GDPR and the Role of the Data Protection Officer


The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25th May 2018.

In the UK, it will replace the Data Protection Act 1998 (DPA). With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

You might be forgiven for thinking that the Brexit vote means there is no need to worry about GDPR (being a piece of EU legislation), or that its effect will be time limited. The Government has now confirmed that GDPR is here to stay, well beyond the date when the UK finally leaves the European Union.

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The Article 29 Data Protection Working Party has now clarified this in its recently published guidance (the A29 Guidance) and a useful FAQ. Technically these documents are still in draft as comments have been invited until the end of January 2017.

Who needs a DPO?

For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations (Article 37(1)):

  a) where the processing is carried out by a public authority or body

Public authorities and bodies are not defined within the legislation. The guidance says that this is a matter for national law. It’s fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement, e.g. councils, government departments, the health sector, schools, emergency services etc. However, it is likely also to cover private companies that carry out public functions or deliver public services in the areas of water, transport, energy, housing etc. (See also the decision in Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC), which considers the definition of public authorities under the Environmental Information Regulations 2004.)

Purely private companies not involved in public functions or delivering public services will only need to appoint a DPO if they engage in certain types of data processing operations set out in Article 37:

  b) where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale

Under this provision, companies whose primary activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems, monitoring smart meters etc. will be caught by the DPO requirement.

  c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

The A29 Guidance states that the “and” above should be read to say “or” (a diplomatic way of saying the proof-readers did not do their job!). Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998 e.g. ethnic origin, political opinions, religious beliefs, health data etc. This provision will cover, amongst others, polling companies, trade unions and cloud providers storing patient records.

Unless it is obvious, organisations that conclude they do not need to appoint a DPO should keep records of their decision-making process. The A29 Guidance suggests that it will still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement, e.g. housing maintenance companies, charities delivering social services etc. A group of undertakings may appoint a single DPO provided that he/she is easily accessible and there are no conflicts of interest.

Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

The DPO’s Tasks

According to Article 37(5), the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. These are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation;
  • to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority (the ICO in the UK);
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Qualities

The A29 Guidance states:

“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Act Now has recently launched its GDPR Practitioner Certificate, aimed at upskilling existing and future DPOs in both the public and private sector. To learn more please visit our website or download the flyer.

The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. He/She reports to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.

Article 38(2) of GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” The A29 Guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management
  • Sufficient time for DPOs to fulfil their duties
  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • Official communication of the designation of the DPO to all staff
  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • Continuous training

The DPO will be at the heart of the data protection framework for many organisations, facilitating compliance with the provisions of the GDPR. Now is the time to appoint one, to ensure that you get the most suitably qualified person. Some say 28,000 will be required in the UK and US. Others have even suggested there will be a skills shortage!

There is certainly a lot to learn and do in less than 18 months when GDPR comes into force. Training and awareness at all levels needs to start now.

Do you think mandatory Data Protection Officers under GDPR will lead to higher salaries for DPOs?
Participate in our Twitter survey:

https://twitter.com/ActNowTraining/status/816980420357132290

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

Practitioner Certificate in FOISA: Another Successful Year


Act Now Training is pleased to report that it has completed another successful year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Now in its fourth year the course is the only certificated FOI course specifically designed for Scottish delegates.

Two courses were delivered in 2016 with 22 very strong candidates from a variety of backgrounds including the local government, education, health, government and regulatory sectors. All the delegates passed the course. Of these 3 achieved a distinction and 14 achieved a merit. The delegate feedback has been extremely positive:

“I really enjoyed the course and thought that Tim Turner really brought the subject to life. He was an excellent tutor and made this subject both interesting and informative with amusing anecdotes throughout. I would certainly go on another course being delivered by Tim Turner and I would recommend him to my peers.” LC, Glasgow Kelvin College

“Tim was an excellent tutor. His knowledge of the subject was vast and impressive. I learned a lot.” JM, Fife Council

“This is the most useful course I have participated in for a long time.” JT, Crofting Commission

Read a previous successful candidate’s observations here.

The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board is Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI).

