Freedom of Information Commission Report


The Independent Commission on Freedom of Information was established by the Cabinet Office in July last year to examine the operation of the Freedom of Information Act 2000 (FOI) and whether it required any changes. In October I predicted (and I was not alone) that, bearing in mind the Commission’s restricted terms of reference as well as the track record of some of its members, it was likely that sweeping restrictions would be made to the UK’s FOI regime.

Thankfully it seems that the Commission has seen sense. Its recent report says FOI is working well and does not need major changes. It does though make twenty-one recommendations, many of which would enhance the Act:

1. A time limit for public interest extensions

That the government legislates to amend section 10(3) to abolish the public interest test extension to the time limit, and replace it instead with a time limit extension for requests where the public authority reasonably believes that it will be impracticable to respond to the request on time because of the complexity or volume of the requested information, or the need to consult third parties who may be affected by the release of the requested information. This time limit extension will be limited to an additional 20 working days only.

2. A time limit for internal reviews

That the government legislates to impose a statutory time limit for internal reviews of 20 working days.

3. Change to Section 77

That the government legislates to make the offence at section 77 of the Act triable either-way.

4. FOI statistics

That the government legislates to impose a requirement on all public authorities who are subject to the Act and employ 100 or more full time equivalent employees to publish statistics on their compliance under the Act. The publication of these statistics should be co-ordinated by a central body, such as a department or the Information Commissioner (IC).

5. FOI disclosure logs

That the government legislates to impose a requirement on all public authorities who are subject to the Act and employ 100 or more full time equivalent employees to publish all requests and responses where they provide information to a requestor. This should be done as soon as the information is given out wherever practicable.

All the above were also recommended by the Justice Select Committee in its Report into Post-Legislative Scrutiny of the Freedom of Information Act 2000 published in July 2012. All were rejected by the Government in its response to that report.

This time, in the Government’s response to the FOI Commission, Mike Hancock MP has said that the Government will issue a revised S.45 Code of Practice setting out what information public authorities with more than 100 full time employees should publish.

6. Senior employees’ information

Public bodies should be required to publish in their annual statement of accounts a breakdown of the benefits in kind and expenses of senior employees by reference to clear categories.

Local authorities already have these obligations in relation to senior staff earning more than £50,000 by virtue of the Local Government Transparency Code.

7. Information Commissioner responsibilities

The government should give the IC (Information Commissioner) responsibility for monitoring and ensuring public authorities’ compliance with their proactive publication obligations.

8. Section 35(1)(a) – Formulation of government policy

The government should legislate to replace section 35(1)(a) with an exemption which will protect information which would disclose internal communications that relate to government policy.

9. Section 35(1)(b) – Ministerial communications

The government should legislate to expand section 35(1)(b) so that, as well as protecting inter-ministerial communications, it protects any information that relates to collective Cabinet decision-making, and repeal section 36(2)(a).

10. Section 35 – Public interest

The government should legislate to amend section 35 to make clear that, in making a public interest determination under section 35(1)(a), the public interest in maintaining the exemption is not lessened merely because a decision has been taken in the matter.

11. Section 35 – Public interest (2)

The government should legislate to amend section 35 to make clear that, in making a public interest determination under section 35, regard shall be had to the particular public interest in the maintenance of the convention of the collective responsibility of Ministers of the Crown, and the need for the free and frank exchange of views or advice for the purposes of deliberation.

The above 4 recommendations are clearly designed to make it easier for the Government (and the National Assembly for Wales) to withhold information. Other bodies cannot claim this exemption anyway.

12. Section 36 – The Qualified Person’s opinion

The government should legislate to amend section 36 to remove the requirement for the reasonable opinion of a qualified person.

Some of our clients have welcomed this recommendation citing the difficulty of getting access to senior officers to make a decision about complex FOI matters.

13. The ministerial veto

The government should legislate to put beyond doubt that it has the power to exercise a veto over the release of information under the Act.

14. The veto again

The government should legislate to make clear that the power to veto is to be exercised where the accountable person takes a different view of the public interest in disclosure. This should include the ability of the accountable person to form their own opinions as to all the facts and circumstances of the case, including the nature and extent of any potential benefits, damage and risks arising out of the communication of the information, and of the requirements of the public interest.

