Season's Greetings

As we approach the end of another year, the Act Now team would like to extend our Season's Greetings and best wishes for the new year. We sincerely thank all our delegates and colleagues for their ongoing support and commitment.

Please note, our office will be closed for the holiday season from Monday, 23rd December, and will reopen on Monday, 6th January 2025.

Former ICO Auditor Joins the Act Now Team 

We are excited to welcome Robert Weston to our growing team of associates at Act Now Training. With extensive experience in the data protection field, Robert brings a wealth of knowledge and expertise to our clients. 

Robert has previously worked at the Information Commissioner’s Office (ICO), where he conducted audits and advisory visits, guiding organisations to better compliance with their data protection responsibilities. His hands-on experience at the ICO gives him unique insight into the inner workings of regulatory compliance; knowledge that few consultants possess. 

Robert is also a law graduate and a retired Chartered Accountant, specialising in forensic accounting. His strong analytical background, combined with his ability to break down complex legal and regulatory issues into clear, actionable insights, makes him an invaluable asset to any organisation looking to strengthen their data protection strategies. 

In addition to his role at the ICO, Robert has served as the Data Protection Officer for a £170 million turnover not-for-profit organisation, as well as a consultant to NHS Trusts, where he advised on sensitive and high-stakes data protection matters.
This diverse background equips Robert with a deep understanding of both private and public sector challenges, helping clients navigate even the most intricate data protection landscapes. 

Ibrahim Hasan, Director at Act Now Training, had this to say about Robert’s arrival: 

 “We’re thrilled to have Robert join the team. With his wealth of experience from both sides of the fence, regulator and practitioner, Robert is perfectly positioned to guide our clients through the complex world of DP implementation. His skill set is a rare combination, and I’m confident he’ll bring immense value to our clients.” 

Tailored Data Protection Services for Your Organisation 

At Act Now Training, we understand that data protection is not one-size-fits-all. That's why we offer a flexible consultancy service designed to meet the specific needs of your organisation, whether you're looking for a light-touch review or a comprehensive audit. 

Our services, led by Robert Weston, include: 

  • Desktop Reviews: A focused review of your key documents, policies, and procedures to assess data protection compliance. 
  • Onsite Audits: A deeper dive into your operations, combining desktop reviews with onsite assessments to identify risks and areas for improvement. 

Why is this important? Data protection failures can result not only in regulatory fines, but also serious reputational damage. A breach could lead to negative media coverage, eroding customer trust and impacting your brand. Our services help you avoid these risks by ensuring your data protection practices are robust and compliant with the latest legislation. 

What We Offer: Tailored Solutions for Data Protection Compliance 

Our consultancy services are designed to be flexible and scalable, offering the right level of support based on your needs: 

  • Half-Day Consultation: We’ll discuss your organisation’s approach to data protection, reviewing key documentation and ensuring compliance with legal bases for processing, data subject rights, and breach prevention. 
  • In-Depth Audit (3-4 Days): A comprehensive service where we assess your data protection practices, identify gaps, and provide practical steps to minimise risks, based on a detailed review of your policies and procedures. 

During our assessments, we use the ICO's toolkits, which provide a structured approach to monitoring ongoing compliance. These toolkits, often designed for larger organisations, include trackers to help you keep an eye on your progress. Having worked in the ICO's assurance department, Robert is intimately familiar with these tools, and he'll guide your team in implementing them effectively. 

Next Steps: Protect Your Organisation’s Future 

By working with Robert Weston and Act Now Training, you’ll gain peace of mind knowing your data protection practices are thoroughly assessed and enhanced to meet today’s rigorous compliance standards. Whether you’re looking for a quick health check or a detailed audit, we have the expertise and tools to support your organisation’s needs. 

Get in touch today to find out how we can help reduce your data protection risks, protect your reputation, and secure your stakeholders’ personal data. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!


ICO Reprimands Law Firm for GDPR Breach 

Last week, the Information Commissioner’s Office (ICO) issued a reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. 

Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server.
The attacker used legitimate credentials to infiltrate the system and eventually leaked personal data on the dark web, including:

  • Name, Address, Date of Birth
  • National Insurance Numbers 
  • Criminal data, including allegations, investigations, and prosecutions 
  • Details of complainants, victims (including children), and legally privileged information 
  • Prisoner Numbers, Health Status, and previous convictions 

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved.
This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children. 

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR: 

  • Article 32(1)(b): The need to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems. 
  • Article 32(1)(d): The requirement for a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure the security of processing. 

What Went Wrong? 

The ICO found that Levales Solicitors LLP failed to ensure the ongoing confidentiality of its systems, making it vulnerable to the cyberattack (Article 32(1)(b)). Several critical issues were identified by the ICO: 

No Multi-Factor Authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access. 

Weak Password Management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk. 

Unknown Point of Compromise: Levales Solicitors LLP was unable to determine how the attacker obtained the credentials, demonstrating insufficient visibility into how the breach occurred. 

The ICO also criticised Levales for failing to regularly test, assess and evaluate the effectiveness of its technical and organisational security measures (Article 32(1)(d)). Notably: 

Outsourced IT Management: Levales had outsourced its IT management but had not reviewed or updated its security measures since 2012. The firm was unaware of the basic security processes, such as detection, prevention and monitoring systems, in place with its third-party provider. 

Inadequate Contract Reviews: The ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up-to-date and appropriate. Levales had not reassessed their IT service contract since signing it, leaving potential vulnerabilities unchecked. 

The National Cyber Security Centre (NCSC) publishes supply chain security guidance, set out as 12 principles, which warns that gaps in contractual arrangements can be easily exploited if the responsibilities and security measures between the provider and the controller are not clearly defined or regularly reviewed. 

Despite these significant failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including: 

  • Introducing Multi-Factor Authentication (MFA) for all user accounts. 
  • Updating service contracts with third-party providers to ensure better security. 
  • Conducting a comprehensive review of existing systems and prioritising firewall upgrades. 

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under Article 58(2)(b) of the UK GDPR.  

Key Takeaways  

The decision reflects the seriousness of the firm’s failings in securing sensitive personal data and underscores the importance of robust data security practices for all organisations, particularly those handling highly sensitive information. All businesses are advised to take the following steps to comply with GDPR requirements: 

  • Implement Multi-Factor Authentication (MFA) for all accounts, so that stolen or phished credentials alone are not enough to gain access. 
  • Ensure that password policies are robust and regularly reviewed. 
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties. 
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats. 
  • Document and monitor the security measures in place, ensuring that they are tailored to the specific risks associated with the data being processed. 

This is not the first time that a law firm has been found to be in breach of GDPR.
In 2022 the ICO fined Tuckers Solicitors LLP £98,000 for a breach of GDPR.
The fine followed a ransomware attack on the firm's IT systems in which the attacker encrypted 972,191 files, of which 24,712 related to court bundles. 60 of these were exfiltrated by the attacker and released on the dark web. Some of the files included special category data. Tuckers reported the breach to the ICO as well as to affected individuals through various means, including social media.  

The ICO concluded that there were a number of areas in which Tuckers had failed to comply with, and to demonstrate compliance with, the security principle. Its technical and organisational measures were, over the relevant period, inadequate.
Amongst other things the lack of Multi-Factor Authentication was highlighted by the ICO. 

Data security is a cornerstone of GDPR compliance, and the reprimand issued to Levales Solicitors LLP highlights the potential consequences of not taking proper precautions. Organisations should treat this as a wake-up call to evaluate and strengthen their own data protection measures, particularly where sensitive or high-risk data is involved. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches workshop. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

RAC Employees Sentenced for Selling Personal Data 

On 8th October 2024, two former RAC employees were sentenced for unlawfully copying and selling over 29,500 lines of personal information.  

The two former employees worked as customer service specialists at the RAC's call centre in Stretford. Their unlawful conduct was discovered by the RAC after it installed new security monitoring software. The software showed that one of them had unlawfully accessed and copied personal information relating to people involved in road traffic accidents. A subsequent search of that employee's mobile phone showed the information had been shared in a WhatsApp chat with the second employee. Messages indicated that a third party was paying for the information. 