The most recent course was delivered by Frank Rankin who has many years of experience working in the Scottish public sector. Frank said:

“The Act Now certificate brings together a fantastic cross section of FOISA practitioners from a range of organisations, large and small, across all parts of the public sector. I love sharing ideas and experience with these colleagues, and learning from their campaign stories as well.”

The Act Now Practitioner Certificate in FOISA is now the qualification of choice for FOISA professionals in Scotland. The next course, starting in February 2017, runs over five weeks and is already filling up. For those who are time poor we also have a one-week intensive option. More details here: http://www.actnow.org.uk/content/113

Following a consultation last year, on 1st September 2016 FOISA was extended to cover more organisations. Act Now has a full programme of FOISA workshops in Scotland.

New IRMS Certificate in Information Governance


Today, the Information and Records Management Society (IRMS) and Act Now Training launched the IRMS Foundation Certificate in Information Governance. This represents the first fully online certificated course covering data protection, freedom of information and records management.

In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However, the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. And the list goes on…

Employees and managers, in both the public and private sector, need timely and cost-effective IG training. The IRMS Foundation Certificate in Information Governance is the solution. This is an online certificated course designed for information management professionals who need to know the basics of information rights and information management in their job role. It is an ideal starter qualification for those who wish to progress to more advanced qualifications such as our Practitioner Certificate in Data Protection and the BCS FOI and DP Certificates.

Launched at the 2016 IRMS conference in Brighton, the IRMS Foundation Certificate in Information Governance is a fully online yet interactive course. There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition they will be able to tailor their learning through doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate endorsed by the excellent reputation of the IRMS.

Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:

“I am really pleased to have been involved with the development of this ground breaking new online qualification. I have used my experience in delivering Information Governance training for many years to help create a product which will hopefully meet a previously unmet demand amongst Information Management professionals.”

Meic Pierce Owen, the Chair of the IRMS said:

“I am genuinely proud to have overseen the development of this important qualification that offers all information professionals the opportunity to gain a solid grounding in contemporary Information Governance (IG). This qualification has relevance across all sectors and is equally valid for those looking to master the basics of contemporary IG as it is for those looking to progress to practitioner level study.

As a generalist practitioner who qualified from University just ahead of Data Protection, Freedom of Information and Information Security being covered in any detail on the courses, I am also delighted to put my money where my mouth is and be the first to sign up to study for this qualification, which I believe to be relevant to my CPD as well as being excellent value for money. I shall let you know how I get on…”

If you would like to know more about this exciting new course please visit us at the IRMS stand at the Brighton conference. See also our dedicated IRMS Certificate webpages or get in touch.

Be an Information Superhero and gain a Superhero Qualification!


The @BCS FOI Certificate: A Career Boost

“The course gives you a greater understanding of FOI and EIR, as well as giving you greater confidence in their application. I feel that I can now advise on FOI and EIR with more authority.”
GJ, TFL

“Excellent course materials clearly presented by a very knowledgeable and friendly teacher. Highly recommended for new and experienced FOI officers.” 
LV, Public Health England

“Excellent trainer – fantastic breadth of knowledge and expertise. Would recommend this course to anyone.” 
PG, National Archives

“A perfectly pitched course led by an extremely knowledgeable trainer. Ideal for the novice or practising FOI officer.”
GT, Department of Health

“Thorough training, to the point but not dry.”
PS, Essex CC

“This has been a brilliant course – dynamic and pacey, which is an achievement in itself for such a dry subject.”
SB, Rural Payments Agency

The British Computer Society’s (BCS) Certificate in Freedom of Information (formerly ISEB) is now firmly established as one of the premier qualifications in FOI. It is internationally recognised and increasingly mentioned as a desirable qualification in FOI Officer job vacancies. Sometimes it is even stated as a requirement.

Act Now has been running courses leading to the certificate for many years. Our team of FOI experts have helped to make us one of the most successful companies in this area with a pass rate of over 85%.

Our course is aimed at anyone working in the FOI area, such as information managers, FOI practitioners, information governance officers, data protection officers, press officers and lawyers advising on information law issues. No prior knowledge is assumed although it always helps to have some experience of dealing with FOI requests. Our course runs over several weeks (one day per week) rather than being crammed into a few days. This allows delegates to get to know each other and benefit from their respective experience and knowledge. Often friendships are forged which continue to be of mutual assistance well after the course has ended.

