Book Review: Blackstone’s Guide to the Investigatory Powers Act 2016 by Simon McKay (@simonmckay)


The Investigatory Powers Act received Royal Assent on 29 November 2016.

Nicknamed “the Snoopers’ Charter”, the Act provides that communications service providers may be required by the Secretary of State to retain communications data, for up to 12 months, where it is considered necessary and proportionate to do so and where that decision has been approved by a Judicial Commissioner.

Specified public authorities, including the police, the security and intelligence agencies as well as local authorities, may acquire communications data from a telecommunications operator or postal operator where it is both necessary and proportionate to do so, for specified purposes.

The Government says that retention of, and ability to access, communications data is an essential tool for law enforcement and national security investigations. It is used to investigate crime, keep children safe, support or disprove alibis and link a suspect to a particular crime scene, amongst many other purposes. Sometimes communications data is the only way to identify offenders, particularly where offences are committed online, such as child sexual exploitation or fraud.

However, there have been concerns around the balance between privacy and security in the Act. In January 2018 a Court of Appeal ruling found the Data Retention and Investigatory Powers Act (DRIPA) – a previous law covering state surveillance, which has been expanded upon with the Investigatory Powers Act – is unlawful.

The court ruled that the legislation violated UK citizens’ human rights (Article 8 of the European Convention on Human Rights) by collecting internet activity and phone records and letting public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off. The court said that the Act will have to be “urgently changed” as a result.

Fresh amendments were also proposed by the government in November 2017 following a European court ruling which said that the “general and indiscriminate retention” of personal communications data by police and security services “cannot be considered justified within a democratic society”.

Blackstone’s Guide to the Investigatory Powers Act 2016 is written by Simon McKay, a barrister and surveillance law expert. It is an excellent guide to this complicated piece of legislation.

It starts with a very useful chapter on the history and background to the Act, which is important to read, in order to understand where the Government is coming from with this controversial legislation. Subsequent chapters discuss in detail, amongst other things, the processes and pitfalls in relation to the interception of communications, access to communications data and retention of data and equipment interference. Each chapter does not just refer the reader to the Act but also discusses other relevant legislation as well as caselaw from UK and European courts.

Part 1, Chapter 2 of the Regulation of Investigatory Powers Act (RIPA) provided a framework for the lawful acquisition and disclosure of communications data by law enforcement agencies as well as other public bodies including councils. This part of RIPA has now been replaced by Part 3 of the Investigatory Powers Act. Chapter 4 of the book explains the process in detail and the familiar RIPA concepts of notices and authorisations.

Sections 73-75 of the Act place restrictions on local authorities’ ability to acquire communications and data. Experienced practitioners, with a knowledge of RIPA, will not be surprised by the restrictions, which include a need for high-level internal authorisation and magistrates’ approval. Of course, with the new Act there are now new oversight arrangements, which are explained in Chapter 9.

If you are involved in advising or training on surveillance and investigations law, this book will be a valuable addition to your library. It also contains a copy of the Act.

Posted in Investigatory powers act, Privacy, Surveillance

GDPR: The New ICO Fees Regime


25th May 2018, when the General Data Protection Regulation (GDPR) comes into force, will see the end of the current Notification regime under the Data Protection Act 1998.

Until recently, Data Controllers looked set to save a little money and the Information Commissioner’s Office (ICO) a lot of money. The ICO is currently funded partly from the annual Notification fees. In 2016 it collected more than 17 million pounds.

As predicted on this blog last year, the Government has now announced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 were laid before Parliament on 20th February 2018 and will come into effect on 25 May 2018, to coincide with the GDPR. The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide-ranging provisions about data sharing). Data Processors do not have to pay any fee to the ICO, but then many will be Data Controllers in their own right.

In summary there are three different tiers of fee and Data Controllers are expected to pay between £40 and £2,900 depending on the number of staff they employ and their annual turnover:

Tier 1 – Micro Organisations will pay £40

Applies to Data Controllers who have a maximum turnover of £632,000 for their financial year or no more than 10 members of staff.

Tier 2 – Small and Medium Organisations will pay £60

Applies to Data Controllers who have a maximum turnover of £36 million for their financial year or no more than 250 members of staff.

Tier 3 – Large organisations will pay £2,900

Applies to Data Controllers who do not meet the criteria for tier 1 or tier 2 above.

Data Controllers who currently have a registration (or notification) under the 1998 Act will not need to pay the new data protection fee until their registration expires. The ICO will write to them before this happens to explain what they need to do next. With regard to Data Controllers who are already registered, the ICO will decide what tier they come under based on the information it has, but Controllers will always be able to challenge this. The good news is that Data Controllers choosing to pay the fee by direct debit will receive an automatic discount of £5 at the point of payment. Every little helps!

