Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

GDPR and the Data Protection Bill: Myths and Misunderstandings

Man Reading Book and Sitting on Bookshelf in Library

On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.

The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed and exemptions (including for freedom of expression in the media.)

That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:

The Bill gives people new rights (No it does not, the GDPR does.)

The Bill is designed to sign European privacy rules into British law

(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))

The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)

Then again the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”

All this myth peddling has led to some official myth bashing too. (See the ICO’s latest blog post.)

So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!

The DCMS has today published (HT Bainsey1969 and the Open Rights Group) a list of derogation in the Bill and there proposed stance (Read here). The following stand out:

  • Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
  • Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and schedule 7 of the DPA).
  • New Offences – The Bill will create a number of new criminal offences:

Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data

Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)

Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)

  • Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
  • Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
  • Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and, object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure.

Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:

  1. Raise awareness about GDPR at all levels. (Check out our full day workshop and our GDPR poster).
  2. Consider whether you need a Data Protection Officer and if so who is going to do the job.
  3. Review compliance with the existing law as well as the six new DP Principles.
  4. Review how you address records management and information risk in your organisation.
  5. Revise your privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
  6. Review your information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  7. Write polices and procedures to deal with new and revised Data Subject rights including Data Portability and Subject Access.
  8. Consider when you will need to do a Data Protection Impact Assessment

STOP PRESS – the Bill has now been published.  Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service.

GDPR and Employee Surveillance

canstockphoto18907084

The regulatory framework around employee surveillance is complex and easy to fall foul of. A few years ago, West Yorkshire Fire Service faced criticism when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

At present all employers have to comply with the Data Protection Act 1998 (DPA) when conducting surveillance, as they will be gathering and using personal data about living identifiable individuals. Part 3 of the Information Commissioner’s Data Protection Employment Practices Code (Employment Code) is an important document to follow to avoid DPA breaches. It covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet monitoring.

When the General Data Protection Regulation (GDPR) comes into force (25th May 2018) it will replace the DPA. The general rules applicable to employee monitoring as espoused by the DPA and the Employment Code will remain the same.  However there will be more for employers to do to demonstrate GDPR compliance.

Data Protection Impact Assessment

One of the main recommendations of the Employment Code is that employers should undertake an impact assessment before undertaking surveillance. This is best done in writing and should, amongst other things, consider whether the surveillance is necessary and proportionate to what is sought to be achieved.

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) as a tool, which can help Data Controllers (in this case employers) identify the most effective way to comply with their GDPR obligations. A DPIA is required when the data processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Employee surveillance is likely to be high risk according to the criteria set out by the Article 29 Working Party in its recently published draft data protection impact assessment guidelines.

The GDPR sets out the minimum features which must be included in a DPIA:

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

Before doing a DPIA, the Data Protection Officer’s advice, if one has been designated, must be sought as well as the views (if appropriate) of Data Subjects or their representatives. In some cases the views of the Information Commissioner’s Office (ICO) may have to be sought as well. In all cases the Data Controller is obliged to retain a record of the DPIA.

Failure to carry out a DPIA when one is required can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Our recent blog post and forthcoming DPIA webinar will be useful for those conducting DPIAs.

Article 6 – Lawfulness

All forms of processing of personal data (including employee surveillance) has to be lawful by reference to the conditions set out in Article 6 of GDPR (equivalent to Schedule 2 of the DPA). One of these conditions is consent. Article 4(11) states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

As discussed in our previous blog post, consent will be more difficult to achieve under GDPR. This is especially so for employers conducting employee surveillance. According to the Information Commissioner’s draft guidance on consent under GDPR:

“consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.”

Employers (and public authorities) may well need to look for another condition in Article 6 to justify the surveillance. This could include where processing is necessary:

  • for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c));
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e)); or
  • for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).

Legitimate interests (Article 6(1)(f)) will be a favourite condition amongst employers as usually the surveillance will be done to prevent or detect crime or to detect or stop abuse of the employers’ resources e.g. vehicles, internet and email facilities etc.

Public Authorities

Article 6 states that the legitimate interests condition shall not apply to processing carried out by public authorities in the performance of their tasks. Herein lies a potential problem for, amongst others, local authorities, government departments, and quangos.

