Category: Data Protection

Transport for London Cyber Attack 

Transport for London (TfL) is currently dealing with a cyber attack that has targeted its computer systems. Sources within TfL have revealed that staff have been encouraged to work from home where possible, as the attack primarily affects the transport provider’s back-office systems at its corporate headquarters. TfL is collaborating closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident. 

Shashi Verma, TfL’s Chief Technology Officer, said: 

“We have implemented several measures to address an ongoing cybersecurity incident within our internal systems. The security of our systems and customer data is of utmost importance, and we are continuously assessing the situation throughout this incident.”  

Mr Verma emphasised that, although a complete assessment is still underway, there is no current evidence of customer data being compromised. If it turns out that any personal data has been compromised, whether employee or customer data,  of course TfL will need to consider reporting the matter to the Information Commissioner’s Office (ICO) as a personal data breach under Article 33 of the UK GDPR. As a statutory body, failure to do so could lead to TfL being fined up to £8.7 million. If the ICO investigates and finds a breach of the DP Principles (e.g. security) this could rise to £17.5 million. 

Back in the day major cyber incidents involving personal data were sure to be the subject of an ICO fine. In 2018, British Airways and  Marriott International were fined £20 million and  £18.4 million respectively. More recently the ICO has issued more reprimands in line with its policy on public sector enforcement. It recently issued a reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn.  

This is not the first cyber attack on a major public service provider in the capital.  Last month the ICO announced that it had issued a GDPR Notice of Intent of £6.09 million to an NHS IT supplier. This comes after its findings that the company failed to adequately protect the personal data of 82,946 individuals in breach of Article 32 of the UK GDPR.  As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds role of Data Processor for many of its clients. The breach in question occurred during a ransomware attack in August 2022. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The compromised data included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about cyber security. See also our Managing Personal Data Breaches Workshop

A Minister for Data Protection

Data Protection Officers will need to add a question to this year’s Christmas Quiz.; “Who is the Minister for Data Protection?”

On 7th July 2024, Sir Chris Bryant was appointed Minister of State for Data Protection and Telecoms. This is the first time we have a minister specifically for this role. Alongside data protection, Sir Chris will have responsibility for:

One of the first tasks for Sir Chris will be to guide the Digital Information and Smart Data Bill through Parliament. 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

The King’s Speech: What now for AI regulation and Data Protection reform?

The new Labour Government’s legislative programme was outlined in the King’s Speech at the State Opening of Parliament yesterday. Here are the key Bills information governance professionals need to look out for.

An AI Bill?

Despite media reports, the King’s Speech did not include a bill to regulate artificial intelligence(AI). The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. Expect a government consultation to be announced soon.

However, it is likely that new AI requirements will be introduced in other forthcoming legislation e.g the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act. (see below)

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto says:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

Meanwhile Europe is going full speed ahead on AI regulation. The EU AI Act will be on the EU statute books on 1st August 2024 and then become enforceable in stages. (A useful summary has been produced by lawyers at Stephenson Harwood.)

Cyber Security and Resilience Bill

A new Cyber Security and Resilience Bill will be introduced. It will expand regulation to cover more digital services and supply chains, empower regulators to ensure cyber security measures and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom.

The Bill seems to be a response to recent high profile cyber-attacks. In June on Synnovis, the NHS service provider responsible for blood tests, swabs, bowel tests, and other critical services was the target of an attack affecting NHS patients across six London boroughs. Two major London hospital trusts had to cancel all non-emergency operations and blood tests.  It later transpired that, Qilin, a Russian cyber-criminal group, shared almost 400GB of private information on their darknet site.   

Digital Information and Smart Data Bill

No reference was made to data protection reform in the King’s Speech, but a Digital Information and Smart Data Bill was announced. The main provisions of the new Bill are:

  • Scientists will be able to ask for broad consent to use personal data for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make more use of personal data.
  • The Information Commissioner’s Office (ICO) will be transformed into a “more modern regulatory structure”, with a CEO, board and chair. It will also have new stronger powers.
  • The establishing of digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services e.g. to help with things like moving house, pre-employment checks and buying age restricted goods and services. This is not the same as compulsory digital ID cards as some media outlets have reported.
  • The creation of a legal framework for Smart Data. This is the secure sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only active example of a regime that is comparable to a ‘Smart Data scheme’ – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand.

Most of these proposals are not particularly controversial and were in the Data Protection and Digital Information Bill  which failed to make it through Parliamentary “wash up” stage when the election was announced.

There may be more changes to come. We are told there will be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies”.

There is much to chew over for IG professionals in the King’s Speech. As ever the devil will be in the detail (the Bills when published). Interesting times ahead.