15. And again…

The government should legislate so that the executive veto is available only to overturn a decision of the IC where the accountable person takes a different view of the public interest in disclosure. Where a veto is exercised, appeal rights would fall away and a challenge to the exercise of the veto would be by way of judicial review to the High Court. The government should consider whether the amended veto should make clear that the fact that the government could choose to appeal instead of issuing a veto will not be a relevant factor in determining the lawfulness of an exercise of the veto. Until legislation can be enacted, the government should only exercise the veto to overturn a decision of the IC.

16. Guess what this recommendation is about?

The government should legislate to allow the veto to confirm a decision of the IC where the IC upholds a decision of a public authority on the public interest in release. This would mean that the right of appeal would fall away and challenge would instead be by way of judicial review.

Strengthening the ministerial veto under section 53 seemed to be a “dead cert” (in betting parlance). In March 2015, the Guardian’s successful challenge to the application of the veto to the disclosure of Prince Charles’ letters to government departments was confirmed by the Supreme Court. The Government seems to have accepted the Commission’s recommendations for the time being:

“In line with the Commission’s thinking, the government will in future only deploy the veto after an Information Commissioner decision. On the basis that this approach proves effective, we will not bring forward legislation at this stage.”

17. Appeal rights

That the government legislates to remove the right of appeal to the First-tier Tribunal against decisions of the IC made in respect of the Act. Where someone remained dissatisfied with the IC’s decision, an appeal would still lie to the Upper Tribunal. The Upper Tribunal appeal is not intended to replicate the full-merits appeal that currently exists before the IC and First-tier Tribunal, but is limited to a point of law.

Whilst this recommendation will save public authorities money, some commentators (especially journalists) have expressed concern that it hampers appeal rights and makes the appeal mechanism much less accessible than at present to those who do not have the money to instruct lawyers. They have a point; especially when one considers the very real possibility of the government introducing fees for tribunal appeals.

18. Format of responses

That the government legislates to clarify section 11(1)(a) and (c) of the Act so that it is clear that requestors can request information, or a digest or summary of information, be provided in a hard copy printed form, an electronic form, or orally. Where a requestor specifies a specific electronic document format, that request should be granted if the public authority already holds the information in that format, or if it can readily convert it into that format. Where the information requested is a dataset, the requirements at section 11(1A) will apply. The legislation should make clear that the obligations on public authorities to provide information in a particular format extend no further than this.

In my view this is already clear in the legislation and in ICO guidance.

19. The Section 45 code

That the government reviews section 45 of the Act to ensure that the range of issues on which guidance can be offered to public authorities under the Code is adequate. The government should also review and update the Code to take account of the ten years of operation of the Act’s information access scheme.

20. Vexatious requests

That the government provides guidance, in a revised Code of Practice issued under section 45, encouraging public authorities to use section 14(1) in appropriate cases.

21. More money for the ICO

That the government reviews whether the amount of funding provided to the IC for delivering his functions under the Act is adequate, taking into account the recommendations in this report and the wider circumstances.

Much of the above can be implemented without the need for legislation, through a revised or additional Section 45 code of practice and guidance. It’s worth remembering that the new EU General Data Protection Regulation (GDPR) will also require changes to FOI when it comes into force in 2018; specifically to section 40, which makes reference to the Data Protection Act 1998 (which the GDPR will replace).

Labour’s Tom Watson has claimed that the FOI Commission was a waste of time and money and has called on the government to publish its costs. If they don’t he will, no doubt, make an FOI request to the Cabinet Office!

We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars. For those wanting an internationally recognised qualification the BCS Certificate in Freedom of Information starts on 13th April.

Public Health Funerals, Heir Hunters and Freedom of Information


Local authorities are seeing a substantial increase in the number of Freedom of Information (FOI) requests from heir tracing companies for information about those who have had public health funerals. Recent appeal decisions from the Information Commissioner’s Office (ICO) may help to stem the tide.

UK intestacy law states that when someone dies with no will or known family, everything they own passes to the Crown as ownerless property (or ‘Bona Vacantia’). This includes their house, money and personal possessions. Companies who find missing heirs are in a very lucrative business (watch “Heir Hunters” on the BBC). Some require beneficiaries to enter into an agreement to share up to 40% of their inheritance.