Such organisations will have to consider the applicability of the legal obligation and public interests/official authority conditions (Article 6(1)(c) and Article 6(1)(e)) respectively). We can expect lots of arguments about what surveillance is in the public interest and when official authority is involved. If the surveillance involves a public authority using covert techniques or equipment to conduct the surveillance, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and so the latter condition is met. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H),).

More detail on the RIPA and human rights angle to employee surveillance can be found in our blog post here. More on the DPA angle here.

We also have a specific blog post on the legal implications of social media monitoring as well as a forthcoming webinar.

Transparency

All Data Controllers, including employers, have an obligation to ensure that they are transparent in terms of the how they use employee’s information. Consideration will also have to be given to as to what extent general information will have to be supplied to employees in respect for the employer’s surveillance activities (See our blog post on Privacy Notices).

Surveillance of employees can be a legal minefield. Our forthcoming webinar on GDPR and employee surveillance will be useful for personnel officers, lawyers, IT staff and auditors who may be conducting or advising on employee surveillance.

 

Act Now can help with your GDPR preparations. We offer a GDPR health check service and our workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast.

Data Protection Impact Assessments under GDPR

CJgbrkzUwAAJSZA

The General Data Protection Regulation (GDPR) will come into force in about 10 months. There is plenty to learn and do before then including:

  1. Raising awareness about GDPR at all levels
  2. Reviewing how you address records management and information risk in your organisation.
  3. Reviewing compliance with the existing law as well as the six new DP Principles.
  4. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
  5. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  6. Writing polices and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  7. Considering whether you need a Data Protection Officer and if so who is going to do the job.
    As well as:
  8. Considering when you will need to do a Data Protection Impact Assessment (DPIA).

Article 35 of GDPR introduces this concept. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

DPIAs are important tools for accountability, as they help Data Controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance (see Article 24)4.)

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3)), includes (but is not limited to):

  • systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
  • large scale processing of special categories of data or personal data relating to criminal convictions or offences.
  • large scale, systematic monitoring of public areas (CCTV).

So what other cases will involve “high risk” processing that may require a DPIA? In May, the Article 29 Working Party published its data protection impact assessment guidelines for comments. We are still waiting for the final version but I don’t think its is going to change much. It sets out the criteria for assessing whether processing is high risk. This includes processing involving:

  1. Evaluation or scoring, including profiling and predicting especially from aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
  2. Automated decision-making with legal or similar significant effects
  3. Systematic monitoring of individuals
  4. Sensitive data
  5. Personal Data on a large scale
  6. Datasets that have been matched or combined
  7. Data concerning vulnerable Data Subjects
  8. Innovative use or application of technological or organisational solutions
  9. Data transfers across borders outside the European Union
  10. Data that Prevents Data Subjects from exercising a right or using a service or a contract

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA (Article 35(7), and Recitals 84 and 90):

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project.

The ICO’s Code of Practice on Privacy Impact Assessments will assist as well as the Irish Data Protection Commissioner’s Guidance.

When should a DPIA be conducted?

DPIA’s should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Design approach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

More about Data Protection Impact Assesments in our forthcoming webinar.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service in which we can come carry out an audit and help you prepare and fill any weaknesses.

 

Image credits: https://privacy.org.nz/blog/toolkit-helps-assess-your-privacy-impact/

 

Ghost in the machine

By Paul Simpkins

Like any normal UK male I like to watch sport on TV. As the season all over Europe comes to a conclusion the titles and cups are being decided. Exactly the wrong time to take a holiday. Why?

Because despite Sky Go and BT allowing you to watch their products on your laptop or other device while you’re away from home things stop working when you leave the UK. It’s nothing to do with Brexit. Your device works out that you’ve left and suddenly many services that you use frequently start to deny you access for the simple reason that you’re away from home. If you want to watch the destination of the titles and cups you have to hope that you can find a friendly bar with a TV and hope the locals aren’t supporting the team that is playing your team.  You may have to consume alcohol and even sing sporting anthems badly but that’s part of the fun.

If you prefer to sit in the safety of your hotel room or rural gite or caravan there is another solution. Buy a wifi session. Your venue will probably sell you one for a few euros and you can watch in peace with a steaming cappuccino. Trouble is your device may still not allow you to connect to UK channels as it will still think you’re away from home as your IP address identifies your location.

