Tory Party Data Sharing Revealed

We recently wrote about The Good Law Project (GLP) challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However, GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of non-essential cookies (related to marketing, analysis and browser tracking) on the visitor’s machine without consent. This is a breach of Regulation 6 of PECR. GLP also challenges the gathering and use of website visitors’ personal data on the site, claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claims he is being profiled and believes that such profiling is unlawful. However, the Conservatives would not say who Mr Maugham’s personal data was being shared with. Following a threat of legal action, the party has now disclosed that it shared the data with PR companies and media companies, all with links to the Tory Party. According to GLP, the disclosure throws “some light on the type of grubby tactics we can likely expect to see in the upcoming general election.”

As an election draws nearer, expect the spotlight to be on all political parties’ data processing activities.

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

DP Bill Set to be Passed by 23rd July 2024

The Data Protection and Digital Information Bill, which makes changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), will enter the Report stage in the House of Lords on 10th June (scheduled for two days). Whilst amendments can still be made, none have been tabled so far.

The Bill as amended by the Grand Committee can be read here. The Keeling Schedules, showing changes to the UK GDPR, might be more useful, though they were published in March before the Grand Committee stage.

The Bill still needs to go through the Third Reading stage in the House of Lords, but it now seems very likely that it will receive Royal Assent before the Parliamentary Summer Recess begins on 23rd July 2024. Some of the provisions of the Bill will come into force as soon as it is passed. Most others will require regulations to bring them into force, which could also include a transition phase.

Next week Robert Bateman will be delivering our workshop: Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms.

ICO Reprimand for Children’s Services 

Yesterday, the ICO issued a reprimand to Birmingham Children’s Trust Community Interest Company after the personal information of a child was inappropriately disclosed to another family. 

The child protection and review department at Birmingham Children’s Trust Community Interest Company, which is owned by Birmingham City Council, was working with two neighbouring families when the data breach occurred. A child protection plan was disclosed to one family that contained both personal information and criminal allegations relating to a child from the neighbouring family. This information was included in error after being copied across from meeting minutes. 

The ICO investigation found that Birmingham Children’s Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information. This is a breach of Articles 5(1)(f), 32(1)(b) and 32(2) of the UK GDPR.

The ICO has recommended that Birmingham Children’s Trust Community Interest Company should take further steps to ensure its compliance with data protection law, including: 

  • Implement a more granular approach to data protection and create a Standard Operating Procedure with regards to producing social care documents. 
  • Include a process for any social care product to be independently checked by someone other than the author prior to disclosure. 
  • Create and implement a corporate redaction policy, which ensures staff have the knowledge and tools, to redact the product if necessary. 

Our GDPR Essentials e-learning course is ideal for organisations who wish to upskill their employees about data protection and data security.

Act Now Training Wins the IRMS Supplier of the Year Award 2024 

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the year award for 2024. The aim of the award is “to recognise suppliers in the IG/IM/RM world that go above and beyond normal expectations of customer service.”  

The awards ceremony took place on Monday night at the IRMS Conference in Brighton, where Ibrahim Hasan was also on a panel discussing the privacy implications of Generative AI and ChatGPT. This is the third time in four years that Act Now Training has won this award.

Ibrahim Hasan said: 

“This award will inspire us to continue to deliver practical training that meets the needs of the IG profession. It also recognises the hard work of our colleagues who are focussed on fantastic customer service as well as our associates who always go the extra mile for our delegates. We would like to thank the IRMS for another great conference and the members for voting for us.” 

It has been another fantastic 12 months for Act Now Training. We launched two new certificate courses aimed at helping IG professionals develop their knowledge and skills. The FOI Intermediate Certificate empowers FOI practitioners by building upon the foundations established by the FOI Practitioner Certificate, delving deep into the intricacies of FOI and developing the skills and confidence to navigate its complexities effectively. The Intermediate Certificate in GDPR Practice is designed to teach DPOs important DPO skills, as well as advanced knowledge, by covering more challenging topics to gain a deeper awareness of the fundamentals of data protection practice.

We continue to encourage new entrants to the IG profession. Our development and delivery of the training materials underpinning the Data Protection and Information Governance Practitioner Level 4 Apprenticeship helped over 100 apprentices in 2023 to join the profession, and numbers are predicted to grow even further in 2024/25.

And we are spreading the IG message beyond these shores! In November 2023, Ibrahim Hasan addressed the UAE’s first ever privacy and data protection law conference, which brought together data protection and security compliance professionals from across the world to discuss the latest developments in the Middle East data protection framework.

In December, Act Now announced the launch of the UAE’s first Data Protection Executive training programme. This practical course focusses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law’s strict requirements. This is particularly relevant given the recent advancements in data protection law in the Middle East, including the UAE’s first comprehensive national data protection law, Federal Decree Law No. 45/2021. This is a real first for the IG profession. Middlesex University is the biggest international university in Dubai, and this certificate is the first executive DP programme in the Middle East.

Act Now’s programme of online workshops has been expanded to help the profession understand the hot IG topics of the day including:  

  • The EU AI Act 
  • The new DP Bill  
  • Data flow mapping
  • International transfers  
  • Working with Children’s data  
  • Cybersecurity for DPOs  
  • Accountability and DP Audits 

We have more great new courses coming up. Watch this space! 

Another Conservative Party GDPR Breach 

Yesterday, Rachel Cunliffe, Associate Political Editor of the New Statesman, reported that she had received an email from the Conservative Campaign Headquarters (CCHQ) about their forthcoming conference. However she could also see the other 344 recipients as they were all listed in the “To” box, along with their email addresses. CCHQ had made the classic mistake of failing to use blind carbon copy (BCC) and thus, by exposing the personal data of recipients, breached the UK GDPR. 

Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year. But this incident is not just about exposing some email addresses. Recipients of the CCHQ email will be able to make assumptions about the political affiliations of their fellow recipients. Even if these assumptions are wrong, the email addresses can be classed as Special Category Data under the UK GDPR and thus more sensitive than other personal data.
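The mistake described above is easy to prevent at the point of sending. The following is an added illustration, not code from Act Now Training or from the article: a small Python helper that builds a one-to-many email with the recipient list in Bcc, alongside a pre-send check that refuses any message exposing more than a handful of addresses in the visible To/Cc headers. The sender address, the recipient addresses and the visible-recipient threshold are all constructed for the example.

```python
"""Guard against the 'everyone in the To field' mailing error.

Added example (not from the article or from Act Now Training). It builds a
bulk message the safe way (list in Bcc) and shows a pre-send check that
rejects the unsafe way (list in To/Cc). Addresses and the threshold below
are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: an organisational policy limit on how many recipient addresses
# may be visible to every other recipient. Not a figure from the article.
MAX_VISIBLE_RECIPIENTS = 5


def sample_recipients(n: int) -> list[str]:
    """Constructed mailing list of n addresses in the reserved example.org domain."""
    return [f"member{i}@example.org" for i in range(n)]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see: To and Cc, never Bcc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg: EmailMessage,
                      limit: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Pre-send control: (ok, reason). Blocks messages that disclose a list."""
    seen = visible_recipients(msg)
    if len(seen) > limit:
        return (False,
                f"{len(seen)} recipient addresses visible in To/Cc "
                f"(limit {limit}); move the list to Bcc")
    return True, "ok"


def build_exposed_message(sender: str, subject: str, body: str,
                          recipients: list[str]) -> EmailMessage:
    """The mistake: the whole list goes in To, so every recipient sees it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender: str, subject: str, body: str,
                       recipients: list[str]) -> EmailMessage:
    """The safe form: only the sender is visible; the list travels in Bcc.

    smtplib.SMTP.send_message() strips the Bcc header from the transmitted
    copy while still delivering to those addresses, so nothing leaks.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # visible field carries only the sender's own address
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    members = sample_recipients(345)  # constructed list, same size as the incident
    for label, m in (("exposed", build_exposed_message("press@example.org", "Conference", "Hello", members)),
                     ("bcc", build_bulk_message("press@example.org", "Conference", "Hello", members))):
        ok, reason = check_before_send(m)
        print(f"{label}: {'SEND' if ok else 'BLOCKED'} - {reason}")
```

The check is deliberately independent of how the message was built, so it can sit in front of any outbound mail path (a wrapper around `smtplib`, a mail-merge script or a release gate) and catch the exposed form whichever tool produced it.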

So can the CCHQ expect a knock on the door from the ICO? Will they be fined? Whatever your political persuasion, you may think this error from those who run the Government deserves the strongest sanction. As Cunliffe writes:

“If you can’t trust the Conservatives with your email address, why should you trust them with anything else.”  

Inadvertent disclosure of personal data by email, through failing to use BCC, has been the subject of a number of GDPR enforcement actions by the ICO in the past few years. Just last December, the Ministry of Defence (MoD) was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. In October 2021, HIV Scotland was issued with a £10,000 fine when it sent an email to 105 people which included patient advocates representing people living with HIV. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk; this too is Special Category Data.

The ICO could follow the above examples and issue a fine, although in two recent cases it has gone for a softer option. Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in the same way.

In a statement issued on X, the ICO said:

“The Conservative Party has made us aware of this incident and we are assessing the information provided.” 

The Conservative Party has form when it comes to GDPR non-compliance. Recently we wrote about The Good Law Project’s challenge to the Tories’ “data harvesting” from users of its online tax calculator. But this latest data breach is about more than GDPR compliance. To quote Rachel Cunliffe again:

“This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?” 

The breach came on the day Rishi Sunak gave a speech to the Policy Exchange about the power of technology and how he, rather than Keir Starmer, could keep us safe. You can watch Sunak’s speech here, although we prefer comedian Matt Green’s brilliant satirical take on it here.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

DP Bill Moves Closer to Royal Assent

The Data Protection and Digital Information Bill has now completed the Grand Committee stage in the House of Lords. It will now enter Report stage in the House of Lords. Whilst amendments can still be made, the Bill as amended by the Grand Committee can be read here.

The Bill will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The Keeling Schedules, showing changes to the UK GDPR, might be more useful, though they were published in March before the Grand Committee stage.

Subject to an early General Election being called, the Bill will receive Royal Assent before the Parliamentary Summer Recess begins on 23rd July 2024.

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop.

Lessons On Transparency: The ICO Experian Appeal

The Information Commissioner’s Office recently lost its appeal in the Upper Tribunal in relation to an Enforcement Notice issued to Experian.  

The notice concerned Experian’s marketing arm, Experian Marketing Services (EMS), which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources: publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications.

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an ICO Enforcement Notice issued to Experian. The notice alleged several GDPR violations, namely Art. 5(1)(a) (Principle 1: lawfulness, fairness and transparency), Art. 6(1) (lawfulness of processing) and Art. 14 (information to be provided where personal data have not been obtained from the data subject). For more detail of the FTT judgment, read our earlier blog here.

On 23rd April 2024, the Upper Tribunal dismissed the ICO’s appeal against the FTT’s judgment. This can be read here along with a useful press summary. The Upper Tribunal backed the FTT’s conclusions while repeatedly criticising its unclear reasoning. 

The broader value of the judgment lies in its guidance, for the first time at this level, on what the transparency requirement under the UK GDPR involves (see paragraph 95). It also sets out its views on the current data protection landscape more generally. 5 Essex Court have a good summary of the judgment on their website.

The ICO has issued a (“let’s look on the bright side”) statement saying that:

“The ICO will take stock of today’s judgment and carefully consider our next steps, including whether to appeal.” 

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.

Stolen NHS Data Published on Dark Web

A large volume of NHS data has been published by a ransomware group on the dark web. This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient and staff-identifiable information. Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people.”

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

NHS Dumfries and Galloway advised people to be alert for any attempts to access their work and personal data. It has also set up a helpline for anyone concerned about the attack and is working with police and other agencies as investigations continue.

In December last year, NHS Fife was formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

MOD Payroll Data Hacked

The government has raised concerns about a cyber attack on an armed forces payroll system, with indications pointing towards China as the suspected perpetrator. Defence Secretary Grant Shapps is set to address Members of Parliament today, although he is not expected to directly attribute blame to any specific party. Instead, he is likely to emphasise the threat posed by cyber espionage activities conducted by hostile states.

The affected system, utilised by the Ministry of Defence (MoD), contains sensitive information such as names and bank details of armed forces personnel, with a few instances where personal addresses may also be included. The system is managed by an external contractor. The breach came to light in recent days, prompting government action, although there is no evidence suggesting data was actually extracted from the system.

The investigation into the breach is still in its early stages and attributing responsibility can be a complex and time-consuming process. While official accusations may not be made immediately, suspicions are reportedly pointing towards China, given its history of targeting similar datasets.

Those impacted by the breach will receive communication from the government regarding the incident, with a focus on addressing potential fraud risks rather than immediate personal safety concerns.

At the time of writing it is not clear if the MoD has reported the data breach to the ICO as required by the UK GDPR. In December 2023, the MoD was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

The Computer Says “No (you are dead)!” 

Yesterday the BBC reported that a Scarborough woman attended a hospital for a scan only to be told she had already died. Data Protection professionals will know that Article 5(1)(d) of the UK GDPR states personal data must be: 

“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)” 

In a shocking breach of this principle, Bridlington Hospital staff told Susan Johnson that, according to their records, she had been dead for four months. This led to her carer’s allowance, paid for looking after her disabled husband, being briefly suspended. 

What is also concerning is the lack of accountability. None of Mrs Johnson’s GP practice, the DWP, NHS England or Primary Care Support England (PCSE) has taken responsibility for the error.

This case shows that data protection compliance is not a tick box exercise. Failure to comply sometimes has severe consequences for individuals.  

This and other GDPR developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop on the EU AI Act and the UK Approach to AI Regulation.