Information Commissioner's Office

🆕 “Put transparency first.” The UK Information Commissioner, John Edwards, has written to the CEOs of 12 water companies urging them to be more open when releasing information about sewage discharges. In the letter, the Commissioner writes that “openness is the default position” under the Environmental Information Regulations 2004 (EIR). The letter encourages water companies to proactively publish regular information about sewage discharges. This will provide more efficient and timely details to the public, as well as being more cost effective for the water companies. The EIR treats information about ‘emissions’ - which includes sewage discharges – as a special category of information in that several exceptions to disclosure cannot apply. This reflects the importance of providing timely responses to information requests from the public. Transparency should be the default position and the ICO will continue to work closely with Ofwat and UREG NI to ensure the right information is being released at the right time. David Black, Chief Executive at Ofwat, said: "As trust in the water sector is falling, that tells us companies have more to do. They should move to embrace open data as a matter of course, and they should be more open in sharing their plans and progress. And they should not wait to be pushed. Customers have paid companies to install monitors and collect their data. They have a right to see what it says." Barbara Cantley, Director of Consumer Protection and Enforcement at UREGNI added: “The Utility Regulator encourages all regulated companies to adhere to the highest levels of transparency and accountability. We continue to work with all licensees and other regulatory bodies to ensure the highest standards are upheld.”  Read the letter in full: https://lnkd.in/erRt69fg

Sut rydyn ni'n helpu'r heddlu i gydymffurfio â Rhyddid Gwybodaeth – a'r hyn rydyn ni'n ei wneud os na wnân nhw. Bob dydd mae ein bywydau yn cael eu gwella wrth i wybodaeth gael ei rhyddhau sy’n ein grymuso i wneud dewisiadau gwybodus o edrych ar sgoriau hylendid bwytai neu gyfraddau methu gwahanol fathau o geir yn y prawf MOT. Mae’r wybodaeth yma’n cael ei chyhoeddi’n rhagweithiol ac mae’n ein helpu ni i gyd i wneud dyfarniadau a phenderfyniadau gwybodus. Ac mae gennyn ni ran i'w chwarae fel rheoleiddiwr. Rydym yn cyhoeddi gwybodaeth yn gyson sy'n tynnu sylw at arferion da a drwg mewn rhyddid gwybodaeth er mwyn i bobl eraill ddysgu a datblygu. Heddiw, hoffem dynnu sylw at enghreifftiau o'r ddau yn y sector plismona. Dangosodd ein harchwiliadau diweddar a'n gwaith ar arferion da fod tebygrwydd rhwng heddluoedd sy'n perfformio'n dda. Gwelsom fod gan wasanaethau heddlu sydd ag arferion rhagorol mewn rhyddid gwybodaeth: ➡️ Ymrwymiad gan yr uwch arweinwyr. ➡️ Perthnasoedd mewnol da. ➡️ Timau amlswyddogaeth ➡️ Templedi ar waith i sicrhau bod disgwyliadau’n cael eu bodloni. ➡️ Polisïau ar waith ar fynd ati i ddatgelu gwybodaeth. ➡️ Amser i rwydweithio a meithrin perthnasoedd â heddluoedd a gwasanaethau eraill. Gallwch ddarllen ein hadroddiad ar yr archwiliad yn llawn i ddysgu mwy am yr arferion gorau a'r argymhellion a amlinellwyd gennym: https://lnkd.in/g7_ucG9j Ond, nid addysgu yn unig yw ein rôl ni. Pan welwn ni arferion gwael, nid ydym yn ofni gweithredu. Ac felly, rydym wedi dyroddi hysbysiadau gorfodi yn erbyn tri heddlu am berfformiad gwael dan y Ddeddf Rhyddid Gwybodaeth sydd wedi arwain at dagfeydd sylweddol. ➡️ Heddlu Dyfed Powys Gostyngodd y lefelau cydymffurfio mor isel â 6% (Mehefin 2023) a chawsom 13 o gwynion yn 2023. Erbyn 9 Tachwedd 2024, mae'n ofynnol i Heddlu Dyfed-Powys ymateb i'r holl geisiadau am wybodaeth a oedd yn eu tagfa pan ddyroddwyd ein Hysbysiad Gorfodi.   ➡️ Gwasanaeth Heddlu’r Metropolitan (y Met) Mae'r Met wedi methu ymateb yn gyson i geisiadau Rhyddid Gwybodaeth yn brydlon. Rhwng Ebrill 2023 a Chwefror 2024, roedd cyfanswm yr ymatebion Rhyddid Gwybodaeth a anfonwyd yn brydlon rhwng 60% a 67%.   Erbyn 1 Tachwedd 2024, mae'n ofynnol i'r Met ymateb i'r 362 o achosion a oedd yn eu tagfa pan ddyroddwyd ein Hysbysiad Gorfodi.   ➡️ Heddlu De Cymru Gwelsom fod cydymffurfiaeth Heddlu’r De wedi gostwng yn sylweddol yn 2023 - o 74% i ddim ond 45%. Ar 31 Ebrill 2024, roedd 167 o geisiadau yn hwyr gydag un achos dros 120 diwrnod oed. Erbyn 20 Rhagfyr 2024, mae'n ofynnol i Heddlu’r De ymateb i'r holl geisiadau am wybodaeth a oedd yn eu tagfa pan ddyroddwyd ein Hysbysiad Gorfodi. Rydyn ni hefyd wedi gofyn i’r tri heddlu ddyfeisio a chyhoeddi cynlluniau gweithredu sy'n nodi’r mesurau y byddan nhw’n eu cymryd i ymateb i geisiadau mewn pryd a chlirio’u tagfeydd. Darllenwch ragor am bob un o'r achosion hyn a'n gweithredoedd ninnau: https://lnkd.in/gp3-5FG9