At a hearing at Minshull Street Crown Court on 8 October 2024, both former employees were sentenced to six-month prison sentences, suspended for 18 months, and each was ordered to complete 150 hours of unpaid work. Both defendants had previously pleaded guilty to offences under the Computer Misuse Act 1990 and the Data Protection Act 2018. Prosecution costs will be considered at a Proceeds of Crime hearing listed for 5 March 2025. 

Section 55 of the old Data Protection Act 1998 can still be used to bring a prosecution where an offence pre-dates the current Section 170 of the Data Protection Act 2018, as in the above case. It is interesting to note that the ICO also cited section 1 of the Computer Misuse Act 1990 which carries a maximum of 2 years imprisonment on indictment.   

In June 2023, the Information Commissioner's Office (ICO) disclosed that, since 1st June 2018, 92 cases involving Section 170 offences had been investigated by its Criminal Investigations Team. The most recent such prosecution was in September 2024, when an employee pleaded guilty to retaining and selling 3,600 customer records obtained from the car leasing company he worked for. He was ordered to pay a fine of £1,200 and £300 costs. 

It is important to note that, if a disgruntled or rogue employee commits a data protection offence, the employer may also be liable for the consequences. Read more in our recent blog on this subject. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

Police Service of Northern Ireland Fined £750,000 for GDPR Breach 

The Information Commissioner’s Office has issued a GDPR fine of £750,000 to the Police Service of Northern Ireland (PSNI) for a personal data breach affecting thousands of officers.  

In August 2023, in response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on "every police officer and member of police staff", a senior officer said at the time. The FoI request, made via the WhatDoTheyKnow.com (WDTK) website, had asked the PSNI for a breakdown of all staff by rank and grade. As well as publishing a table containing the number of people holding positions such as constable, the response included a spreadsheet containing the surnames and initials of 9,483 PSNI officers and staff, together with other data, though no private addresses. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety. 

The ICO investigation found that simple-to-implement procedures could have prevented the breach. The ICO’s statement said: 

“Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.” 

On 26th June 2024, the ICO announced that it would review the two-year trial before making a decision on the public sector approach in the autumn. The Notice of Intent issued to the PSNI before this fine was also in the sum of £750,000.  

In August this year, the ICO issued a Notice of Intent to fine Advanced Computer Software Group Ltd (Advanced), an NHS IT supplier, £6.09 million following a significant data breach in 2022. This came after the ICO found that the company had failed to adequately protect the personal data of 82,946 individuals. It will be interesting to see if, here too, the actual fine will be the same as the notice. 

New International Treaty on AI Signed 

In September the UK, EU, and US signed the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (AI Convention). It is the world’s first AI treaty including provisions to protect the public and their data, human rights, democracy and the rule of law. 

The Convention requires signatory countries to monitor the development of AI and ensure any technology using AI is managed within strict parameters. It also commits countries to act against activities which fall outside of these parameters and to tackle the misuse of AI models which pose a risk to public services and the wider public. 

The Convention sets out 3 over-arching safeguards: 

  • protecting human rights, including ensuring people’s data is used appropriately, their privacy is respected and AI does not discriminate against them 
  • protecting democracy by ensuring countries take steps to prevent public institutions and processes being undermined 
  • protecting the rule of law, by putting the onus on signatory countries to regulate AI-specific risks, protect its citizens from potential harms and ensure it is used safely 

The Convention does not apply directly; legislators in each jurisdiction have to implement it into their domestic law and there is a wide degree of freedom over how it is interpreted and applied. The European Commission has said the Convention will be implemented in the EU via the recently enacted EU AI Act which will become enforceable in stages over the next few years.  

The UK Position 

The UK has no AI regulation (yet). Despite media reports, the recent King’s Speech did not include a bill to regulate AI. The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. We expect a government consultation to be announced soon. However, it is likely that new AI requirements will be introduced in other forthcoming legislation e.g. the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act.  

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto stated: 

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.” 

