On 2nd September, the instant messaging service WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) under GDPR. It is the largest fine issued by the DPC and the second highest in the EU (In July Luxembourg’s National Commission for Data Protection fined Amazon €746 million after finding that the way the e-commerce giant handles people’s personal data, especially around personalised ads, was not GDPR compliant).
The background to the WhatsApp fine is an investigation by the DPC, which started in December 2018. WhatsApp users are required to provide the company with all their contacts’ phone numbers. Some of these will inevitably belong to non-WhatsApp users. The DPC found that these numbers were also personal data because the subjects were identifiable and consequently WhatsApp was the data controller in relation to such data.
The DPC then evaluated WhatsApp’s compliance with the transparency obligations set out in Articles 14 and 12(1) of GDPR. WhatsApp argued that it took “appropriate measures” to inform non-users of the “very limited ways” in which it processed their personal data. This was supposedly done by stating users provide the company with all their contacts’ phone numbers in their privacy policy.
The DPC rejected this argument, pointing to the lack of a discoverable and accessible “public notice” that would provide non-users of WhatsApp services with the information they are entitled to under Article 14. For example, they should be provided with details about the “circumstances in which any non-user personal data is shared with any of the Facebook Companies”(Facebook bought WhatsApp in 2014). It emphasised that the burden of providing such information is outweighed by “the role and utility of the right to be informed”.
The DPC also ruled that WhatsApp had not complied with Article 13 in relation to the privacy information it provided to users. It specifically assessed the extent to which WhatsApp explained its relationship with the Facebook companies and any consequent sharing of data. It criticised the manner in which the information is spread out “across a wide range of texts”, and how a significant amount of it is so high level as to be meaningless. It pointed out how the Facebook FAQ is only linked to WhatsApp’s privacy policy in one place. The information being provided was “unnecessarily confusing and ill-defined”.
In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking a eight specified remedial actions. WhatsApp has 3 months to comply. One of the remedial actions is to remind users of their GDPR rights which will lead to substantially more work for WhatsApp in meeting these requests.
Data Controllers need to assess how well their privacy policies and notices comply with Article 13 and 14. This cases shows that regulators are willing to enforce GDPR transparency obligations on data controllers even where the obligations are difficult to meet because, like WhatsApp, they have millions of non-service user data subjects with whom there is no direct relationship.
WhatsApp has confirmed that it will appeal the decision.
Most of our courses are now available as both classroom and online options. TheGDPR Practitioner Certificate is our most popular certificate course with may courses filling up fast. We have added more dates.
At the start of the Pandemic, we decided to offer our flagship classroom based GDPR Practitioner Certificate as an online option. We redesigned the course for the online world with even more emphasis on practical exercises and case studies to try and recreate the classroom learning environment. Delegates receive all the fantastic features of our classroom course but in a live online learning environment accessible from anywhere in the world.
The course is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. It teaches delegates all the essential GDPR skills and knowledge. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
In less than 18 months, 178 delegates have completed the course representing a diverse range of organisations including private companies, councils, universities and government departments. We have even had delegates from the Houses of Parliament, Gibraltar and the Isle of Man.
Read some of the delegate feedback below:
“The GDPR Practitioner Certificate course was really excellent. The content was thorough and tied in with real life situations to really embed the learning. It has really helped me in my role, even after the first week I had new practical skills I could use in my daily work life.” KL, Kent County Council
“Very useful, insightful course that provided hands on practical tips on GDPR implementation within our business.” AD, Danske Bank
“The course was delivered at a pace that suited the learners and with ample opportunities to revisit tricky topics or ask for clarification. The supplied learning materials were comprehensive and genuinely added value to the learning experience.” Nigel Leech, CEFAS
“The course was the right balance between overall guidance and detailed information presented in an easy and understandable format.” RR, Chugai Pharma Europe Ltd
“The course delivered through Act Now was not only educational but informative. The teaching skills were excellent, I felt at ease in the class and came away with a tremendous amount of knowledge that I can use in everyday situations. Thank you.” HB, Foseco International Limited
For those who have successfully completed our GDPR Practitioner Certificate, we have one place left on our Advanced Certificate in GDPR Practice course starting in October.