In England and Wales, the Bona Vacantia Division (BVD) of the Treasury Solicitor’s Department is responsible for dealing with bona vacantia assets. Every day BVD publishes an Unclaimed Asset List setting out unclaimed estates which have been recently referred, but not yet administered, and historic cases which have not yet been claimed by entitled relatives. Included in the list is the deceased’s name, area of death, marital status, place of birth and local authority informant. Sometimes other details will be given (if known) such as spouse’s name, place of marriage and nationality. The list is updated every working day and newly advertised estates appear at the top of the list.

This list is a good starting point for probate researchers but the competition to trace beneficiaries is very fierce and often a number of companies will be trying to trace the same person. That is why such companies often make FOI requests to councils to try and get hold of the information before any of it is passed on to the BVD to publish. If they can identify deceased individuals who may have left a substantial estate, they will have a head start (in tracing the beneficiaries) against their rivals who will not yet be privy to such information.

Many councils have chosen to put a lot of this information on their website; Redbridge, Northampton and Knowsley, to name a few. This then allows them to claim the exemption under section 21 of FOI (information reasonably accessible by other means). Often, though, the researchers want more than the basic information which is published by councils.

Of course, where the requested information has been disclosed to the BVD (or is about to be disclosed) and it will appear on the published BVD list, it is open to the council to claim the exemption under section 22 (information intended for future publication). It does not matter that the council will not be publishing the information itself as long as there is a settled intention to publish it on the part of another (in this case the BVD). Section 22 is a qualified exemption and so subject to the public interest test.

Where the information requested by probate researchers is not published, many councils have claimed the exemption in section 31 arguing that disclosure would prejudice the prevention of crime. Some recent ICO appeal decisions lend support to this approach. In a decision involving Barnsley Metropolitan Borough Council (FS50586033) the complainant requested, amongst other things, details of deceased people who had had public health funerals (including names, last known address, date of birth, date of death, date of funeral, and whether the case has been/will be/or even might be referred to the Treasury Solicitor).

The ICO agreed with the council that section 31 applied and it was not in the public interest to disclose the information. Release of personal details of a deceased individual with no known relatives, and no will, may make the assets of that person vulnerable. The assets of the deceased need to be secured and disclosure of the information may lead to the commission of offences (e.g. arson, identity theft etc.) and cause loss to the unsecured estates. In terms of the public interest the Commissioner states (paragraph 38):

“The Commissioner recognises that there is an inherently strong public interest in avoiding likely prejudice to the prevention of crime. The crime in this case would be likely to include a diverse range from anti-social behaviour, criminal damage, arson, organised groups stripping empty properties to identity fraud and the crimes that can be committed using false documents. The Commissioner accepts that tackling issues like these would involve significant public expense and believes it is in the public interest to protect property and to ensure that public resources are used efficiently. He also accepts that there is a strong public interest in avoiding personal distress to the direct victims of the crime and, in the case of crime related to empty properties, to those in the wider neighbourhood who may be affected.”

Similar decisions were made in complaints involving Birmingham City Council (FS50584670) and the London Borough of Bexley (FS50583220). I have still not come across a First Tier Tribunal decision on such requests and so the exemptions, especially section 31, have yet to be comprehensively explored.

Some councils have argued that section 41 (Breach of Confidence) may apply to some of the information requested about the deceased. This can only be the case if the information has come from another party and is highly confidential. Section 41 is unlikely to apply to most requests from probate researchers. For a detailed discussion on access to information about the deceased under FOI, read my article and blog post.

Give your career a boost in 2016 by gaining an internationally recognised qualification in FOI. Keep up to date with all the latest FOI decisions by attending our live webinars and FOI workshops.

Monitoring Staff Use of Social Networks: The Human Rights Implications


According to a recent FOI request made by BBC Radio 5 live, last year there was a rise in the number of UK council staff suspended after being accused of breaking social media rules. Many employers, both in the public and the private sector, now monitor staff use of social media within the office environment. The possibilities are endless but care must be taken not to overstep the legal limits.

All employers have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights (ECHR). This means that any surveillance or monitoring must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR)).