Did you know that if you're an innovator developing new AI and digital products or services you can seek advice from two or more regulators at once? Read on to learn how 👇 We're part of the Digital Regulation Cooperation Forum (DRCF)’s AI and Digital Hub - a free service that will provide advice to help unlock innovation and support UK economic growth. So if you’re developing a new AI or digital product that will benefit consumers, watch the DRCF's video to learn more and apply to the hub on the DRCF's website: https://lnkd.in/e6SuBkKC

You can no longer just rely on your own internal cyber security controls to secure information. Third parties are now processing more sensitive information on behalf of other organisations than ever before. Your organisation may have great internal cyber security protections, but have you conducted a risk assessment on your supply chain? What is a supply chain attack? A supply chain attack is when products, services, or technology you’re supplied with have been breached or compromised and are used to infiltrate and compromise your own systems. Supply chain attacks are more complicated than many other attacks and your recovery may depend much more heavily on your third-party supplier. Here are a few things you can do to reduce the risk: • Have a robust supply chain risk management process in place. • Document, evaluate and regularly review risks in your supply chain. • Conduct thorough due diligence with any potential suppliers. • Have assurances from your processors before sharing any information with them and have documented service level and security agreements. Read more about supply chain attacks in our cyber report and learn from the mistakes of others 👉 https://lnkd.in/eJ2cs424

It’s championship weekend in Wimbledon and we have some Grand Slam tips for you to make sure you ace your data protection practice 👇 🥎 Be wary of suspicious emails. Keep an eye out for phishing emails and train your staff on how to spot them. Just how every player is wary of Roger Federer’s drop shots. 🥎 Manage who has access. Think about who really needs to access information. Queueing from early in the morning doesn’t guarantee you access in every situation. 🥎 Keep your software updated to the latest version and patch potential weak points faster than Serena Williams’ forehand. 🥎 Create a strong password using three random words on every account. ‘EmmaRaducanu’ is a weak password and is easy to guess if it doesn’t require much research to find out you’re a huge tennis fan. 🥎 Back up your information regularly in a second location. Then you can relax on Murray Mound and enjoy your strawberries and cream worry free. Read more tips on our website to become a Grand Slam champion of securing people’s information: https://lnkd.in/eF8kiwB7

There is some form of harmful design found in more than 75% of websites and apps. We’re part of the Global Privacy Enforcement Network (GPEN) which published the results of our sweep which examined 1,000+ websites and mobile apps. The sweep found that above 75% of them contained deceptive design patterns that made it difficult for users to make privacy-protective decisions. Deceptive design patterns are when websites use techniques which means people give up more of their personal information than they want to. Collectively, we’re calling for businesses to stop using design practices that could undermine people’s control over their personal information. Here are some of the key findings from the GPEN sweep: • The most common types of deceptive design patterns were obstruction/interface interference. Last year we published a joint paper with the Competitions and Markets Authority that set out the pitfalls of harmful design and advise what organisations should do: https://lnkd.in/gv3WvWCE • More than 25% of the websites and apps examined forced users to accept cookies if they wanted to access the website/app. Our cookies project addresses problems with website’s cookies https://lnkd.in/e-bty_Qt • 75% of privacy policies were difficult, very difficult, or extremely difficult to read. Privacy notices are important to let people know how you are handling their personal information. Our privacy notice generator will create one for your organisation that is easy for people to understand: https://lnkd.in/eFTC3AzB • More than 50% of apps and websites had no clear option for people to delete their account. It is important that people are aware of and have control over how their information is being used. Read the Sweep report in full on the GPEN website: https://lnkd.in/gazeG7Mt