The first GDPR fine issued by the Information Commissioner’s Office (ICO) has been reduced by two thirds on appeal.
In December 2019, Doorstep Dispensaree Ltd, a company which supplies medicines to customers and care homes, was the subject of a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. Following an investigation, the ICO ruled that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The ICO launched its investigation after it was alerted by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the company.
The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. It also issued an Enforcement Notice after finding, amongst other things, that the company’s privacy notices and internal policies were not up to scratch.
On appeal, the First Tier Tribunal (Information Rights) ruled that the original fine of £275,000 should be reduced to £92,000. It concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000 as the ICO had estimated. She also held that 12,491 of those documents contained personal data and 53,871 contained Special Category Data.
A key learning point from this appeal is that data controllers cannot be absolved of responsibility for personal data simply because data processors breach contractual terms around security. The company argued that, by virtue of Article 28(1) of GDPR, its data destruction company (JPL) had become the data controller of the offending data because it was processing the data otherwise than in accordance with their instructions. In support of this argument it relied on its contractual arrangement with JPL, under which JPL was only authorised to destroy personal data in relation to DDL- sourced excess medication and equipment and must do so securely and in good time.
The judge said:
“The issue of whether a processor arrogated the role of controller in this context must be considered by reference to the Article 5(2) accountability principle. This provides the controller with retained responsibility for ensuring compliance with the Article 5(1) data processing principles, including through the provision of comprehensive data processing policies. Although it is possible that a tipping point may be reached whereby the processor’s departure from the agreed policies becomes an arrogation of the controller’s role, I am satisfied that this does not apply to the facts of this case.”
This case shows the importance of data controllers keeping a close eye on data processors especially where they have access to or are required to destroy or store sensitive data. Merely relying on the data processor contract is not enough to avoid ICO enforcement.
Our GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.
On 10 September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union.
Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government:
“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.”
Many of the recommendations made in the TIGRR Report can be found in the latest consultation document:
Research and Re Use of Data
Consolidating and bringing together research-specific provisions in the UK GDPR, “bringing greater clarity to the range of relevant provisions and how they relate to each other.”
Incorporating a clearer definition of “scientific research” into the legislation.
Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing.
Creating a new, separate lawful ground for research, subject to suitable safeguards.
Clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection.
Stating explicitly that the further use of data for research purposes is both always compatible with the original purpose and lawful under Article 6(1) of the UK GDPR.
Replicating the Article 14(5)(b) exemption (disproportionate effort) in Article 13 (privacy notice), limited only to controllers processing personal data for research purposes.
Amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.
Creating a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test “in order to give them more confidence to process personal data without unnecessary recourse to consent.”
AI, Machine Learning and Automated Decision Making
Stipulating that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required.
Enabling organisations to use personal data and sensitive personal data for the purpose of managing the risk of bias in their AI systems by amending/clarifying the legitimate interests ground under Art 6 and clarifying/amending schedule 1 of the DPA 2018 (Special Category Data Processing).
Removing Article 22 of UK GDPR (the right not to be subject to a decision resulting from solely automated processing if that decision has significant effects on the individual) and permitting solely automated decision making subject to compliance with the rest of the data protection legislation.
Accountability
Allowing data controllers to implementing a more flexible and risk-based accountability framework, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out.
To support the implementation of the new accountability framework the government intends to remove the requirement to:
Consult the ICO in relation to high-risk personal data processing that cannot be mitigated (Article 36)
The record keeping requirements under Article 30
The need to report a data breach where the risk to individuals is “not material”
Introducing a new voluntary undertakings process.
International Transfers
Adding more countries to the adequate list by “progressing an ambitious programme of adequacy assessments.”
Adding easier and more international transfer mechanisms.
Allowing repetitive use of Article 49 derogations.
PECR and Marketing
Permitting organisations to use analytics cookies and similar technologies without the users’ consent.
Permittingorganisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
Extending “the soft opt-in” to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription.
Making it easier for political parties to use data for “political engagement”.
Increasing the fines that can be imposed under PECR to GDPR levels.
Other Proposals
Including “a clear test for determining when data will be regarded as anonymous” within the UK GDPR.
Introducing a fee regime (similar to that in the Freedom of Information Act 2000) for access to personal data held by all data controllers.
Requiring the ICO to consider not just data protection but also “growth and innovation” as well as competition.
Businesses may welcome many of these proposals which they might see as limiting the administrative burden of the current data protection regime particularly reporting data breaches and conducting DPIAs. The Government also seems intent on liberalising access to data, to generate a broader market for it, which will suit the commercial interests of big business but at what privacy cost? The consultation runs until 19 November 2021.
What are your thoughts? Let us know in the comment field.
Our GDPR Practitioner Certificate is our most popular certificate course available both online and classroom. We have added more dates.
It has been a long time since we have delivered our much loved classroom courses. But the wait is over. As the world slowly, blinkingly, comes out in to the post pandemic dawn, Act Now has launched a curated list of Classroom courses in London and Manchester.
Many of our delegates have been requesting the return to classroom for quite some time, and now we can finally start to add some dates to our calendar.
Whether Classroom or Online, our courses deliver the same content whilst ensuring that each medium is catered for specifically resulting in trackable learning outcomes. Take your pick, Online in the comfort of your home or office, or join us in one of our premier locations.
We look forward to having you back. A list of our courses can be found below. Please also check the website for further dates and details. Places will be limited to ensure social distancing so book early to confirm your place.
To see our complete list of of Online and Classroom courses please CLICK HERE
We sold over 3000 copies of the previous edition of the EU GDPR Handbook. That was back when the UK was still part of the EU and the handbook had to reflect the UK specific provisions as set out in the Data Protection Act 2018.
As a result of Brexit, Europe now has two primary sources of data protection law.
The EU General Data Protection Regulation (EU GDPR) applies primarily to personal data processed in the European Union. Following its exit from the EU, the United Kingdom’s own version of the GDPR, known as the “UK GDPR”, came into force on 1st January 2021.
Both versions of GDPR have an extra territorial effect in that personal data processed outside their jurisdiction is still regulated by them, if the processing is related to offering goods or services or to monitoring the behaviour of EU/UK residents (Article 3).
The official publication of the EU GDPR contains 99 Articles and 173 Recitals. The Recitals further expand on the topics covered in the Articles. However, as the Recitals are placed at the start of the official publication it can be difficult to navigate the legislation.
Just like the previous version, this EU GDPR Handbook is laid out in a logical and easier to read manner by helpfully placing all the Recitals (in blue) under their corresponding Articles. This saves the reader time and effort in cross-referencing and leads to a more natural reading of the legislation. In addition, under each Article we have included updated signposts to:
Official guidance issued by the Article 29 Working Party (A29WP) and the European Data Protection Board (EDPB)
The UK Information Commissioner’s Office (ICO) guidance
Relevant UK court cases
Data protection practitioners and legal advisers working for Data Controllers and Processors within the EU as well organisations who are caught by the extra territorial provisions of the EU GDPR will find this handbook of great benefit in their day to day work. It is the perfect companion to the Act Now UK GDPR Handbook which is proving very popular amongst data protection professionals.
Like with all our handbooks, Act Now will be donating £1 for each EU GDPR Handbook sold to our chosen charity Woodgate Community Food based in Leicester.
We only have one place left on our Advanced Certificate in GDPR Practice course starting in September and onlyfour places left on our October course. Book now and reserve your place!
On 8th July 2021, the Information Commissioner’s Office (ICO) fined the transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure. In particular this led to a breach of the Articles 5(l)(f) and 32(1) and (2) of the GDPR.
The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.
The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.
The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal data, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as Special Category Data as mental and physical health and sexual orientation were exposed.
The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.
During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.