A January 2016 judgment of the European Court of Human Rights shows that a careful balancing exercise needs to be undertaken when applying the law (Barbulescu v Romania (application 61496/08)). In this case, the employer had asked employees such as the applicant to set up Yahoo! Messenger accounts for work purposes. Its policies clearly prohibited the use of such work accounts for personal matters. The employer suspected the applicant of misusing his account, so it monitored his messages for a period during July 2007 without his knowledge.

The employer accused the applicant of using his messenger account for personal purposes; he denied this until he was presented with a 45-page printout of his messages with various people, some of which were of an intimate nature. The employer had also accessed his private messenger account (though it did not make use of the contents).

The applicant was sacked for breach of company policy. When he challenged his dismissal before the courts, his employer relied on the printout of his messages as evidence. He argued that, in accessing and using those personal messages, the employer had breached his right to privacy under Article 8 ECHR.

The Court accepted that the applicant’s privacy rights were engaged in this case. However, the employer’s monitoring was limited in scope and proportionate. It is reasonable for an employer to verify that employees are completing their professional tasks during working hours. Key considerations were:

  • The emails at the centre of the debate had been sent via a Yahoo Messenger account that was created, at the employer’s request, for the specific purpose of responding to client enquiries.
  • The employee’s personal communications came to light only as a result of the employer accessing communications that were expected to contain only business related materials and had therefore been accessed legitimately.
  • The employer operated a clear internal policy prohibiting employees from using the internet for personal and non-business related reasons.
  • The case highlights the need for companies to have a clear internet and electronic communications policy and the importance of such a policy being communicated to employees.

When monitoring employees, the employer will inevitably be gathering personal data about them and so consideration also has to be given to the provisions of the Data Protection Act 1998 (DPA). The Information Commissioner’s Office’s (ICO) Employment Practices Code includes a section on surveillance of employees at work. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee, suspected of fraudulently claiming to be sick, had breached the DPA.

Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA. Of course the data protection angle will bite harder when the new EU Data Protection Regulation comes into force in 2018. Failure to comply could lead to a fine of up to 20 million Euros or 4% of global annual turnover.

Act Now has a range of workshops relating to surveillance and monitoring both within and outside the workplace. Our products include a RIPA policies and procedures toolkit and e-learning modules.

Data Breach Notification and the New EU Data Protection Regulation


The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.

Article 4 of the Regulation defines a personal data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company Talk Talk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response especially the time it took to inform the ICO and customers.

Article 31 of the Regulation states that once the Data Controller becomes aware that a personal data breach has occurred it should, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK, the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals; for example, a very minor data breach involving innocuous information about a few individuals. Where the 72 hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.

Notification Contents

The notification must contain the following minimum information:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.

Individuals’ Rights

Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such a case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.

Even where a Data Controller has chosen not to inform Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.

Compensation

Article 77 states that:

“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.

Currently the ICO can issue fines (Monetary Penalty Notices) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.

The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.

Act Now Training can help. Please see our one-day EU DP Regulation workshops and our 1 hour webinars. We can also conduct DP audits and assessments.

New EU Data Protection Regulation. Are you ready for the biggest change to data protection in 20 years?


The text of the new EU Data Protection Regulation has now been finalised.

But we’re not quite at the finish line yet. You can even choose whether you think the finish line is when the Regulation gets its rubber-stamped approval (which is imminent), or when it is finally implemented (which is probably two years away).

Nevertheless, the notorious Trilogue negotiations are over. The EU Council and Parliament have agreed a compromise text. Years of uncertainty about whether there would be a new EU law, and what it would look like, are over.

What should you make of it? First, we did mean ‘texts’, as the Regulation (a new Data Protection law applying equally across all EU member states) is accompanied by a Directive (new rules for Data Protection when applied to crime and justice, implemented by each state with greater flexibility). Second, many of the headline-grabbers survive intact – many organisations will require a Data Protection Officer, mandatory breach reporting is coming, and the maximum monetary penalties are 4% of an organisation’s annual turnover, which represents something of a defeat for the EU Council, who aimed much lower.

Proposals to remove charges for subject access may make many organisations wince. Even at first glance, there are some surprises; most notably a requirement for parents to consent for their children to access some web services if under 16 – although this age can be lowered by national governments to 13. This proposal surfaced late in the negotiations, and its implications still need to be unpicked.