But there’s a solution for that as well. Buy an app that masks your IP address. I’ve used this one.

blg paul 1

And it’s worked well. For free it will tell your computer sitting in Bordeaux that it’s really in Manchester so it will be able to watch iPlayer, Sky & BT without a problem. Yabba dabba doo!

Until recently when I purchased a month’s wifi from the site where I am currently staying. The company concerned is called Ozmosis.

blg paul 2

It’s full of lovely pictures of people enjoying themselves on holiday (the sunglasses give it away) using their wifi on holiday parks throughout Europe. 8 million users no less. So I bought a month’s wifi from them.

When it came to Champions league semi finals I thought I’d watch. It took a while. You have to run Cyberghost and find out that only 2000 free places exist and they count down at about ten a second until wow you’re sorted and watch the IP address emigrating from south west France to Manchester via a slow moving graphic then eventually log on to BT sport. Even then it often doesn’t work.

No problem. It was worth the effort. Until the following morning when you try to log on to the internet as usual. It doesn’t work. Suddenly it dawns on you via series of messages from Ozmosis they’ve identified a streaming service on your computer which violates their terms and conditions and they have terminated your wifi (after 6 of 31 days).

You ring the help line and you have to admit that you’ve been a naughty boy using an IP masking routine; apologise, delete it from your machine and they restore your wifi.

But then you think…

Who are they to say what I can do with their product? I buy it. It connects me to the internet. Can I watch porn channels with it? Can I hack health services all over Europe with it?  If I buy product A that enables me to do many things can the provider of Product A stop  me from doing B, C and D, E and F with their enabling product? 

If I bought a Kindle and loaded it with racist literature could Amazon stop me reading it?

If I bought a car and was told by the salesman that I couldn’t drive to Chipping Sodbury because they didn’t like the name.

If I bought a mobile phone but was limited in the numbers I could call?

(other off the wall examples sought by the author)

So there you are. I can buy wifi and perform normal functions like check my email or look at my bank account or whatsapp my auntie but not watch Atletico Madrid fail to beat Real Madrid without being penalised by a faceless sysadmin near Montpellier who cuts off a service I’ve paid for because I’m doing something they don’t like.  I have no other option on my campsite. Ozmosis have a monopoly.

OK millions of people streaming a major football match might use a lot of bandwidth but that’s what most European males on a campsite want to do. Saying in the T & C that you can’t do it makes buying the wifi worthless. Increase your capability Ozmosis or get out of the sector (

but they’re making zillions of euros so they won’t do that).

I expect a torrent of abuse from normal people who live without watching big sporting events but living in France for several weeks eating quality food and drinking cheap quality wine and beer while enjoying temperatures 10 degrees higher than the UK needs some mitigation otherwise it would be Paradise Lost – buts that’s another story.

GDPR: One Year to Go! Special Offer Today Only!

canstockphoto45001453

Exactly one year today (on 25th May 2018), the General Data Protection Regulation (GDPR) will come into force. (***see below for a special offer)

Data Controllers and Data Processors now have just 12 months to prepare for the biggest change to the EU data protection regime in 20 years.  With some breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, everyone has to take GDPR seriously.

For those who are still yet to start their GDPR implementation programme, the ICO’s 12 steps to take towards compliance is a good place to start. We would emphasise:

  1. Keeping up to date with all the guidance coming out of the ICO and the Article 29 Working Party.
  2. Raising awareness about GDPR at all levels. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops.
  3. Reviewing how you address records management and information risk in your organisation.
  4. Reviewing compliance with the existing law as well as the six new DP Principles.
  5. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  6. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  7. Writing polices and procedures to deal with new and revised data subject rights such as Data Portability and Subject Access.
  8. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need?

Our GDPR Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.  

The next 12 months need to be spent wisely. As well as training, Act Now can deliver GDPR health checks to assess where you are and guide you to where you need to be.

And as if there isn’t enough to do, the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection for law enforcement agencies (as well as others) when processing personal data relating to crime and justice has to be implemented by 6th May 2018. Oh and a new Regulation on Privacy and Electronic Communications covering, amongst other things, direct electronic marketing will come into force on 25th May 2018.

An exciting time to be involved in privacy and data protection!