The 2018 regulations make it clear that public authorities (e.g. councils) should categorise themselves according to staff numbers only. They do not need to take turnover into account. Furthermore, charities that are not otherwise subject to an exemption, will only be liable to pay the tier 1 fee, regardless of size or turnover.

A Data Controller processing personal data only for one or more of the following purposes is not required to pay a fee:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not for profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

To help Data Controllers understand the new fee regime, the ICO has produced a Guide to the Data Protection Fee.

Act Now can help you prepare for GDPR. Our 2018 course programme contains many more GDPR workshops and live webinars.

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally for frontline staff our one hour GDPR E Learning Course is ideal.

Posted in Fees, GDPR, ICO, Information Security

Act Now Launches New Certificate in IG for Health and Social Care

Act Now Certificate in Information Governance

Today ANT launched a new style of certificate course. It’s not a one day course, it’s not a practitioner certificate – it fits in between the two and is intended as a primer in all aspects of information law for the Health and Social Care sector.

The course runs for a period of 3 months and uses blended learning. Students can work online and in their own time (either at home or at work) by submitting written assignments and doing online tests. There is no final exam. The course uses continuous assessment to determine the award.

There are 3 teaching days which are each followed by an online knowledge check and an assignment. Subjects covered include Data Protection (GDPR), Freedom of Information, Records Management, Cyber Security, Incident Management, Training in IG and demonstrating compliance. A detailed course structure is available on our website.

The course was developed after consultation with Blackpool Victoria Hospital and a well known NHS expert and consultant, Paul Couldrey, who will be delivering the training. Victoria Hospital have made a significant contribution to the syllabus from a user perspective.

Paul is seen as an NHS leader in Information Governance compliance. He is the former Head of IG for NHS Central Midlands Commissioning Support Unit (CMCSU), which supports over 10 CCG and overseas health authorities to comply with legislation. He is qualified in information law at Masters level, and has spoken at numerous national conferences about information governance. He was also the Black Country contributor to the Caldicott Review published in June 2013.

We expect demand for this course to be high. IG in the health sector places a heavy workload on IG teams. Newcomers in the sector need to be brought up to speed as quickly and effectively as possible. This course provides that opportunity and also a certificate to demonstrate competence. The first public course starts in late April with the teaching days in Manchester in May, June and July. The course can also be delivered in house.

Take a look at the new IG cert on our website.

Act Now Training runs many courses in all aspects of Information Governance. With courses starting from as little as £20, we have a range to suit all requirements. From e-learning, full hour webinars, all the way up to expert level Practitioner courses that are accredited, we have something to suit your requirements. All our courses are flexible and can be delivered in house at your premises. Please get in touch for a bespoke quote.


Posted in GDPR, IG Health, Local Authorities

Act Now Launches New GDPR E-Learning Course


In December, a nursing auxiliary was fined for accessing a patient’s medical records without a valid legal reason. In November a charity employee was prosecuted after he sent spreadsheets containing the information of vulnerable clients to his personal email address without the knowledge of his employer, the Rochdale Connections Trust.

Staff are often a key risk area when it comes to data protection compliance. GDPR will replace the DPA on 25th May 2018. Failure to comply with it could lead to fines of up to 20 million Euros or 4% of global annual turnover (whichever is higher).

All staff need to know about how the law will change and how personal data should be handled. But how do employers do this without staff leaving the office or overspending the training budget?

Enter the Act Now GDPR E Learning Course. This new online training course will give staff basic GDPR knowledge in 1 hour. The target audience is frontline staff, both in the public and private sector, and those who handle personal data on a day-to-day basis who need a basic knowledge of how to comply with GDPR in their role. This includes receptionists, clerical workers, school staff, call handlers, healthcare workers, bank staff etc.

The course consists of two modules in which our data protection experts explain the key messages of GDPR in a simple and jargon free way including:

  • The main GDPR obligations and the new Data Subject rights
  • How to keep personal data safe and secure

Each module is accompanied by a multiple-choice quiz containing 10 randomly generated questions based on the contents of the module. The pass mark is 60% on each quiz. A certificate of successful completion is issued to each participant.

In producing these modules we have had regard to the Information Commissioner’s data protection training checklist.


With costs from as little as £20 +vat per user for up to 25 users, the Act Now GDPR E Learning Course is the most cost effective GDPR training solution. We can also cater for larger numbers; please get in touch for a personalised quote.

To find out more see our website or Contact Us to arrange a free demo.

And Finally…

  • Our 2018 course programme contains many more GDPR courses including workshops and live webinars.
  • Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. Read about the last set of results. Two out of the next five courses in 2018 are fully booked.
  • If you require tailored GDPR training delivered at your premises, please get in touch.
  • We have sold over 400 copies of our GDPR handbook. We are donating £1 from each sale to the DEC Rohingya Crisis Appeal.

