Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Have you stopped speeding your car? Insurance companies and data protection.

 

clip_image002I went on a Speed Awareness Course recently. I was not alone as 1,207,570 people did in 2015 and the numbers for 2016 will certainly be higher. There was a wonderful cross section of the population there and two trainers there as well. It was a good course with plenty of information about reading the road, hazards, speed limits quizzes and video.

My first reaction to the Notice of Intended Prosecution was that I’d start accumulating points and points (in car insurance terms) means price hikes so to be offered a course in lieu of points was a fantastic result. The cost of the course (£90) was irrelevant in fact I’d have paid much more to avoid the points. The cost of the Fixed penalty (£100) was also not an issue even though I didn’t pay it. It was the points on my licence that was at the forefront of my mind.

Not everyone is offered a course however

clip_image004

This says in plain English that you may be caught at 35mph but will avoid a prosecution but between 36mph & 42mph you will be offered a course. So just over the limit is OK; medium level speeding means a course but over the top speeding means a prosecution or fixed penalty. That’s why you see lines of executive cars chugging down the motorway with cruise control set at 78mph. This chart effectively raises all speed limits by 10% to 20% and could even be said to be an inducement to ignore posted speed limits but work with the generous grey area speeds the police allow.

While researching this article I found that some countries base the size of a fine for speeding on the income of the speeder. Finland fined a highly paid (£4.7m a year) businessman £50,000. See more detail here http://www.bbc.co.uk/news/blogs-news-from-elsewhere-31709454

And also there are stories of people asking other people to “take’ points in return for money. An interesting concept worth investigating…

http://www.dailymail.co.uk/femail/article-1390586/Would-ask-loved-speeding-points-I-did-I-live-consequences.html

The big question that came up halfway through the course was

“Should I tell my insurers that I’ve been on the course?”

The trainer was clear.

“Your details will be held on a database so other police forces who may catch you speeding will not offer you a course. This will last for 3 years. The Police will not pass this information to anyone else”

Searching the web will find plenty of discussion on this subject. Here’s what the AA (which provides Speed Awareness Courses) says

“Your personal details are protected by the Data Protection Act 1998. If you elect to participate, you agree to your details being checked by us against the ACPO national database to establish if you have completed a similar course within the last 3 years of this offence.

If you complete a “National” course, your details relating to the course will remain on file with the ACPO national database for road safety research purposes for a further 7 years from the date of the offence, after which any personal reference to you will be erased. These details will not be released to any other party apart from other UK Police Forces if they are considering making an offer of a course in the future.”

ACPO has disappeared and NPCC (National Police Chiefs Council) has sprung up but it’s logical to assume that the data is still there but the name of the Data Controller has changed.

Ndors is the national body that oversees the courses. They say

“Once a person has been on the course then no further action will be taken, there is no fine to pay and they will not have any points put onto their licence.”

A generally held point of view is that there is no conviction so no requirement to inform insurance companies. However some insurance companies (largely the Admiral group) have started to ask potential customers if they have been on a Speed Awareness Course as in their view that person although not convicted have shown an inclination to speed and this would affect any insurance premium.

The web has plenty of forums where this issue is discussed and opinions of insurance companies range from infuriated to incensed. A typical comment is

“Insurance companies will use any excuse to weasel out of paying a claim because they are cheating bastards.”

But who is right in this matter? Is there a data protection angle? We think so.

If anyone approached the police database and asked to see if a person was on that database because they had been on a Speed Awareness Course I would expect the answer to be no you’re not getting it – it’s confidential. Even using the Freedom of Information Act would elicit this response and it seems the right response. There are other exemptions that might apply

However the Insurance companies are not going down that route as they know they don’t have a right of access. They are asking people to voluntarily inform them that they have been on such a course so that they can increase their insurance premium. They point to a general catch-all in their small print that customers must inform them of anything that might affect their insurance. Can insurance companies ask this? Can they ask a question that they know the person doesn’t want to answer because it invades their privacy?

  • Do you have cancer?
  • Do you smoke?
  • Do you walk 5,000 steps a day
  • Have you dropped litter and been fined?
  • Have you separated from your partner?