*** To mark the occasion and help you prepare for GDPR coming into force, Act Now will apply a 25%  (see what we did there?) discount to all bookings for our GDPR one day workshops received today (25th May 2017).

* Please note the full  booking details have to be received by us. Offer applies to new bookings only which are received today only.

GDPR Practitioner Certificate: First set of Results

accomplishment, certificate, degree, successful, diploma, graduates, achievement, celebration

Act Now Training Limited is pleased to announce the successful completion of its first two courses leading to the GDPR Practitioner Certificate.

Congratulations to all 19 delegates who successfully completed the course in London and Manchester in May 2017 (with 5 achieving a distinction).  They represented a diverse range of organisations including British Airways, insurance companies, councils, universities and housing associations.

Steve Wood, Head of International Strategy and Intelligence, at the Information Commissioner’s Office said:

“Congratulations to all the successful candidates on the Act Now GDPR Certificate.  As we near 25th May 2018, it is good to know that organisations are taking steps to ensure they have staff with the knowledge and skills to take up the GDPR implementation challenge”

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate, which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

Feedback from delegates has been very positive:

An excellent course presented with flair that explained the transition from DP Act to EU-GDPR with emphasis on both the law and real world examples. PG, Somerset County Council

Excellent course. Tim was extremely knowledgeable and helped set out clearly what needs to be done to prepare for the GDPR. ES, Together Trust

I enjoyed every minute of this course. CA, Nursing and Midwifery Council

A really enjoyable and practical course. Informative in terms of learning and it also helped to put into context my own reading and work around GDPR. Tim is a great presenter and the course was delivered at a good pace. Questions and discussions raised by other delegates were interesting and informative too. SB, The Riverside Group Limited

Data Protection is made enjoyable and is brought to life by the quality of the trainer who has obviously experienced it in the live environment and who absolutely loves the subject. AH, SCLL

The course tutor was Tim Tuner who shared his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, meant that delegates were not only in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

Tim said:

“I have really enjoyed teaching these delegates. Their enthusiasm and ability to challenge themselves bodes well for the future of GDPR compliance in the UK. I am on a mission to continuously improve this course so that it becomes the premier GDPR qualification.”

This course is filling up fast. Five out of the next seven courses are fully booked. We are adding more dates. Please check our website for a course near you.

Councillors, council tax arrears and FOI

POUNDLAND

Some council chiefs, as well as some councillors, do not like the Freedom of Information Act 2000(FOI) claiming, amongst other things, that it costs too much and is used to request trivial information. Against this backdrop, how do council FOI officers deal with requests (often from journalists) for the names of councillors who are in arrears or have defaulted on their council tax bills?

Some councils have refused such requests citing the section 40(2) exemption for third party personal data. For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of the Data Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)? Of course when the new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 the disclosure of the data will have to be justified by reference to Article 6 of GDPR.

A 2016 Upper Tribunal decision sheds light on this difficult issue. Haslam v Information Commissioner and Bolton Council [2016] UKUT 0139 (AAC) (10 March 2016) concerned a request by a journalist (Mr Haslam) for disclosure of information about councillors who had received reminders for non-payment of council tax since May 2011.  The Council told the appellant that there were six such councillors and informed him which political party they were members of, how much had been owed, how much was outstanding, and that two had been summoned to court.  The Appellant asked for the names of the individual councillors.  The Council refused stating that the names were exempt from disclosure under section 40(2) FOI.  The Appellant appealed to the First-tier Tribunal, against the decision of the Information Commissioner to uphold the Refusal Notice, in relation to the two councillors who had been summoned to court. The First-tier Tribunal dismissed the appeal.  Subsequently one councillor voluntarily identified himself, so that there was only an issue regarding one councillor before the Upper Tribunal.

