Your Front Page For Information Governance News

Act Now Training Wins the IRMS Supplier of the Year Award 2024

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the year award for 2024. The aim of the award is “to recognise suppliers in the IG/IM/RM world that go above and beyond normal expectations of customer service.”

The awards ceremony took place on Monday night at the IRMS Conference in Brighton where Ibrahim Hasan was also on a panel discussing the privacy implications of Generative AI and ChatGPT. This is third time in four years that Act Now Training has won this award.

Ibrahim Hasan said:

“This award will inspire us to continue to deliver practical training that meets the needs of the IG profession. It also recognises the hard work of our colleagues who are focussed on fantastic customer service as well as our associates who always go the extra mile for our delegates. We would like to thank the IRMS for another great conference and the members for voting for us.”

It has been another fantastic 12 months for Act Now Training. We launched two new certificate courses aimed at helping IG professionals develop their knowledge and skills. The  FOI Intermediate Certificate empowers FOI practitioners, by building upon the foundations established by the FOI Practitioner Certificate, delving deep into the intricacies of FOI and gaining the skills and confidence to navigate its complexities effectively. The Intermediate Certificate in GDPR Practice.  is designed to teach DPOs important DPO skills, as well as advanced knowledge, by covering more challenging topics to gain a deeper awareness of the fundamentals of data protection practice.   

We continue to encourage new entrants to the IG profession. Our development and delivery of the training materials underpinning the Data Protection and Information Governance Practitioner Level 4 Apprenticeship has helped over 100 apprentices in 2023 to join the profession; and numbers predicted to grow even further in 2024/25.  

And we are spreading the IG message beyond these shores! In November 2023, Ibrahim Hasan addressed the UAE’s first ever privacy and data protection law conference; which brought together data protection and security compliance professionals from across the world to discuss the latest developments in the Middle East data protection framework.   

In December, Act Now announced the launch of the UAE’s first Data Protection Executive training programme. This practical course focusses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law’s strict requirements. This is particularly relevant given the recent advancements in Data Protection law in the Middle East, including the UAE’s first comprehensive national data protection law, Federal Decree Law No. 45/2021.  This is a real first for the IG profession. Middlesex University is the biggest international university in Dubai and this certificate is the first executive DP programme in the Middle East.  

Act Now’s programme of online workshops has been expanded to help the profession understand the hot IG topics of the day including: 

The EU AI Act
The new DP Bill 
Data flow mapping
International transfers 
Working with Children’s data 
Cybersecurity for DPOs 
Accountability and DP Audits

We have more great new courses coming up. Watch this space!

Another Conservative Party GDPR Breach

Yesterday, Rachel Cunliffe, Associate Political Editor of the New Statesman, reported that she had received an email from the Conservative Campaign Headquarters (CCHQ) about their forthcoming conference. However she could also see the other 344 recipients as they were all listed in the “To” box, along with their email addresses. CCHQ had made the classic mistake of failing to use blind carbon copy (BCC) and thus, by exposing the personal data of recipients, breached the UK GDPR.

Failure to use BCC correctly in emails is one of the top data breaches reported to the ICO every year. But this incident is not just about exposing some email addresses. Recipients of the CCHQ email will be able to make assumptions about the political affiliations of their fellow recipients. Even if these assumptions are wrong, the emails can be classed as Special Category Data under the UK GDPR and thus more sensitive than other personal data.

So can the CCHQ expect a knock on the door from the ICO? Will they be fined? Whatever your political persuasion, you may think this error from those who run the Government, deserves the strongest sanction. As Cunliffe writes:

“If you can’t trust the Conservatives with your email address, why should you trust them with anything else.”

Inadvertent disclosure of personal data email, by failing to use BCC, has been the subject of a number of GDPR enforcement actions by the ICO in the past few years. Just last December, the Ministry of Defence (MoD) was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.  In October 2021, HIV Scotland was issued with a £10,000 fine when it sent an email to 105 people which included patient advocates representing people living with HIV. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk; also Special Category Data.

The ICO could follow the above examples and issue a fine; although in two recent cases it has gone for a softer option. Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in the same way. 

In statement issued on X, the ICO said:

“The Conservative Party has made us aware of this incident and we are assessing the information provided.”

The Conservative Party has form when it comes to GDPR non-compliance.
Recently we wrote about The Good Law Project’s challenge to the Tory’s “data harvesting” from users of its online tax calculator. But this latest data breach is about more than GDPR compliance. To quote Rachel Cunliffe again:

“This is such a basic error, so easily avoided, it inevitably sets alarm bells ringing. If CCHQ doesn’t have the staff and training procedures to prevent a classic email-sharing error, what does that say about their resilience as a whole? How are their cybersecurity defences? What else is getting missed?”