Steve Eckersley, Director of Investigations said:
“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
Up to April 2021, European Data Protection regulators had issued approximately €292 million worth of fines under GDPR. The greatest number of fines have been issued by Spain (212), Italy (67) and Romania (52) (source).
Up to last week, the ICO had only issued four GDPR fines. Whilst fines are not the only GDPR enforcement tool, the ICO has faced criticism for lack of GDPR enforcement compared to PECR.
The first ICO GDPR fine was issued back in December 2019 to a London-based pharmacy. Doorstep Dispensaree Ltd, was issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. In November 2020, Ticketmaster had to pay a fine of £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. Others ICO fines include British Airways and Marriott which concerned cyber security breaches.
It remains to be seen if the Mermaids fine is the start of more robust GDPR enforcement action by the ICO. It will certainly be a warning to all Data Controllers, particularly charities, to ensure that they have up to data protection data policies and procedures.
Act Now Training’s GDPR Essentials e learning course is ideal for frontline staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here.
After 18 months of development, working with industry experts, Act Now Training is pleased to announce the completion of its first ever Advanced Certificate in GDPR Practice course. Congratulations to all the delegates who successfully completed the course. It has been a fantastic four month journey, from the first masterclass through to results day.
The Advanced Certificate in GDPR Practice course is the the first of its kind and is proving very popular amongst practitioners. It builds on the knowledge and skills of data protection practitioners by focussing on analysing and evaluating complex data protection issues. These skills are designed to help them interpret the legislation with greater understanding, equipping them with a skillset to tackle tricky data protection issues.
The first group consisted of a great set of delegates, from both the public and private sector, who were fully engaged and pushed themselves. The feedback shows that they really enjoyed the innovative format and the skills being taught:
“There is no doubt that this course has pushed me and got me out of my comfort zone, but in a very positive way, I genuinely feel I have improved both my skillset and understanding of data protection on this course.” Michael Pennington, Head of Operations & Security at Health Intelligence
“ I would wholeheartedly recommend the Advanced Certificate in GDPR Practice as it is a very different course. I definitely feel more informed and confident in my role with knowledge and techniques I have learned. But perhaps more importantly I have explored new avenues of learning with the enforcement notices and watching the training videos, whilst engaging with some industry leaders in data protection and some of my peers.” Zara Harrington, Data Protection Manager and DPO, Leaders Romans Group
“The course has reignited my passion for data-protection.” Neil Murphy, Governance and Data Protection Manager, North Star Community Trust
“The format of the learning also gave me a safe space to practice new skills, to analyse the legislation and to have robust conversations with my fellow students.” Gill Rust, People’s Postcode Lottery
“Despite the hard work, the training has been enjoyable – helped hugely by the great group of DPOs who were open to listening and challenging opinions and of course, Ibrahim and Susan who were supportive throughout.”
The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. The Advanced Certificate in GDPR Practice is one of the reasons why we have been nominated for this year’s IRMS awards; Supplier of the Year and Innovation of the Year.
Ibrahim Hasan, solicitor and course director said:
“We are delighted to see the first group complete the course and with such fantastic results! They were a pleasure to teach and their enthusiasm was encouraging. I am glad that their hard work has paid off. Their feedback has really helped us to further improve the course for the next cohorts. ”
The first five courses have been fully booked. We have added more course dates in Autumn. More information here.
So much has happened in the world of data protection recently. Where to start?
International Transfers
In April, the European Data Protection Board’s (EDPB) opinions (GDPR and Law Enforcement Directive (LED)) on UK adequacy were adopted. The EDPB has looked at the draft EU adequacy decisions. It acknowledge that there is alignment between the EU and UK laws but also expressed some concerns. It has though issued a non-binding opinion recommending their acceptance. If accepted the two adequacy decisions will run for an initial period of four years. More here.