Online Resource Lab

What makes the Act Now BCS FOI course unique is that we have a full online Resource Lab, which complements the face-to-face teaching and course materials. Delegates can watch over 5 hours of videos on various aspects of the syllabus. Most videos are linked to an online quiz allowing delegates to test their knowledge at the end. There are also many standalone quizzes as well as links to ICO guides and other useful reference documents in the Resource Lab. This means that candidates have a full resource library which they can access at any time to back up what they learnt on the course, or to catch up if they fell asleep in the afternoon after a good lunch! Our courses are at five star (city centre) hotels so the latter is always a possibility.

The Exam!

The course is assessed through a three-hour, scenario-based, closed-book written exam which consists of:

  • Part A: 10 multiple choice questions (1 mark each)
  • Part B: 8 compulsory short narrative questions (5 marks each)
  • Part C: 6 questions – a compulsory case study (20 marks each) plus two other essay questions (15 marks each)

The pass mark is 50% (50/100) and the distinction mark is 80% (80/100).

Passing the exam is as much about exam technique as it is about knowing the law and how to apply it. Our course (and homework) contains lots of scenario-based exercises which are designed to teach delegates how to answer the key points of a question within the time available in the exam. Each exercise/homework is further discussed in a group setting before a suggested answer is agreed upon.

We also hold a live online revision session, which allows delegates to ask the trainer to go over key areas of the syllabus and/or more sample questions. There is also a test at the end.

How To Pass

Don’t be too worried about the exam. You will be taught by a very experienced trainer who has himself passed the exam with a distinction. But in the end your success will depend on the hard work you are willing to put in. Timely attendance is essential, as well as doing the homework and taking an active part in discussions. We also find that candidates who pass the mock exam pass the real thing. Therefore revision for the mock is essential. Those who learn key facts as they go along rather than cramming at the end inevitably tend to do well. (Read our other top tips here.)

A successful FOI candidate and a successful DP candidate have also shared their views on how to get the best out of the course on our blog.

Are you a Freedom of Information (FOI) practitioner wanting to give your career a boost? Or perhaps you are new to FOI wanting to quickly get up to speed with FOI law and practice? Now is the time to think about doing a BCS FOI course. Not only will it give you an in depth knowledge of FOI law and practice, it will allow you to prove your expertise to your colleagues through gaining an internationally recognised qualification. At Act Now we are dedicated to ensuring you get the best training and resources to help you achieve your potential. Don’t just take our word for it though.

Read what our previous delegates and one of the tutors have said. If you are feeling brave, have a go at our online BCS FOI test.

Our next BCS FOI Course starts next month in Manchester.

For Scottish colleagues we run the Act Now FOISA Practitioner Certificate which is endorsed by the Centre for Information Rights based at the University of Dundee.

The @BCS FOI Certificate Gives You Wings!

Are you a Freedom of Information (FOI) practitioner wanting to give your career a boost? Or perhaps you are new to FOI wanting to quickly get up to speed with FOI law and practice?

The British Computer Society’s (BCS) Certificate in Freedom of Information (formerly ISEB) is now firmly established as one of the premier qualifications in FOI. Backed by the BCS, it is internationally recognised and increasingly mentioned as a desirable qualification in FOI Officer job vacancies. Sometimes it is even stated as a requirement.

Act Now has been running the BCS FOI course for many years. I am the main FOI trainer, although the increasing popularity of our course means that Tim Turner and Paul Gibbons also deliver this course from time to time.

Our course is aimed at anyone working in the FOI area, such as information managers, FOI practitioners, information governance officers, data protection officers, press officers and lawyers advising on information law issues. No prior knowledge is assumed although it always helps to have some experience of dealing with FOI requests. Our course runs over several weeks (one day per week) rather than being crammed into a few days. This allows delegates to get to know each other and benefit from their respective experience and knowledge. Often friendships are forged which continue to be of mutual assistance well after the course has ended.