The breach came on the day Rishi Sunak gave a speech to the Policy Exchange about the transformative power of technology and how he, rather than Keir Starmer, could keep the country safe.

Lessons On Transparency: The ICO Experian Appeal

The Information Commissioner’s Office recently lost its appeal in the Upper Tribunal in relation to an Enforcement Notice issued to Experian.

The concerned Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications

On 20^th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an ICO Enforcement Notice issued to Experian. The notice alleged several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). For more detail of the FTT judgement read our earlier blog here.

On 23^rd April 2024, the Upper Tribunal dismissed the ICO’s appeal against the FTT’s judgment. This can be read here along with a useful press summary. The Upper Tribunal backed the FTT’s conclusions while repeatedly criticising its unclear reasoning.

The broader value of the judgment lies in its guidance, for the first time at this level, of what the transparency requirement under the UK GDPR involves (see paragraph 95). It also sets out its views on the current data protection landscape more generally. 5 Essex Court have a good summary of the judgement on their website.

The ICO’s has issued a (“Let’s look on the bright side”) statement stating that:

“The ICO will take stock of today’s judgment and carefully consider our next steps, including whether to appeal.”

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

Stolen NHS Data Published on Dark Web

A large volume of NHS data has been published by a ransomware group on the dark web. This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient and
staff-identifiable information. Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the
dark web – which is not readily accessible to most people.”

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

NHS Dumfries and Galloway advised people to be alert for any attempts to access their work and personal data. It has also set up a helpline for anyone concerned about the attack and is working with police and other agencies as investigations continue.

In December last year, NHS Fife was formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

MOD Payroll Data Hacked

The government has raised concerns about a cyber attack on an armed forces payroll system, with indications pointing towards China as the suspected perpetrator. Defence Secretary Grant Shapps is set to address Members of Parliament today, although he is not expected to directly attribute blame to any specific party.
Instead, he is likely to emphasise the threat posed by cyber espionage activities conducted by hostile states.

The affected system, utilised by the Ministry of Defence (MoD), contains sensitive information such as names and bank details of armed forces personnel, with a few instances where personal addresses may also be included. Managed by an external contractor, the breach came to light in recent days, prompting government action, although there’s no evidence suggesting data was actually extracted from the system.

The investigation into the breach is still in its early stages and attributing responsibility can be a complex and time-consuming process. While official accusations may not be made immediately, suspicions are reportedly pointing towards China, given its history of targeting similar datasets.

Those impacted by the breach will receive communication from the government regarding the incident, with a focus on addressing potential fraud risks rather than immediate personal safety concerns.

At the time of writing it is not clear if the MoD has reported the data breach to the ICO as required by the UK GDPR. In December 2023, the MoD was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

Navigating Turbulence: Qantas App Privacy Breach Sparks Concerns

Today a number of news outlets are reporting that Australian airline Qantas is investigating a privacy breach on its app. Customers discovered that they had access to the personal details of other travellers, including boarding passes and frequent flyer information. This discovery has raised significant concerns about data security and privacy among Qantas app users.

Qantas responded to the situation, acknowledging the issue and assuring customers that it was under investigation. Within three hours of the breach being detected, the airline claimed to have resolved the problem and issued a public apology for any inconvenience caused.

Despite initial fears of a cyberattack, Qantas stated that the breach was likely due to a technology glitch, possibly linked to recent system updates. However, the extent of the breach was troubling, with some users reporting the ability to view multiple passengers’ details with just a few clicks.

Customers shared their experiences on social media platforms, recounting instances where they were confronted with strangers’ personal information upon opening the app. Concerns were further amplified when reports emerged of individuals being able to manipulate flight bookings, raising questions about the app’s security measures.

In response to the breach, Qantas advised affected users to log out and log back into the app to mitigate the issue. The airline reassured customers that there were no indications of travellers using incorrect boarding passes as a result of the breach.

Social media channels buzzed with criticism of Qantas, with users sharing screenshots of the glitch and raising awareness of potential phishing attempts. Allegations surfaced of fake Qantas customer care accounts soliciting personal information from users under the guise of assistance.

Does the UK GDPR apply here?

In October 2020, the UK Information Commissioner’s Office fined British Airways £20million, under the GDPR, for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.  

Whilst Qantas has said that this incident was not due to a cyber-attack, it will certainly face questions about its handling of customer data under Australian data protection laws. It is also possible that Qantas, an Australian company, is the subject of a probe by the UK Information Commissioner’s Office under the UK GDPR if, as is likely, UK data subjects are affected by the incident.

Article 3(2) of the UK GDPR gives it an extra territorial effect. It states:

“This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.”

