Out-Law News 1 min. read
23 Sep 2016, 2:50 pm
The data protection authority raised its concerns about fair processing of data following a joint international study by it and 24 other privacy watchdogs in other countries.
The watchdogs looked at how companies "communicate privacy matters to their customers" when supplying devices such as smart meters, internet-connected thermostats and wearable health trackers.
Data privacy practices applicable to more than 300 different devices were assessed in the study, the ICO said. It said 59% of devices scrutinised "failed to adequately explain to customers how their personal information was collected, used and disclosed".
The UK's Data Protection Act requires that individuals' personal data is processed fairly and lawfully. Organisations processing personal data must ensure that people to whom the data relates are provided with certain information, including who the 'data controller' is, the purposes for which the data is to be processed, and any other information about the data processing circumstances that is "necessary" to ensure the processing is fair.
According to the ICO, in 68% of cases assessed in the study, consumers were not properly notified about how their data was stored, and they were not informed how they could delete their information from devices 72% of the time, the ICO said. It raised particular concern about patient data being sent from medical devices to GPs via unencrypted email too.
The watchdog also said that "easily identifiable contact details" were absent in 38% of the cases, inhibiting consumers from being able to raise "privacy concerns" with the device manufacturers.
Each authority will now consider whether individual cases merit them taking enforcement action, the ICO said.
Steve Eckersley, ICO head of enforcement, said: "This technology can improve our homes, our health and our happiness. But that shouldn’t be at the cost of our privacy. Companies making these devices need to be clear how they’re protecting customers. We would encourage companies to properly consider the privacy impact on individuals before they go to market with their product and services. If consumers are nervous that devices aren’t using their data safely and sensibly, then they won’t use them."
"By looking at this internationally, we’ve been able to get an excellent overview on this topic. We’ll now be building on that, working with the industry and looking specifically at companies who might not have done enough to comply with the law," he said.
In 2014 data privacy watchdogs from around the world signed a data protection declaration on the subject of data generated by devices, or 'internet of things' sensor data, which said that such data "should be regarded and treated as personal data".