They say that if you withhold such information it may invalidate the policy but they can’t collect it lawfully unless they obtain it from the customer as they have no lawful means of obtaining it. If you have a massive claim and they see a £25,000 payout in prospect they might just use a private investigator to look into the claim and see if they can find some fault with it. He may stray outside the law and find evidence of your course…

But if you voluntarily answer the question that they may not be able to ask you haven’t you consented to giving the answer?

Consent hits the first button in Schedule 2 so the Insurance companies are processing fairly and lawfully. Or are they? If you are asked to consent to a disclosure that will have an adverse effect on your life is that a true consent or an enforced consent?

Consent isn’t defined in the Data Protection Act so it has its ordinary meaning. A quick web search says consent is “permission for something to happen or agreement to do something”. Do you think customers are agreeing that Admiral can hold their Course attendance and increase premiums as a result? Or are they reluctantly disclosing for fear of losing their insurance?

Other parts of Schedule 2 don’t seem to apply except for old faithful paragraph 6 – the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Whoever inserted the tiny word prejudice here many years ago may have done the nation an immense service. Of course it will prejudice the rights and freedoms of someone who hasn’t been convicted of a speeding offence yet is in danger of being penalised for doing so.

And if you’re thinking of diving into schedule 3 think again. It’s not sensitive data. It’s a training course not a conviction.

So on balance it’s probably unlawful for Insurance companies to ask the question as it’s not a freely given consent; they have no access to the police database of course attendees and if they do set a data hound on the case he probably can’t access the information lawfully either.

But there’s also a left field solution. All seasoned FOI professionals know that there’s a way of answering a request without actually answering it. Yes you’re remembering it now aren’t you – it’s the Neither Confirm nor Deny option.

Section 1(1)(a) of the FOI Act allows this where confirming would in itself disclose sensitive or potentially damaging information that falls under an exemption.

So when the Insurance company asks the question you Neither Confirm nor Deny that you have been on a course. They can’t make any further decisions on your premium. They can’t say “well it’s obvious that he’s done a course” as they have no evidence of it.

Good luck with that one.

Finally if you do find yourself being asked the question and any of the solutions here are a bit too drastic you can always swap insurers to one that doesn’t ask the question. But as you do remember that all the individuals who were coerced into unfairly disclosing Speed Awareness courses to Admiral may find that Admiral shares the data anyway. Big Brother (or Big Insurer) is not far away.

 In the vanguard of forced consent is Admiral. Not content with asking up about speed awareness courses you’ve been on they now want to trawl through your facebook posts to make decisions on what type of person you are so they can adjust premiums of party animals. See http://www.bbc.co.uk/news/business-37847647 Fortunately Facebook has declined to give Admiral access.  But questions have to be asked as to how far Admiral or other insurers will go to into your personal affairs to work out a suitable premium especially for you. A word trending in DP circles as GDPR approaches is Profiling. Maybe it’s time you found out what it will mean for your company in the future.

Image credit http://jimllpaintit.tumblr.com

Act Now has a full programme of Data Protection workshops including full day GDPR workshopsWe also run the Act Now Data Protection Practitioner Certificate which is ideal for those preparing for the role of Data Protection Officer under GDPR.

GDPR is here to stay but what happens next?

It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.

On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:

“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”keep-calm-and-prepare-for-the-gdpr

As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.

This announcement does though put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. Although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.

GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:

  1. Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
  2. Reviewing compliance with the existing law as well as the six new DP Principles.
  3. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  4. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.
  5. Reviewing information security polices and procedures in the light of the GDPR’s security obligations particularly breach notification.

Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.

The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elisabeth Denham ends her blog with these wise words:

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits. 

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

New Data Sharing Powers in the Digital Economy Bill

illust_01_e

Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.

The Digital Economy Bill is currently making its way through Parliament. It contains provisions, which will give public authorities (including councils) more power to share personal data with each other as well as in some cases the private sector.

The Bill has been a long time coming and is an attempt by the Government to restore some confidence in data sharing after the Care.Data fiasco. It follows a consultation which ended in April with the publication of the responses.

The Bill will give public authorities a legal power to share personal data for four purposes:

  1. To support the well being of individuals and households. The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help re tuning their televisions after changes to broadcasting bands and providing direct discounts on energy bills for people living in fuel poverty.
  2. For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
  3. Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
  4. Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.

The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.

A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.

The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch) , many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.

It is also an oversight on the part of the drafters that it does not mention the new General Data Protection Regulation (GDPR) which will come into force on 25th May 2018. This is much more prescriptive in terms of Data Controllers’ obligations especially on transparency and privacy notices.