Online Resource Lab

What makes the Act Now BCS FOI course unique is that we have a full online Resource Lab, which complements the face-to-face teaching and course materials. Delegates can watch over 5 hours of videos on various aspects of the syllabus. Most videos are linked to an online quiz allowing delegates to test their knowledge at the end. There are also many standalone quizzes as well as links to ICO guides and other useful reference documents in the Resource Lab. This means that candidates have a full resource library which they can access at any time to back up what they learnt on the course, or to catch up if they fell asleep in the afternoon after a good lunch! Our courses are at five star (city centre) hotels so the latter is always a possibility.

The Exam!

The course is assessed through a three-hour, scenario-based, closed-book written exam which consists of:

– Part A: 10 multiple choice questions (1 mark each)
– Part B: 8 compulsory short narrative questions (5 marks each)
– Part C: 6 questions – a compulsory case study (20 marks each) plus two other essay questions (15 marks each)

The pass mark is 50% (50/100) and the distinction mark is 80% (80/100).

Passing the exam is as much about exam technique as it is about knowing the law and how to apply it. Our course (and homework) contains lots of scenario-based exercises which are designed to teach delegates how to answer the key points of a question within the time available in the exam. Each exercise/homework is further discussed in a group setting before a suggested answer is agreed upon.

We also hold a live online revision session, which allows delegates to ask the trainer to go over key areas of the syllabus and/or more sample questions. There is also a test at the end.

How To Pass

Don’t be too worried about the exam. You will be taught by a very experienced trainer who has himself passed the exam with a distinction. But in the end your success will depend on the hard work you are willing to put in. Timely attendance is essential, as well as doing the homework and taking an active part in discussions. We also find that candidates who pass the mock exam pass the real thing. Therefore revision for the mock is essential. Those who learn key facts as they go along rather than cramming at the end inevitably tend to do well. (Read our other top tips here.)

A successful FOI candidate and a successful DP candidate have also shared their views on how to get the best out of the course on our blog.

90% Pass Rate

2014 is on course to be our most successful year delivering the BCS FOI course. So far 52 of our delegates have sat the exam. Out of these 47 passed (of which one achieved a distinction). This gives us a pass rate thus far of just over 90%!

Now is the time to think about doing a BCS FOI course. Not only will it give you an in-depth knowledge of FOI law and practice, it will allow you to prove your expertise to your colleagues through gaining an internationally recognised qualification. At Act Now we are dedicated to ensuring you get the best training and resources to help you achieve your potential. Don’t just take our word for it though. Read what our previous delegates have said. If you are feeling brave, have a go at our online BCS FOI test.

Ibrahim Hasan is a solicitor and director of Act Now Training. For Scottish colleagues we run the Act Now FOISA Practitioner Certificate which is endorsed by the Centre for Information Rights based at the University of Dundee.

BCS You’re Worth It

If you’re a Data Protection and/or Freedom of Information Practitioner you may be thinking about obtaining one or both of the BCS qualifications (previously known as ISEB) offered by Act Now Training. This was my situation just a couple of years ago. Back in January 2013 I successfully sat the Data Protection examination.

Fast forward 18 months, and not only have I now sat the FOI equivalent, but I’m also tutoring both courses. That’s a quick turnaround, which inevitably affects the way I approach the running of the course, as we’ll see.

There were a few reasons I had put off doing the BCS qualifications for so long, despite having worked as an FOI and Data Protection Officer for much of the last decade. The main one was that I already had a qualification, having completed Northumbria University’s excellent LLM distance learning programme in 2008. It was hard work and in all honesty, I was reluctant to commit to another course without good reason.

But over time, those reasons started to stack up. Job advertisements increasingly cited requirements for BCS qualifications. The LLM had been more academic in its approach, and I wanted a more practical refresher. As my profile as a blogger and commentator on information rights grew, I was concerned that people might question my expertise if I didn’t hold a qualification that was so widely recognised in the industry. And I knew that if I was going to take the leap as a full-time trainer, I would need to have both qualifications to be able to tutor them.