🏰 Sturdy castles (sand or stone) are built upon strong foundations - just as innovative projects should have strong foundations of data protection. Our Regulatory Sandbox is now open for expressions of interest! What is the Sandbox? The Sandbox is a free service we developed to support organisations that are creating products and services that use data in innovative and safe ways. We work with participants by offering our expertise and advice on building privacy in mind from the beginning of their projects. What are the benefits of joining? • You’ll have free access to our expertise and support. • You’ll leave with increased confidence in the compliance of your finished product or service. • Support the UK in its ambition to be an innovative economy. • You’ll have the opportunity to develop products and services that can be shown to be of value to the public. We’ve worked with organisations developing products and services on a wide range of topics. Here are just a few: • Yoti explored age estimation technology to ensure that providers of children’s only services, such as gaming websites, can create a safe virtual environment. • FlyingBinary entered the Sandbox to develop an online service which seeks to assist with the traditional mental healthcare of patients with pathologies such as eating disorders. • Eclipse Digital Solutions and Geutebruck (UK) are currently working on their project to create an AI driven platform to help predict and prevent falls in NHS sites and care home settings. • Kestrix entered our Sandbox to get our support on a project focused on reducing heat loss from buildings, using mass thermal image capture and AI to help housing providers create more energy-efficient homes in the future. If you’re looking to use information in an innovative way, take inspiration from the previous entrants and register your interest to the Sandbox now 👉 https://lnkd.in/eiCcyz2F

Our world-leading Children’s code means young people are better protected online than they’ve ever been. Bringing in the code has led to changes by social media platforms, gaming websites and streaming services, which now need to provide better privacy protections for children. Websites and products affected by the code need to provide additional layers of protection for children’s data. This might involve restricting or removing certain features to children if they’re under 18. Some of the things you might see are: • privacy settings being automatically set to very high; • children and their parents/carers being given more control of the privacy settings; • non-essential location tracking being switched off; • children no longer being ‘nudged’ by sites through notifications to lower their privacy settings; and • clearer and more accessible tools being in place to help children exercise their data protection rights (including parental consent tools). UK Information Commissioner, John Edwards, was in Cambridge to talk to industry, academia and regulators from across Europe to make sure that progress continues. Read more about the code: https://lnkd.in/eSHXHpzG

NEW: How we help police to comply with FOI – and what we do if they don’t. Every day our lives are enhanced because public bodies release information that empowers us to make more informed choices – from looking at restaurant hygiene ratings to car make and model MOT failure rates. This information is proactively published and helps us all to make judgements and decisions. And we have a role to play as regulator. We regularly publish information that highlights both good and bad FOI practice so that others can learn and develop. Today we want to highlight examples of both in the policing sector. Our recent audits and upstream good practice work showed there are similarities between high performing police forces. We found that the police services with excellent FOI practices had: - Senior leadership buy-in. - Good internal relationships. - Multi-functional teams - Templates in place to ensure expectations are met. - Proactive disclosure policies in place. - Time to network and build relationships with other police and services. You can read our audit report in full to learn more about the best practice and recommendations we outlined: https://lnkd.in/ejAifcee However, our role is not just to educate. Where we see poor practice, we are not afraid to take action. And so, we have issued enforcement notices against three police forces for poor FOI performance which has led to significant backlogs. • Dyfed Powys Police (DPP) Compliance levels fell as low as 6% (June 2023) and we received 13 complaints in 2023. By 9 November 2024, DPP is required to respond to all the information requests in their backlog when we issued our Enforcement Notice. • Metropolitan Police Service (The Met) The Met have consistently failed to respond to FOI requests on time. From April 2023 to February 2024, the amount of FOI responses sent on time was between 60% to 67%. By 1 November 2024, the Met is required to respond to the 362 cases that were in their backlog when we issued our Enforcement Notice.    • South Wales Police (SWP) We found South Wales Police compliance significantly dropped in 2023 – from 74% to just 45%. As of 31 April 2024, 167 requests were overdue with one case over 120 days old. By 20 December 2024, SWP is required to respond to all the information requests that were in their backlog when we issued our Enforcement Notice. We’ve also asked each force to devise and publish action plans setting out measures they will take to respond to requests in time and clear their backlogs.   Read more about each of these cases and our action: https://lnkd.in/e6Dsm6J5

If you check just one thing before you sign up to an app, make it this. 🤔 Have they made the privacy notice clear and easy for you to understand? The privacy notice should include your information rights, things such as the right to withdraw consent. You should also be told how you can complain if you've got concerns about the way the app is using your information. You’re in control, so don’t press ‘agree’ unless you do. You can read more about your rights over your personal information on our website: https://lnkd.in/e2pVd4EA