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

London Hospitals Hit By Major Cyber Attack

The Independent reports this afternoon that two major London hospital trusts have had to cancel all non-emergency operations and blood tests due to a significant cyber attack. Both King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Hospitals Foundation Trusts have seen their pathology systems compromised by malware.

Synnovis, the service provider responsible for blood tests, swabs, bowel tests, and other critical services for these hospitals, was targeted in this attack. The impact is widespread, affecting NHS patients across six London boroughs. The affected hospitals include Guy’s Hospital, which operates the Evelina children’s hospital, Harefield Hospital, King’s College Hospital, Princess Royal University Hospital, Royal Brompton Hospital, and St Thomas’ Hospital.

On Monday, Synnovis confirmed the severity of the attack, which has disrupted services for tens of thousands of patients. As the hospitals work to mitigate the damage and restore services, the incident highlights the vulnerability of healthcare systems to cyber threats and the far-reaching consequences such attacks can have on patient care.

The Information Commissioner’s Office is yet to comment. 

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about data security. See also our Managing Personal Data Breaches Workshop.  

ICO Announces £750K Potential Fine for Data Breach

The Information Commissioner’s Office has today announced that it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 for a personal data breach.

The proposed fine (Notice of Intent) relates to an incident  which occurred last summer. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours. At the time the breach was reported, Ibrahim Hasan gave an interview to BBC Radio Ulster (Listen here.)

The ICO says that the proposed fine could be imposed on the PSNI “for failing to protect the personal information of its entire workforce.” It has provisionally found the PSNI’s internal procedures and sign-off protocols for the safe disclosure of information were inadequate. 

The fact that the ICO is proposing a large fine is not surprising. The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. The PSNI has previously confirmed that the information was in the hands of dissident republicans, among others. 

It is important to note that this is not a fine. It is a ‘Notice of Intent’– a legal document that precedes a potential fine. Such a notice sets out the ICO’s provisional view which may of course change after PSNI makes representations. Remember we have been here before. In July 2018 British Airways was issued with a Notice of Intent, for cyber security breach, in the sum of £183 Million but the actual fine was for £20 million issued in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.

PSNI has also been issued with a preliminary Enforcement Notice, requiring the Service to improve the security of personal information when responding to FOI requests.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about data security. See also our Managing Personal Data Breaches Workshop.  

image credits: visitderry.com

Navigating Turbulence: Qantas App Privacy Breach Sparks Concerns 

Today a number of news outlets are reporting that Australian airline Qantas is investigating a privacy breach on its app. Customers discovered that they had access to the personal details of other travellers, including boarding passes and frequent flyer information. This discovery has raised significant concerns about data security and privacy among Qantas app users. 

Qantas responded to the situation, acknowledging the issue and assuring customers that it was under investigation. Within three hours of the breach being detected, the airline claimed to have resolved the problem and issued a public apology for any inconvenience caused. 

Despite initial fears of a cyberattack, Qantas stated that the breach was likely due to a technology glitch, possibly linked to recent system updates. However, the extent of the breach was troubling, with some users reporting the ability to view multiple passengers’ details with just a few clicks. 

Customers shared their experiences on social media platforms, recounting instances where they were confronted with strangers’ personal information upon opening the app. Concerns were further amplified when reports emerged of individuals being able to manipulate flight bookings, raising questions about the app’s security measures. 

In response to the breach, Qantas advised affected users to log out and log back into the app to mitigate the issue. The airline reassured customers that there were no indications of travellers using incorrect boarding passes as a result of the breach. 

Social media channels buzzed with criticism of Qantas, with users sharing screenshots of the glitch and raising awareness of potential phishing attempts. Allegations surfaced of fake Qantas customer care accounts soliciting personal information from users under the guise of assistance. 

Does the UK GDPR apply here? 

In October 2020, the UK Information Commissioner’s Office fined British Airways £20million, under the GDPR, for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.   

Whilst Qantas has said that this incident was not due to a cyber-attack, it will certainly face questions about its handling of customer data under Australian data protection laws. It is also possible that Qantas, an Australian company,  is the subject of a probe by the UK Information Commissioner’s Office under the UK GDPR if, as is likely, UK data subjects are affected by the incident.  

Article 3(2) of the UK GDPR gives it an extra territorial effect. It states:  

“This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: 

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or 

(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.” 

Applying this principle, On 4th April 2023, the ICO issued a £12.7 million fine to TikTok, a US company owned whose parent company is owned by Beijing based ByteDance, for a number of breaches of the UK GDPR, including failing to use children’s personal data lawfully.   

As Qantas works to address the fallout from this breach and restore trust among its customer base, the incident serves as a stark reminder of the importance of robust data security measures in the digital age. It highlights the vulnerability of personal data in online platforms and underscores the need for companies to prioritise the protection of customer data. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.  