Download our e-learning flyer here


Posted in Data Protection, e-learning, GDPR, Privacy, Training

Freedom of Information: New Draft S.45 Code of Practice


Amongst all the hype about GDPR it is easy to miss developments in other areas of information law. In November 2017, the Cabinet Office published the revised code of practice (under section 45 of the Freedom of Information Act 2000) for consultation.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine FOI’s operation. In its report the Commission concluded that FOI was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness.

In its response to the Commission’s report, the government agreed to update the S.45 Code of Practice. The draft code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not currently included in the Code, e.g. general principles about how to define “information” and that which is “held” for the purposes of the Act.

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with the guidance set out in this Code. The Commissioner can also refer to non-compliance with the Code in Decision and Enforcement Notices.

As well as giving more guidance on advice and assistance, costs, vexatious requests and consultation, the code places new “burdens” on public authorities including the following:

  • Public authorities should produce a guide to their Publication Scheme.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling FOI requests.
  • Pay (salaries over £90,000), expenses and benefits of senior staff at director level and equivalents should be published at regular intervals. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.
  • The public interest test extension to the time limit for responding to an FOI request should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets will be merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There will also be an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the draft code carefully and decide whether the additional obligations are workable given pressures on resources, especially due to GDPR’s pending implementation.

The deadline for consultation responses is 2nd February 2018.


We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars. For those wanting an internationally recognised qualification the BCS Certificate in Freedom of Information starts in February 2018 in Manchester and London.

Posted in Freedom of Information, Section 45, Transparency

GDPR Training Courses in Dubai


Act Now Training is pleased to announce two forthcoming GDPR training workshops in Dubai (UAE).

The General Data Protection Regulation (GDPR) will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of the world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Failure to comply with GDPR could lead to massive reputational damage and a fine of up to 20 million Euros or 4% of global annual turnover (whichever is higher).

Our Dubai workshops will examine the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors will be discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we will discuss how GDPR is a business opportunity rather than a threat. By the end of the workshop delegates will be able to write their own action plan for GDPR compliance.

Ibrahim Hasan, solicitor and Director of Act Now Training, will deliver the first two workshops in Dubai. He said:

“I am really pleased to design and deliver this new GDPR workshop in Dubai. It will add to our growing experience of delivering data protection training abroad. Dubai is the latest addition to our increasing international portfolio. We plan to use it as a platform to showcase our other GDPR courses and consultancy services.”

More details and a course outline here

Our 2018 course programme contains many more GDPR courses and live webinars which are held in locations throughout the UK. Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally, we have sold over 350 copies of our GDPR handbook. We are donating £1 from each sale to the DEC Rohingya Crisis Appeal.

Happy New Year!

Posted in Dubai, GDPR, Privacy, Training

RIPA Surveillance Oversight and Inspection Regime Changes


By Steve Morris

On 1st September 2017 Lord Justice Fulford commenced his new role as the Investigatory Powers Commissioner. Assisted by the Investigatory Powers Commissioner’s Office (IPCO), he will undertake the oversight functions of three previous Commissioners under the Regulation of Investigatory Powers Act 2000 namely the Chief Surveillance Commissioner, Interception of Communications Commissioner and the Intelligence Services Commissioner.

This marks a major milestone in establishing a new oversight regime set out in the Investigatory Powers Act, which was given Royal Assent in 2016. The Act, amongst other things, provides new powers for the police to access communications data e.g. telephone records, internet usage information etc. More on the Act in further blog posts.

Not only does the new commissioner take over the inspection and oversight functions carried out by the previous commissioners, he takes on responsibility for the pre-approval of certain police activities authorised under the Police Act 1997.

The Investigatory Powers Commissioner’s Office will consist of around 70 staff. This will be made up of:

  • Around 15 Judicial Commissioners, current and recently retired High Court, Court of Appeal and Supreme Court Judges;
  • A Technical Advisory Panel, of scientific experts; and
  • Almost 50 official staff, including inspectors, lawyers and communications experts.

Over the next 12 months Judicial Commissioners will start to take on their prior approval functions relating to the Investigatory Powers Act 2016, including interception, equipment interference, bulk personal datasets, bulk acquisition of communications data, national security notices, technical capability notices and communications data retention notices. The Judicial Commissioners will be supported in this work by the Technology Advisory Panel.

What impact will this new commissioner have on local authority inspections under Part 2 of RIPA carried out previously by the Office of the Surveillance Commissioners (OSC)? I suspect not a lot. The same issues will be considered as previously. The final OSC annual report once again highlights the recurring issue of investigations using social networks e.g. Facebook.

If you have an inspection coming up read our guide here.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid reinventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

Posted in CCTV, OSC, RIPA, Surveillance