Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. In Autumn 2015, a total of 16 delegates from the local government, health, education and private sectors passed the course with flying colours. 9 delegates achieved a merit and 3 achieved a distinction.
The Information Commissioner, Christopher Graham, said:
“Congratulations to all the successful candidates. It was worth all the slog, as I am sure you will find in your future careers. And it’s good to know that there is another cohort of qualified professionals looking after our data in the increasingly competitive digital world. All organisations need to take data protection and data security seriously or risk losing their reputation – not to mention customers. The new EU data protection framework brings these issues into even sharper focus – which makes your expertise even more essential.”
Over the years this course has produced many satisfied customers:
This was an excellent course specifically designed for the day to day practical use of DP. It demystified the subject in a way which I could understand. Tim Turner is an excellent tutor with a good sound knowledge and ability to put it across. HC, West Yorkshire Police
Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too! Thanks Tim! DH, Cheshire West and Chester Council
This course was designed to be more learner friendly in the way it is examined. It shows your practical knowledge in the assessment along with your ability to use the legislation in your project. A worthwhile course for the modern day data protection officer. DJ, Northumberland CC
Since commencing in my role I was expected to develop a knowledge of and interpret the DPA. This course has embedded my understanding of the act and given me the confidence to challenge existing and new practices to ensure compliance. SD, NYFRS
I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations. AG, Parliamentary and Health Service Ombudsman
The Data Protection Practitioner Certificate is our own qualification for those who work with Data Protection and privacy issues on a day-to-day basis. The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
The emphasis of the course is on practical skills which a Data Protection Officer needs to do their job and raise DP standards in their organisation. The course syllabus has been recently revised to include more themes covered by the new European General Data Protection Regulation (GDPR) expected to come into force in 2018.
Candidates also now have the option to take our specially designed GDPR webinars after completion and up to 12 months in the future as part of their course. This has been included for our Certificate candidates free of charge (normally £49+VAT each) allowing them to customise their learning with the greatest flexibility and ensure their preparations for GDPR are assisted with the most up to date information.
Act Now is pleased to announce that it has won a contract to deliver consultancy services to a major organisation in the regulatory sector.
We have been asked to use our information law and security expertise to assess the content of the organisation’s mandatory e-learning modules covering the Data Protection Act, Information Security (ISO 27001:2013 certification) and the Freedom of Information Act.
The purpose of the assessment is to ensure that the training content meets the legislative and ISO 27001 (2013) requirements and meets the needs of the organisation’s staff, associates and contractors, providing them with a gap analysis report based on the current training provision, examples of best practice and legislative requirements.
This project will be led by Ibrahim Hasan and Frank Rankin who are well-known experts and trainers in this field. Commenting on the award of the contract, Ibrahim Hasan said:
“I am very pleased to have the opportunity to use our expertise on this project. This is one of many recent consultancy projects Act Now has undertaken and enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management.”
Act Now is also starting to develop an international reputation. In January 2015 Ibrahim Hasan and Paul Gibbons were in the Far East to deliver data protection audit training to the Government of Brunei.
We have also developed a number of interactive e-learning solutions to help organisations comply with their legislative and regulatory requirements. With the new EU Data Protection Regulation likely to come into force in 2018, it is important that all organisations assess their staff’s data protection awareness and compliance.
The song was written by Bob Dylan in 1962. Dylan has stated that all of the lyrics were taken from the initial lines of songs that he thought he would never have time to write. This blog has had so many working titles (see below) that it seems to fit.
My story starts when I bought a Senior rail card. I did it online. As a fully paid up member of the grumpy old men’s club and having some knowledge of Data Protection and marketing issues I made sure I opted out of any “from time to time we may pass on” and “carefully selected third parties” sneaky data collection statements. The process was easy. The card arrived; I used it frequently.
Then the mailings arrived. It’s my normal practice as a GOM and DPA nerd to contact organisations who direct market me and ask them where they obtained my name and address. I call it a Subject Access Request in my letter. Over the autumn a surge in mailings revealed that The Association of Train Operating Companies had been the originator of many mailings through their sale of my details to Medialab.