The Regulation is about identifying and dealing with risk, about building structures within your organisation, and taking a more organised, more proactive approach to Data Protection. The fundamentals remain largely unchanged; what the Regulation does is build a whole new set of structures and routines on top of those foundations.

The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.

Now is the time to Act!

There is a lot to learn and a lot to do in the next few years. Firstly, all Data Protection Officers and information professionals need to read the Regulation and consider its impact on their organisation. Here are the key points of the Regulation to get you started.

Secondly, training and awareness at all levels needs to start now. This is where Act Now can help, whether you want a relevant DP qualification or a short briefing on the Regulation to kick-start your preparation.

For Data Protection Officers (new and old) who need to get a formal qualification, our Data Protection Practitioner Certificate is ideal. The course looks at the current law as well as the forthcoming changes set out in the Regulation, particularly the issues of consent, privacy impact assessments and data subjects’ rights. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

We are also running a series of full day workshops throughout the UK which are filling up fast. More dates will be added soon. We can also offer full or half-day in-house briefings on the Regulation from the middle of January 2016.

Finally, for those whose budgets were depleted by the Christmas party or may just not have the time, we have planned a series of one hour webinars looking at various aspects of the Regulation in detail.

2015 in review

The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 37,000 times in 2015. If it were a concert at Sydney Opera House, it would take about 14 sold-out performances for that many people to see it.

Click here to see the complete report.

The New EU Data Protection Regulation: Key Points

The future of Data Protection throughout the EU has now been decided. The text of the new EU Data Protection Regulation has been finalised. This will be formally adopted by the European Parliament and Council at the beginning of 2016. It will come into force two years thereafter.

Most of the big talking points of the last few years have survived in one form or another, but with some surprises. In this blog post I’ll give you an overview of some of these; then, over the next few months, we’ll start looking at individual areas in subsequent posts and see what this means for us here in the UK.

Scope:

The Regulation applies to any entity offering goods or services to individuals in the EU (whether or not payment is taken) and to any entity monitoring the behaviour of individuals in the EU, wherever that entity is established. Such entities must still designate a representative within the EU, but the key change is that they are now directly responsible for compliance with the Regulation themselves (not merely through an EU-based establishment) if they process the personal data of individuals in the EU in any way.

Definitions:

Pseudonymisation, profiling, genetic data and biometric data are all specifically defined in the Regulation, very much as you would expect. There is, however, a new definition of health data, which now covers not only anything relating to the physical or mental health of a person but also any information that reveals information about their health status. This makes it very clear that, for example, disclosing a mailing list of email addresses of people who receive HIV treatment is a disclosure of health data, not merely of personal data.

Principles:

There are now six data protection principles, which broadly cover the same themes as before. Personal data must be:

1. Processed lawfully, fairly and in a transparent manner. As previously discussed, transparency now requires controllers to provide more information to the data subject at the point of collection, and again whenever the processing changes, for example if the information is to be used for a purpose other than that for which it was originally collected (where the other rules of the Regulation permit this).

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, with some exceptions for further processing for archiving, public interest or research purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes. This brings in the much-discussed “data minimisation” principle, which we have already seen in practice but not stated as explicitly as the new Regulation lays it out.

4. Accurate and kept up to date. No real change here.

5. Kept in a form that permits identification for no longer than is necessary. Again, with exceptions for archiving and research purposes.

6. Processed in a way that ensures appropriate security of the personal data. No major change here, except an explicit reference to the “integrity and confidentiality” of the personal data.

Consent:

Where consent is relied on to legitimise the processing (and the Regulation limits when this is the case), the controller must be able to demonstrate that it has clear and unambiguous consent for each purpose for which consent is required.

The Regulation also states that, for information society services offered to a child under 16 years of age, consent must be given or authorised by the holder of parental responsibility. Member state law may lower this threshold where appropriate, but not below the age of 13.

Special Categories of Personal Data:

The term “sensitive personal data”, as used in the Data Protection Act, has gone and has been replaced with the term a few EU countries already use: “special categories”. The list is broadly similar to the current one, but the definition now covers any data “revealing” racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data (where processed for the purpose of uniquely identifying someone), and data concerning health, sex life or sexual orientation.