Whatever shape the UK’s AI regulation takes, the government will have to ensure that the AI Convention is implemented. Shabana Mahmood, Lord Chancellor and Justice Secretary, said:  

“Artificial intelligence has the capacity to radically improve the responsiveness and effectiveness of public services, and turbocharge economic growth. However, we must not let AI shape us – we must shape AI. This convention is a major step to ensuring that these new technologies can be harnessed without eroding our oldest values, like human rights and the rule of law.” 

If you are a DPO needing to stay abreast of the latest developments and best practices in AI implementation,  join our Artificial Intelligence and Machine Learning, How to Implement Good Information Governance workshop.

New Information and Records Management Practitioner Certificate 

Act Now Training is delighted to announce the launch of the Information and Records Management Practitioner Certificate.  

Effective information and records management is vital for all organisations. It ensures compliance with legal requirements, enhances decision-making, mitigates risks, preserves institutional memory, supports accountability and facilitates efficiency.  

This new certificate programme meets the need of information management professionals to equip themselves with practical skills to navigate the full information and records lifecycle. The course is one of the outcomes of our work to develop a comprehensive IG skills and competency framework.  

Course Content and Format 

Our comprehensive course syllabus has been designed by leading records management specialists. By the end of the course, delegates will have gained skills in areas ranging from legal frameworks and terminology to data auditing, retention schedules and digital preservation.  

Scott Sammons will be teaching the first course starting in November. Scott is a recognised expert on records management. He was previously the Chair of the Information and Records Management Society (2016-2020) and now leads the IRMS work on accreditation. Scott said: 

“Records management is essential good business practice as well as a key component of compliance with IG legislation such as GDPR and FOI. Using practical hands on teaching methods, I aim to inspire delegates to implement records management best practice in their workplace.” 

The course is structured over four days, approximately one day per month, and can be undertaken online or in the classroom. Each day includes engaging discussions, exercises and case studies. Upon completion, delegates must submit a practical assessment within 30 days. Personal tutor support is provided throughout the course, together with comprehensive training materials. 

Special Introductory Price 

Whether you are a records manager, Freedom of Information Officer or Data Protection Officer, this practitioner-level certificate will teach you the theory of records management alongside practical hands-on application. The first course starts in October with a special introductory price. Places are limited, so please book now to avoid disappointment.  

Sales Consultant Prosecuted  

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving S.170 offences (Data Protection Act 2018) were investigated by its Criminal Investigations Team. Section 170 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

Rogue workers accessing and abusing personal data for their own gain is a real risk for organisations with vast customer databases that have commercial value. There have been a number of S.170 prosecutions by the ICO recently. The latest involves a sales consultant at a car leasing company. 

On 17th September 2024, Alexander Doré pleaded guilty to retaining and selling 3,600 customer records obtained from the car leasing company he worked for.
The information had been taken shortly before Doré resigned. He approached multiple competitor companies with this information, claiming that it belonged to him. Doré was ordered to pay a fine of £1,200 and £300 costs. 

The Head of Investigations at the ICO, Andy Curry, said: 

“Customers put their trust in any number of organisations on a daily basis to use and store their data in a legal and appropriate way. Mr Doré took advantage of that trust, as well as the trust of his employers, by taking customer information that he then passed on to other companies, purely for his own financial gain. 

“It is with great thanks to Leaseline Vehicle Management Ltd that they brought Mr Doré’s wrongdoing to our attention, and we were able to investigate. 

“We hope this successful prosecution shows we will work with companies to bring those committing crimes to justice.” 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? The answer is in our recent blog, which can be read here.

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

Ibrahim Hasan Appointed Lecturer in Dubai

Act Now Training is pleased to announce that Ibrahim Hasan has accepted an invitation to become an adjunct lecturer at Middlesex University Dubai (MDX Dubai). 

Ibrahim will be lecturing on the University's new MSc in Legal Technology.
This innovative new programme offers a unique perspective on how to integrate and enhance legal theory with technological applications. It aims to educate law graduates, legal professionals and IT/computing graduates on legal technology innovations transforming legal practice today and in the future. 