As a side issue it’s remarkable how the marketing industry reacts when I make subject access requests. Their first reaction and often their only reaction is to instantly remove me from their database and apologise profusely. To me this isn’t how to respond to a subject access request. In fact one charity when I queried this said that their industry code of practice only required them to remove my name not provide me with the normal things that SARs provide. When I replied pointing out the relevant sections of the DPA the request was escalated to the CEO who decided that Yes they would go further than the Code of Practice and give me what I asked for. Thanks Chiefie.
On to Medialab. They acknowledge on their website (which is currently being re-designed) that they have many lists including all Rail card holders. The actual phrase is “We buy data and media across various channels to generate customers with real lifetime value.” The blurb says that Senior rail card holders are all over 60, all opted in and are all suitable targets for offers involving wine, charities, gardening, food etc. Leaving aside the obvious fair processing and reasonable expectations it appears that Medialab are actively pushing their list obtained by ATOC for purpose a for purposes b, c, d etc. So apart from buying the lists which ATOC says are all consenting adults they are conspiring with service companies who are looking to target their marketing. You could even make a case that Senior Rail card holders are a vulnerable group. When I bought my Rail card I definitely did not consent to receiving offers about wine, charities, gardening, food. Just because I am old doesn’t mean I have to conform to my chronological stereotype. I thought buying a railcard was about cheap train travel. If someone who targets poor obtaining and re-use statements on websites has missed the fact that he has consented to his data being sold on, how do ordinary people spot it? (If in fact there was a FPN – ATOC can’t prove they had one…)
Second aside. I was once engaged by a well known cuddly well respected Society with its HQ in London to deliver a training session on Data Protection. They were nice people and the Chief Exec sat supportively in the front row. When we arrived at the point of discussing whether data acquired for purpose A by Data Controller A could not be used for an incompatible purpose B by Data Controller B the Chief Exec intoned “I think you’ll find that most big organisations share data to see if there are any opportunities for cross marketing”. When told that this was probably a breach of the act his support for me ended and he left the room presumably to set up another breach of Principle 2.
Back to ATOC. I kept on at them – they weren’t very punctual but I generously put this down to Xmas holidays. Eventually after me disputing my giving of consent I asked them to provide documentary evidence that I had consented to passing my data to 3rd parties. This elicited the following email.
“I am sorry to hear that you have received emails and phone calls from third parties that you were not expecting. I have reviewed your account and can verify that your name and contact information has now been removed from our supplier database and that only Medialab has access to this. You should no longer receive any emails related to your Railcard purchase.
Unfortunately we are unable to provide material confirmation as to your original acceptance of these offers as once an online application is completed this information is fed directly into our database and this live information serves as confirmation of customer opt-ins. We are able to obtain evidence of opt-ins for paper applications and the equivalent of this for online applications is the live record and your record now reflects your request to be removed from our mailing list.”
To wrap it up. The volume of mailings has slowed down. ATOC has taken me off their list but can’t prove I consented to them selling my details. Marketing companies still hold my data and are probably selling it to anyone who thinks old people are an easy touch. The mailing and marketing industry doesn’t know what a subject access request is.
So I’ll leave you guys to ‘Choose an Alternate title’ (which is in itself a 1967 song…)
When is consent not consent? – When you can’t see it
When is consent not consent? – When you can’t prove it
Marketing databases are black holes. Data is irretrievable except for marketing companies.
The invisible consent mystery.
Who do you believe? A data controller who can’t prove he has consent or a data subject who knows he never gave it.
Wanted Old person who likes travel to test an online application form.
Senior Rail Cards on the wrong track.
Pssst! Wanna buy a list of old people who’ll buy anything…
Grumpy old DP expert taken for a train ride.
Charities just don’t get it. Direct marketing organisations know they’re breaking the law but hey! it adds to turnover. Everyone makes money from Senior rail cards.
