries. However, additional measures will be required to allow reciprocal information sharing from EEA countries to the UK.

It is imperative, therefore, that your organisation understands the ‘journey’ that personal information goes through from the moment it is obtained until it is put beyond use. Mapping the data flows is an essential first step to ensure you understand what you may be required to do. Hopefully, this has already been carried out by most organisations as part of their preparation for GDPR so it’s just a case of reviewing an existing data flow map. For those less prepared, mapping your data flows and knowing the legal bases on which you are relying to use personal information should be your number one priority! Our guidance – Leaving the EU – six steps to take sets out a plan of action that you can follow to help you prepare for a ‘no deal’ outcome. In summary, the six steps are:

If your organisation is transferring personal information both to and from EEA countries, you will find our online interactive tool helpful in understanding how the insertion of Standard Contractual Clauses (SSCs) in contracts is one way that may help you legitimise and maintain the flow of such data. The interactive tool includes help with completing the clauses, but we will be developing the tool further to help organisations generate them automatically.

Whatever you decide to do, doing nothing is not a viable option. There are other mechanisms that might be employed to ensure continuity but they need to be acted upon now. The ICO has developed FAQs, blogs and podcasts that can be accessed from the Data protection and Brexit | ICO pages of our website.

Keep up to date with the ICO @ICONews

By Maureen Falconer, Regional Manager, Information Commissioner’s Office in Scotland

Issue 20

Issue 20


Let People Choose their GP Practice

General Practitioners are often a patient’s first and only contact with the NHS in Scotland. However, unlike hospitals which are owned and operated by the public sector, the vast majority of GP practices are actually private sector contractors to the NHS.


Looking for a previous issue? Use the menu below to select an issue.