Former ICO Auditor Joins the Act Now Team 

We are excited to welcome Robert Weston to our growing team of associates at Act Now Training. With extensive experience in the data protection field, Robert brings a wealth of knowledge and expertise to our clients. 

Robert has previously worked at the Information Commissioner’s Office (ICO), where he conducted audits and advisory visits, guiding organisations to better compliance with their data protection responsibilities. His hands-on experience at the ICO gives him unique insight into the inner workings of regulatory compliance, knowledge that few consultants possess.

Robert is also a law graduate and a retired Chartered Accountant, specialising in forensic accounting. His strong analytical background, combined with his ability to break down complex legal and regulatory issues into clear, actionable insights, makes him an invaluable asset to any organisation looking to strengthen their data protection strategies. 

In addition to his role at the ICO, Robert has served as the Data Protection Officer for a £170 million turnover not-for-profit organisation, as well as a consultant to NHS Trusts, where he advised on sensitive and high-stakes data protection matters. This diverse background equips Robert with a deep understanding of both private and public sector challenges, helping clients navigate even the most intricate data protection landscapes.

Ibrahim Hasan, Director at Act Now Training, had this to say about Robert’s arrival: 

 “We’re thrilled to have Robert join the team. With his wealth of experience from both sides of the fence, regulator and practitioner, Robert is perfectly positioned to guide our clients through the complex world of DP implementation. His skill set is a rare combination, and I’m confident he’ll bring immense value to our clients.” 

Tailored Data Protection Services for Your Organisation 

At Act Now Training, we understand that data protection is not a one-size-fits-all approach. That’s why we offer a flexible consultancy service designed to meet the specific needs of your organisation, whether you’re looking for a light-touch review or a comprehensive audit.

Our services, led by Robert Weston, include: 

  • Desktop Reviews: A focused review of your key documents, policies, and procedures to assess data protection compliance. 
  • Onsite Audits: A deeper dive into your operations, combining desktop reviews with onsite assessments to identify risks and areas for improvement. 

Why is this important? Data protection failures can result not only in regulatory fines, but also serious reputational damage. A breach could lead to negative media coverage, eroding customer trust and impacting your brand. Our services help you avoid these risks by ensuring your data protection practices are robust and compliant with the latest legislation. 

What We Offer: Tailored Solutions for Data Protection Compliance 

Our consultancy services are designed to be flexible and scalable, offering the right level of support based on your needs: 

  • Half-Day Consultation: We’ll discuss your organisation’s approach to data protection, reviewing key documentation and ensuring compliance with legal bases for processing, data subject rights, and breach prevention. 
  • In-Depth Audit (3-4 Days): A comprehensive service where we assess your data protection practices, identify gaps, and provide practical steps to minimize risks, using a detailed review of your policies and procedures. 

During our assessments, we utilise ICO’s toolkits, which provide a structured approach to monitor ongoing compliance. These toolkits, often designed for larger organisations, include trackers to help you keep an eye on your progress. Having worked in the ICO’s assurance department, Robert is intimately familiar with these tools, and he’ll guide your team in implementing them effectively. 

Next Steps: Protect Your Organisation’s Future 

By working with Robert Weston and Act Now Training, you’ll gain peace of mind knowing your data protection practices are thoroughly assessed and enhanced to meet today’s rigorous compliance standards. Whether you’re looking for a quick health check or a detailed audit, we have the expertise and tools to support your organisation’s needs. 

Get in touch today to find out how we can help reduce your data protection risks, protect your reputation, and secure your stakeholders’ personal data. 


New GDPR Health Check Service Launched!


Act Now is pleased to announce the launch of its GDPR health check service.

GDPR represents the biggest change to the European data protection regime in 20 years. It will take effect on 25th May 2018 and the Information Commissioner’s Office (ICO) has already confirmed that there will be no grace period after that date.

Now is the time to get your GDPR house in order. There are many practical steps that can be taken quite easily. Some sectors are getting there; a recent report by the ICO shows that local government is trying its best but there is more to do.

For those who have started (and may be stalled) or need a customised GDPR action plan, our experts are at hand. Our GDPR health check service will provide your organisation with:

  • A preliminary assessment of your current level of preparedness for GDPR;
  • A prioritised and specific compliance action plan;
  • Pointers to guidance, models and good practice resources relevant to your needs.

If required, we can also discuss how Act Now can assist you with implementation, through our acclaimed training offers or expert consultancy support.

Act Now has a proven track record in this area. We have undertaken many data protection consultancy projects in the last few years. In 2016 we won a contract to deliver consultancy services to a major organisation in the regulatory sector.

Our reputation is international. In 2015 Ibrahim Hasan and Paul Gibbons delivered data protection audit training to the Government of Brunei and our forthcoming GDPR Practitioner Certificate course in London has delegates from Spain and the USA!

Feel free to get in touch to discuss your requirements.

Brunei or Bust

In January 2015 the Act Now team will be flying out to Brunei to deliver data protection audit training to staff working for the Government of Brunei.

Negara Brunei Darussalam, to give Brunei its full name, is a small country located in Southeast Asia. It is surrounded by Malaysia and has two parts physically separated by Malaysia. Here is the BBC’s guide to the country.

This is phase 2 of our Brunei consultancy project. Phase 1 involved developing a Data Protection Audit Manual based on the Data Protection Policy released by the Brunei Government. This included guidance on DP audit planning, preparation and the use of DP audit templates.