Of course the new EU General Data Protection Regulation (GDPR), when it comes into force in 2018, will require a rethink of how companies obtain and record consent to marketing.
Give your career a boost in 2016 and prepare for GDPR by gaining a qualification.
The Act Now Data Protection Practitioner Certificate is a practical qualification for Data Protection Officers and advisers both in the public and the private sector. Successful candidates will be able to demonstrate that they possess a good knowledge of the law, both the current Data Protection Act as well as the forthcoming EU Data Protection Regulation.
The Independent Commission on Freedom of Information was established by the Cabinet Office in July last year to examine the operation of the Freedom of Information Act 2000 (FOI) and whether it required any changes. In October I predicted (and I was not alone) that, bearing in mind the Commission’s restricted terms of reference as well as the track record of some of its members, it was likely that sweeping restrictions would be made to the UK’s FOI regime.
Thankfully it seems that the Commission has seen sense. Its recent report says FOI is working well and does not need major changes. It does though make twenty-one recommendations, many of which would enhance the Act:
1. A time limit for public interest extensions
That the government legislates to amend section 10(3) to abolish the public interest test extension to the time limit, and replace it instead with a time limit extension for requests where the public authority reasonably believes that it will be impracticable to respond to the request on time because of the complexity or volume of the requested information, or the need to consult third parties who may be affected by the release of the requested information. This time limit extension will be limited to an additional 20 working days only.
2. A time limit for internal reviews
That the government legislates to impose a statutory time limit for internal reviews of 20 working days.
3. Change to Section 77
That the government legislates to make the offence at section 77 of the Act triable either-way.
4. FOI statistics
That the government legislates to impose a requirement on all public authorities who are subject to the Act and employ 100 or more full time equivalent employees to publish statistics on their compliance under the Act. The publication of these statistics should be co-ordinated by a central body, such as a department or the Information Commissioner (IC).
5. FOI disclosure logs
That the government legislates to impose a requirement on all public authorities who are subject to the Act and employ 100 or more full time equivalent employees to publish all requests and responses where they provide information to a requestor. This should be done as soon as the information is given out wherever practicable.
This time, in the Government’s response to the FOI Commission, Mike Hancock MP has said that the Government will issue a revised S.45 Code of Practice setting out what information public authorities with more than 100 full time employees should publish.
6. Senior employees’ information
Public bodies should be required to publish in their annual statement of accounts a breakdown of the benefits in kind and expenses of senior employees by reference to clear categories.
Local authorities already have these obligations in relation to senior staff earning more than £50,000 by virtue of the Local Government Transparency Code.
7. Information Commissioner responsibilities
The government should give the IC (Information Commissioner) responsibility for monitoring and ensuring public authorities’ compliance with their proactive publication obligations.
8. Section 35(1)(a) – Formulation of government policy
The government should legislate to replace section 35(1)(a) with an exemption which will protect information which would disclose internal communications that relate to government policy.
9. Section 35(1)(b) – Ministerial communications
The government should legislate to expand section 35(1)(b) so that, as well as protecting inter-ministerial communications, it protects any information that relates to collective Cabinet decision-making, and repeal section 36(2)(a).
10. Section 35 – Public interest
The government should legislate to amend section 35 to make clear that, in making a public interest determination under section 35(1)(a), the public interest in maintaining the exemption is not lessened merely because a decision has been taken in the matter.
11. Section 35 – Public interest (2)
The government should legislate to amend section 35 to make clear that, in making a public interest determination under section 35, regard shall be had to the particular public interest in the maintenance of the convention of the collective responsibility of Ministers of the Crown, and the need for the free and frank exchange of views or advice for the purposes of deliberation.
The above 4 recommendations are clearly designed to make it easier for the Government (and the National Assembly for Wales) to withhold information. Other bodies cannot claim this exemption anyway.
12. Section 36 – The Qualified Person’s opinion
The government should legislate to amend section 36 to remove the requirement for the reasonable opinion of a qualified person.
Some of our clients have welcomed this recommendation citing the difficulty of getting access to senior officers to make a decision about complex FOI matters.