These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

The revised ICO Privacy Notices Code and GDPR

ICO Privacy notice code (4)

Earlier this month the Information Commissioner’s Office (ICO) published its revised Privacy Notices Code of Practice.

Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:

  • The identity of the Data Controller
  • The purpose, or purposes, for which the information will be processed
  • Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st DP Principle).

The ICO says that organisations need to do more to explain to service users what they are doing with personal personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.

As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.

This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.

The code includes a helpful checklist, covering key points and tips on how to write a notice.

Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!

Want to know more about privacy notices under GDPR?  Attend our full day GDPR workshop

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

DPO or not to DPO: The Data Protection Officer under GDPR

clip_image002

The General Data Protection Regulation (GDPR) is nearly upon us and one of the elements is the requirement for certain organisations to have a Data Protection Officer.

This throws up some interesting issues. A qualified, experienced data protection officer is a valuable commodity. They do exist but command salaries approaching £50,000 in large organisations (stop laughing at the back) and if you’re a small organisation they’re not going to work for you for peanuts. So where do you find a qualified, experienced DPO?

Secondly will there be a requirement upon you to have one? It looks like there will be three clear cases.

  1. processing is carried out by a public authority,
  2. the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring
    of data subjects on a large scale
  3. the core activities consist of processing on a large scale of special categories of data.

But to go back to the DPO what does qualified mean? Yes there are qualifications out there. The accepted gold standard in the UK is the BCS certificate which has 40 hours of training plus a testing 3 hour exam. There are other firms in the sector who offer their own versions and most of them involve significant study (30 or 40 hours) plus exam. Other qualifications exist, like our GDPR Practitioner Certificate and CIPP certification from the International Association of Privacy Professionals – some for US and some for UK professionals – but the question everyone wants answering is which qualifications will satisfy the GDPR?

Do training providers have to apply for acceptance or endorsement from the EU or their national regulator? Will the content of these courses be examined or will a standard be set and the training providers tailor their material to a certain level or will it be a free for all with no standard to work to? Do you want a DPO who knows how to conduct a Privacy Impact Assessment or who knows about International Data Transfers or one with an understanding of the history of Data Protection? Or will there be a requirement to study a certain (large) number of hours to demonstrate competence? At the moment it looks like all the DPO will need is “sufficient expert knowledge” which doesn’t in itself mean a qualification.

Other skills required by a good DPO are those of Diplomat, Trainer; Advisor, Confidante; Interpreter; Persuader; Listener; Friend to requestors; Policy & procedures writer. They have the ability to talk to the top level of the organisation yet explain complex law in Plain English. Not your run of the mill person.

It looks like the route map will require the DPO to be an employee but one with a different type of outlook. Privacy is becoming a big vote winner; organisations who don’t respect customers privacy will feel the backlash of disgruntled consumers. It really needs someone who is part of the organisation who is present at all times and understand the data processing systems of their employer but is detached enough to be able to criticize his own organisation.

There is a way out for small organisations who think they need a DPO to ensure their organisation is fully compliant with the new regulation. Don’t give the job to an existing member of staff and expect them to learn it on the job; Don’t appoint a knowledgeable, qualified, experienced but expensive DPO – bring in an external one you can use as and when you need them.

Externals have significant benefits. They don’t work full time so the on costs disappear; You can bring them in as required for short term task and finish assignments; You can save the costs of training and continuing education for an internal data protection officer; your staff will react better to an external who appears to have the status of a “consultant”.

Externals also won’t have any political or organisational baggage and can act in an unbiased manner without fear for their job. An external data protection officer also has no worries about favouring certain departments or individuals in the company. Many organisations appoint their Head of Legal as their DPO which brings with it the ethical/legal/best course of action conflict. An external won’t need to bother with this.

You can concentrate on your core business and the external can take care of your data protection.

Once you have appointed an external DPO they will compile a detailed data protection audit on your data protection compliance. They will then identify possible data protection issues and legal risks and explain what is required to remedy them. Then you can start making the necessary changes.  Your business will soon be in full compliance with current data protection laws.

But it doesn’t stop there. The external DPO will be on call and can discuss day-to-day DP issues by phone or email for a small fee. If more detailed work is required further fees and timescales can be agreed.

