Yoti blog

Stories and insights from the world of digital identity

Getting to grips with GDPR: The right to have data restricted

The sixth article in our series on GDPR rights is about the right to have data restricted. Catch up on previous articles on your right to be informed, the access right, correction right, deletion right, and the right to object.

Part 6: The right to have data restricted

This right is not strictly new, as current law provides for a court to be able to order an organisation to restrict their processing of certain data, but GDPR makes it a right you can exercise directly with an organisation. This right is essentially like putting your personal data in limbo – the organisation can continue to store it, but they cannot actively do anything with it.

What’s new?

You can ask an organisation to restrict your data in the following circumstances.

- Where you dispute the accuracy of the personal data you can ask the organisation to restrict it until the dispute is resolved.
- Where you have objected to the organisation processing your personal data (see part 5 of our blog post series for more information on the objection right) you can ask the organisation to restrict it until the issue is resolved.
- When the organisation has processed your data unlawfully, you can request restriction instead of deletion.
- If the organisation no longer needs the personal data (and so would ordinarily delete it) but you need the data to establish, exercise or defend a legal claim.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

You can make a restriction request to privacy@yoti.com.

Getting to grips with GDPR: The right to object

The fifth blogpost in our series on GDPR rights is about the objection right. Catch up on previous articles on your right to be informed, your access right, your correction right, and your deletion right.

Part 5: The right to object

There is already a right to object in current UK data protection law (the right to prevent processing), but it is set out a little differently to the GDPR right. In both current law and GDPR there are two aspects to this right:

- The right to object to direct marketing.
- The right to object to other processing of your information.

Objecting to marketing

The right to object to marketing is a straightforward right that always applies. This means you can say ‘no thanks’ at any time to stop getting marketing from an organisation. All e-mail marketing should have an unsubscribe link in it (or other method to say no thanks). Organisations should tell you how and make it easy to stop getting marketing. GDPR adds to your right by including any profiling that has been carried out in relation to sending you marketing.

Objecting to other processing

The right to object to other processing is more complicated and only applies in certain circumstances. Under current UK data protection law, you can prevent processing of your personal information if that processing is causing, or could cause, you substantial and unwarranted damage or distress. However, this right doesn’t apply if you gave your consent to the processing, if it’s necessary to deliver the product / service, if it’s a legal obligation or if it’s in your vital interests (life or death scenarios).

Under GDPR, there are similar restrictions on when the right applies, but there is no threshold of damage or distress. So you can object to processing where the lawful basis is ‘legitimate interests’ or ‘public interest’ or where the processing is for scientific / historical research purposes. (However, for research, the right doesn’t apply if the research is necessary for a task that is being carried out for reasons of public interest.)

When does the right not apply?

An organisation does not have to stop processing your personal information if:

- they can demonstrate compelling legitimate grounds for the processing, which overrides your objection; or
- the processing is to establish, exercise or defend legal claims.

You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

What is Yoti doing?

For marketing: Yoti only has your e-mail address for marketing purposes if you gave it to us because you wanted to hear from us. If you want to unsubscribe from e-mail marketing, use the unsubscribe link in the e-mail.

For other processing: most of the personal information processing we do in relation to our app, products and services is necessary to deliver the app, products and services. For biometric data processing as part of the app’s security, we ask for your consent, which you can withdraw in settings at any time. Therefore, for app users, the only processing we do on the basis of ‘legitimate interests’, and so the only processing this right applies to, is our metrics to understand how our app is being used. We de-identify and aggregate that data so we have no way to connect it to an actual user.

What other obligations do organisations have?

As part of our other products and services (Dashboard, if you visit our office) we may have contact details from you as part of setting up accounts or signing in. The right to object applies to this information but we have justifiable business reasons for keeping it.

You can contact our Data Protection Officer on privacy@yoti.com.

Getting to grips with GDPR: The right to request deletion

The fourth article in our series on GDPR rights is about the deletion right. Catch up on previous articles that cover your right to be informed, the access right, and the correction right.

Part 4: The right to request deletion

There has been a lot of hype and misleading information about this right and it is often called ‘the right to be forgotten’. The reality is that there is no such right, and it has always been the case that your right is to request deletion, not demand it. This is a complicated right in that it only applies in certain circumstances and, even where it applies, organisations won’t have to delete your information in some scenarios.

In current UK law, this right is part of the right to correct data, in that a court can also order an organisation to delete inaccurate personal data. In practice, organisations will usually consider any deletion request they receive without insisting you go to court. Most organisations in most circumstances will have legitimate reasons for having or using your information, so they will not be required to delete it. The most likely reason for needing to delete it is if they should have already done so, and are continuing to hold information they no longer need.

What’s new?

GDPR provides a direct right to have an organisation delete your personal information in certain circumstances.

- The information is no longer necessary for the purposes for which the organisation collected/used it.
- The organisation collected/used the information based on your consent, and you withdraw that consent, and there are no other lawful grounds to keep it.
- You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.
- You object to your information being used for direct marketing purposes.
- The organisation has collected/used the information unlawfully.
- The organisation has a legal obligation to delete the information.
- The organisation has collected the information to offer an online service to a child.

What does this mean?

The reality is that if you ask an organisation to delete your information, they will only have to do so where they have not complied with other GDPR or legal obligations. Essentially this is a ‘safety net’ right making sure that if an organisation still has information it shouldn’t, it must delete it. There are two exceptions in the list above, relating to marketing and children.

The right to say ‘no thanks’ to marketing and have that respected has not changed under GDPR, so organisations will have to stop using your information for marketing if you ask them to. It is important to know that in practice the organisation will not actually delete the information; they will add your details to a suppression list. This is a list of contact details for everyone who has objected, and organisations check against this list when doing marketing, to make sure they don’t contact anyone who has said ‘no thanks’. If they deleted your data completely, they might collect it again somewhere else and not know that you have said you don’t want marketing.

With regard to children, there is still uncertainty as to what the right to deletion means. The section in GDPR on offering online services to children (that this right refers to) is quite narrow, and is essentially a requirement to get parental consent, instead of the child’s consent, if the lawful grounds you are using is consent. (There are multiple lawful grounds an organisation can use, and consent isn’t always the most appropriate.) It’s not clear if the right to deletion applies only to the consent-based information collected to offer a child online services, or whether it applies to any information collected from or about a child when offering online services. In the UK the regulator (ICO) is drafting guidance on the children’s aspects of GDPR, so we hope to get clarity on this point soon.

Automatically deleting your data

For the above scenarios, GDPR describes this right as both the right for you to get your data deleted, and the obligation for an organisation to delete the data without undue delay. However, automatically deleting data might not actually be the best outcome or be in individuals’ interests. As mentioned above for marketing, deleting your data rather than adding you to a suppression list might mean you get more unwanted marketing! Also, if an organisation has been doing something it shouldn’t have with personal data, deleting the data may delete the evidence and prevent a regulator investigation or the ability for individuals to take legal action.

What other obligations do organisations have?

If the organisation has to delete your information, but has already made it public, they are obliged to inform other organisations who have it that you have requested its deletion. These other organisations should then delete their copy of your information or any links to it. What does that really mean though? This aspect of the right has come from court cases against Google relating to whether information they link to in search results should still be available. (See below for more information.)

When does this right not apply?

As mentioned in the first paragraph, even if your request for deletion matches one of the above list of circumstances, the organisation might still not have to delete your information, if one of the following applies.

- The organisation needs the information to exercise their right to freedom of expression and information. (This is likely to be more relevant to news organisations and publishers.)
- The information is necessary to comply with a legal obligation. (This could be where organisations are required by law to keep certain data for a certain amount of time for audit, tax or other purposes.)
- The information is necessary for an activity the organisation is carrying out that is in the public interest or as part of their official duties. (This is likely to be relevant to public sector bodies.)
- The information is necessary for reasons of public interest in the area of public health.
- The organisation needs the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting the data would make those purposes impossible or seriously impair the organisation from achieving its aims. (This is most likely to be used by official archiving or research bodies.)
- The organisation needs the information to establish, exercise or defend legal claims.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions in current law that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

The right to be forgotten by search engines

As already mentioned, some aspects of this right come from court cases against Google, where individuals requested that certain information no longer appear in searches on their name. This is really about being delisted from search results, as the original publication of the information may have to remain. The court cases have looked at the balance between privacy and freedom of expression to set the lines on when each prevails. The decision in each of the cases depends on the facts of the case, and sometimes the court has decided the information is no longer relevant and so must not be linked to, whereas in other cases they found in favour of Google.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).

What is Yoti doing?

You are able to delete your account at any time from within the app settings. If you delete the app before deleting your account you just lose the connection to your data, and it remains ‘orphaned’ in our system. We delete orphaned data after three years.

If you use our Dashboard to create pages and applications as a way to collect personal information from others, you can also delete your account. Yoti will need to keep certain information for billing records and auditing purposes.

You can make a deletion request to privacy@yoti.com.

Yoti’s CEO Robin Tombs on the BBC Breakfast sofa talking biometrics

We knew something had to be done to fix the world’s broken identity system, and that the solution must put the consumer firmly in control of something as precious as their identity. It made no sense to us that while the rest of our lives were going digital, the way we proved who we are was stubbornly clinging to paper and card. We decided to use the advancements in biometrics and smartphones to develop a modern digital identity solution that gives people a simpler, faster and secure way to prove who they are.

Yoti has been built using the latest technology including facial recognition, with the intention of solving the challenge of proving our identity. We use facial recognition to match people’s biometrics to their ID documents, giving them a secure digital identity they can use online and in person. This helps reduce identity theft, fraud and can help build trust online. The individual always consents to using their biometrics and knows how they will be used. Individuals also consent whenever sharing their details, and always get a receipt of what information they have shared.