13. The ministerial veto
The government should legislate to put beyond doubt that it has the power to exercise a veto over the release of information under the Act.
14. The veto again
The government should legislate to make clear that the power to veto is to be exercised where the accountable person takes a different view of the public interest in disclosure. This should include the ability of the accountable person to form their own opinions as to all the facts and circumstances of the case, including the nature and extent of any potential benefits, damage and risks arising out of the communication of the information, and of the requirements of the public interest.
15. And again…
The government should legislate so that the executive veto is available only to overturn a decision of the IC where the accountable person takes a different view of the public interest in disclosure. Where a veto is exercised, appeal rights would fall away and a challenge to the exercise of the veto would be by way of judicial review to the High Court. The government should consider whether the amended veto should make clear that the fact that the government could choose to appeal instead of issuing a veto will not be a relevant factor in determining the lawfulness of an exercise of the veto. Until legislation can be enacted, the government should only exercise the veto to overturn a decision of the IC.
16. Guess what this recommendation is about?
The government should legislate to allow the veto to confirm a decision of the IC where the IC upholds a decision of a public authority on the public interest in release. This would mean that the right of appeal would fall away and challenge would be instead by way of judicial review.
Strengthening the ministerial veto under section 53 seemed to be a “dead cert” (in betting parlance). In March 2015, the Guardian’s successful challenge to the application of the veto to the disclosure of Prince Charles’ letters to government departments, was confirmed by the Supreme Court. The Government seems to have accepted the Commission’s recommendations for the time being:
“In line with the Commission’s thinking, the government will in future only deploy the veto after an Information Commissioner decision. On the basis that this approach proves effective, we will not bring forward legislation at this stage.”
17. Appeal rights
That the government legislates to remove the right of appeal to the First-tier Tribunal against decisions of the IC made in respect of the Act. Where someone remained dissatisfied with the IC’s decision, an appeal would still lie to the Upper Tribunal. The Upper Tribunal appeal is not intended to replicate the full-merits appeal that currently exists before the IC and First-tier Tribunal, but is limited to a point of law.
Whilst this recommendation will save public authorities money, some commentators (especially journalists) have expressed concern that it hampers appeal rights and makes the appeal mechanism much less accessible than at present to those who do not have the money to instruct lawyers. They have a point; especially when one considers the very real possibility of the government introducing fees for tribunal appeals.
18. Format of responses
That the government legislates to clarify section 11(1)(a) and (c) of the Act so that it is clear that requestors can request information, or a digest or summary of information, be provided in a hard copy printed form, an electronic form, or orally. Where a requestor specifies a specific electronic document format, that request should be granted if the public authority already holds the information in that format, or if it can readily convert it into that format. Where the information requested is a dataset, the requirements at section 11(1A) will apply. The legislation should make clear that the obligations on public authorities to provide information in a particular format extend no further than this.
In my view this is already clear in the legislation and in ICO guidance.
19. The Section 45 code
That the government reviews section 45 of the Act to ensure that the range of issues on which guidance can be offered to public authorities under the Code is adequate. The government should also review and update the Code to take account of the ten years of operation of the Act’s information access scheme.
20. Vexatious requests
That the government provides guidance, in a revised Code of Practice issued under section 45, encouraging public authorities to use section 14(1) in appropriate cases.
21. More money for the ICO
That the government reviews whether the amount of funding provided to the IC for delivering his functions under the Act is adequate, taking into account the recommendations in this report and the wider circumstances.
Much of the above can be implemented without the need for legislation through a revised/additional Section 45 code of practice and guidance. It’s worth remembering that the new EU General Data Protection Regulation (GDPR) will also require changes to FOI when it comes into force in 2018; specifically section 40 which makes reference to the Data Protection Act 1998 (which the GDPR will replace).
Labour’s Tom Watson has claimed that the FOI Commission was a waste of time and money and has called on the government to publish its costs. If they don’t he will, no doubt, make an FOI request to the Cabinet Office!