Working with an external data protection officer is based on a consulting agreement. There may be a retainer fee plus an hourly or daily rate to follow. If your Data Protection needs are low you may not have to consult your EDPO too often.

Not surprisingly EDPOs are starting to appear on the web. They’re quite common in Germany and it’s likely they will become a staple in the UK. Various UK law firms advertise such a service but unsurprisingly the rates they charge are not on view. It might end up costing more than you think especially if you opt for a ’big’ name.

There’s also the scope however for sharing a DPO. This has already happened in various parts of the country as cash strapped rural councils pay for a percentage of a DPO and have them on site part of a week.

At a recent educational conference a group of 30 schools in the same region kicked around the idea of each contributing to buy a DPO for all of them who would fulfill their information law obligations. Sounds quite a good idea until you realise there’s only about 240 working days in a year so each school would have 8 of those days to themselves and the shared DPO would have a significant petrol expenses tab. A few rural councils with a shared DPO would have a much better deal.

Sadly GDPR is not well understood and there are those who think Brexit will derail it (though not true) but a wise organisation should be thinking now if and when they will need a DPO, what qualification they will have and how do they find one.

An external who is called on infrequently might appear be the cheapest option but might have further hidden costs and a part share of a DPO might be a good short term solution but would they be as good as the expert knowledge and day to day hands on work of a full timer.

Good news for Data Protection Officers…

We are running a series of GDPR webinars and workshops and our team of experts are available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.

Scottish Information Commissioner’s FOISA Report 2016

canstockphoto21500008

 

 

 

 

 

 

 

 

Last week the Scottish Information Commissioner, Rosemary Agnew, published her annual report for 2015/16.  Ms Agnew enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

The report reveals that:

  • 540 appeals were made to the Commissioner in 2015/16. This is a 14% increase on last year, but is down from 578 appeals two years ago.
  • The number of “failure to respond” appeals fell significantly in 2015/16. The Commissioner accepted 61 “failure to respond” cases for investigation. This was 16% of her investigation caseload – a significant reduction on the 25% three years ago.
  • Appeals volumes fell for some sectors. Most notably for the Scottish Government and its agencies, where appeals fell from 23% of the Commissioner’s caseload in 2014/15 to 15% this year (from 111 appeals to 84).
  • Appeal volumes increased for others. Appeals in relation to non-departmental public bodies increased, from 6% of the Commissioner’s caseload in 2014/15 to 10% this year. This was largely due to an increase in Scottish Fire and Rescue Service appeals, from 1 in 2014/15 to 12 this year.There was also a significant increase in appeals about requests made to Police Scotland. They rose from 9% of appeals last year to 15% in 2015/16 (from 45 to 81 appeals). 3% of Police Scotland’s information requests resulted in an appeal, compared to a national average of 0.8%.
  • 61% of appeals came from members of the public. The media accounted for 20% of appeals, and prisoners 7%.
  • 60% of the Commissioner’s decisions found wholly or partially in the requester’s favour. If an authority has incorrectly withheld information, the Commissioner’s decision will require it to be released.
  • 73% of cases were resolved by the Commissioner within 4 months.
  • Public authorities reported receiving 68,156 information requests in 2015/16. This is a 2% increase on 2014/15. Figures are reported in a publicly available database set up by the Commissioner. The portal data also shows that 75% of requests resulted in some or all of the requested information being provided, and that public authorities themselves are reporting 35% fewer ‘failures to respond’ to information requests since 2014/15.
  • Public awareness of FOI is at its highest ever level, at 85%. This is up from 84% last year, and 78% in September 2013.
  • FOI awareness is lower amongst 16-24 year olds. Ipsos MORI polling also revealed lower awareness amongst young people. The Commissioner is working in partnership with Young Scot to address this lower awareness.

Speaking at the launch of the report Rosemary Agnew said:

“These signs of improvement in FOI performance are welcome. As my report demonstrates, the majority of information requests result in some or all of the information being disclosed. It is encouraging that only a very small proportion of requests are appealed. I’m also pleased that the number of appeals made about a failure to respond has fallen significantly following our work to tackle this issue.”

“Unfortunately, our experience is that these improvements are not universal. There is still a clear gap between the best performing authorities and those who lag behind. As you will see from my report, my focus still lies in promoting good practice and intervening when I find poor practice.”

In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.

Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four day course is endorsed by the Centre for FOI, based at Dundee University.

The next FOISA Practitioner Certificate course in Edinburgh is starting in February 2017.

If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations and have a go at the FOISA test.

Brexit, Article 50 and the Great Repeal Bill: GDPR means GDPR

canstockphoto16138153

On Sunday Theresa May finally fired the starting gun for the process for the UK to leave the European Union. Article 50 of the Lisbon Treaty will be invoked “no later than the end of March next year” she told the Tory Party conference in Birmingham. This will give negotiators two years from the date of notification to conclude trading arrangements with Europe. Unless an earlier date is negotiated (very unlikely given the scale of the task), by April 2019 the UK will be on its own and no longer subject to EU laws.

The Prime Minister also promised a “Great Repeal Bill” in the next Queen’s Speech, to remove the European Communities Act 1972 from the statute book and enshrine all existing EU law into British law on the day of exit. There will then be a process whereby the vast amount of domesticated EU legislation will be sifted. The “good laws” will be retained, some laws amended and some excised from UK law altogether.

What impact do these announcements have on UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The answer in a nutshell (as I said in my July GDPR and Brexit blog post) is; keep calm and carry on (preparing)!

We now know that, whatever happens, UK Data Controllers will have to comply with GDPR for at least ten months. GDPR comes into force on 25th May 2018 but the Article 50 announcement means we will be in the EU (and subject to all its laws including GDPR) until at least the end of March 2019. Article 50 (3) states:

“The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”

However it seems now much more likely that UK Data Controllers will have to comply with GDPR for much longer beyond March 2019 (perhaps even indefinitely). The Great Repeal Bill  (if it is passed by Parliament) will implement the GDPR along with other EU legislation into our law on exit day. The Government must then decide to keep GDPR, amend it or go back to the drawing board. Practically speaking, keeping GDPR is the only option. Civil servants will have their work cut out examining 80,000 pages of EU agreements. At least with GDPR there is broad agreement amongst stakeholders including the ICO (see below) that it is a force for good.

Recently, in her first speech as the new UK Information Commissioner, Elizabeth Denham extolled the virtues of GDPR and reiterated the need to prepare for it regardless of the uncertainly about what the future relationship with the EU will look like. She also said in a BBC interview:

“The UK is going to want to continue to do business with Europe”.

“In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.

“The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment.”

Many of GDPR’s key provisions provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky. Brexit from the EU does not mean Brexit from the GDPR. 

Act Now Can Help

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.

RIPA and Communications Data: IoCCo Annual Report

ripa24

 

 

 

 

 

 

 

 

 

 

 

 

In October 2015 the Prime Minister appointed Sir Stanley Burnton as the new Interception of Communications Commissioner replacing Sir Anthony May. Sir Stanley’s function is to keep under review the interception of communications and the acquisition and disclosure of communications data by public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Local authorities, as well as other agencies, have powers under Part I Chapter 2 of RIPA to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. the Police, the Ambulance Service and HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance under Part 2, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

On 8th September 2016, Sir Stanley laid his 2015 annual report before Parliament. The report covers the period January to December 2015. Key findings around communications data powers include:

  • 761,702 items of communications data were acquired during 2015.
  • 48% of the items of communications data were traffic data, 2% service use information and 50% subscriber information.
  • 7% of the applications for communications data were made by police forces and law enforcement agencies, 5.7% by the intelligence agencies and 0.6% by local authorities and other public authorities.
  • Only 71 local authorities reported using these powers. The majority of these used them on less than 10 occasions.
  • Out of the 975 applications made by local authorities in 2015, Kent County Council made 107 of these whilst five councils made just 1 application each.

A big reason for the low use of these powers by local authorities is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks).

Another reason may be that since December 2015 last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant. Consequently the Commissioner no longer conduct inspections of individual local  authorities; choosing to inspect NAFN instead.

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities came into force.  It contains several policy changes, which will require careful consideration.

When the Investigatory Powers Bill comes into force it will change the communications data access regime.  Read our blog and watch this space.

Do you make use of these powers and need refresher training? Act Now is running a live one hour webinar on this topic. We also offer a whole host of training in this area. Please visit our website to find out more!

Act Now DP Practitioner Certificate: Latest Results

2016dpp-page-001

Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. The two remaining courses in 2016 are fully booked and the latest set of results and delegate feedback show that it is an ideal qualification for those who work with Data Protection and privacy issues on a day-to-day basis.

