The Information Commissioner’s Office (ICO) has issued its first fine under GDPR, to a London-based pharmacy. Doorstep Dispensaree Ltd has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.
The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. Following a thorough investigation, the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.
The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Training features heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How can this be done without staff spending valuable time away from the office or overspending the training budget?
GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.
After issuing Notices of Intent to two high profile companies for millions of pounds (British Airways and Marriott), the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that they are not repeating the same mistakes as Doorstep Dispensaree Ltd.
Act Now is delighted to announce that we will be exhibiting at the PrivSec London conference on the 4th and 5th of February 2020.
This conference will bring together privacy and security professionals from around the globe to address industry issues, challenges and opportunities. It will explore the inextricable link between data privacy and data security, providing attendees with access to first-rate content presented by a line-up of international experts. The five theatres at the event will feature talks on Data Protection, GDPR, privacy, security, governance and risk management.
We have 7 free delegate places to give away (worth £474 each).
If you would like a place, please get in touch using the contact form on our website. We will add your name to the draw which will take place on Tuesday 7th January at 11am. The winners will be announced shortly afterwards on our blog.
Act Now is in full conference mode at present. On 10th December our team were at DIGIT’s 3rd annual Data Protection Summit, billed as “Scotland’s largest Data Protection and Privacy event for business”. The programme contextualised the changing Data Protection landscape, considering the business impact of the GDPR and DPA 2018 and how it is shaping policy and process in practice. The conference is run with assistance from the ICO, ScotlandIS and the DMA. The conference was a huge success and our GDPR e-learning stole the show. Follow this link to see a short demo.
In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of the General Data Protection Regulation (GDPR), and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.
If you are attending any of these conferences, come and say hello (and pick up a freebie!)
Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.
With Boris’s deal likely to be approved by Parliament, the implications of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will not be felt until the end of the transition period (currently 31st December 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so), a revised version of GDPR, to be known as the “UK GDPR”, will come into force on 1st January 2021. A brief summary of the key changes follows.
The EU version of GDPR contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.
The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR, so that the UK will:
Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
Give powers to the Secretary of State to determine or revoke adequacy
Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
Recognise all Binding Corporate Rules authorised before Exit Day
Introduce extraterritoriality into the UK data protection regime
Of course, from Exit Day the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transition period, the lawful transfer of personal data from the EU into the UK without additional safeguards will only be possible if the UK achieves adequacy status and joins the list of 12 countries that currently benefit from an EU adequacy decision. The regulations attempt to make the UK version of GDPR as robust as the EU version, in the hope of achieving an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021, which means that Data Controllers and Processors have to start putting additional safeguards in place now to maintain the free flow of data.
The new regulations also amend the DPA 2018, which must be read alongside GDPR.
Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.
More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.
Ibrahim Hasan is presenting a webinar in January on this topic. These and other GDPR developments will be discussed in detail in our GDPR update workshop.
Act Now is pleased to announce the launch of its new e-learning course, GDPR Essentials.
Click on the video below to see a short demo trailer.
The General Data Protection Regulation (GDPR) requires all organisations to ensure that their employees are aware of their role in protecting personal data. How can this be done without staff spending valuable time away from the office or overspending the training budget?
GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe.
GDPR Essentials contains two modules each followed by a quiz. The modules consist of an animated video, narrated by a professional voiceover artist, and contain questions to test employees’ understanding during the learning process.
The target audience for GDPR Essentials is frontline employees, both in the public and private sector, and those who handle personal data on a day-to-day basis who need a basic knowledge of how to comply with GDPR in their role.
Upon completion of GDPR Essentials employees will:
Understand the importance of complying with GDPR and the consequences of not doing so
Have a good knowledge of the key provisions of GDPR
Understand what they need to do to comply with GDPR
Appreciate the importance of good data security
Know what they need to do to keep data safe
Be aware of the importance of appropriate data privacy and security policies
Be able to direct customers and colleagues to appropriate policies
Know when to ask managers and the data protection officer for advice
With full admin controls, GDPR Essentials helps you to build a data protection culture in your organisation and develop a workforce that is able to identify, manage and prevent data protection risks.
Clients who have bought our previous GDPR e-learning course include retail companies, healthcare providers, local authorities, charities, schools and colleges. See the full list here.
Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.
Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from both the public and private sector. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free way.
We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.
CCPA’s impact will not just be felt by California-based businesses. Businesses worldwide that process personal data about Californian consumers will need to consider their privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big businesses, wherever they are based, will have to comply with the CCPA.