The latter in particular may not be relevant to you. But if you want a thorough grounding in these subjects, and a formal qualification, at a fraction of the cost of most academic courses, then a BCS programme is for you. And when I say, thorough, I mean it. Despite having completed an LLM and having years of experience in both subjects, I really did learn a lot from both programmes. In our jobs we tend to become familiar with certain aspects that are relevant to our specific organisation. So there are whole parts of the DPA and FOIA that we never have to know about. But that might change if you want another job, or the circumstances of your employer or your responsibilities change. Equally, it’s very easy to assume that you know what you should be doing, and to merrily carry on doing it that way for years in blissful ignorance…until the day you get found out. Or you take the BCS programme and the scales fall from your eyes (as they did from mine on at least one occasion).

As you would expect from such a respected qualification, it is no walkover. The exams are three hours long, and involve multiple-choice questions, but also three or four essays. In all honesty, when I did the exams, I failed to finish all the questions. If, like me, you haven’t done an exam for a decade or two, it can be a daunting prospect.

That’s why – I like to think, anyway – it can be really useful to have a tutor who’s been through the process so recently. I know the fear and sympathise. I can walk you through how I dealt with it in practice. Take essays, for example – how do you structure an essay about notification under DPA? What do you include? What do you leave out? How do you get as much down as possible in three hours? I can tell you what it’s actually like when you walk in the room, and how I coped – and passed.

As well as enhancing your knowledge and putting you in the position to pass an exam, the other benefit of the BCS programmes run by Act Now Training is that they are run over several weeks. What this means is that you have time between each group session to absorb the learning from the previous week and do the required study. It also means that you get to know your fellow delegates well over the five or six weeks, and benefit from their experience and knowledge. It’s one thing to hear what the law says, and what your tutor thinks, but it adds an entirely new dimension to your understanding when you can hear how others have dealt with issues they’ve encountered in a wide variety of organisations from across the public and private sectors (the latter more especially on the BCS DP programme). For example, you will learn about the Information Commissioner’s enforcement powers on the DP programme, but in one recent programme I tutored, we all benefitted from hearing what it was like in practice to be on the receiving end of a monetary penalty notice, and what lessons the receiving authority had learnt from that experience.

Coupled with the face-to-face learning, Act Now’s BCS courses include a live online revision session and access to an online resources lab, which contains, amongst other things, over ten hours of revision videos and over twenty quizzes (both unique to Act Now). Try the sample online test.

If you choose to do a BCS qualification, I will do my utmost to guide you and support you through to a successful conclusion. I look forward to meeting you.

Paul Gibbons is a consultant and trainer in information rights and information management. He has been working in this field for 20 years. There are a handful of places left on our BCS Courses (More here). Read successful BCS candidates’ top tips here.

The new EU Data Protection Regulation; Shoulda, Woulda, Coulda?


On the 13th March 2014 the European Union (EU) Parliament voted with an overwhelming majority to approve a new Data Protection Regulation within the EU. Voting on the initial text that was put forward by the Commission, and not the text put forward by the LIBE committee, the EU Parliament seem to have taken a “middle path” with regards to how this Regulation should work. Many of the Commission’s proposed appointed powers have gone, there don’t appear to be any “strict” provisions in there that the LIBE committee would have wanted, and yet this approved draft is proposing a comprehensive and different world for Data Protection.

A fully updated draft has not been released by the EU as yet, so I went through the painstaking task of making the edits confirmed by the EU to the original Commission text. I can safely say I won’t be doing that again, and once the approved draft is published I highly recommend that you read through from the beginning to get a flavour of where the Regulation is heading and the wording used. I have, however, pulled out some of the highlights below for general consumption. Before I start, I will declare that I am from the private sector, but as Data Protection & Privacy is more than just a job for me (it’s a passion) I’m not one of those people that have campaigned against it (even if I think some of it is just barmy, in my humble opinion).

For those that have worked only with the UK Data Protection Act this new world comes as a bit of a shock. Instead of a principle-based approach, the current regulation is more of a “financial regulation” with specific stances, requirements and demonstrations that certain things are occurring within an entity. For example, Point 60 requires Data Controllers to demonstrate and ensure compliance with the regulation, with a new sentence stating “this should be verified by independent internal or external auditors”.

