norm. data protection bulletin: 8th January 2024


Bank of Ireland reprimanded by ICO for inaccurate data on customers’ accounts

Bank of Ireland has been reprimanded by the Information Commissioner’s Office (ICO) after it sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies. The ICO’s investigation found that, “due to the complex nature and different factors contributing to credit scoring”, it would be impossible to determine the actual damage caused to each customer. However, the ICO concluded it was reasonable to assume that the inaccurate data would have had a negative impact on the customers affected. Accordingly, Bank of Ireland was found to be in breach of data protection law by failing to ensure that personal data was accurate, as required by article 5(1)(d) of the GDPR.

This demonstrates that the ICO is able and willing to take enforcement action where inaccurate data has been shared between financial organisations, even when it has been unable to establish that any harm has actually been caused to anyone as a consequence.

Google’s new Health App Policy

Google is adding a new Health App Policy to its set of requirements for Health Content and Services. The policy will become effective at the end of May 2024 and will apply to health apps. Google classifies three groups of apps as health apps: medical apps that enhance medical care and facilitate diagnosis and treatment; health and fitness apps that enable users to reach fitness and wellness goals; and health research apps used for research studies. The new Health App Policy will also apply to apps that have health-related features and access health data but which are not primarily health apps (for example, insurance-related apps).

The new policy introduces requirements for the inclusion of comprehensive content in privacy notices describing the access, collection, use and sharing of personal data. The policy also includes requirements for the accessibility, format and location of privacy notices. Apps that access health data, but which are not primarily health apps must make clear to users the connection between the app’s core functionality and the collection of health-related data.

Other requirements introduced by the policy include:

  • Obtaining a clearance letter or other approval documentation from a regulator or other responsible body when the app is considered a medical device or SaMD (Software as a Medical Device).
  • Obtaining consent from participants (or, in the case of minors, from parents or guardians) when the app is conducting health-related subject research, as well as securing approval from an Institutional Review Board or other independent ethics committee, unless exempt.
  • Submitting an eligibility form if the app is being developed under permission from a government or other healthcare organisation, in affiliation with that organisation.

Comment: This is a reflection of the increased focus on the need for transparency via privacy notices (policies).