YMCA Fined for HIV Email Data Breach 

Another day and another ICO fine for a data breach involving email! The Central Young Men’s Christian Association (the Central YMCA) of London has been issued with a Monetary Penalty Notice of £7,500 for a data breach when emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable. A formal reprimand has also been issued

Failure to use blind carbon copy (BCC) correctly in emails is one of the top data breaches reported to the ICO every year. In December 2023, the ICO fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. Again the failure to use blind copy when using e mail was a central cause of the data breach. 

Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in this way. In October 2021, HIV Scotland was issued with a £10,000 GDPR fine when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.  

Organisations must have appropriate policies and training in place to minimise the risks of personal data being inappropriately disclosed via email. To avoid similar incidents, the ICO recommends that organisations should: 

  1. Consider using other secure means to send communications that involve large amounts of data or sensitive information. This could include using bulk email services, mail merge, or secure data transfer services, so information is not shared with people by mistake.  
  1. Consider having appropriate policies in place and training for staff in relation to email communications.  
  1. For non-sensitive communications, organisations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organisations. 

More on email best practice in the ICO’s email and security guidance

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits. 

The Data Protection and Digital Information Bill: Where are we now? 

The Data Protection and Digital Information Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It is expected to be passed in May and will probably come into force after a short transitional period.  

The current Bill is not substantially different to the previous version whose passage through Parliament was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all’ approach of the European Union’s GDPR.”  

The Same 

Many of the proposals in the new Bill are the same as contained in the previous Bill. These include: 

  • Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.

  • Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included. 

  • Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint if a Data Subject has not made a complaint to the controller first. 

  • Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.  

  • Data Protection Impact Assessments: These will be replaced by leaner and less prescriptive “Assessments of High-Risk Processing.”  

  • International Transfers: There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. (For more detail see also our forthcoming International Transfers webinar). 
  • The Information Commission: The Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive. 

  • PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore, non-commercial organisations (e.g. charities and political parties) will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest. Finally, there will be an increase to the fines from the current maximum of £500,000 to UK GDPR levels i.e. up to £17.5m of 4% of global annual turnover (whichever is higher).  

The Changes 

The main changes are summarised below: 

  • Scientific Research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement. 
  • Legitimate Interests: The Previous Bill proposed that businesses could rely on legitimate interests (Article 6 lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.  The new Bill, whilst keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the “legitimate interests” legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems; although a balancing exercise still needs to be conducted in these cases.  
  • Automated Decision Making: The Previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision.  
  • Records of Processing Activities (ROPA): The Previous Bill streamlined the required content of ROPAs. The new Bill exempts all controllers and processors from the duty to maintain a ROPA unless they are carrying out high risk processing activities.  
  • Subject Access: Clause 12 of the Bill introduced at the House of Commons Report Stage amends Article 12 of UK GDPR (and the DPA 2018) so that Data Controllers are only obliged to undertake a reasonable and proportionate search for information request under the right of access.  

Adequacy 

Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes.  

The EU conducts a review of adequacy with the UK every four years; the next adequacy decision is due on 27th June 2025. Some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU. Defend Digital Me, a civil liberties organisation, has claimed that the Bill would, among other things, weaken data subjects’ rights, water down accountability requirements, and reduce the independence of the ICO.  

Other Parts of the Bill 

The Bill would also: 

  • establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents. 
     
  • increase fines for nuisance calls and texts under PECR. 

  • update the PECR to cut down on ‘user consent’ pop-ups and banners. 

  • allow for the sharing of customer data, through smart data schemes, to provide services such as personalised market comparisons and account management. 
  • reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
  • facilitate the flow and use of personal data for law enforcement and national security purposes. 

  • create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement. 

Reading the Parliamentary debates on the Bill, it seems that the Labour party have no great desire to table substantial amendments to be the Bill. Consequently, it is expected that the Bill will be passed in a form similar to the one now published.  

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop. Dive into the issues discussed in this blog and secure your spot now. 

Data Protection Bill Faces Scrutiny:
Commissioner Calls for Tighter Safeguards 

In a recent development, the Information Commissioner has weighed in on the debate surrounding the Data Protection and Digital Information Bill (DPDI Bill), legislation aimed at modernising data protection in the UK. While acknowledging the government’s efforts to strengthen the independence of the Information Commissioner’s Office (ICO) and update data protection practices, the Commissioner’s response highlights significant concerns, particularly around the use of personal data in social security contexts. We wrote a detailed breakdown on our blog here

The response, detailed and thorough, applauds the government’s amendments to the bill, recognising their potential to enhance ICO’s autonomy and bring data protection practices up to date with the digital age. However, the Commissioner expresses reservations about the adequacy of safeguards in the current draft of the bill, especially in terms of personal data handling for social security purposes. 