The Upper Tribunal allowed the appeal concluding that releasing the name would not contravene the data protection principles, because processing was necessary for the purposes of legitimate interests pursued by the Appellant, and was not unwarranted because of prejudice to the councillor’s rights/legitimate interests.  This was a public matter in which the councilor could not have a reasonable expectation of privacy. Judge Markus in her judgment said:

“40. But, in the case of a councillor, it is not only a private matter. A councillor is a public official with public responsibilities to which non-payment of council tax is directly and significantly relevant.  A number of specific features of this were advanced in submissions to the First-tier Tribunal.  In particular, section 106 of the Local Government Finance Act 1992 bars a councillor from voting on the Council’s budget if he or she has an outstanding council tax debt of over two months.  If a councillor is present at any meeting at which relevant matters are discussed, he or she must disclose that section 106 applies and may not vote.  Failure to comply is a criminal offence. Thus council tax default strikes at the heart of the performance of a councillor’s functions. It is evident that setting the council’s budget is one of the most important roles undertaken by councillors.  The loss of one vote could make a fundamental difference to the outcome. This adds a significant public dimension to the non-payment of council tax.  The very fact that Parliament has legislated in this way reflects the connection between non-payment and the councillor’s public functions.  Moreover, as the Commissioner observed in his decision notice, recent failure to pay council tax is likely to impact on public perceptions and confidence in a councillor as a public figure.

  1. These factors are of critical relevance to expectation.  As the Commissioner  had observed, those who have taken public office should expect to be subject to a higher degree of scrutiny and that information which impinges on their public office might be disclosed.  More specifically, unless the local electorate know the identity of a councillor to whom section 106 applies, they cannot discover that that councillor is failing to fulfil his functions.  Nor can they know that the process of declarations under section 106 is being adhered to. In addition the electorate may wish to know whether they can trust a councillor properly to discharge his functions if he stands for office again.” 

So there we have it. Councillors can normally expect to have their names disclosed if they default on council tax. However this is not an absolute rule. In the words of Judge Markus (at paragraph 56):

“There may be exceptional cases in which the personal circumstances of a councillor are so compelling that a councillor should be protected from such exposure.”

The Bolton News, where the Appellant works, finally named the councillor who is the subject of this case (Click here if interested). By the way, I may share a name with him but I can assure you that I am up to date with my council tax bill payments!

We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars.

How would you do on the BCS Certificate in Freedom of Information exam? Have a go at our test.

New GDPR Health Check Service Launched!

stethoscope, computer, keyboard, data, chart.jpg

 

Act Now is pleased to announce the launch of its GDPR health check service.

GDPR represents the biggest change to the European data protection regime in 20 years. It will take effect on 25th May 2018 and the Information Commissioner’s Office (ICO) has already confirmed that there will be no grace period after that date.

Now is the time to get your GDPR house in order.  There are many practical steps that can be taken quite easily. Some sectors are getting there; recent report by the ICO shows that local government is trying its best but there is more to do.

For those who have started (and may be stalled) or need a customised GDPR action plan, our experts are at hand. Our GDPR health check service will provide your organisation with:

  • A preliminary assessment of your current level of preparedness for GDPR;
  • A prioritised and specific compliance action plan;
  • Pointers to guidance, models and good practice resources relevant to your needs.

If required, we can also discuss how Act Now can assist you with implementation, through our acclaimed training offers or expert consultancy support.

Act Now has a proven track record in this area. We have undertaken many data protection consultancy projects in the last few years. In 2016 we won a contract to deliver consultancy services to a major organisation in the regulatory sector.

Our reputation is international. In 2015 Ibrahim Hasan and Paul Gibbons delivered data protection audit training to the Government of Brunei and our forthcoming GDPR Practitioner Certificate course in London has delegates from Spain and the USA!

Feel free to get in touch to discuss your requirements.

GDPR Guidance finalised and more published

Stack of Files and Papers

Unless you live on the planet Zog, you will be aware that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Neither Brexit nor the recently announced General Election will have an impact on this date; GDPR is here to stay. There has been a flurry of activity from the Information Commissioner’s Office (ICO) and the Article 29 Working Party (A29WP) on the GDPR front of late.

Consent

Consent under GDPR is a thorny issue. Compare the old and the new definitions below:

Using opt out boxes and inaction as proof of individuals’ consent to processing will no longer be allowed (if indeed they ever were!). Last month the ICO launched its GDPR consent consultation. The deadline for responses has now passed but the document is still worth reading to understand how the landscape is changing.

Profiling

GDPR introduces stricter provisions to protect individuals from a type of data processing known as “profiling”. This is defined in Article 4:

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

The GDPR gives individuals a right to know profiling is taking place and in some cases allows them to object to it or require human intervention.