Ibrahim Hasan and Paul Gibbons, well known experts and trainers in this field, will lead the Brunei training project. Ibrahim said:

“I am looking forward to going out there to showcase our training expertise to an international audience. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills.”

This is one of many recent consultancy projects. Last year Act Now won a tender to deliver information rights consultancy services to The Rural Payments Agency. We were tasked with reviewing the RPA’s information rights handling policies and procedures in the light of best practice and legislative developments.

This latest project enhances our reputation as one of the UK’s leading providers of in-house training and consultancy in information law and information management. We pride ourselves on having the most well known experts who have all worked in the public sector for many years. We particularly specialise in:

  • Conducting information management audits
  • Writing policies, procedures and protocols
  • Conducting information risk assessments
  • Providing best practice advice on handling requests for information
  • Writing reports for senior managers and decision makers

Please take a moment to browse our in-house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.

RIPA Part 2 Inspections: Common Criticisms by the OSC

The Office of Surveillance Commissioners (OSC) is responsible for overseeing the use of covert surveillance by designated public authorities by carrying out regular inspections. (Appendix E of the Chief Surveillance Commissioner’s Annual Report (2012-13) lists those whom the OSC inspects and how often.) In the UK the inspections check councils’ compliance with Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (and in Scotland The Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A)) for the use of directed surveillance, intrusive surveillance and covert human intelligence sources (CHIS).

As part of our provision of tailored in house training, we have to read OSC inspection reports. The following is a list of common mistakes highlighted by the OSC. They are not attributable to any particular organisation.

FORMS

  • Use of out of date forms
  • No Unique Reference Number (URN)
  • Not amending forms so that only those grounds are present which are available to the public authority e.g. councils – preventing or detecting crime
  • Pre completed forms
  • Use of cut and paste in boxes/repetitive narrative

AUTHORISATION PROCESS

  • Rubber stamping – no real thought given to authorisation
  • Necessity, proportionality and collateral intrusion not fully understood/considered by investigators and authorisers
  • Likelihood of obtaining Confidential Information not fully considered
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation
  • Confusion re: reviews and renewals
  • Lack of understanding of when a person is a CHIS
  • Too many Authorising Officers
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation
  • Several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority
  • Confusion about interference with property powers under Police Act 1997
  • NB councils cannot do this
  • More robust management and quality assurance procedures required 


RECORD KEEPING

  • Central records not compliant with the Code of Practice
  • Inadequate monitoring, recording and audit of surveillance equipment
  • Inadequate handling and storage of surveillance product/evidence 


POLICIES AND PROCEDURE DOCUMENTS

  • Inadequate/no RIPA policy
  • Inadequate guidance document (or out of date)
  • No CCTV protocol/procedure
  • OSC may wish to visit your CCTV control room

TRAINING AND AWARENESS

  • Inadequate training
  • Lack of regular training/refresher training
  • Inadequate record of those who have been trained
  • OSC may ask to see recent training materials

If you are considering refresher training for RIPA investigators and authorisers, please see our full program of RIPA Courses and our online webinars. We can also deliver tailored in house training at your premises.

Ever since the changes to the council surveillance regime, which came into force on 1st November 2012, the OSC has taken an interest in ensuring councils do not authorise surveillance under RIPA for “minor offences.” In addition, they have been keen to ensure that councils have an agreed protocol and procedure for presenting authorisation applications to the Magistrates’ Courts. Finally, where surveillance needs to be done outside the scope of RIPA, then a Non RIPA authorisation policy should be implemented and followed.

Do your RIPA documents need revision? Avoid reinventing the wheel! Our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

Act Now Appointed to Deliver Information Rights Consultancy Project

Act Now Training is pleased to announce that it has won a tender to deliver information rights consultancy services to an executive agency of a UK Government Department.

The Rural Payments Agency (RPA) is an executive agency of Defra, and operates as the single accredited CAP paying agency in England on behalf of Defra and the Devolved Administrations. It delivers £2.3 billion of CAP payments each year to the businesses and organisations which supply our food, maintain our rural economy, cultural heritage and environmental landscapes. In total, it is responsible for over 40 EU CAP schemes, some of which apply across GB and the UK.

RPA is subject to the full range of information access legislation including the Data Protection Act, Freedom of Information Act and the Environmental Information Regulations. Act Now has been tasked with reviewing the RPA’s information rights handling policies and procedures in the light of best practice and legislative developments. By the end of March we will be delivering a report setting out our recommendations.

Paul Simpkins and Tim Turner, well known experts and trainers in this field, will lead this project. Commenting on the award of the contract, Ibrahim Hasan (director of Act Now Training) said:

“I am very pleased that we have won yet another consultancy project for a major government agency. Our services will contribute to the good work already being done in the RPA to ensure that information governance processes and procedures follow industry best practice.”

This is one of many recent consultancy projects Act Now has undertaken and enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management. We pride ourselves on having the most well known experts who have all worked in the public sector for many years. We particularly specialise in:

  • Conducting information management audits
  • Writing policies, procedures and protocols
  • Conducting information risk assessments
  • Providing best practice advice on handling requests for information
  • Writing reports for senior managers and decision makers

We are also starting to develop an international reputation. In January 2014 we won a contract to deliver data protection consultancy services to the Government of Brunei.

Please take a moment to browse our in house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.