However, having said that, the EU Parliament have edited Point 65 so that it clears up the “administrative burden” query (or tries to) by stating that, yes, controllers must demonstrate compliance with the regulation; however, “equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation”. One assumes therefore that auditing to “a check list” isn’t going to occur, even though the regulation spells out some things that need to be done specifically. Interesting…

‘Data Protection Impact Assessments’ are now outlined in points 71a and 71b and are very similar to the Commission’s proposal that assessments should be done on the lifecycle of information management for processing of personal data. Section 75 states that public sector bodies processing sensitive personal data, or data on more than 5000 data subjects in 12 months, will need to periodically monitor compliance with the regulation. Is the requirement to self-audit the same as the requirement to tick a box?

The phrase that appeared in the initial draft on ‘data portability’ has also changed. It is still there but now Point 55 changes the “right to data portability” to “controllers should be encouraged to develop interoperable formats that enable data portability”. Encouraged how and by whom still remains to be seen.

Another ‘hot phrase’ in the initial draft, and the current buzzword after the European Court of Justice decision, is the “right to be forgotten”, and as predicted that has been changed: Point 53 has now been updated to state that “the right to be forgotten” is indeed now to be called the “right to erasure” and that this right is overridden where processing is needed for the performance of a contract or to meet local legal requirements. Points 54 and 54a specifically make reference to “online information” and the requirement for the facilitator to block or remove such data if the data subject requests.

On that point, this text also tries to abate similar concerns around the watering down of legitimate interests, and Point 39 now specifically outlines a purpose for processing personal data that is a valid “legitimate interest”: namely, processing for information security / network security purposes where strictly necessary. Point 39a also outlines that ‘legitimate interest’ can include processing for the prevention or limitation of damages on the controller, providing this does not significantly go against the data subject’s rights and freedoms. Point 39b adds direct marketing processing as a ‘legitimate interest’, again providing this does not go against the rights and freedoms of the individual. Is it me, or do some of these provisions say “You can do it, but…”?

There are some further oddities in here; for example, Point 32 states that if a controller does not want to follow ‘data minimisation’ requirements there is a burden of proof to justify the processing of Personal Data for that specific purpose / scenario. Again this is nothing new, as this is in line with the principles of the UK DPA, but we have not seen a requirement to document and justify before. Point 32 also states that collecting consent on behalf of 3rd parties is no longer seen as valid consent. Therefore, if a business needs 3rd party data alongside the initial data subject’s data, would it need to contact said 3rd party to seek consent? But then, isn’t it processing said data in order to contact them to get the consent? How would this work, I wonder… citizens aren’t going to do this for controllers, so what other options are there?

Talking of consent, the concern that consent becomes more specific hasn’t been removed, as Point 25 clarifies that consent will require “clear affirmative action” by a data subject in order to be seen as valid consent. Silence, or simply use of a service by the data subject, would not be acceptable as valid consent to process personal data. To the above point, how would a controller get such consent from 3rd parties?

Consent has also been factored in for the use of profiling, and that consent can be removed at any time. However, Point 58 has been updated to state that, for profiling, “Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent”. Now here I believe that “carried out in the course of entering or performance of a contract” means that credit profiling can continue in the UK; otherwise this seems to conflict with current legal requirements on Banks and Lenders to ensure that you as the customer can afford the product they offer and that they as the lender are lending responsibly – this can only be done by credit profiling, surely?

Another area of concern from the initial text was around breach notification. There is still no useful outline as to what a material breach consists of; however, Point 67 confirms that data breach notification to the relevant authority “should be presumed to be not later than 72 hours” – somewhat better than the initial 24 hours, but still something causing concern among various industries.

On the upside, however, a new point specifically referencing Freedom of Information has been added. Point 18 has been updated to make reference to relevant member states’ Freedom of Information (FOI) legislation and how this regulation interacts with it. That’s some concerns appeased… or is it?

The EU Parliament have also updated what is expected of us DPOs, and Point 75a states that DPOs should have the following experience / qualifications:

  • extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures;
  • mastery of technical requirements for privacy by design, privacy by default and data security;
  • industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed;
  • the ability to carry out inspections, consultation, documentation, and log file analysis;
  • the ability to work with employee representation.