We believe in putting individuals in control of their data. We do not snoop on individuals using Yoti and we can’t see the details being shared. We charge a business a small fee for receiving verified details from a user. We have a simple, principled, transparent business model and an increasingly popular app with 1.1m installs and climbing. We have built Yoti in a way individuals told us they wanted digital identity to work. There are 6.3 billion smartphone users and we believe many of them will choose to create a digital identity to have an easier and safer way of proving who they are, online and in person.

Yoti and CitizenCard launch new digital ID card

Everyone needs a way to prove their identity. Whether it’s to collect a parcel from the post office, buy an age restricted item, open a bank account or apply for a job. Many young people are too young to have a driving licence, and their parents don’t want them to carry around a £49 passport simply to prove their age to see a film, buy a game or purchase a child’s train ticket. With almost 20% of people losing an ID document at least once a year, young people need a safer and more affordable way to prove their age and identity.

Introducing the Yoti CitizenCard

We’ve teamed up with CitizenCard to offer young people a £9 digital ID. Unlike other ID solutions, the Yoti CitizenCard allows young people to prove their age online and in person. They’ll be able to use the Yoti CitizenCard to:

- Prove their age and identity when travelling on public transport, going to cinemas, on nights out, and when buying games and age restricted goods like energy drinks and alcohol.
- Prove their age and identity to businesses online.
- Log in to websites without having to remember passwords.
- Verify the identities of people they meet online for safer encounters.

They can also share specific attributes (i.e. just their name or age) without disclosing their full identity with a paper ID document; helping to protect from the ever-growing risk of identity fraud.

Yoti CitizenCards display the Home Office-endorsed PASS (Proof of Age Standards Scheme) hologram and UV mark. The logos of the National Police Chiefs’ Council (NPCC) and the Security Industry Authority (SIA) also feature. The card is accepted by retail and night economy businesses.

The Yoti SmartChip in the card will, in future, allow people to simply tap on a card reader to prove their identity. It could also enable payments, where parents top up the card with their child’s pocket money to bring safer spending than carrying cash – or be used for storing tickets and travel passes.

Our solution is designed to give parents peace of mind, knowing that their child has a recognised national ID that’s safer to carry than a passport, which if lost or stolen contains a large volume of sensitive personal data.

We believe that everyone should be able to prove who they are when they choose to – but ID should be private, secure, voluntary and controlled by the individual, not by organisations.

- Private – prove ‘what’ you are without necessarily revealing who you are
- Secure – NO big database of profiles that reveals how and where people use it
- Voluntary – ID should empower people not be a means of tracking people

This is just the start of a great partnership with CitizenCard. We’re excited to give families around the UK a simple and secure way to prove their identity, online and in person.

Yoti selected as the official identity provider for the Government of Jersey

Today marks a landmark day for Yoti. We have been selected as the identity provider for the Government of Jersey. Securing our first government contract is a huge milestone in our journey and something all of the team are incredibly proud of.

Jersey’s search for an ID solution

In August 2017, Jersey’s Government issued a tender which called for a digital ID solution. This was part of the eGov initiative to get more services online, such as filing a tax return, registering to vote and accessing the citizen portal. The Government wants to offer a greater range of online services but needs to be certain that the users are who they say they are.

What does this mean for Jersey citizens?

Yoti will give islanders a simple, fast and secure way to prove their identity, online and in person. They’ll be able to use Yoti to:

- Prove who they are when dealing with the States of Jersey online and in person, making it more convenient when using digital services and reducing the risk of identity theft and fraud
- Log into websites more securely without having to remember usernames and passwords – helping to protect online accounts and personal information
- Leave valuable ID documents safe at home and prove their age with their phone
- Prove their identity to businesses without showing and photocopying paper documents

Jersey’s visionary choice to use a digital identity system will help its government bodies, businesses and citizens to get things done in a simple and secure way, with less risk of fraud – an issue which costs the global society billions every year. By giving individuals a free digital identity which they can create in minutes, businesses across a range of sectors can begin to leverage the benefits of digital identity into their own products and services, including finance, voting, healthcare, physical asset management, and many more.

Assistant Minister, Deputy Scott Wickenden, said: “One of the reasons we have chosen Yoti is that its verification system can be used by many other organisations. People are more likely to sign up with a service that they can use for a number of different purposes, and because Yoti can verify identity, and therefore age, this means that a wide range of industries – from financial services to hospitality – can use it to verify the identities of their customers.”

The States of Jersey’s Chief Executive, Charlie Parker, said: “This important piece of technology is fundamental to the restructuring of our public services and the provision of integrated, online services to islanders. We have established one set of standards for all our online services and now we have a digital ID system that allows islanders to interact with government on a confidential, secure basis. This is a vital step in modernising the States of Jersey, and in developing an effective, efficient and responsive public sector, with outstanding services at its core.”

This is just the start of a great partnership with Jersey. We hope that their government, businesses and citizens will benefit from a secure digital identity system for many years to come. Time to raise a glass and celebrate!?
