
Data protection - Quarterly News Roundup (January to March 2024)


We have made it through winter and into spring and here is our latest quarterly update looking at our data protection news highlights for the UK between January and March 2024.

Enforcement action and biometric data 

Earlier this month the Information Commissioner’s Office (ICO) fined Serco Leisure in respect of their use of facial recognition technology (FRT) to monitor employees. A key issue to consider when using facial recognition technology, which is considered particularly invasive, is whether it is necessary and proportionate (i.e. can you achieve the same purpose in a less invasive way). The notice required Serco to stop using FRT and to delete all related personal data.

New guidance

The ICO has issued new guidance for employers on sharing an employee’s personal data in a mental health emergency and on biometric recognition.


The ICO has continued to emphasise the need for organisations to ensure they are lawfully using cookies, focusing largely on lawful website cookie banners (banners which allow users to reject cookies with just one click on the face of the cookie banner and which are not set out so as to encourage acceptance over rejection). This follows action by the ICO in November 2023 when it wrote to the companies running 53 of the UK’s top 100 websites warning them that their use of advertising cookies was not lawful. You can read more here, including the original letter sent by the ICO to the companies.


The ICO has updated its opinion on age assurance following the coming into force of the Online Safety Act. The update focuses on the expression “likely to be accessed by children” in the context of online services and emphasises the need for all online providers to consider age verification technology. You can read more here.

PECR fine

Electronic marketing fines under PECR have continued, this time with a high profile fine of £140,000 for HelloFresh for sending over 80 million emails and texts based on “an insufficiently clear opt-in”. See here for further details.

US Transfers

Following the coming into effect of the UK-US Data Bridge, the ICO has issued updated transfer risk assessment (TRA) guidance for US transfers (which you can access here), which aims to make completing TRAs easier.

HR and AI 

The government have released a guide to the responsible use of artificial intelligence in recruitment.


The National Institute of Standards and Technology (NIST) has updated its Landmark Security Framework, which aims to help all organisations to manage and reduce risks, and the National Cyber Security Centre has issued guidance to support CEOs in public and private sectors to manage and respond to a cyber incident.


Finally, a quick update on UK data protection reform to say that progress is being made, but it remains unclear if the Bill will pass before a general election is called and, if it doesn’t, it seems likely it will not proceed at all.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact [email protected].