Last month saw the ICO’s annual data protection conference go online due to the pandemic. Whilst not the same as a face to face conference, it was still a good event with lots of nuggets for data protection professionals including the news that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers. Deputy Commissioner Steve Wood said:
“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in the UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer. We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”
Lloyd v Google
The much-anticipated Supreme Court hearing in the case of Lloyd v Google LLC took place at the end of April. The case concerns the legality of Google’s collection and use of browser generated data from more than 4 million+ iPhone users during 2011-12 without their consent. Following the two-day hearing, the Supreme Court will now decide, amongst other things, whether, under the DPA 1998, damages are recoverable for ‘loss of control’ of data without needing to identify any specific financial loss and whether a claimant can bring a representative action on behalf of a group on the basis that the group have the ‘same interest’ in the claim and are identifiable. The decision is likely to have wide ranging implications for representative actions, what damages can be awarded for and the level of damages in data protection cases. Watch this space!
Ticketmaster Appeal
In November 2020, the ICO fined Ticketmaster £1.25m for a breach of Articles 5(1)(f) and 32 GPDR (security). Ticketmaster appealed the penalty notice on the basis that there had been no breach of the GDPR; alternatively that it was inappropriate to impose a penalty, and that in any event the sum was excessive. The appeal has now been stayed by the First-Tier Tribunal until 28 days after the pending judgment in a damages claim brought against Ticketmaster by 795 customers: Collins & Others v Ticketmaster UK Ltd (BL-2019-LIV-000007).
Age Appropriate Design Code
This code came into force on 2 September 2020, with a 12 month transition period. The Code sets out 15 standards organisations must meet to ensure that children’s data is protected online. It applies to all the major online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use.
With less than four months to go (2 September 2021) the ICO is urging organisations and businesses to make the necessary changes to their online services and products. We are planning a webinar on the code. Get in touch if interested.
AI and Automated Decision Making
Article 22 of GDPR provides protection for individuals against purely automated decisions with a legal or significant impact. In February, the Court of Amsterdam ordered Uber, the ride-hailing app, to reinstate six drivers who it was claimed were unfairly dismissed “by algorithmic means.” The court also ordered Uber to pay the compensation to the sacked drivers.
In April EU Commission published a proposal for a harmonised framework on AI. The framework seeks to impose obligations on both providers and users of AI. Like the GDPR the proposal includes fine levels and an extra-territorial effect. (Readers may be interested in our new webinar on AI and Machine Learning.)
Publicly Available Information
Just because information is publicly available it does not provide a free pass for companies to use it without consequences. Data protection laws have to be complied with. In November 2020, the ICO ordered the credit reference agency Experian Limited to make fundamental changes to how it handles personal data within its direct marketing services. The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. Experian has lodged an appeal against the Enforcement Notice.
Interesting that recently the Spanish regulator has fined another credit reference agency, Equifax, €1m for several failures under the GDPR. Individuals complained about Equifax’s use of their personal data which was publicly available. Equifax had also failed to provide the individuals with a privacy notice.
Data Protection by Design
The Irish data protection regulator issued its largest domestic fine recently. Irish Credit Bureau (ICB) was fined €90,000 following a change in the ICB’s computer code in 2018 resulted in 15,000 accounts having incorrect details recorded about their loans before the mistake was noticed. Amongst other things, the decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (aka DP by design and by default).
Data Sharing
The ICO’s Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. Building on the code, the ICO recently outlined its plans to update its guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing.
UK GDPR Handbook
The UK GDPR Handbook is proving very popular among data protection professionals.
It sets out the full text of the UK GDPR laid out in a clear and easy to read format. It cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. The handbook uses a unique colour coding system that allows users to easily identify amendments, insertions and deletions from the EU GDPR. Relevant provisions of the amended DPA 2018 have been included where they supplement the UK GDPR. To assist users in interpreting the legislation, guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted. Read what others have said:
“A very useful, timely, and professional handbook. Highly recommended.”
“What I’m liking so far is that this is “just” the text (beautifully collated together and cross-referenced Articles / Recital etc.), rather than a pundits interpretation of it (useful as those interpretations are on many occasions in other books).”
“Great resource, love the tabs. Logical and easy to follow.”