Like GDPR, CCPA is about giving people control over how their personal data is used by organisations. It requires transparency about how personal data is collected, used and shared. It gives Californian consumers various rights including the right to:
Know and access the personal information being collected about them
Know whether their personal data is being sold, and to whom
Opt out of having their personal data sold
Have their personal data deleted upon request
Avoid discrimination for exercising their rights
California law also imposes a breach notification requirement, like GDPR: a security breach involving personal data must be notified to each individual it affects, regardless of whether the data is maintained inside or outside California. The notification duty itself comes from California’s existing breach notification statute; what CCPA adds is a private right of action for consumers affected by a breach (see below).
Fines and Enforcement
Penalties under CCPA include:
$2,500 for each unintentional and $7,500 for each intentional violation of the Act. Legal action must be brought by the California Attorney General.
$100 to $750 per consumer per incident, or actual damages if higher, for harm caused by a data breach resulting from a failure to implement reasonable security. Legal action may be brought by consumers.
A business is only liable for an Attorney General enforcement action if it fails to cure the alleged violation within 30 days of being notified of it.
While these fines may appear relatively low, it is important to keep in mind they are per violation. It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case these fines could reach the hundreds of thousands or millions of dollars.
A Federal Privacy Law?
CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S. federal privacy law. Nevada residents also now have more control over how their personal information is used: Senate Bill 220 was recently signed into law, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.
CCPA will not just have a big impact on US businesses. UK and EU companies doing business in the States also need to understand its provisions and implications. Ibrahim Hasan will be speaking about this topic when he addresses the NAPCP Commercial Card and Payment Conference in Las Vegas in April 2020.
CCPA and GDPR
CCPA is often compared to the GDPR. Both laws give individuals rights to access and delete their personal information, require transparency about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it does not require businesses to have a legal basis for processing personal data (Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer. To learn more about the differences, have a look at this comparison chart produced by BakerHostetler LLP.
NEW CCPA Workshops
Our forthcoming CCPA workshops (in the UK and US) will cover the main obligations and rights in CCPA and practical steps to compliance. They are ideal for data protection officers and advisers in UK and US businesses.
Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.
The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.
In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.
The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.
Diane McGuire, CPCP, MBA, Managing Director of the NAPCP, said:
“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”
This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.
Ibrahim Hasan said:
“I am really pleased to address the NAPCP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to US Data Controllers.”
Regular registration is now open for the event. Head over to this link to confirm registration.
Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.
During a recent FOI A-Z course a delegate asked me what seemed like the simplest of questions: “How do we know whether something is business as usual, or an FOI request”? Naturally enough that gave rise to an interesting short discussion in which delegates expressed different views based on their practice and organisational policies. What became clear though, was that this seemingly simple question is anything but. So, how do organisations and practitioners know whether something is ‘business as usual’ or an FOI request?
Before attempting to answer this question, it is important to remind ourselves what a valid request under the Act looks like. Section 8 of the Freedom of Information Act 2000 (FOI) states that a request for information under the Act must:
Be in writing (this must be legible and can include electronic communication)
State the name of the applicant and the address for correspondence
Describe the information requested
This means that there is a degree of legal formality about an FOI request, particularly the need for it to be in writing. However, as the ICO guidance notes, this is not a hard test to satisfy and “almost anything in writing which asks for information will count as a request under the Act”. So far so good. On this logic any communication in writing, that includes a request for information, is to be regarded as a request under the Act and must be dealt with accordingly.
Requestors do not need to mention the Act or even direct their request to a designated FOI practitioner or team. Of course, where a requestor specifically mentions the Act this makes life easier and the request should be dealt with as an FOI request.
Responding to FOIA requests: Section 1
Section 1 states that on receipt of a valid FOI request public authorities must do two things:
First, they must provide a written response which either confirms or denies that they hold the information (the duty to confirm or deny) (S.1(1)(a)); and
Second, they must communicate the information to the applicant, unless any exemption(s) apply (S.1(1)(b)). It is worth pointing out that the Act does not require this communication to be in writing, although in practice it usually is, particularly when requests are made by email or letter. S.1(1)(b) does allow for the oral communication of information.
What is perhaps less well known is that S.1(5) states that a public authority is deemed to have complied with S.1(1)(a) where it has communicated the information to the applicant under S.1(1)(b). For instance, if a public authority receives an email request for a standard piece of information and replies with an email attachment, or phones the applicant and tells them the information, then it is deemed to have complied with its duty to confirm or deny without formally using those words. But this would still be a request under the Act and ought to be recorded as such.
So what is the problem?
The difficulty arises, in part, because of the advice given in the various guidance from the Information Commissioner’s Office and in the revised S.45 Code of Practice (see our blog on this code here), both of which suggest that there are some circumstances where, despite the validity of a request, it may be more appropriate to deal with it outside of the Act.
The Code of Practice advises that, “information given out as part of routine business, for example, standard responses to general enquiries” does not need to be dealt with under the Act.