The Commissioner’s concern primarily revolves around the need for more precise language in the bill. This is to ensure that its provisions are fully aligned with established data protection principles, thereby safeguarding individual rights.
The response suggests that the current wording might be too broad or vague, potentially leading to misuse or overreach in the handling of personal data. 

Importantly, the Commissioner has provided detailed technical feedback for further improvements to the bill. It indicates a need for scrutiny and adjustments to the bill to ensure that it not only meets its intended purpose but also robustly protects the rights of individuals. 

While the Commissioner supports the bill’s overarching aim to enhance the UK’s data protection regime, the emphasis is clearly on the necessity of refining the bill.
This is to ensure it strikes the right balance between enabling data use for public and economic benefits and protecting individual privacy rights. 

The response from the Information Commissioner is a significant moment in the ongoing development of the DPDI Bill. It underscores the complexity and importance of legislating in the digital age, where data plays a crucial role in both the economy and personal privacy. 

As the bill progresses, the government and legislators should consider the Commissioner’s input. The balance they strike in the final version of the bill will be a key indicator of the UK’s approach to data protection in a rapidly evolving digital landscape. 

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop. Dive into the issues discussed in this blog and secure your spot now.

The Hidden Reach of the Prevent Strategy:
Beyond Counter-Terrorism Units

The UK government’s anti-radicalisation program, Prevent, is reportedly sharing the personal details of thousands of individuals more extensively than previously known. This sharing includes not just counter-terrorism units, but also airports, ports, immigration services, and officials at the Home Office and the Foreign, Commonwealth and Development Office (FCDO). Critics argue that such widespread data sharing could be illegal, as it involves moving sensitive personal data between databases without the consent of the individuals. 

A Metropolitan police document titled “Prevent case management guidance” indicates that Prevent details are also shared with the ports authority watchlist. This raises concerns that individuals may face increased scrutiny at airports or be subjected to counter-terrorism powers without reasonable suspicion. The document also mentions that foreign nationals may have their backgrounds checked by the FCDO and immigration services for any overseas convictions or intelligence. 

Furthermore, the Acro Criminal Records Office, which manages UK criminal records, is notified about individuals referred to Prevent, despite the program dealing with individuals who haven’t necessarily engaged in criminal behaviour.
Counter-terror police emphasise their careful approach to data sharing, which aims to protect vulnerable individuals. 

Prevent’s goal is to divert people from terrorism before they offend, and most people are unaware of their referral to the program. 95% of referrals result in no further action. A secret database, the National Police Prevent Case Management database, was previously disclosed in 2019, revealing the storage of details of those referred to Prevent. 

Newly disclosed information, obtained through a freedom of information request by the Open Rights Group (ORG), reveals that Prevent data is shared across various police databases, including the Police National Computer, specialised counter-terrorism and local intelligence systems, and the National Crime Agency. 

The sharing of this data was accidentally revealed due to a redaction error in a heavily edited Met document. Despite its sensitive nature, the ORG decided to make the document public. Sophia Akram of the ORG expressed concerns over the extent of the data sharing and potential harms, suggesting that it could be unfair and possibly unlawful. 

The guidance also indicates that data is retained and used even in cases where no further action is taken. There are concerns about the impact on young people’s educational opportunities, as Prevent requires public bodies like schools and the police to identify individuals at risk of extremism. 

Recent figures show thousands of referrals to Prevent, predominantly from educational institutions. From April 2022 to March 2023, a total of 6,817 individuals were directed to the Prevent program. Within this group, educational institutions were responsible for 2,684 referrals. Breaking down the referrals by age, there were 2,203 adolescents between the ages of 15 and 20, and 2,119 referrals involved children aged 14 or younger.

There are worries about the long-term consequences for children and young people referred to the program. Several cases have highlighted the intrusive nature of this data sharing and its potential impact on individuals’ lives. Cases in which students have missed gaining a place at a sixth form college and other cases involving children as young as four years old.  

Prevent Watch, an organisation monitoring the program, has raised alarms about the data sharing, particularly its effect on young children. The FoI disclosures challenge the notion that Prevent is non-criminalising, as data on individuals, even those marked as ‘no further action’, can be stored on criminal databases and flagged on watchlists. 

Counter-terrorism policing spokespeople defend the program, emphasising its
multi-agency nature and focus on protecting people from harm. They assert that data sharing is carefully managed and legally compliant, aiming to safeguard vulnerable individuals from joining terror groups or entering conflict zones. 

Learn more about data sharing with our UK GDPR Practitioner Certificate. Dive into the issues discussed in this blog and secure your spot now.