The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.

Overall the current draft regulation has either been improved from what it was, stayed the same, or gotten worse in some places.

There are some ups and downs, and a few more changes have been made that I have not referenced here (as I could be here all day). As for next steps for the Regulation, I really don’t know who to believe. The ICO in a recent statement stated that they don’t believe there will be a tangible regulation until 2017 at the earliest. But in the same breath they also said (they being David Smith, the Deputy ICO) that you should get your house in order now with current requirements, as this puts you in a good place ready for the Regulation in 2017. Given how the Parliament approved the text way ahead of schedule and that this piece of legislation is the “most lobbied and campaigned on” in the EU’s history, I am inclined to believe that all bets are off. I can see the case that it will come through quickly, especially as the EU is very defensive of Data Protection and Privacy of late. But then I also see the argument and stance from the European Council that they don’t want to rush this and instead want to take their time. As this Regulation would need agreement from the Council, the Parliament and the Commission, I can see it rattling on for a while. But, as my favourite TV programme as a child used to say, “Stand by for action; anything can happen in the next half an hour”. (For those that don’t know, that was from Stingray – and yes, I am a Geek that needs to get out more.)

I have my unofficial Word document text, which I am happy to share on request, but it is very much unofficial and really isn’t to be considered “official” in any capacity. Well worth a read though, and again I recommend that when the official text is finally updated and released (the EU moves at its own pace on such things) you have it as some bedtime reading to fill you with hope (and possibly nightmares).

Nighty night.

Scott Sammons is currently a European Data Protection Officer within the Finance Industry and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate, which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

New Data Protection Qualification Syllabus Receives Endorsement

Act Now Training is pleased to announce that the syllabus for its new Data Protection Practitioner Certificate has been endorsed by the Centre for Information Rights.

The Data Protection Practitioner Certificate is a new qualification for those who work with Data Protection and privacy issues on a day-to-day basis. The course syllabus has been designed in consultation with an independent exam board of well-known data protection experts from the public and private sectors in the UK and Europe. It is intended to give candidates a balanced view and understanding of data protection law and everything they need to know to manage the Data Protection Life Cycle. Candidates will also gain a head start in understanding and implementing the proposed EU Data Protection Regulation (expected to be finalised in 2015).

The Centre for Information Rights is one of the University of Winchester’s Research Centres and is established within the Department of Law. It aims to:

  • Provide a focus for research in Information Rights;
  • Contribute to developing policy and practice;
  • Explore ways of exchanging knowledge with subject matter experts, practitioners, students and other academics;
  • Contribute to training and educational activities;
  • Engage with the local and wider community to provide opportunities for information issues to be debated.

Marion Oswald, Solicitor and Head of the Centre, said:

“The Centre for Information Rights is pleased to endorse the syllabus of Act Now’s Data Protection Practitioner Certificate. The syllabus is focused on providing practitioners with a practical understanding of data protection and knowledge of how the law may change in the future.”

The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by some online training sessions and a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate. Commenting on the syllabus endorsement, Ibrahim Hasan (Solicitor and Director of Act Now Training) said:

“We are very pleased that the quality of our new course syllabus has been recognised by the Centre for Information Rights. We are confident that by undertaking the course, delegates will achieve a truly practical understanding of data protection law and will be prepared for the big changes on the horizon in the shape of the proposed EU Data Protection Regulation.”

This new course builds on Act Now’s reputation for delivering practical training at an affordable price. We were the first company in the UK to launch a dedicated Freedom of Information qualification for the Scottish public sector. The Act Now Practitioner Certificate in Freedom of Information (Scotland) is endorsed by the Centre for FOI based at the University of Dundee. Professor Kevin Dunion (formerly the Scottish Information Commissioner) is the Executive Director of the Centre for FOI and has recently chaired a review of our first year.

To learn more about the Act Now Practitioner Certificate in Data Protection please see our website or download the flyer.

Practitioner Certificate in FOISA: Review of First Year


Act Now Training is pleased to report that it has completed a very successful first year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Four courses were delivered in 2013 with very strong candidates from a variety of backgrounds.