Data Subjects Rights:

The list of rights that a data subject can exercise has been widened (sort of). There are some new items, but most of it is a reshuffling of existing rights. It is also worth noting that the controller must provide clear, transparent and electronic means for the data subject to exercise those rights. The list now includes:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Right to object (to marketing, profiling, research)
  • Right to object to automated individual decision making (including profiling)
  • Right to lodge a complaint with a supervisory authority

Data Protection by design & Data Protection Impact Assessments:

Data controllers are expected to build data protection controls in at the design stage and can demonstrate that they have done so via approved certification schemes.

Where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory authorities may also publish lists of the kinds of processing that do and do not require such an assessment. Where appropriate, the assessment may also need input from data subjects and, where it indicates that a high risk remains, prior consultation with the supervisory authority.

Notification:

While notification to the regulator has gone, Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, categories of data, recipients (which can be categories), transfers to third countries, time limits for erasure and a general description of the technical and organisational measures protecting the data. This record must be made available to the supervisory authority on request.

Breaches:

The much-discussed breach notification deadline has finally come down to 72 hours. Controllers have 72 hours from becoming aware of a breach to notify the supervisory authority, unless the breach is unlikely to result in a risk to individuals. Notification after 72 hours is permitted, but must be accompanied by a “reasoned justification” for the delay.

And now the really juicy stuff: fine amounts. As predicted, these are “staggered”, so that not every breach will result in a 20 million euro fine.

For breaches of, or non-compliance with, the following, the fine can be up to 2% of total worldwide annual turnover (for undertakings) or 10 million euros, whichever is higher. The Regulation does not set automatic fines for individual breaches but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for “qualifying” fine amounts based on the extent of the non-compliance.

  • Consent for children’s data (article 8)
  • Processing not requiring identification (article 10)
  • Data Protection by Design (article 23)
  • Joint Controllers (article 24)
  • Representatives of the controller within the EU (article 25)
  • Processors (article 26)
  • Processing under the authority of the controller and processor (article 27)
  • Records of processing activities (article 28)
  • Co-operation with the supervisory authority (article 29)
  • Security of processing (article 30)
  • Notification of the breach (article 31)
  • Communication to data subject of the breach (article 32)
  • Data Protection Impact Assessment (article 33)
  • Prior consultation (article 34)
  • Designation of the Data Protection Officer (article 35)
  • Position of the Data Protection Officer (article 36)
  • Tasks of the Data Protection Officer (article 37)
  • Certification (article 39)

For breaches of the following, the fine can be up to 4% of total worldwide annual turnover (for undertakings) or 20 million euros, whichever is higher.

  • Principles of Data Protection (article 5)
  • Lawfulness of processing (article 6)
  • Conditions for Consent (article 7)
  • Processing special categories of personal data (article 9)
  • Rights of the Data Subject (articles 12-20)
  • Transfer of personal data to third countries (articles 40-44)
  • Powers of the Supervisory Authority (article 53)

Data Protection Officer:

Good news, DPOs: we have a future! It isn’t as “all powerful” as in the first text, but the Regulation does pretty much cement the Data Protection Officer as a key role within public bodies and medium to large private enterprises. Key points are:

  • A single DPO can be appointed for several entities, taking into account their structure and size.
  • The DPO shall have expert knowledge of data protection law and practice.
  • The DPO can be a staff member or a contractor.
  • Their contact details must be published to data subjects and communicated to the supervisory authority.
  • They should be involved in all matters affecting personal data.
  • They shall be protected from being dismissed or penalised for performing their duties under the Regulation.
  • DPOs are to inform the controller’s staff of their obligations under the Regulation and monitor the controller’s compliance with them.

International Data Transfers:

So, no major changes here, but some points of emphasis worth being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and maintain the safe list. Standard model contract clauses remain a viable method for transfer, and binding corporate rules are now explicitly recognised as a transfer mechanism too.

Supervisory Authority:

The bulk of the wording here is nothing new. Supervisory authorities need to be independent, monitor compliance, and be proactive in producing guidance and standards, but there are some subtle changes. The authority has the power to:

  • Order the controller, processor or the representative of either to provide any information it requires for the performance of its tasks.
  • Carry out investigations in the form of audits.
  • Review certifications.
  • Notify the controller or processor of alleged infringements.
  • Obtain from the controller or processor access to any personal data it requires for the performance of its tasks.
  • Obtain access to premises, including access to equipment (in line with local law).
  • Issue warnings, reprimands and orders to comply; order the controller to inform a data subject of a breach; impose a ban on processing; order rectification; issue a fine; and order the suspension of international data flows.