The ICO’s discussion paper on this topic highlights the key areas it feels need further consideration. This includes subjects like marketing, the right to object and data minimisation. The deadline for feedback is 28th April 2017. The A29WP guidelines on profiling are due to be published later this year and any feedback the ICO receives will inform that work.

Data Portability

Article 20 of GDPR gives individuals the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. This is known as the right to data portability.

In December 2016, the A29WP published draft guidance on this right and a useful FAQ. The final version was published on 5th April 2017. The key themes are the same but the latest version does clarify a few points and gives better examples. Here are the two documents compared.

Data Protection Officer

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The A29WP has now produced the final version of its DPO guidance, which was published for comments in December. Here are the two documents compared. Again the main themes of the documents are the same with some welcome clarifications in the final version.

Lead Supervisory Authority

Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data. For those that have multiple processing operations in the EU or where a breach occurs in many countries there will be a need to identify a lead supervisory authority, which will be charged with investigating the breach. The A29WP has now finalised its guidance on this topic.

Data Protection Impact Assessments

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). In some cases Data Controllers will be required to do a DPIA in relation to one or more data processing operations. It will help them assess necessity and proportionality and to manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them).

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In certain situations a DPIA will be mandatory (see Article 35(3)).

The A29WP is requesting comments on the data protection impact assessment guidelines it recently published. The deadline is 23rd May 2017. Even if you don’t want to comment its still a useful document to read to understand what steps need to be taken to raise awareness of the DPIA processes and what training will be required for those undertaking this task.

Finally, the A29WP recently published its work programme for 2016 – 2018 accompanied by a supplementary statement explaining GDPR specific priorities.  As from 2018 it will become the European Data Protection Board.

 

Our full day workshops and new GDPR Practitioner Certificate courses are filling up fast. We also offer a GDPR health check service.

Local Government GDPR Readiness: Good and will get better!

canstockphoto28466384

The Good Practice department at the Information Commissioner’s Office (ICO) conducted a survey on information governance practices in local government. In particular it was designed to ascertain what progress councils had made in preparing for the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. The survey received 173 responses. The full results were published on 20th March 2016.

There have been a number of negative headlines (or at least “glass half empty’ style headlines) about the ICO’s conclusion:

Many UK local councils still unprepared for GDPR

Local councils are underprepared for GDPR rules

UK Councils Lagging on GDPR Compliance

The actual ICO conclusion was:

“The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations.”

So more like “trying but need to do more.” But who doesn’t? I wonder if the same survey was conducted in the private sector would things be any different? Not according to various stories appearing on the web:

Half of businesses still not ready for GDPR

Every fourth company not ready for GDPR

Over half of the businesses are not ready for GDPR compliance

According to a recent survey, many UK businesses mistakenly think that GDPR will not apply to them as a consequence of the UK moving towards Brexit. This is despite the fact that the Government has confirmed that GDPR is here to stay.

Let’s go back to the results of the ICO survey (and let’s be positive):

  • 75% of councils have appointed a Data Protection Officer. Okay 25% have not but there is still plenty of time. Remember this is a compulsory requirement for all public authorities and public bodies. However Data Controllers can share a DPO or buy in the service provided there is no conflict of interest.  (More on the role of the DPO here.)
  • 85% of councils have data protection training for employees processing personal data. Okay 15% don’t but this is easily put right. We have a range of DPA and GDPR courses to suit a variety of budgets. These can be delivered face to face, online or at your premises.
  • Most councils carry out privacy impact assessments (PIAs) but 34% still do not. GDPR makes it a legal requirement for all Data Controllers to conduct data protection impact assessments in certain circumstances. The ICO’s Privacy Impact Assessment Code of Practice provides more advice and will be reissued for GDPR in due course. See also our PIA webinar. 
  • 93% of councils have a data protection and information security policy in place. This is good to see with the additional importance placed on security in GDPR especially breach notification.
  • 90% of councils have created a role of  Senior Information Risk Owner (SIRO) to help manage information risk.

So local government is not in such a bad state, when it comes to GDPR preparations, as some are saying. The messages to local government colleagues should be, “Full steam ahead but don’t panic!”

Who knows the name and place of the above building? Tweet your answers to @actnowtraining

We have a range of GDPR resources to help you including our GDPR Practitioner Certificate, GDPR posters and GDPR legislation booklet. We have also just launched our GDPR health check service.