The overall pass rate was 94% with over a third of delegates obtaining a distinction (over 80%). 72% of delegates scored above 65% in the final assessment. The delegate feedback has been extremely positive. All said they enjoyed the course and felt that they would be able to apply the skills learnt on the course in the workplace to improve their efficiency in dealing with FOISA requests. (Read a successful candidate’s observations here.)

Commenting on the first year of delivering the course, Tim Turner said:

“I’ve enjoyed writing and delivering this course. The results have been encouraging and also demonstrate clearly the high level of expertise in Scottish Public bodies. I am also pleased that the course project element has enabled individuals to achieve very high marks and well deserved distinctions. I think that this style of qualification is better suited to the way of working within Scottish Public Bodies managing Freedom of Information.”

More of Tim’s views on the course can be read here.

The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board, Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI), says in the course review report:

“I’m pleased to be able to participate in the review of the first year of this groundbreaking new course designed for Scottish FOI practitioners. Having reviewed the syllabus, the examination process and the first year’s results I am happy to continue to endorse Act Now’s Practitioner Certificate in FOISA for another year. The quality of the delegates, as evidenced by the high grades, augurs well for FOI in Scotland. In particular, I am pleased at Act Now’s initiative to include practical elements in the course. This clearly provides direct benefits for public authorities, by improving the ability of practitioners to deal with complex information requests.”

With more bodies being made subject to FOISA on 1st April 2014, we are confident that the Act Now Practitioner Certificate in FOISA will soon become the qualification of choice for FOISA professionals in Scotland.

Our next course is in May in Edinburgh. Interested? Have a go at the FOISA test.

Act Now Launches NEW Practical Data Protection Qualification


Act Now Training Limited is pleased to announce the launch of the Act Now Data Protection Practitioner Certificate.

This is a new qualification for those who work with Data Protection and privacy issues on a day-to-day basis. With an emphasis on practical DP issues and looking ahead to the proposed EU Data Protection Regulation, we are confident that this certificate will become the qualification of choice for those new to Data Protection as well as experienced practitioners who wish to have their expertise recognised through a formal qualification.

The course syllabus has been designed in consultation with an independent exam board of well-known data protection experts from the public and the private sector in the UK and Europe. It is intended to give candidates a balanced view and understanding of data protection law and everything they need to know to manage the Data Protection Life Cycle. Candidates will also gain a head start in understanding and implementing the proposed EU Data Protection Regulation (expected to be finalised in 2015).

WHY THIS COURSE IS DIFFERENT

  • Emphasis on practical application of DP law
  • Teaches practical skills to manage the DP lifecycle, including DP Audits and Privacy Impact Assessments
  • Online resource lab with videos, quizzes and additional resources
  • Choice of online seminars in addition to face-to-face learning
  • Assessments testing practical knowledge, not rote learning
  • Covers the proposed EU Data Protection Regulation
  • Materials include a free DP Template Policy Pack (normally £99 plus VAT)

Our expert speakers will share their practical experience gained through years of helping organisations comply with their DP obligations. This, together with exclusive access to our online resource lab, will mean that candidates will not only be in a position to pass the assessments but to learn valuable skills which they will be able to apply in their workplace for years to come.

The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by some online training sessions and a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

This new course builds on Act Now’s reputation for delivering practical training at an affordable price. We were the first company in the UK to launch a dedicated Freedom of Information qualification for the Scottish public sector. The Act Now Practitioner Certificate in Freedom of Information (Scotland) is endorsed by the Centre for FOI. Professor Kevin Dunion is Executive Director of the Centre. He was previously the Scottish Information Commissioner.

Act Now Training will continue to deliver the BCS Certificate in Data Protection of which it is one of the leading providers. This new course widens the choice for DP practitioners and advisers. Commenting on the launch, Paul Simpkins (Director of Act Now Training) said:

“I am pleased to be able to launch this new practical DP qualification, which will also prepare delegates for the big changes in the future in the shape of the proposed EU Data Protection Regulation. Act Now will continue to watch developments in Europe with a view to updating the course syllabus. In time we hope to establish this qualification’s reputation throughout Europe.”

To learn more about this new qualification please see our website or download the flyer.