That’s it for this post, but there is a lot more content in the Regulation and I imagine there will be a few more discussions and blog posts to come, looking at specific areas and what they mean for the future. As always, it will be a practical discussion of what this means in real terms.

All that’s left is to wish you a peaceful and restful festive period and I very much look forward to discussions and working with you as we go into 2016 and ever closer to the regulation being here!

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation. Attend our full day workshop.

We don’t hold your data! (well… not for long anyway).


Dear Sir or Madam:

I recently received a mailing from you.

I’d like you to send me a copy of the personal data you hold on me.

I am particularly interested in where you obtained my name and address from.

The numbers on your mailing are

8666U501J01101

XA4416175

I’d like you to explain what these mean.

Regards etc

Dear Mr xxxx

Thank you for your email. Firstly, we can confirm that we do not have any of your personal data on our records of any kind.

The recent Christmas appeal which you received, was sent out as part of our Christmas campaign. During this campaign, we purchased some contact details from a third party supplier for temporary use – these details are not stored on our database and are no longer in our possession.

In this instance, your details were selected for The Christmas Appeal – which also includes a Christmas appeal reminder which you are likely to receive in the next 2-3 weeks, and, unfortunately, as the mailings are selected far in advance, it is not currently possible to prevent this mailing from being sent. Please accept our sincere apologies for any inconvenience this may cause you. However, we confirm that we do not hold any of your data on our database.

The DM code you have listed below indicates that your details were temporarily given to us for a one-off use.

The XA code you supplied is your reference number; it is not stored on our own system in any way.

What a great reply! We don’t have any data on you; we did have a while ago, to send you an unsolicited letter, but it was only held temporarily and, besides, we bought it from someone else. We’ve checked the reference numbers you gave us even though we don’t have them on our systems.

And we won’t be processing your data while we hang onto it for two to three weeks so we can send you a reminder about the unsolicited begging letter we just sent.

Am I the only person who finds this unacceptable? Or is this the norm for the charity sector? Just for clarity, the ICO says:

“Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data”

So that’s at least three processing operations: obtaining, mailing and holding. Maybe even destruction, if in fact they do delete it (next Christmas will tell). The Act gives no exemption for “temporarily” processing data.

When Christmas (the season of good cheer and peace to all data subjects) arrives, is it part of the festive spirit (or even lawful?) to buy a wodge of names and addresses of people you have no relationship with, mail them two (count them) begging letters, and then, when someone makes a subject access request, say, “We do not hold any data on you; we did last week but it’s disappeared. We might hold it again in a week or two, but only for a short time, and then it will disappear again.”

This organisation is a good organisation. I support their aims and like listening to their brass bands outside supermarkets in the run up to Christmas, but I find their marketing activities dubious. It may just affect my giving to them this year.

The Investigatory Powers Bill: Implications for Local Authorities


The government’s controversial Draft Investigatory Powers Bill was published in early November. Amongst other things, the Bill:

  • Requires web and phone companies to store records of the websites visited by every citizen for 12 months, for access by the police, security services and some public bodies.
  • Makes explicit in law for the first time the Security Services’ powers for the bulk collection of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the Security Services and police to hack into and bug computers and phones. It also places new legal obligations on companies to assist in these operations, including bypassing encryption.
  • Requires internet and phone companies to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider duty to assist the security services and the police in the interests of national security.

Much has been written about the civil liberties implications of the new Bill, dubbed “the Snoopers’ Charter.” It has been criticised by the United Nations, the Opposition and civil liberties groups.

A Committee has been formed to consider the key issues raised by the Bill, including whether the powers sought are necessary, whether they are legal and whether they are workable and clearly defined. The Committee is inviting written evidence, to be received by 21st December 2015 (see its call for evidence).

Some of the questions the Committee are inviting evidence on include:

  • To what extent is it necessary for the security and intelligence services and law enforcement to have access to investigatory powers such as those contained in the draft Bill?
  • Are there sufficient operational justifications for undertaking targeted and bulk interception, and are the proposed authorisation processes for such interception activities appropriate and workable?
  • Should the security and intelligence services have access to powers that allow them to undertake targeted and bulk equipment interference? Should law enforcement also have access to such powers?

