Last week my Dad died…


 I have spent four years at university, have gained two degrees and many years of experience of practicing and teaching law; yet the principles upon which I base my life were taught to me by a former taxi driver and mill worker from a poor farming village in India. He died last Tuesday.

My dad, Ismail Muhammad Hasan, was born in Gujarat in India in 1949. Like many a young man of his generation, he came to the UK in the 60’s having been encouraged by the UK government to come and fill positions in the transport and textile industries. Dad arrived in 1969, at the age of twenty, and went straight to work in the factories of West Yorkshire. His aim was not just to make a new life for himself but also to support his elderly parents who were struggling to make ends meet by farming and running a small village shop.

Dad failed Norman Tebbit’s Cricket Test and would not have been able to spell “British Values” let alone name one of them. Yet his personal values and character reflected everything we are proud of in this country; hard work, kindness, honesty, decency and a sense of humour.

Dad chose a life of hard work and sacrifice and encouraged us to do the same. I remember asking him why I did not receive free school meals. His answer was:

“It’s better to eat what you buy with hard earned money.”

Throughout his working life Dad often held two jobs. By day he worked in a factory and by night and at weekends as a taxi driver. As one of the most experienced taxi drivers in Dewsbury, he was known and loved by many drivers, as witnessed by their attendance at his funeral. Even after his retirement he continued to keep in touch with colleagues and offer his advice and support (whether they requested it or not!).

It was not easy being a taxi driver in the 70’s and 80’s. So often Dad would come home with a black eye, a bruised arm or a sad face, having been deprived of his night’s earnings by those who saw taxi drivers as easy targets. Racist abuse and attacks on taxi drivers were very common in those days.

Despite these difficult conditions, Dad went about his business with a smile and concern for all. He would always greet his English customers and factory colleagues by raising his hand and addressing them as “my friend.” He was always willing to lend his emotional and practical support to anyone in need regardless of race and religion. So often he would waive the taxi fare for customers who were old or infirm.

Dad came from a family of farmers and had little formal education. Yet he was really determined to ensure that his five children educated themselves to the highest level. In my youth he would discourage me from taking a part time job, even during the holidays, saying:

“Concentrate on your studies now; you have your whole life to work.”

He borrowed money from friends and family to ensure that I completed my professional exams (the Legal Practice Course) and qualified as a solicitor.

Despite suffering straitened financial circumstances for much of his early family life, Dad was an exemplary father. He was a “modern dad” before the term had been coined. He understood the importance of quality family time. For us this meant regular trips to the Blackpool Illuminations, Scarborough, Knowsley Safari Park and even the odd impromptu picnic at Dewsbury Park complete with chapattis and cold chicken curry. Much to the envy of my friends, we were regular visitors to the curry houses of Bradford. Christmas was always a high point in the year as we looked forward to his factory Christmas party when, courtesy of generous factory bosses, the old toy dumper truck would be replaced with a shiny new one.

Dad understood well that Islam is all about love, kindness and generosity to all; Muslims and non-Muslims alike. He believed in the importance of integration while at the same time holding on to his Islamic practices and beliefs. We were the first family to move away from our mainly Muslim neighbourhood to one which was predominantly white and middle class. We have happily lived there for the past 30 years. Until his latest bout of ill health, the few remaining elderly English neighbours would often get a visit from Dad enquiring about their health and well being. When some of them entered residential homes or hospital he would regularly visit them. Dad lived the saying of the Prophet Muhammad (PBUH):

“The best amongst you is the one who is most beneficial to others.”

Dad is survived by three sons and two daughters (as well as thirteen grandchildren) all of whom are successful in their own right. All owe everything to a man who came to this country over 45 years ago with nothing. Over 500 people attended Dad’s funeral with many more visiting the family home to pay their respects. Messages of support and sympathy have been received from all over the world.

As a family, we are grateful to friends, relatives, neighbours and well-wishers for their prayers and support during a difficult few days. We would also like to thank the brilliant staff at Pindersfields Hospital Stroke Unit for the wonderful care and support Dad received during his final days.

Despite my great loss, I am happy that I shared 44 years with such a wonderful human being and that his departure from this temporary abode was exactly the way he wanted; surrounded by his family, the Muslim attestation of faith (Kalimah) on his lips and a big smile on his face!

New Information Commissioner Approved

On Wednesday 27 April 2016, the Culture, Media and Sport Committee approved the appointment of Elizabeth Denham as the new UK Information Commissioner following a pre-appointment hearing.

Ms Denham has held the role of Information and Privacy Commissioner in British Columbia since 2010. Prior to that she served as Assistant Privacy Commissioner of Canada for three years (Full CV here).

Jesse Norman MP, Chair of the Committee, said:

“The Committee noted with interest Ms Denham’s views on a range of topics, including the possible retention of emails as official records, the extension of FOI and directors’ liability for data breaches, in particular.

We also noted Ms Denham’s track record on data protection with Government in British Columbia, and her proactive approach to protection of privacy with major international technology companies.”

Subject to final approval from Her Majesty The Queen, Ms Denham will take over from incumbent Christopher Graham in summer 2016. Mr Graham said:

“I am delighted that Elizabeth Denham is set to take over as the next Information Commissioner. Elizabeth is an experienced information rights practitioner, essential when the ICO is busier than ever and facing the challenges of the digital age.”

Denham will have to hit the ground running when she starts. She will have just two years to ensure that UK Data Controllers are adequately prepared for the new EU General Data Protection Regulation (GDPR), which represents the biggest change to the EU data protection regime in 20 years.

She will also have to help public authorities implement any changes the Government may make to the Freedom of Information regime as a result of the FOI Commission’s recent report.

The school that ticked the box


Now and again as a trainer you know that someone is ticking a box. This happened to an Act Now trainer recently.

A meeting is held in a school somewhere in the heart of England and someone chirps up “Let’s get some Data Protection Training in school. Er.. Madge can you sort something out?  Super.” Madge has no knowledge of information law. She might be the secretary; she might be the playground supervisor but she’s been told to get on with it.

Weeks later Madge does some research on the internet; finds a company that does this and books some online training; a date is agreed and everything seems fine. Madge has opted for online training lasting an hour for a dozen or so admin staff even though for the same price she could have a real expert come to her site and give the school a 3 hour master class in DP (and throw in FOI & EIR for free).

But to the trainer asked to deliver this online training, something doesn’t seem right. You email the contact person to introduce yourself and ask for some steer on what they want, and you’re met with a wall of silence. Time passes – no contact. Eventually a phone call elicits the information that they just want a general session on DP.

“How about FOI?” suggests the trainer helpfully.

“No we don’t need that.”

The trainer pulls together a general presentation, places a copy of the delegate materials in the online area alongside the link to access the training on the day, and informs the school.

Time passes.

The day before the training the school rings the Act Now office and asks how they access the training. We refer them to the email sent a month previously. A flurry of questions is asked and answered and things finally look ready for the following day.

We start the training. Several people with young-sounding names are present. They listen without saying anything. They don’t comment on the fact that their notification was a month late for renewal. They don’t find the lack of a privacy policy remarkable (despite the fact that they have a very handy Snow and Ice Policy in their list of 20 school policies). Their prospectus says nothing about any information law or the rights of individuals to access information held by the school. The mini case studies towards the end are all met with the response “We’ll ask the head”. The FOI request sent to the school 6 weeks ago was denied: “No, we’ve never seen it” (even though they are shown the actual email on screen). There are no questions at all.

After 75 minutes they say thank you and leave. The automated feedback email isn’t returned. It’s as if the training session has become lost in a Sleepy Hollow style black hole.

6 weeks later the trainer has a look for their notification on the ICO site. It’s not there. The school is not listed on the Search The Register database. Presumably they let their notification lapse. The school’s website still doesn’t have a privacy policy, a data protection policy or any mention of freedom of information. Searches on the school website return nothing at all to show they have any idea about information law.

The trainer has an attack of conscience. Maybe Madge organised the training, paid the bill and ticked the box. Maybe an SMT meeting receives a note saying DP training has been done. Maybe no-one in a senior position knows how bad things are. Should the trainer call the school and talk to senior management (if in fact he can get through to them) and say that they’re wide open to a notice being issued (and published on the web), or to a prying parent with a grievance exposing their lack of compliance?

But schools like this are rare aren’t they? Schools have heard of DP and FOI and do have policies and procedures and notifications in place don’t they? Don’t they? DON’T THEY?

Are you responsible for schools and their compliance with information law? Do you know if they are aware of information law or how they are complying with it? Act Now offers online training for schools in DP & FOI and have delivered many on site half day workshops covering the subjects at schools all over the UK. Contact us to find out more. Don’t let your schools just tick a box (badly).

The new EU General Data Protection Regulation (GDPR) has now been approved and will apply in two years’ time. Everyone, including schools, needs to prepare now.

Let the Fun Begin! New EU General Data Protection Regulation #GDPR is Adopted


After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has today been formally adopted by the European Parliament. The Regulation will soon be available in all the official EU languages.

The Regulation enters into force twenty days after its post-vote publication in the Official Journal and will apply from May 2018, giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.

The Regulation will apply to any entity offering goods or services (whether or not payment is taken) to individuals in the EU, and to any entity monitoring the behaviour of individuals in the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just through their EU based offices) as long as they are processing the personal data of individuals in the EU.

For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 20 million Euros or, for undertakings, 4% of global annual turnover for the preceding financial year, whichever is higher. For other breaches (e.g. failing to keep records or to comply with security obligations) the fine can be up to 10 million Euros or, for undertakings, 2% of global annual turnover, whichever is higher.

The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does though allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office (ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.

The ICO has set up a new GDPR microsite and published a 12 step guide to preparing for the Regulation. Read the Assistant Information Commissioner’s blog here about what more they are planning.

The Regulation is accompanied by the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection when applied to crime and justice, but which can be implemented by each Member State through its own laws with greater flexibility.

 All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.

Training and awareness at all levels needs to start now. Here is a nice video to get you started.

Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.

GDPR: The Data Protection Principles (but not as you know them Jim!)


Having recently attended the Information Commissioner’s Office Data Protection Practitioners Conference in Manchester, I should start this blog post by echoing the words of our outgoing Commissioner, Christopher Graham, that the Regulation text is not the final version until later this year when it has been reviewed and fully translated for all 28 member states.

But as the Regulation is unlikely to change in material terms, let’s crack on!

Whenever you see blogs and articles about the new EU General Data Protection Regulation, they are often focusing on what’s new and “exciting”, be that in a good or bad context (see our summary here). But this blog post will look at some of the things that are remaining familiar, albeit in an edited ‘reshuffled’ form.

So let’s go back to basics – the Data Protection Principles. Now under the current Data Protection Act 1998 there are 8 principles that cover things from legitimate purpose to retention and security. Under the Regulation these are changing. Chapter 2, Article 5 (1) (a)-(f) now outlines the principles:

“Personal Data shall be;

1, processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

2, collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (‘purpose limitation’);

3, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

4, accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

6, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);”

Now while the Regulation text doesn’t specifically say “principle 1” etc. it does confirm these as the principles and it is logical to assign numbers (as opposed to A,B,C). Principle A just doesn’t have the same ring to it as, “the first principle”. I suspect that these will now become known by their subject matter, so for example you would have “the accuracy principle” and “the data minimisation principle.”

You will notice that we are also down to 6 principles from our current 8 under the DPA. The 2 “missing principles” have been amalgamated into the new 6 principles. All the current requirements in the 8 principles are still here but they are now outlined in the finer detail of the text. So, for example, principle 6 in the DPA (“processed in accordance with data subjects’ rights”) is not specifically called out as a principle in the Regulation, but Chapter 2, Article 5(1)(a) requires that information be processed in a “fair and transparent manner”. The requirements that flow from this, outlined in the rest of the Regulation, require Data Controllers (and indeed Processors) to ensure that Data Subjects can exercise the rights set out in Chapter 3.

The same applies to the current principle 8 of the DPA 1998, the “not transferred to a country outside of the EEA without adequate protection” principle. Because the protections are set out elsewhere in the text (Chapter 4, Section 2 (Security), for example) and because the Regulation applies directly, it is expected that, as part of your processing under the other principles, you will share data internationally in the correct fashion.

As the saying goes, the devil is indeed in the detail with this Regulation. In this document I’ve put the relevant sections into the principles to which they relate. There is some overlap but generally if you’re talking about principle 1, then the references are all sections of the text that are relevant to some degree. This list is by no means exhaustive but it does give you a view as to how the principles are intertwined into the detailed text.

In the next few posts I’ll be exploring these principles more and some of the related requirements to see what this means in practice and what further location specific standards we should be on the watch for.

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation and attend our full day workshop.

New Data Sharing Consultation


In February the Government launched a consultation on introducing laws to allow more citizens’ data to be used for ancillary purposes by the public sector. It says:

“Proportionate, secure and well-governed information sharing between public authorities can improve the lives of citizens. It can also support decisions on the economy which allow businesses to flourish, and improve the efficiency and effectiveness of the public sector. The government aims to do more to unlock the power of data.”

The consultation runs till 22nd April 2016. It looks at enabling information sharing between public authorities to improve the lives of citizens and support decisions on the economy and society.

The proposals fall into 3 categories:

Improving public services

  • allowing public authorities to share personal data in specific contexts to improve the welfare of a specific person (e.g. automatically providing direct discounts on energy bills of people living in fuel poverty)
  • enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died)

Addressing fraud and debt

  • helping citizens manage their debt more effectively and reduce the overdue debt that they owe to government (i.e. allowing sharing of information for public sector debt collection)
  • helping detect and prevent the losses government currently experiences due to fraudulent activity

Allowing use of data for research and official statistics

  • giving the Office for National Statistics access to detailed administrative government data to improve their statistics
  • using de-identified data in secure facilities to carry out research for public benefit

Cynics may say that the proposals are really about allaying public sector fears that Government initiatives such as the Troubled Families Programme require them to share personal data in ways which may well breach the Data Protection Act 1998 (DPA).

It is proposed to introduce a new criminal offence of unlawful disclosure of personal data. Those found guilty of the offence will face imprisonment for a term of up to two years, a fine or both. Certainly the prison element will be welcomed by the Information Commissioner, who has recently reiterated his call for stronger sentencing powers for people convicted of stealing personal data under the DPA.

It is proposed that the new measures will be supported by a statutory Code of Practice, which will set out if, how and when data can be disclosed under each power. Primary legislation will set out the requirement to consult the Information Commissioner and, where appropriate, Ministers in the Devolved Administrations and other relevant experts before issuing or revising these Codes. Compliance with these Codes would be a requirement for any public authority seeking to participate under the proposals; failure to abide by the Codes may result in a public authority being removed from the relevant schedule and losing the ability to disclose or receive data under the power.

The whole law on information sharing needs examining. To echo the words of the Government:

“We need to go further and update the legal regime to provide simple and flexible legal gateways to improve public sector access to information in key areas which impact the whole public sector in a systematic and consistent way so that citizens can have confidence that their data is being used for the right purposes and remains securely held.”

In 2014 the Law Commission reported on the outcome of a consultation on the law around sharing of personal information between public sector organisations. It set out its recommendations, which included a full law reform project to be carried out in order to create a principled and clear legal structure for data sharing which will meet the needs of society. I have not come across the Government’s response to the recommendations. Maybe this latest consultation is it!

Of course any new laws will have to be consistent with the new EU General Data Protection Regulation (GDPR), expected to come into force in 2018 and, which will replace the DPA.

These and other Information Sharing developments will be examined in our forthcoming full day workshops and webinars. 

Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

Extension of Freedom of Information in Scotland


Following a consultation last year by the Scottish Government, the Freedom of Information (Scotland) Act 2002 (FOISA) was recently extended to cover more organisations.

The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2016, S.I. 2016/139, was made in March 2016 under Section 5 of FOISA. It comes into force on 1st September 2016.

The Order extends coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited. These bodies also become subject to the Environmental Information (Scotland) Regulations 2004 in relation to any requests they receive for environmental information.

This is the second order brought forward under Section 5 of FOISA; the first came into force on 1 April 2014 and covers arms-length culture, sport and leisure trusts established by local authorities.

Freedom of Information in Scotland seems to sail in much calmer waters than in the rest of the UK, where the FOI Act comes under intense scrutiny (some say “attack”) from politicians from time to time. The Independent Commission on Freedom of Information was established by the Cabinet Office in July last year to examine the operation of the FOI Act and whether it required any changes. Its recent report says FOI is working well and does not need major changes. However, it does make twenty-one recommendations.

Think you know about FOISA? Have a go at the FOISA test.

Looking for a FOISA qualification? Our Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 is the only certificated course specially designed for FOI practitioners in Scotland. It is endorsed by the Centre for FOI based at Dundee University.

Information Commissioner Congratulates Act Now DP Practitioner Certificate Candidates


Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. In Autumn 2015, a total of 16 delegates from the local government, health, education and private sectors passed the course with flying colours. 9 delegates achieved a merit and 3 achieved a distinction.

The Information Commissioner, Christopher Graham, said:

“Congratulations to all the successful candidates. It was worth all the slog, as I am sure you will find in your future careers. And it’s good to know that there is another cohort of qualified professionals looking after our data in the increasingly competitive digital world. All organisations need to take data protection and data security seriously or risk losing their reputation – not to mention customers. The new EU data protection framework brings these issues into even sharper focus – which makes your expertise even more essential.”

Over the years this course has produced many satisfied customers:

This was an excellent course specifically designed for the day to day practical use of DP. It demystified the subject in a way which I could understand. Tim Turner is an excellent tutor with a good sound knowledge and ability to put it across. HC, West Yorkshire Police

Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too! Thanks Tim! DH, Cheshire West and Chester Council

This course was designed to be more learner friendly in the way it is examined. It shows your practical knowledge in the assessment along with your ability to use the legislation in your project. A worthwhile course for the modern day data protection officer. DJ, Northumberland CC

Since commencing in my role I was expected to develop a knowledge of and interpret the DPA. This course has embedded my understanding of the act and given me the confidence to challenge existing and new practices to ensure compliance.  SD, NYFRS

I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations.
AG, Parliamentary and Health Service Ombudsman

The Data Protection Practitioner Certificate is our own qualification for those who work with Data Protection and privacy issues on a day-to-day basis. The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The emphasis of the course is on the practical skills which a Data Protection Officer needs to do their job and raise DP standards in their organisation. The course syllabus has recently been revised to include more themes covered by the new EU General Data Protection Regulation (GDPR), expected to apply from 2018.

Candidates also now have the option to take our specially designed GDPR webinars after completion and for up to 12 months afterwards as part of their course. This has been included for our Certificate candidates free of charge (normally £49+VAT each), allowing them to customise their learning with the greatest flexibility and to ensure their preparations for GDPR are assisted with the most up to date information.

To learn more please visit our website or get in touch.


Act Now Wins E-Learning Gap Analysis Tender


Act Now is pleased to announce that it has won a contract to deliver consultancy services to a major organisation in the regulatory sector.

We have been asked to use our information law and security expertise to assess the content of the organisation’s mandatory e-learning modules covering the Data Protection Act, Information Security (ISO 27001:2013 certification) and the Freedom of Information Act.

The purpose of the assessment is to ensure that the training content meets the legislative and ISO 27001 (2013) requirements and the needs of the organisation’s staff, associates and contractors. The organisation will receive a gap analysis report comparing its current training provision against examples of best practice and the legislative requirements.

This project will be led by Ibrahim Hasan and Frank Rankin who are well-known experts and trainers in this field. Commenting on the award of the contract, Ibrahim Hasan said:

“I am very pleased to have the opportunity to use our expertise on this project. This is one of many recent consultancy projects Act Now has undertaken and enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management.”

Act Now is also starting to develop an international reputation. In January 2015 Ibrahim Hasan and Paul Gibbons were in the Far East to deliver data protection audit training to the Government of Brunei.

We have also developed a number of interactive e-learning solutions to help organisations comply with their legislative and regulatory requirements. With the new EU General Data Protection Regulation likely to apply from 2018, it is important that all organisations assess their staff’s data protection awareness and compliance.

Please take a moment to browse our in house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.

A Hard Rain’s a-Gonna Fall

The song was written by Bob Dylan in 1962. Dylan has stated that all of the lyrics were taken from the initial lines of songs that he thought he would never have time to write. This blog has had so many working titles (see below) that it seems to fit.

My story starts when I bought a Senior rail card. I did it online. As a fully paid up member of the grumpy old men’s club and having some knowledge of Data Protection and marketing issues I made sure I opted out of any “from time to time we may pass on” and “carefully selected third parties” sneaky data collection statements. The process was easy. The card arrived; I used it frequently.

Then the mailings arrived. It’s my normal practice as a GOM and DPA nerd to contact organisations who direct market me and ask them where they obtained my name and address. I call it a Subject Access Request in my letter. Over the autumn a surge in mailings revealed that The Association of Train Operating Companies had been the originator of many mailings through their sale of my details to Medialab.

As a side issue it’s remarkable how the marketing industry reacts when I make subject access requests. Their first reaction, and often their only reaction, is to instantly remove me from their database and apologise profusely. To me this isn’t how to respond to a subject access request. In fact one charity, when I queried this, said that their industry code of practice only required them to remove my name, not provide me with the normal things that SARs provide. When I replied pointing out the relevant sections of the DPA, the request was escalated to the CEO, who decided that yes, they would go further than the Code of Practice and give me what I asked for. Thanks Chiefie.

On to Medialab. They acknowledge on their website (which is currently being re-designed) that they have many lists including all Rail card holders. The actual phrase is “We buy data and media across various channels to generate customers with real lifetime value.” The blurb says that Senior rail card holders are all over 60, all opted in and are all suitable targets for offers involving wine, charities, gardening, food etc. Leaving aside the obvious fair processing and reasonable expectations issues, it appears that Medialab are actively pushing their list, obtained from ATOC for purpose a, for purposes b, c, d etc. So apart from buying the lists which ATOC says are all consenting adults, they are conspiring with service companies who are looking to target their marketing. You could even make a case that Senior Rail card holders are a vulnerable group. When I bought my Rail card I definitely did not consent to receiving offers about wine, charities, gardening, food. Just because I am old doesn’t mean I have to conform to my chronological stereotype. I thought buying a railcard was about cheap train travel. If someone who targets poor obtaining and re-use statements on websites has missed the fact that he has consented to his data being sold on, how do ordinary people spot it? (If in fact there was a FPN – ATOC can’t prove they had one…)

Second aside. I was once engaged by a well known, cuddly, well respected Society with its HQ in London to deliver a training session on Data Protection. They were nice people and the Chief Exec sat supportively in the front row. When we arrived at the point of discussing whether data acquired for purpose A by Data Controller A could be used for an incompatible purpose B by Data Controller B, the Chief Exec intoned “I think you’ll find that most big organisations share data to see if there are any opportunities for cross marketing”. When told that this was probably a breach of the Act his support for me ended and he left the room, presumably to set up another breach of Principle 2.

Back to ATOC. I kept on at them – they weren’t very punctual but I generously put this down to Xmas holidays. Eventually, after I had disputed that I ever gave consent, I asked them to provide documentary evidence that I had consented to passing my data to 3rd parties. This elicited the following email.

“I am sorry to hear that you have received emails and phone calls from third parties that you were not expecting. I have reviewed your account and can verify that your name and contact information has now been removed from our supplier database and that only Medialab has access to this. You should no longer receive any emails related to your Railcard purchase.

Unfortunately we are unable to provide material confirmation as to your original acceptance of these offers as once an online application is completed this information is fed directly into our database and this live information serves as confirmation of customer opt-ins. We are able to obtain evidence of opt-ins for paper applications and the equivalent of this for online applications is the live record and your record now reflects your request to be removed from our mailing list.”

To wrap it up. The volume of mailings has slowed down. ATOC has taken me off their list but can’t prove I consented to them selling my details. Marketing companies still hold my data and are probably selling it to anyone who thinks old people are an easy touch. The mailing and marketing industry doesn’t know what a subject access request is.

So I’ll leave you guys to ‘Choose an Alternate title’ (which is in itself a 1967 song…)

When is consent not consent? – When you can’t see it

When is consent not consent? – When you can’t prove it

Marketing databases are black holes. Data is irretrievable except for marketing companies.

The invisible consent mystery.

Who do you believe? A data controller who can’t prove he has consent or a data subject who knows he never gave it.

Wanted Old person who likes travel to test an online application form.

Senior Rail Cards on the wrong track.

Pssst! Wanna buy a list of old people who’ll buy anything…

Grumpy old DP expert taken for a train ride.

Charities just don’t get it. Direct marketing organisations know they’re breaking the law but hey! it adds to turnover. Everyone makes money from Senior rail cards.

Of course the new EU General Data Protection Regulation (GDPR), when it comes into force in 2018, will require a rethink of how companies obtain and record consent to marketing.
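The email quoted above describes a controller whose only record of an opt-in is the live flag in its customer database, so once that flag is cleared nothing remains to show whether consent was ever given, let alone to which wording. The sketch below is an added example (it is not code from ATOC, Medialab or Act Now) of how consent can be recorded so that it can be evidenced later: every grant or withdrawal is appended to a hash-chained log together with the exact statement the person was shown, whether the box was pre-ticked, the channel and the form version, and the live opt-in state is derived from that log rather than overwriting it. The customer references, form wording and dates are constructed for the example.

```python
"""Consent audit log: an added illustration, not any company's real system."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64   # prev_hash of the first entry


@dataclass
class ConsentEvent:
    """One consent decision, written once and never edited afterwards."""
    subject_id: str          # pseudonymous customer reference (constructed)
    action: str              # "granted" or "withdrawn"
    purposes: List[str]      # e.g. ["railcard_service", "third_party_marketing"]
    statement_sha256: str    # hash of the exact wording the person was shown
    pre_ticked: bool         # True if the box was pre-ticked (weak consent)
    channel: str             # "web_form", "paper", "email", ...
    form_version: str        # which version of the form was live at the time
    timestamp: str           # ISO 8601 UTC, supplied by the caller
    prev_hash: str           # event_hash of the previous entry (hash chain)
    event_hash: str = ""     # filled in when the event is appended


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _hash_event(ev: ConsentEvent) -> str:
    body = asdict(ev)
    body.pop("event_hash")              # the hash covers every other field
    return _sha256(json.dumps(body, sort_keys=True))


class ConsentLog:
    """Append-only consent log; the live opt-in state is derived from it."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []
        self.statements: Dict[str, str] = {}   # statement hash -> verbatim wording

    def _append(self, ev: ConsentEvent) -> ConsentEvent:
        ev.prev_hash = self.events[-1].event_hash if self.events else GENESIS
        ev.event_hash = _hash_event(ev)
        self.events.append(ev)
        return ev

    def grant(self, subject_id: str, purposes: List[str], statement: str,
              pre_ticked: bool, channel: str, form_version: str, when: str) -> ConsentEvent:
        h = _sha256(statement)
        self.statements[h] = statement      # keep the words, not just a flag
        return self._append(ConsentEvent(subject_id, "granted", list(purposes), h,
                                         pre_ticked, channel, form_version, when, ""))

    def withdraw(self, subject_id: str, purposes: List[str],
                 channel: str, when: str) -> ConsentEvent:
        return self._append(ConsentEvent(subject_id, "withdrawn", list(purposes), "",
                                         False, channel, "n/a", when, ""))

    def current_purposes(self, subject_id: str) -> Set[str]:
        """The live view: purposes the subject currently consents to."""
        allowed: Set[str] = set()
        for ev in self.events:
            if ev.subject_id != subject_id:
                continue
            if ev.action == "granted":
                allowed |= set(ev.purposes)
            else:
                allowed -= set(ev.purposes)
        return allowed

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What a controller should be able to produce when asked to prove consent;
        None means no grant for that purpose was ever recorded."""
        for ev in self.events:
            if ev.subject_id == subject_id and ev.action == "granted" and purpose in ev.purposes:
                return {"timestamp": ev.timestamp, "channel": ev.channel,
                        "form_version": ev.form_version, "pre_ticked": ev.pre_ticked,
                        "statement": self.statements[ev.statement_sha256]}
        return None

    def verify(self) -> bool:
        """Recompute the chain; any edited or deleted entry breaks it."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or _hash_event(ev) != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


def demo() -> dict:
    """Constructed scenario: one buyer who left the third-party box unticked,
    one whose opt-in came from a pre-ticked box and who later withdrew it."""
    log = ConsentLog()
    service_only = ("I agree to my details being used to issue and administer my Railcard. "
                    "[ ] I agree to my details being passed to carefully selected third parties.")
    log.grant("cust-001", ["railcard_service"], service_only, False,
              "web_form", "v3.1", "2015-09-14T10:02:00Z")
    with_marketing = service_only.replace("[ ]", "[x]")
    log.grant("cust-002", ["railcard_service", "third_party_marketing"], with_marketing,
              True, "web_form", "v3.1", "2015-09-15T16:40:00Z")
    log.withdraw("cust-002", ["third_party_marketing"], "email", "2016-01-08T09:15:00Z")
    return {
        "cust-001_marketing_evidence": log.evidence("cust-001", "third_party_marketing"),
        "cust-001_live": log.current_purposes("cust-001"),
        "cust-002_live": log.current_purposes("cust-002"),
        "cust-002_marketing_evidence": log.evidence("cust-002", "third_party_marketing"),
        "chain_intact": log.verify(),
    }
```

Run `demo()` and the first subject's marketing evidence comes back as `None`, which is the answer a subject access request should get when no opt-in was ever captured; the second subject's evidence survives the later withdrawal and shows the box was pre-ticked, and `verify()` exposes any retrospective edit to an entry. In a real deployment the log would be written to storage the marketing team cannot update in place and the statement text stored alongside each form version.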

Give your career a boost in 2016 and prepare for GDPR by gaining a qualification.

The Act Now Data Protection Practitioner Certificate is a practical qualification for Data Protection Officers and advisers both in the public and the private sector. Successful candidates will be able to demonstrate that they possess a good knowledge of the law, both the current Data Protection Act as well as the forthcoming EU Data Protection Regulation.

See http://www.actnow.org.uk/dpp

Image credit: http://www.pophistorydig.com/wp-content/uploads/2012/03/Hard-Rain-art-2-280.jpg