In September 2016, a total of 14 delegates passed the course of which 10 achieved a distinction. As ever there was a wide range of delegates from the local government, health, education and private sectors.

Candidates were delighted with their results. They really appreciated the effort put in by our expert speaker Tim Turner:

“The course really was excellent and I would thoroughly recommend it. Data Protection can be a dry subject, but not when delivered by Tim – he kept my full attention from beginning to end with his excellent and interesting presentation, and invaluable advice.”  SB, Lancashire CC

“Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too!” DH, Cheshire West and Chester Council

“Tim imparts a huge amount of information in an accessible, user-friendly way that has never felt overwhelming.” SM, University of Surrey

The emphasis of the course is on practical skills which a Data protection Officers need to do their job and raise DP standards in their organisation. This is something, which was emphasised by our delegates in their feedback:

“I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations.”  AG, Parliamentary and Health Service Ombudsman

“The course provided useful practical examples which makes it easy to apply the DPA and identify a potential breach in a scenario – Immensely useful :).” BA, Nursing and Midwifery Council

“Great, thorough presentation and discussion of the practical implementations of data protection, the Act and its future developments.” PC, University of the Highlands and Islands

The course syllabus continues to be revised to include more themes covered by the General Data Protection Regulation (GDPR) which will come in force in May 2018  (and which is still relevant despite the Brexit vote).

The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

If you don’t have the time to attend for four consecutive weeks, why not try our intensive course in Summer 2017?

To learn more please visit our website or get in touch.

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR.

IG Dates for your Diary – Let’s seize the day(s)!

canstockphoto15551787-1

 

 

 

 

 

 

 

 

By Frank Rankin

It always seems to be the national or international day of something-or-other.  As I write it is (as decreed by the United Nations) International Democracy Day. Coming soon we will have (as decreed by a couple of strange blokes in Oregon) International Talk Like A Pirate Day.

As well as providing useful space-fillers to lazy journalists on slow news days, such commemorations are often used to draw attention to serious (or silly) issues.

And as information governance practitioners, why should we miss out?

There are a few calendar dates which we can possibly exploit in the never-ending task of raising awareness among our managers and co-workers of some of the key messages around FOI, data protection and information security.

I plan to send some communications to my colleagues in the NHS organisation where I work, commemorating International Right to Know Day on 28 September. Initiated by FOI activists from around the world in 2002, the day seeks to celebrate successes in improving government transparency, and highlighting continuing struggles. It provides an excuse for me to gently remind colleagues that they could be the recipient of FOI requests and how they should react. I’ll also remind them of the rights that they have as citizens. (Why not put up some FOI posters Frank? Ed.)

October is National Cyber Security Awareness Month and 7 February 2017 will be Safer Internet Day. In drawing the attention of colleagues to guidance and resources to help them keep their families safe online, we also build their skills and awareness to improve security in the workplace. On the last Safer Internet Day we took the opportunity to send tips to colleagues on how to protect themselves and their children from phishing, malware and other nasties. It is the first time I have ever received notes of thanks for an information governance awareness programme!

Across Europe, Data Protection Day is marked on 28 January – the anniversary of the signing of the Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data, ancestor to the forthcoming General Data Protection Regulation (GDPR). Although I am sure you all knew that.  (Well, Tim Turner probably did.)  (Dear reader, it is still relevant despite the Brexit vote.Ed)

While I don’t expect to see MoonPig selling cards for the occasion, again it gives us a hook to hang an awareness message on – perhaps some reminders of appropriate behaviours we expect from staff to protect the personal data we hold, as well as an update on GDPR developments. (Er why not put up some GDPR posters Frank?Ed.)

But Frank, I hear some of you object, aren’t these commemorative dates just a wee bit cheesy? Perhaps. But I am not too proud to borrow any excuse to highlight information governance messages in a way that reminds our people that these issues are universal.

Back in the 1990s, the late Declan Treacy used to champion International Clear Your Desk Day as an opportunity to declutter our work spaces, delivering benefits for ergonomics, mental health and feng shui – as well as for records management and data security. Alas, no-one seems to have picked up the mantle since his death.

So, who is with me? Let’s pick a date and I’ll see you at the confidential waste bin.

Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).