The Committee is due to report back by February 2016.

What will the effect of the Investigatory Powers Bill be on local authorities? Is it true that councils will be given powers to view citizens’ internet history (as the Telegraph reported)? The answer is no.

Sam Lincoln has written an in-depth analysis of the Bill, detailing and dissecting its various points.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection. Our 2016 RIPA workshops will include an update on the Bill.

SMILE! You’re on our Mailing List!


Charity envelope time again, and yet again from an organisation I had no relationship with at all. This time it was a big one, with offices in… are you ready…

UK, USA, India, China, Philippines, Latin America, Mexico, Brazil, Africa, Indonesia, Vietnam, Middle East & North Africa and Bangladesh.

Surprisingly, in all these locations they couldn’t find a data protection expert to run an eye over their Privacy Policy. This is puzzling, as you can easily find good information about their accounts and activities on the web (£7m in donations in 2014 and over 125,000 children helped all over the world). They look like they’re doing a good job, except for the unsolicited mailing that dropped through my door today.

They sent two full-colour glossy A4 double-sided leaflets, ten sticky gift tags to attach to Christmas presents, an A5 double-sided full-colour leaflet, an eight-page A6 booklet about their work, a donation form to return and an envelope. If they had not spent their money on these pieces of coloured paper, two of which were customised with my name and address, they might have had more in the kitty to help the children featured in their leaflets. Nowhere on any of these pieces of paper is there a mention of the Data Protection Act, nor a phone number so I could tell them quickly that I didn’t want their unsolicited mailing. Presumably their marketing expert advised them not to offer this simple mechanism for objecting, as it might result in people using it. So I found their website and had a look.

After a while I found their Privacy Policy. It was extensive and told me a lot about the cookies the site uses. Again, no mention of the Data Protection Act. Some of the interesting sections were:

1. Your acceptance of this policy

By using our site, you consent to the collection and use of information by XXXXXXX in accordance with our Privacy Policy. If you do not agree to this Policy, please do not use our site. In order to fully understand your rights we encourage you to read this Privacy Policy.

(Mmm, a good one to start with. You have to use the site to find the policy before you can read it, but by using the site you have already agreed to their policy, even though you haven’t read it, which they want you to do.)

2. Changes to this privacy policy

XXXXXXXX reserves the right at any time and without notice to change this Privacy Policy simply by posting such changes on our site. Any such change will be effective immediately upon posting. Your subsequent use of this website after we have made changes to this policy (including the submission of information on our donation form) will be deemed to signify your acceptance of any variations that we make.

(So when they change something, before you find out about the changes by reading their policy, you have already agreed to the changes you haven’t yet read about.)

3. Sharing your information with third parties

From time to time, XXXXXX allows other worthy organisations to send communications to our donors via direct mail.  We carefully screen these organisations to ensure their services may be of interest to our supporters. If you do not wish to hear from these organisations, please let us know by contacting us. 

(Wow, what a good one. Firstly, that great phrase “from time to time”. I thought this had died out, but here it is again, and what it really means is “whenever we feel like it”. The following few words show the staggering arrogance of the organisation. We ALLOW other worthy organisations to send communications to OUR donors. Despite the fact that there is a law that prohibits this, they ALLOW it, and the donors aren’t free-thinking individuals; they belong to the organisation, and the organisation can do with their personal data what it wants. Did the Slavery Abolition Act of 1833 have a clause in it exempting charities? Er… no. And there’s more: what is a worthy organisation? One that helps children? One that only uses recycled paper? One that pays its directors in bitcoins? We have no idea what this cute little phrase means. It implies that data controllers don’t have to bother with Principle 2 if they’re passing data to “worthy” organisations.

It gets worse. The last element gives you the right to write to them and object to receiving communications from what they think are worthy organisations, which have been through a screening process (though you know nothing about their screening methods, if they in fact exist) and have ended up on a list of organisations they sell your data to, but which they may not keep.)

It seems they are relying on the mythical but desirable exemption in the Act that says charities are completely exempt from the DPA, and, it seems, also exempt from writing simple privacy policies in plain English.

Read more about how EU Data Protection Regulation will change the DP landscape. Attend our full day workshop.