GDPR, Class Actions and the Right to Compensation


In November 2018 we reported the decision of the English High Court in the case of Lloyd v Google [2018] EWHC 2599 (QB). In summary, Mr Lloyd, who is a consumer protection champion, was attempting to bring a ‘class action’ (or ‘representative’ action) against Google. He brought the claim on behalf of over 4 million Apple iPhone users, alleging that Google had secretly tracked some of their internet activity, for commercial purposes, between August 2011 and February 2012.

Because Google is based in Delaware in the USA, Mr Lloyd first had to seek permission from the High Court to serve the legal action outside the jurisdiction of the English courts. To do this he had to prove that the claim had a reasonable prospect of success. The High Court decided that the claim did not have a reasonable prospect of success for two reasons.

Firstly, none of the people in the represented class had suffered damage under S. 13 Data Protection Act 1998 (DPA). This provision contained a right to compensation which is now to be found in Article 82 of the General Data Protection Regulation (GDPR). The High Court took the view that the claimants seemed to be relying on the fact that they were entitled to be compensated because of the breach alone, without showing how the breach had caused any damage, which was a necessary requirement for the class action to proceed under section 13. Secondly, the members of the ‘class’ did not share the same interest and were not identifiable, which was also a necessary requirement.

On 2nd October 2019 the Court of Appeal, in Lloyd v Google [2019] EWCA Civ 1599, reversed this decision and gave Mr Lloyd the right to proceed with his representative action against Google in the English courts. This decision is significant because it now means that the claim against Google will be considered, at some future date, in the Media and Communications Court in London. It is also significant because of the Court’s ruling on the question of damages in respect of breaches of data protection legislation.

Why did the Court of Appeal reach this different decision?

The first legal question the Court had to consider was this: could the claimants recover damages for loss of control of their personal data under S. 13 of the DPA 1998? It decided, after reviewing various authorities from earlier case law and interpreting the DPA 1998 by reference to agreed principles of European Union law, that they could.

The Court of Appeal’s approach was quite different to that of the High Court. The latter had rejected Mr Lloyd’s argument that the claimants were entitled to compensation because of the breach alone. It stated that it was necessary for a claimant to demonstrate a causal link between the breach of the DPA and the damage suffered, and they had not.

In reversing the decision, the Court of Appeal emphasised that S. 13 of the DPA had to be interpreted in the light of Article 13 of the Data Protection Directive 1995 and Article 8 of the Charter of Fundamental Rights of the European Union. It also referred to the General Data Protection Regulation 2016. In particular, the Court considered GDPR Recital 85***, which supports the view that “loss of control” over personal data is an example of the kind of “physical, material or non-material damage that might be caused to natural persons as a result of a data breach”. On this basis, the Court of Appeal accepted that a claimant could claim damages in respect of ‘loss of control’ of their personal data, provided the damage was not trivial. On the facts, the Court considered that ‘browser generated information’ (BGI) was an asset that had commercial value. Consequently, a person’s control over their BGI does have a value, so that the loss of control must also have a value. Therefore, the loss of control damages claimed by the represented claimants are properly to be regarded as compensatory in nature, and damages are in principle capable of being awarded for loss of control of data under Article 23 and S. 13 DPA 1998 even if there is no pecuniary loss and no distress.

(***It is interesting that the Court of Appeal considered the recitals to interpret the substantive provisions of GDPR. These recitals are often difficult to match with the latter. Our GDPR Handbook does this for you, as well as cross-referencing relevant ICO Guidance and the Data Protection Act 2018.)

Turning to the second legal question that had to be considered by the Court of Appeal: was the High Court judge right to hold that the members of the class did not have the same interest and were not identifiable? According to the Civil Procedure Rules it is necessary for the claimants in a class action to all have ‘the same interest’ in the claim. The High Court decided that the claimants did not all have the same interest: some affected individuals would be heavy internet users and ‘victims’ of multiple breaches; the extent of the loss of control across such a large group would be varied; and not all users would view the loss of control in the same way.

The Court of Appeal decided that this was the wrong approach. The claimants that Mr Lloyd seeks to represent have all had their BGI (something of value) taken and used by Google, without their consent, in the same circumstances and over the same period. Accordingly, they are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. The Court accepted that this means that the damages that can be claimed (if the future action is successful) will be at the lowest common denominator.

The Court of Appeal also decided that it would be possible to identify the class of people represented in this claim. It must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having “the same interest as Mr Lloyd” at all stages of the proceedings. The Court considered that every affected person will, in theory, know whether he or she satisfies the conditions that Mr Lloyd had specified. These included any person who, between 9 August 2011 and 15 February 2013 (whilst they were present in England and Wales):

  • Had an Apple ID;
  • Owned an iPhone 3G or subsequent model running iOS version 4.2.1 or later; and
  • Used the Apple Safari internet browser version 5.0 or later on that iPhone to access a website that was participating in Google’s DoubleClick advertising service.

In any event, the Court recognised that Google would have the data to be able to identify every person in the class!

Conclusion

In this case the Court of Appeal reversed the High Court’s decision that Mr Lloyd could not serve an out-of-jurisdiction action against Google. It approached the case by interpreting the now repealed Data Protection Act in the light of principles of EU law. The way is now clear for this class action to proceed before the Media and Communications Court in London. It of course remains to be seen how the case will proceed, and no doubt it will be fought hard by Google, given the size of the class. It is also difficult to predict how the Media and Communications Court will approach the case if it takes place post-Brexit.

Readers may also wonder why the case is relevant given that the applicable law is now the GDPR. However, the Court of Appeal seemed to be at pains to point out that the GDPR supports its interpretation in this case. The significance lies in the fact that the Court of Appeal has made it clear that, in its view, it is possible to claim damages for loss of control of personal data (including BGI data) without having to prove financial loss or distress.

You can find more on these and other developments in our GDPR update workshop running in Leeds and London in November.

Reflections of an Act Now FOI Trainer


Susan Wolf writes…

They say time flies when you are having fun. Well, I must have been having fun because I can’t quite believe I have been training with Act Now for over 12 months. Really, where has the time gone? During my time at the University of Northumbria I developed the habit of keeping a journal in which I reflected on my teaching. Old habits die hard, and I have continued this practice now that I am a regular Act Now training consultant. Looking back over my journal for the last 12 months, a number of common themes became apparent. I thought it might be interesting to share these. However, before I do, I just want to thank all the delegates I have met for challenging me, keeping me on my toes and reminding me how interesting life can be in Freedom of Information Land.

Training practitioners is not something new to me. For over 11 years I taught FOI practitioners on the Northumbria University LLM in Information Rights Law & Practice degree. However, the Act Now courses, with their focus on practical training, have exposed me to a wider range of people, from a wide range of public sector organisations, all trying to get to grips with broadly similar issues. From the most experienced practitioner who wants a ‘top up’ course to the absolute beginner who has just landed their first job in information rights, all practitioners appear to share some common concerns and worries.

There are also some widely shared misconceptions which still seem to cause the odd debate, despite the Freedom of Information Act 2000 being almost 15 years old. For instance, I have heard some delegates say that the ‘clock starts ticking’ on a FOI request on the day it is received by a public authority. I have also heard delegates talk about fines that the ICO can impose for breaches of the Freedom of Information Act. Those are always good to correct, and it is nice to hear the sigh of relief when they are advised correctly on these points.

However, I also frequently get asked questions that there are, quite simply, no definitive answers to. In good ‘lawyer’ tradition I could say ‘well that depends’ but that isn’t always what people want to hear. For example, I have been asked questions about how far a public authority must go in advising and assisting an applicant, or how many times they need to go back to the applicant to clarify a tricky request. Another question that taxes people is how long it is reasonable to wait between requests before engaging S. 14 (2) for repeated requests. These are always good for some discussion, but often time is limited on a one-day course, particularly when delegates quite rightly expect we cover all the course content.

Other misconceptions or worries centre on issues relating to the redaction of staff names in email correspondence; how to distinguish between ‘business as usual’ questions and FOI requests; or the significance of ‘confidentiality’ markings on information provided by third party contractors. The ‘new’ Freedom of Information 2018 Code of Practice addresses some of these issues. However, not all FOI practitioners are necessarily aware of the provisions of the new Code. Of course, it is difficult for practitioners, who are undoubtedly over-burdened, to keep up to date and on top of things, or indeed for us to cover these issues in detail in a one-day course. One way of keeping up to date is to read our Act Now blogs, which are all written by Act Now consultants and which deal with new developments and case law. However, this journey of reflection has made me realise that it would be useful to write some ‘Back to Basics’ blogs that address some of the issues and concerns that I know FOI practitioners share. Over the coming months we will be publishing a series of ‘FOI Basics Blogs’ on the issues raised during our one-day FOI courses, starting with a blog on ‘Business as Usual or FOI Request?’

For those FOI practitioners who want to take their training and understanding to the next level, Act Now Training now offers a 4-day FOI Practitioner Certificate. This course is modelled on the highly successful GDPR Practitioner Certificate and was launched in May 2019. We have now delivered it seven times and it is absolutely clear that this model enables FOI practitioners to develop a more detailed knowledge and understanding of FOI in practice. It gives delegates the chance to explore the exemptions in far more detail over two days, with Day 3 focussing on the most frequently used exemptions, including Sections 40 and 43. The course also prepares delegates for writing a Refusal Notice, which forms part of the final assessment.

Delegates have given very positive feedback:

“The course was very well structured and well timed. The length of the course was ideal as this gave sufficient time to discuss all areas relating to FOI and also gave candidates ample time for discussion and study. The trainer was very supportive and the knowledge that has been imparted has enabled me to develop the FOI function with our organisation. Highly Recommended.”
JW, Heywood Middleton and Rochdale NHS

“The course was excellent and really sets you up for the exam. I would recommend it to others working in the field. I have put what I learned on the course to good use as I am an FOI and DPA Manager in a very busy post with lots of business each and every day; many of the requests are unusual. The course and now passing the exam have given me the confidence to do my job.”
JH, NI Courts and Tribunals Service

“Thank you for a great course – as always all the trainers at Act Now are extremely knowledgeable, approachable and make the learning experience really enjoyable.”
KF, St Helens Council

As you can see, delegates are enjoying the course content and delivery style. Most importantly, they are able to take away their gained knowledge and apply it to their everyday role with confidence. After all, that is the purpose and objective of a course such as this. It makes me immensely proud and pleased to be able to be a part of the team that helps delegates in this way every day, and I look forward to the next 12 months.

Susan Wolf is a trainer for Act Now Training. She has over ten years’ experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. All our trainers are available to deliver customised in-house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Google v CNIL and the Right to be Forgotten


24th September 2019 is most likely to be remembered as the day the UK Supreme Court unanimously ruled that the Prime Minister, Boris Johnson, had unlawfully prorogued Parliament. As media attention focussed on the constitutional implications of this landmark judgment, you might be forgiven for not noticing another very important legal judgment delivered by the Court of Justice of the European Union (CJEU) in Google LLC v CNIL (Case C-507/17). In contrast to the Prime Minister, the case went in favour of Google and provided clarification regarding the extent of its obligations to erase personal data under Article 17 of GDPR, the so-called “Right to be Forgotten.”

This decision is, in many senses, a continuation of the Court’s landmark judgment in 2014 in Google v Spain (Case C-131/12), in which the CJEU ruled that Google, as a Data Controller, had to give effect to the data protection right of erasure provided in Article 12(b) and the right of objection under Article 14 of the EU Data Protection Directive 1995 (the 1995 Directive). Readers will know that the Directive has been repealed and replaced by the GDPR. Although at the time of the case the operative law was the Directive, the Court decided that it would consider the questions raised in the light of both the Directive and the GDPR, to ensure that its answers would be of relevance now that the GDPR is in force.

The Right to be Forgotten (or the right to erasure) is now found in Article 17 and the right to object to processing in Article 21 of GDPR. In Google v Spain the Court held that where a search engine operator received a request under Article 12(b) of the 1995 Directive then it would have to take steps to remove those links to third party web sites that were displayed in a list in a search conducted against the Data Subject’s name (provided the conditions of Article 12(b) were met). This meant that a Data Subject would have the right to request Google to ‘de-reference’ certain links to information held on third party web sites. This has been referred to as the “right to de-referencing”. This right was not absolute.

Turning to the corresponding provisions of the GDPR (Article 17), the Court also notes that the Right to be Forgotten is not absolute under the GDPR either. A search engine operator may refuse the request if one of the conditions in Article 17(3) applies. Article 17(3) specifically states that the Right to be Forgotten does not apply where processing is necessary for exercising the right of freedom of expression and information. Therefore consideration needs to be given to the specific circumstances of the case, the sensitivity of the personal data, and the interest of the public in having that information, which may vary depending on the public role played by the Data Subject.

What happened in the latest case?

In 2015 the French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés) instructed Google that when it received a request from a person to remove links to web pages about them from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.

Google responded by removing the links in question, but only from the results displayed following searches conducted from the Google domain names in the Member States. It also implemented so-called ‘geo-blocking’ measures that meant that if an internet user in the EU switched to a non-EU version of Google, they would automatically be re-routed to an EU version of Google (which would not display the ‘disputed’ links). Despite this, the French Data Protection Authority, using its powers under the French law that implemented the Data Protection Directive, imposed a fine of €100,000 on Google. Google challenged this decision. The French Court considered that the case raised difficult legal issues regarding the interpretation of the Right to be Forgotten and the territorial scope of the Data Controller’s obligation.

The Issues

The issue in this case was about what steps Google had to take in response to a request to de-reference links. Did it have to ensure that the link was removed from all the domain names used by its search engine so that the links no longer appear, irrespective of the place where the search is initiated or whether it is conducted from a place outside the European Union? In other words the issue was about the territorial scope of Google’s obligations to de-reference links when a Data Subject makes a valid request under Article 17.

The Court deals with this as follows:

  • It begins by stating that the objective of the GDPR is to provide a high level of protection of personal data throughout the European Union, and that de-referencing on all versions of a search engine would achieve that objective.
  • But it recognises the ‘ubiquitous’ nature of the internet that is global in reach and without borders.
  • And it also acknowledges that not all States that host the Google search engine recognise the right of de-referencing.
  • Article 17 (3) strikes a balance between the rights of the Data Subject and the right of information, but does not strike such a balance as regards the scope of de-referencing outside the EU.
  • There is nothing in Article 17 of the GDPR that suggests that the EU intended that the scope of the Right to be Forgotten would extend beyond the territory of the Member States of the EU.
  • Consequently there is no obligation under EU law for a search engine operator who grants a request for de-referencing under Article 17 to carry out de-referencing on all the versions of its search engine. It is only required to implement de-referencing in all the EU Member State versions of its search engine.
  • However, where necessary, the search engine operator is obliged to use measures which prevent, or at the very least seriously discourage, internet users in the EU from gaining access to the ‘offending’ links in question.

The CJEU then referred the matter back to the French Courts for them to determine whether the measures taken by Google (the geo-blocking measures) or proposed by Google meet these requirements. However, what is clear is that the ‘Right to be Forgotten’ in the context of Google searches has its limits. The extent to which Google, and other search engine operators, can prevent or discourage determined internet users from gaining access to ‘de-referenced’ personal data remains to be seen.

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Cyber Security Month is Here!


October is European Cyber Security Month. This is the EU’s annual awareness campaign that takes place each October across Europe. The aim is to raise awareness of cyber security threats, promote cyber security among citizens and organisations, and provide resources for online protection through education and the sharing of good practice.

Every single day the cyber security landscape becomes more complicated. Criminals are continually inventing new ways to carry out cyber-attacks. A Freedom of Information request by insurance broker Gallagher recently revealed that UK councils were fending off an average of 800 cyber-attacks per hour.

Organisations that do not take appropriate action are at grave risk of business disruption, reputational damage and regulatory action. In July we saw the Information Commissioner’s Office (ICO) signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued against British Airways and Marriott International respectively. Both relate to cyber security incidents, but for different reasons and amounts.

Cyber security needs to become a top priority for organisations and individuals. Training and awareness are crucial. The National Cyber Security Centre publishes a regular report on cyber incident trends in the UK, with guidance on how to defend against and recover from them. Act Now is running a series of Cyber Security workshops led by cyber expert Steven Cockcroft. The first one was in London last week and attracted delegates from both the public and private sectors. Habib Khatib, Head of Operations at Talk Direct (Leeds) Ltd, said:

“This was an excellent workshop which really opened my eyes to the threats that organisations face from cyber criminals. Steve’s expert knowledge will help me to implement a cyber action plan within my company.”

To celebrate Cyber Security Month, all new delegates booking on a Cyber Security workshop will receive a discount of 10% if they quote the reference “OCTOBER10%”. This offer applies until 11.59pm on 31st October 2019. A day to remember for more than one reason!


Records Management in Scottish Public Authorities is Changing


The Public Records (Scotland) Act 2011 (PRSA 2011) requires public bodies in Scotland to develop a Records Management Plan and submit it for the approval of the Keeper of the Records of Scotland. Many of these plans, usually approved on a five-year basis, are now approaching the time when they will need to be revised and put through the approval process once again. Moreover, the Keeper’s team have been actively revising their “Model Plan” and will be expecting more from authorities on the submission of their new plans over the next couple of years.

Background

The PRSA 2011 received Royal Assent on 20 April 2011, aiming to fill a gap in information governance which had long existed. Although there had been some sector-specific records requirements, there was no overall legislative framework guiding the creation, management or retention of information in the Scottish public sector.

The Act came in on the back of the 2007 Shaw Report, which blamed poor record keeping for many of the difficulties faced by former residents of residential schools and children’s homes. The Scottish Government took a broad view of the implications of Shaw; this in turn led to the PRSA covering a broad range of named public authorities including the Scottish Government and Parliament, local authorities, NHS, police and the courts.

Despite concerns, strongly expressed at the time by COSLA among others, that the Act would present yet another onerous burden during a period of particularly harsh austerity, it is probably fair to say that the PRSA has been a success, giving Scotland a solid statutory basis for its record keeping for the first time.

Records Management Plans

The core of the Act is the requirement to develop and maintain a Records Management Plan. This, in theory, can take any form but in practice authorities have tended to closely follow the Keeper’s “Model” comprising (originally) 14 elements:

  1. Senior management responsibility
  2. Records manager responsibility
  3. Records management policy statement
  4. Business classification
  5. Retention schedules
  6. Destruction arrangements
  7. Archiving and transfer arrangements
  8. Information security
  9. Data protection
  10. Business continuity and vital records
  11. Audit trail
  12. Competency framework for records management staff
  13. Assessment and review
  14. Shared information

Changes

One significant change to the way that the Keeper will be assessing authorities’ Records Management Plans is that there is now an “Element 15” in the Model Plan, covering third party records. S. 2 and S. 3 of the Public Records (Scotland) Act always defined the scope of the legislation broadly, so as to cover the records of external agencies carrying out functions on behalf of the public authority, but that is now going to be more explicitly defined and the Keeper will expect to see evidence of policies and procedures under this “Element 15”.

The Keeper is currently undertaking a review of these requirements, so it is as yet unclear exactly what will be required. The issue was covered in some detail at the Stakeholders’ forums which the Keeper hosted last year, and there is some guidance and there are model contractual clauses available from the National Records of Scotland, and from the Scottish Council on Archives and Quality Scotland.

Another significant change in the Keeper’s approach to what will be required from Records Management Plans is a general refocussing on data protection. This had always featured in the Model Plan, with element 9 dedicated to the appropriate management of personal data, but now data protection runs through the Keeper’s guidance like the writing through a stick of rock. As well as beefing up element 9, each section of the Keeper’s guidance now includes a data protection theme as an example of good practice.

The scope of the PRSA continues to broaden. The Keeper is currently going through the approval process with the Integrated Joint Boards, and (as with Freedom of Information?) there will be pressure to extend the list of bodies covered by the Act. The position of Trusts and some other arm’s-length authorities remains unclear, but all organisations of a public nature would be well advised to get up to speed with the requirements of the Public Records (Scotland) Act 2011.

Throughout the process of the passage of the Bill, the Keeper always made a commitment to use the carrot rather than the stick. This has worked well, with the very helpful team at the NRS providing support and guidance on a range of records issues. As the records environment matures, however, and as more is expected of authorities, might we see a more robust approach from the regulator? In retrospect, some of the early schemes which the Keeper approved now look somewhat thin; it may be unlikely that these would have passed had they been submitted today.

Act Now has arranged a series of webinars and full day workshops on the themes raised by the developments within the PRSA. Among other issues, we will be looking at:

  • Records Management Policies. Some authorities conflate “policy” and “Plan”. I’d suggest a clear separation, with the Policy simply summarising the case for records management, allocating responsibilities, defining terms and setting out key principles. This element of the plan can also be used to include area-specific policies and procedures which perhaps don’t fit neatly elsewhere.
  • We’ll consider the standards and resources available. What are the standards that you need to know about? In developing or amending your plan, how far can you rely on off-the-shelf resources such as business classification schemes and retention schedules? What do you have to do to make these really work for you?
  • The Keeper has a self-review mechanism for already established Records Management Plans. The “Progress Update Review” mechanism is available and the Keeper has suggested that completing this process will delay the requirement for a full resubmission of your Plan. But what factors should be considered in deciding when to use the PUR and when to complete a full resubmission?
  • Links to other relevant legislation. In particular, the GDPR, the Data Protection Act 2018 and the Freedom of Information (Scotland) Act 2004. As noted above, the start of the review of the model scheme was at the same time as the implementation of the GDPR and this seems to have very much focussed the Keeper’s attention on data protection. What will authorities need to do to ensure that their RMPs are up to speed with the new DP requirements?
  • Electronic Records Management. In theory, records principles are blind to the media by which the information is created, stored and managed. In practice, however, the Records Management Plan can be an excellent focus to develop and promote policies and practical guidance which relates specifically to information in alternative media.
  • Getting “buy in”. We will consider the best ways to get support for the Records Management Plan within your organisation. It is important that you are able to show the benefits of good records management, and not just in terms of statutory compliance or improved efficiency. By developing a culture of regarding information as a corporate asset, you will be able to demonstrate that records management is vital in evidencing the rights and responsibilities of the organisation and in maintaining a high quality corporate memory through the development of a proper archive service.
  • Making it real. The RMP should not just be a paper exercise but should be a functioning set of tools which ensure that the organisation derives maximum value from its information resources. To be of real value, the Plan needs to be embedded throughout the organisation, rather than just a neat stack of policies on a corner of the Chief Executive’s desk.

Craig Geddes is a qualified archivist and records manager, with 28 years’ experience working across the range of information governance activities. He has recently joined the Act Now team to deliver freedom of information and records management courses in Scotland.


Information Governance Experts Join the Act Now Team


(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit and Risk Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well known IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategic Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR), how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training, said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector. Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.


GDPR Subject Access Time Limits Reconsidered


Just like its predecessor (the DPA 1998), the General Data Protection Regulation (GDPR) gives Data Subjects a right to make a Subject Access Request (SAR) to a Data Controller. This means that they can obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information

The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.

Time Limit

The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.

When does the one month to respond start from?

Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling. The revised guidance says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.

This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day. As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.

The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
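The three rules above (same calendar date next month, last day of the month if that date does not exist, roll forward over weekends and public holidays) reduce to a short date calculation that SAR-tracking systems need to get right. The Python below is an added example, not code from the ICO or from Act Now. The bank-holiday list is constructed for illustration, and applying the same calendar rule to a three-month period for requests where the two-month extension has been invoked is an assumption of the example, not something the guidance states.

```python
"""Calculate the GDPR Article 12 subject access response deadline.

Added example following the revised ICO guidance: the clock starts on
the day of receipt, the deadline is the same calendar date in the
following month (or the last day of that month if there is no such
date), and a deadline landing on a weekend or public holiday moves to
the next working day.
"""
from datetime import date, timedelta
import calendar


def _same_date_months_later(start, months):
    """Return the corresponding calendar date `months` later, clamped to
    the last day of the target month when the start day does not exist
    (e.g. 31 January -> 28 February)."""
    # Zero-based month arithmetic so that December rolls into January cleanly.
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def _next_working_day(day, holidays):
    """Roll forward over Saturdays, Sundays and any listed public holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received, holidays=frozenset(), months=1):
    """Statutory response date for a SAR received on `received`.

    `months=1` is the standard one-month period. Using `months=3` for a
    request where the two-month extension has been invoked is an
    assumption of this example, not a rule stated in the ICO guidance.
    """
    return _next_working_day(_same_date_months_later(received, months), holidays)


def conservative_deadline(received):
    """The fixed 28-day internal target the ICO suggests for systems that
    need a constant number of days. 28 days is the shortest possible
    calendar month, so this never falls after the statutory date."""
    return received + timedelta(days=28)


# Constructed sample holiday list: the English bank holidays over Christmas 2019.
SAMPLE_HOLIDAYS = frozenset({date(2019, 12, 25), date(2019, 12, 26)})

if __name__ == "__main__":
    samples = (
        date(2019, 9, 3),    # straightforward: 3 October
        date(2019, 3, 31),   # no 31 April: 30 April
        date(2019, 10, 30),  # 30 November 2019 is a Saturday: Monday 2 December
        date(2019, 11, 25),  # 25/26 December are holidays: Friday 27 December
    )
    for received in samples:
        print(received, "->", sar_deadline(received, SAMPLE_HOLIDAYS),
              "(28-day target:", conservative_deadline(received), ")")
```

The helper clamps to the last day of the target month before checking working days, so a request received on 31 January gives 28 February (29 February in a leap year), and only then does the weekend or holiday roll-forward apply, which matches the order in which the guidance states the two adjustments.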

Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.

You may also be interested in Susan Wolf’s blog on the latest case on subject access for paper records.


More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

GDPR and Brexit: What next?


We are heading for a No Deal Brexit it seems (at least today!). What are the implications for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018)?  Can we bin them on the 31st October with our red EU passports? The answer is no. GDPR and the DPA are here to stay albeit there will be immediate amendments coming into force if Boris does not “pull a rabbit out of the hat.”

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (currently 31st October unless something happens in the next few weeks like a General Election!).

The new regulations will only apply if we crash out of the EU without a deal. If Boris gets a deal then GDPR will apply “as is” until the end of the transitional period (currently December 2020). But no deal will mean no transitional period and changes to GDPR as we know it.

The current (EU) version of GDPR contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The new regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. From exit day this new amended version of GDPR will be imaginatively titled the “UK GDPR”.

In a no deal scenario, the UK will immediately become a third country under GDPR and so EU Data Controllers will not be able to transfer data to the UK unless additional safeguards are in place. The regulations deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR. However, for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly. However, the UK government has acknowledged that there would be no prospect of a positive adequacy decision in the foreseeable future.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context. Amongst other things, the new regulations merge this part into the UK GDPR.

All Data Controllers and Processors need to assess their EU/UK data flows and think what measures they can put into place to ensure continuity post No Deal Brexit.

The uncertainty around Brexit means that it is an interesting time for Data Protection Officers and advisers. Watch this space!


A New (GDPR) Data Sharing Code


The law on data sharing is a minefield clouded with myths and misunderstandings. The Information Commissioner’s Office (ICO) recently launched a consultation on an updated draft code of practice on this subject. Before drafting the new code, the ICO launched a call for views in August 2018, seeking input from various organisations such as trade associations and those representing the interests of individuals. (Read a summary of the responses here). The revised code will eventually replace the version made under the Data Protection Act 1998, first published in 2011.

The new code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). Launching the consultation, which will close on 9th September 2019, the ICO said the code will:

“… address many aspects of the new legislation including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities”.

Once finalised, the code will be a statutory code of practice under section 121 of the DPA 2018. Under section 127, the ICO must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.

Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance. It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency, and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017, which seeks to promote data sharing across the public sector.

There is also a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood, as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager putting her “at greater risk.”

Steve Wood, the Deputy Information Commissioner for Policy, said:

“Data sharing brings many benefits to organisations and individuals, but it needs to be done in compliance with data protection law.”

“Our draft data sharing code gives practical advice and guidance on how to share data safely and fairly, and we are encouraging organisations to send us their comments before we launch the final code in the Autumn.”

You can respond to the consultation via the ICO’s online survey, or email datasharingcode@ico.org.uk until Monday 9 September 2019.


Subject Access Requests for Paper Records


The old Data Protection Act 1998 not only gave Data Subjects a right to see their personal data held on computer but also that which was held on paper records which were held in a “relevant filing system”. A recent case, albeit under the DPA 1998, has an impact on the way Data Controllers deal with subject access requests under the GDPR.

The question of what constitutes a “relevant filing system” under the DPA 1998 has always been a vexed one, particularly since the 2003 Court of Appeal ruling in Durant v Financial Services Authority [2003]. The Court of Appeal’s interpretation of this term has been criticised in various quarters for being too restrictive and particularly for focussing on the burdens and costs imposed on Data Controllers rather than the rights of the data subjects. Therefore the recent decision by the High Court in Dawson-Damer v Taylor Wessing LLP [2019] may be welcomed by those who believe a more ‘rights-based’ approach is appropriate.

The case involved subject access requests made by Mrs Dawson-Damer and her two children to Taylor Wessing LLP (an English law firm). In short, the firm did not act for the Data Subjects, but it did hold personal data about them in a series of trust files in which they were potential beneficiaries. Taylor Wessing refused to provide their personal data, and this resulted in protracted litigation. One of the key questions that the High Court had to address was whether the Trust files constituted a “relevant filing system” for the purposes of the DPA 1998. The Court also considered whether the law firm could rely on S. 8 of the DPA 1998 which removes the obligation on a Data Controller to provide a copy of the personal data where it would involve disproportionate effort.

For further details of the Dawson-Damer request and the litigation that followed see our more detailed case note.

The definition of relevant filing system under DPA 1998

Readers familiar with the DPA 1998 will recall that it defined:

  • ‘Data’ as data processed or intended to be processed by equipment operating automatically and ‘manual’ data recorded as part of a ‘relevant filing system’.
  • ‘Personal data’ as data which relate to a living individual who can be identified from those data, or from those data and other information, which is in the possession of, or is likely to come into the possession of, the Data Controller.

In Durant, the Court of Appeal interpreted the concept of a ‘relevant filing system’ as a system of files in which the files forming part of it are:

  • Structured or referenced in such a way as clearly to indicate at the outset of a search whether the personal information of a person requesting the information is held within the system, and if so in which file or files it is held.
  • The structuring or referencing mechanism of the filing system had to be sufficiently sophisticated and detailed to indicate whether and where the requestor’s information could be located.

The key feature of this interpretation is the focus on the way in which the system is structured by reference to individuals and the ease with which specific information could be accessed. Personal data held in an unstructured manual filing system did not fall within the scope of the DPA 1998 (although there was an amendment for such data held by public authorities subject to FOI).

The Trust Files: Do they form part of a relevant filing system?

The case concerned a series of paper files that were held by Taylor Wessing prior to 2005, when it moved over to an electronic filing system. The manual files were labelled by reference to the law firm’s clients or the respective Trusts and they contained correspondence and advice that was arranged chronologically. Taylor Wessing argued that the only way it could determine if the files contained the personal data of the requestors was to go through each file page by page and therefore any personal data was not easily accessible. On this basis the law firm argued that the files did not form part of a “relevant filing system” as interpreted by the Court of Appeal in Durant. The requestors argued that the files did form part of a relevant filing system and that the law firm had failed to carry out a reasonable and proportionate search of them.

The 2019 High Court decision

The High Court decided that in the light of recent domestic and European case law the decision in Durant was too restrictive and the requirements of a relevant filing system are that:

  1. The data must be structured by reference to specific criteria; and
  2. The criteria must be “related to individuals”; and
  3. The specific criteria must enable the data to be easily retrieved.

The Court decided that some 35 Trust files formed part of a relevant filing system. They were filed under the description of the relevant Trust and the client is recorded as the Trustee. The files clearly related to Trusts in which the requestors were potential beneficiaries. On this basis the High Court was satisfied that this was sufficient to satisfy points 1 and 2. Turning to point 3, the Court said that since the files were arranged chronologically this would of course require someone to ‘turn the pages’ of the files to locate the personal information. However, the Court did not think that this would be an onerous task and the search would enable the personal data of the requestors to be easily retrieved. In any event the Court acknowledged that the law firm must have done this exercise in order to reach its conclusion that the majority of the personal data it held was subject to legal professional privilege.

For details about the Court’s reasoning see our more detailed case note.

The disproportionate effort issue

The High Court rejected the law firm’s arguments that a search through the files would involve a disproportionate effort. The decision makes it very clear that the onus is on the Data Controller to provide evidence about the time and cost involved in conducting searches. Taylor Wessing had failed to do this.

Implications of the decision

The case was considered under the DPA 1998. The GDPR and DPA 2018 now provide a subtly different definition of a filing system. However, the case shows that the approach of the Courts to the interpretation of data protection laws is more focussed on the rights of data subjects rather than the burdens faced by Data Controllers. It is also clear that Data Controllers need to produce clear evidence in terms of time and costs if they wish to argue it would involve disproportionate effort to supply personal data. This will impact on the way subject access requests (and other rights) are dealt with under GDPR. Article 12(5) allows Data Controllers to refuse requests where they are “manifestly unfounded or excessive.” The burden of demonstrating this is on the Data Controller.


Susan Wolf is a trainer with Act Now. More on these and other developments in our GDPR Update workshop. Looking for a GDPR qualification? Our practitioner certificate is the best option.