The ICO Guide states that, “It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures”. The ICO offers two examples of a normal customer enquiry; where a member of the public wants to know what date their rubbish will be collected, or whether a school has a space for their child. The ICO’s corresponding Flowchart refers to these as requests ‘in the normal course of business’.
The ICO Guide elaborates by saying that the provisions of the Act only need to come into play if a public authority “cannot provide the requested information straight away” or the requestor “makes it clear that they expect the request to be dealt with under the Act”.
All of the above appear to suggest that public authorities have a degree of discretion in deciding whether a seemingly valid request for information should be treated as a formal request under the Act, or whether they can simply provide the information without going through the formalities of the Act.
Little wonder then that FOI practitioners struggle and ask the seemingly simple question that prompted this blog! In response I would offer the following thoughts, which may be useful to bear in mind when contemplating whether a request is an FOI request or not:
The Act is legally binding, and it states that valid requests (defined in S.8) must be dealt with as requests under the Act. The ICO guidance is not legally binding, and although the S.45 Code is issued under the Act, failing to follow the Code is not in itself a breach of the Act.
The formalities of the Act are not onerous in circumstances where a public authority is not applying an exemption. Remember, S.1 (5) states that by communicating the information to the applicant you are deemed to have complied with your duty to confirm or deny that you hold the information.
The revised Code of Practice recommends that all public authorities with more than 100 full time equivalent employees publish their FOI compliance statistics on their publication schemes on a quarterly basis.
FOI practitioners frequently say that they are under-resourced and heavily burdened. Recording all requests for information as requests under the Act (as opposed to disclosing informally) will help provide a truer reflection of the volume of requests made to public authorities.
Once we know what an FOI request is, the next question is who can make a request? What about Spiderman? The answer is here.
According to the Scottish Information Commissioner’s annual report for 2018/19, Scottish public bodies are receiving record numbers of FOISA requests. 83,963 requests were reported by them in the year 2018/19, a rise of 8% on the year before. Three quarters of these requests led to a full or partial release of information.
The number of appeals made to the Scottish Information Commissioner also increased, by 10% to 560, still just 0.7% of all requests made. Just under two thirds of the Commissioner’s appeal decisions (64%) were either fully or partially in favour of the requester.
Scottish public authorities must respond promptly to FOISA requests and no later than 20 working days. However, the report shows that they are increasingly failing to comply with this requirement. The number of times an authority failed to respond to an FOI request rose from 601 in 2017/18 to 940 in 2018/19. 26% of valid appeals to the Commissioner were about an authority’s failure to respond.
The Commissioner has responded to this failure to comply with the FOISA time limits by making more than 250 interventions over the course of the year. A third (33%) of his basic interventions investigated authorities’ compliance with statutory timescales. Often these failures can be indications of other fundamental problems, such as FOISA management and culture issues, staff absences or procedures not working well.
A poll of Scottish adults, conducted in May 2019, found disappointing levels of confidence in public bodies’ ability to respond to requests, much lower than the actual performance in practice. 57% of those surveyed were “very” or “fairly confident” they would receive a response to a request for information from a public body. 38% were “not very” or “not at all confident” they would receive a response. Any increase in authorities’ failures to respond is likely to feed this perception.
FOISA requires authorities to publish information as well as respond to requests. According to the above mentioned poll, 9 in 10 people in Scotland thought it was important for public bodies to publish information about the reasons for the decisions they make, information about contracts with other organisations and information about how they spend their money.
The Commissioner is using the opportunity of his annual report to emphasise the need for authorities to do more to improve their FOISA compliance. He said on his website:
“We are seeing increasing numbers of information requests being made to Scottish public authorities.
While many are performing well, there has been a concerning increase in failures to respond to requests for information on time. Such failures impact on people’s perception of both freedom of information and the authorities themselves.
Freedom of Information brings significant benefits to authorities who comply with it. Public bodies improving their Freedom of Information practice will make a real difference not only to the requester’s experience but also to the authorities themselves.”
It’s going to be a busy year ahead for FOISA. The Scottish Parliament is due to complete its post-legislative scrutiny of the Act soon. This may lead to legislative changes. From 11 November 2019, registered social landlords (RSLs) in Scotland will become subject to FOISA.
Act Now is pleased to announce the winners of the 5 free delegate tickets for the European Data Protection Summit taking place in Manchester on 13th and 14th November 2019. We are sponsoring this two day event which will deliver top-level strategic content, insights, networking, and discussion around data protection, privacy and security. In addition to leading content, tickets will include refreshments, lunch and access to exclusive post-event content. The winners are:
Jamie Burton of Wythenshawe Community Housing Group
Kathy Fleming of The Lead Agency
Sam License of National Institute for Health and Care Excellence
Matt Stephenson of University of Bradford
Jacqueline Gillanders of HEFSTIS
All the winners will receive an email giving details of how they can book their free place.
Thank you to all of those who expressed an interest.