This course recognises the developing intersection between law and technology and the increasing use of artificial intelligence (AI) across all sectors.
It covers key technical aspects of cybersecurity, AI, privacy and data protection in the legal realm. Students will gain a comprehensive understanding of how technology is innovatively applied across various areas of legal practice, along with a theoretical foundation in its core principles. They will also develop practical skills and expertise, equipping them to pursue successful careers in law with a strong emphasis on the integration of technology. 

MDX Dubai was recognised by KHDA as Dubai’s largest UK university for a fourth consecutive year as of 2024, with over 5,600 students from over 120 nationalities.
It received a 5-Star KHDA rating for the quality of its education and overall student experience in 2020, followed by a second in 2022.  

This appointment acknowledges Ibrahim’s expertise in global information laws.
With over 20 years of experience in training and consultancy, he has been invited to speak at conferences and conduct training sessions worldwide, including in the Middle East and Southeast Asia. Ibrahim’s publications include the Act Now GDPR Handbook, currently in its second edition, and he frequently contributes information law articles to the Law Society Gazette. He is also regularly interviewed as an expert on information law by various media outlets, including the BBC. 

Professor Tenia Kyriazi, Head of Law and Politics Programmes at MDX Dubai said: 

“I am delighted that Ibrahim has accepted our offer to become an adjunct lecturer on the new MSc in Legal Technology. This is an innovative new programme about a rapidly advancing field. I am sure that, with his global information law expertise, Ibrahim will be able to enhance our students’ understanding and appreciation for the interaction between law and technology.” 

Ibrahim Hasan said: 

“I am honoured to accept this position at Middlesex University Dubai. The interaction between information law and advances in technology is a fast-developing area. It gives me immense pleasure to be able to develop the profession further by working with new entrants to this field. I am looking forward to some interesting discussions and debates with the students.” 

Act Now Training continues to invest in the emerging Middle East data protection scene. Last year we launched, in collaboration with Middlesex University Dubai, the UAE's first Data Protection Executive training programme. This practical course focuses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law's strict requirements. This is particularly relevant given the recent advancements in data protection law in the Middle East, including the UAE's first comprehensive national data protection law, Federal Decree Law No. 45/2021. We have also launched our KSA privacy programme to help train new DPOs in Saudi Arabia's first ever comprehensive Personal Data Protection Law (PDPL), which became fully enforceable on 14th September 2024.  
 
If you are interested in learning more about the new MSc in Legal Technology, please click on the link here to arrange a call back.

Data Protection Fees Consultation Announced 

The Department for Science, Innovation and Technology (DSIT) recently launched a consultation on a proposal to increase the annual data protection fees payable by data controllers to the Information Commissioner's Office (ICO). This follows a statutory review in 2023 of the Data Protection (Charges and Information) Regulations 2018, mandated by section 138(3)(a) of the Data Protection Act 2018. The review found that the current fee levels are no longer sufficient to cover the ICO's operational costs. 

The proposed increase of 37.2%, distributed evenly across the tiers, aims to ensure that the ICO has the necessary funding to carry out its statutory duties effectively and provide support to data controllers. Here is a breakdown of the proposed changes: 

  • Tier 1 – Micro organisations with maximum turnover of £632,000 or no more than 10 members of staff: Increase by £15, from £40 to £55 
  • Tier 2 – Small and medium organisations with maximum turnover of £36 million or no more than 250 members of staff: Increase by £22, from £60 to £82 
  • Tier 3 – Large organisations which do not meet criteria for tier 1 or 2: Increase by £1,079, from £2,900 to £3,979 

DSIT has confirmed that there will be no changes to the tiering structure, exemptions, or direct debit discounts. 

The aim of these proposals is to secure the resources needed for the ICO to provide guidance, advice, and support to organisations for compliance with data protection obligations. This is also in line with HM Treasury’s principles on Managing Public Money, ensuring full cost recovery. The ICO’s response to the consultation can be read here. Nobody will be surprised to learn that it is in favour of the fee increase. 

The consultation is open until 26 September 2024. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!   

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.