Applying this principle, On 4^th April 2023, the ICO issued a £12.7 million fine to TikTok, a US company owned whose parent company is owned by Beijing based ByteDance, for a number of breaches of the UK GDPR, including failing to use children’s personal data lawfully. 

As Qantas works to address the fallout from this breach and restore trust among its customer base, the incident serves as a stark reminder of the importance of robust data security measures in the digital age. It highlights the vulnerability of personal data in online platforms and underscores the need for companies to prioritise the protection of customer data.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits. 

YMCA Fined for HIV Email Data Breach

Another day and another ICO fine for a data breach involving email! The Central Young Men’s Christian Association (the Central YMCA) of London has been issued with a Monetary Penalty Notice of £7,500 for a data breach when emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable. A formal reprimand has also been issued.

Failure to use blind carbon copy (BCC) correctly in emails is one of the top data breaches reported to the ICO every year. In December 2023, the ICO fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. Again the failure to use blind copy when using e mail was a central cause of the data breach.

Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in this way. In October 2021, HIV Scotland was issued with a £10,000 GDPR fine when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. 

Organisations must have appropriate policies and training in place to minimise the risks of personal data being inappropriately disclosed via email. To avoid similar incidents, the ICO recommends that organisations should:

Consider using other secure means to send communications that involve large amounts of data or sensitive information. This could include using bulk email services, mail merge, or secure data transfer services, so information is not shared with people by mistake.

Consider having appropriate policies in place and training for staff in relation to email communications.

For non-sensitive communications, organisations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organisations.

More on email best practice in the ICO’s email and security guidance.

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.

Apprentice Case Study – Meet Evie

In 2022, Act Now Training teamed up with Damar Training to support their delivery of the new Data Protection and Information Governance Practitioner Apprenticeship. The aim is to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address future IG challenges. Two years on, over 130 apprentices are currently on the programme with the first group of apprentices due to undertake the endpoint assessment and so we caught up with Manchester Airport Group apprentice Evie Scott and her manager to get their thoughts on the programme so far.

Evie left college in summer 2022 after A Levels and a BTEC. She wanted to continue learning but in a more hands-on environment:

“In my final year of college, my tutor helped me create a LinkedIn account and I found the Data Protection and Information Governance Practitioner apprenticeship opportunity at Manchester Airport Group. Having previously visited the airport on a school trip I found the range of jobs there fascinating, so I started looking into their apprenticeship opportunities and how they could benefit my career.”

Evie applied successfully for the role of apprentice Data Protection and Information Governance Practitioner at Manchester Airport Group (MAG). Over a year into her job, she is finding the programme engaging and is developing new skills and perspectives that she can apply at work:

“I really enjoy the fact that the apprenticeship programme is challenging yet engaging. I enjoy the further reading aspect as it allows me to gain a greater insight into topics and offers different viewpoints and perspectives which I try adopting into my work.”

Charlotte Lewendon-Jones, Head of Data Protection and Privacy at MAG, has over 30 years’ experience in Information Governance. She was part of the trailblazer group of employers that helped develop the Data Protection and Information Governance Practitioner apprenticeship.

Charlotte manages the Data Protection and Compliance Team at MAG.
When MAG advertised their data protection apprenticeship opportunities in summer 2022, they were overwhelmed by the level of interest. This was testament, Charlotte believes, to the quality of the apprenticeship itself and to MAG’s commitment to its wider apprenticeship programme. On the impact of apprentices so far, she comments:

“The apprentices are confident and bring a fresh viewpoint to the team which brings huge improvements. When the apprentices go on training sessions, I challenge them on some of our processes to see what they have learnt, find ways in which we can do better and support their learning journey.”

About Evie, Charlotte adds:

“Considering Evie didn’t have any experience in data protection and information governance, I feel she’s done really well. Her training started in September 2022 and I’ve seen her confidence grow. Her approach and attitude to work are excellent, she’s gaining great experience, asking fewer questions and making more informed decisions based on her experience and what she’s learnt.”

Finally, we asked Evie how she feels the apprenticeship will impact her moving forward:

“When I apply what I have learnt so far to my workload or tasks I have an appreciation for why things are done in a certain way. I feel the further I get into my apprenticeship more it will continue to influence my everyday tasks, benefit the organisation and help me in my job role.”

“At Damar, we believe in the power of apprenticeships to benefit business and transform lives. We see it every day across the thousands of supportive employers, apprentices and workplace supervisors that we are proud to partner with.”

You can read about the experience of another apprentice (Natasha) here.

If you are interested in the DP and IG Apprenticeship, please see our website for more details and get in touch to discuss further.

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: