Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to ensure consumers' data is protected from smart devices collecting more information than their function requires.

All organisations in the UK that process personal data already have to comply with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

In addition, Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) sets specific rules in relation to the placement of cookies (and similar technologies) on people’s devices.

The data protection legislation requires any company processing personal data to design their products and services with privacy in mind from the start. Providers of smart devices have to consider how their product implements the data protection principles effectively and bakes in necessary safeguards to protect people's rights. For example, they must be transparent with consumers about the data they collect and how they use it, only processing data where there are legitimate grounds to do so, only using what is necessary for their purposes, and ensuring that the data is not used or shared in ways that people would not expect.

People also have rights under the data protection legislation to access their personal data, object to its processing and rights to rectification and erasure.

The legislation is monitored and enforced independently of government by the Information Commissioner’s Office (ICO). The ICO has published a range of guidance for organisations to help them comply with their obligations, including guidance on how to design their products and services in a privacy-friendly way, available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/designing-products-that-protect-privacy/privacy-in-the-product-design-lifecycle/.

The ICO has also published advice for the public on protecting themselves from security risks when using smart products here: https://ico.org.uk/for-the-public/online/smart-products/.

Anyone concerned about the handling of their personal data by any organisation can contact the ICO further advice or to make a complaint. The ICO can be contacted by telephone on 0303 123 1113. Further contact details are on the ICO website: https://ico.org.uk/for-the-public/. The ICO has a number of tools to take action against those who breach the data protection legislation, including criminal prosecution, non-criminal enforcement and the power to impose civil monetary penalties.