DPO or not to DPO
By Paul Simpkins

The General Data Protection Regulation (GDPR) is nearly upon us and one of the elements is the requirement for certain organisations to have a Data Protection Officer.

This throws up some interesting issues. A qualified, experienced data protection officer is a valuable commodity. They do exist but command salaries approaching £50,000 in large organisations (stop laughing at the back) and if you’re a small organisation they’re not going to work for you for peanuts. So where do you find a qualified, experienced DPO?

Secondly, will there be a requirement on you to have one? It looks like there will be three clear cases:

  1. processing is carried out by a public authority,
  2. the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale,
  3. the core activities consist of processing on a large scale of special categories of data.

But to go back to the DPO, what does qualified mean? Yes, there are qualifications out there. The accepted gold standard in the UK is the BCS certificate, which has 40 hours of training plus a testing 3-hour exam. There are other firms in the sector who offer their own versions and most of them involve significant study (30 or 40 hours) plus an exam. Other qualifications exist, like our Data Protection Practitioner Certificate and CIPP certification from the International Association of Privacy Professionals – some for US and some for UK professionals – but the question everyone wants answering is which qualifications will satisfy the GDPR?

Do training providers have to apply for acceptance or endorsement from the EU or their national regulator? Will the content of these courses be examined or will a standard be set and the training providers tailor their material to a certain level or will it be a free for all with no standard to work to? Do you want a DPO who knows how to conduct a Privacy Impact Assessment or who knows about International Data Transfers or one with an understanding of the history of Data Protection? Or will there be a requirement to study a certain (large) number of hours to demonstrate competence? At the moment it looks like all the DPO will need is “sufficient expert knowledge” which doesn’t in itself mean a qualification.

Other skills required by a good DPO are those of Diplomat, Trainer, Advisor, Confidante, Interpreter, Persuader, Listener, Friend to requestors and Policy & procedures writer. They have the ability to talk to the top level of the organisation yet explain complex law in Plain English. Not your run-of-the-mill person.

It looks like the route map will require the DPO to be an employee, but one with a different type of outlook. Privacy is becoming a big vote winner; organisations who don’t respect customers’ privacy will feel the backlash of disgruntled consumers. It really needs someone who is part of the organisation, who is present at all times and understands the data processing systems of their employer, but is detached enough to be able to criticise their own organisation.

There is a way out for small organisations who think they need a DPO to ensure their organisation is fully compliant with the new regulation. Don’t give the job to an existing member of staff and expect them to learn it on the job; don’t appoint a knowledgeable, qualified, experienced but expensive DPO – bring in an external one you can use as and when you need them.

Externals have significant benefits. They don’t work full time, so the on-costs disappear; you can bring them in as required for short-term task-and-finish assignments; you can save the costs of training and continuing education for an internal data protection officer; your staff will react better to an external who appears to have the status of a “consultant”.

Externals also won’t have any political or organisational baggage and can act in an unbiased manner without fear for their job. An external data protection officer also has no worries about favouring certain departments or individuals in the company. Many organisations appoint their Head of Legal as their DPO which brings with it the ethical/legal/best course of action conflict. An external won’t need to bother with this.

You can concentrate on your core business and the external can take care of your data protection.

Once you have appointed an external DPO they will compile a detailed data protection audit on your data protection compliance. They will then identify possible data protection issues and legal risks and explain what is required to remedy them. Then you can start making the necessary changes. Your business will soon be in full compliance with current data protection laws.

But it doesn’t stop there. The external DPO will be on call and can discuss day-to-day DP issues by phone or email for a small fee. If more detailed work is required further fees and timescales can be agreed.

Working with an external data protection officer (EDPO) is based on a consulting agreement. There may be a retainer fee plus an hourly or daily rate to follow. If your Data Protection needs are low you may not have to consult your EDPO too often.

Not surprisingly, EDPOs are starting to appear on the web. They’re quite common in Germany and it’s likely they will become a staple in the UK. Various UK law firms advertise such a service, but unsurprisingly the rates they charge are not on view. It might end up costing more than you think, especially if you opt for a “big” name.

There’s also the scope, however, for sharing a DPO. This has already happened in various parts of the country as cash-strapped rural councils pay for a percentage of a DPO and have them on site for part of the week.

At a recent educational conference a group of 30 schools in the same region kicked around the idea of each contributing to buy a DPO for all of them who would fulfill their information law obligations. Sounds quite a good idea until you realise there’s only about 240 working days in a year so each school would have 8 of those days to themselves and the shared DPO would have a significant petrol expenses tab. A few rural councils with a shared DPO would have a much better deal.

Sadly, GDPR is not well understood, and there are those who think Brexit will derail it (it won’t), but a wise organisation should be thinking now about if and when it will need a DPO, what qualifications they will have and how to find one.

An external who is called on infrequently might appear to be the cheapest option but might have further hidden costs, and a part share of a DPO might be a good short-term solution, but would they be as good as the expert knowledge and day-to-day hands-on work of a full-timer?

Good news for Data Protection Officers…

We are running a series of GDPR webinars and workshops and our team of experts are available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.


Scottish Information Commissioner’s FOISA Report 2016

Last week the Scottish Information Commissioner, Rosemary Agnew, published her annual report for 2015/16. Ms Agnew enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

The report reveals that:

  • 540 appeals were made to the Commissioner in 2015/16. This is a 14% increase on last year, but is down from 578 appeals two years ago.
  • The number of “failure to respond” appeals fell significantly in 2015/16. The Commissioner accepted 61 “failure to respond” cases for investigation. This was 16% of her investigation caseload – a significant reduction on the 25% three years ago.
  • Appeals volumes fell for some sectors. Most notably for the Scottish Government and its agencies, where appeals fell from 23% of the Commissioner’s caseload in 2014/15 to 15% this year (from 111 appeals to 84).
  • Appeal volumes increased for others. Appeals in relation to non-departmental public bodies increased, from 6% of the Commissioner’s caseload in 2014/15 to 10% this year. This was largely due to an increase in Scottish Fire and Rescue Service appeals, from 1 in 2014/15 to 12 this year. There was also a significant increase in appeals about requests made to Police Scotland. They rose from 9% of appeals last year to 15% in 2015/16 (from 45 to 81 appeals). 3% of Police Scotland’s information requests resulted in an appeal, compared to a national average of 0.8%.
  • 61% of appeals came from members of the public. The media accounted for 20% of appeals, and prisoners 7%.
  • 60% of the Commissioner’s decisions found wholly or partially in the requester’s favour. If an authority has incorrectly withheld information, the Commissioner’s decision will require it to be released.
  • 73% of cases were resolved by the Commissioner within 4 months.
  • Public authorities reported receiving 68,156 information requests in 2015/16. This is a 2% increase on 2014/15. Figures are reported in a publicly available database set up by the Commissioner. The portal data also shows that 75% of requests resulted in some or all of the requested information being provided, and that public authorities themselves are reporting 35% fewer ‘failures to respond’ to information requests since 2014/15.
  • Public awareness of FOI is at its highest ever level, at 85%. This is up from 84% last year, and 78% in September 2013.
  • FOI awareness is lower amongst 16-24 year-olds. Ipsos MORI polling also revealed lower awareness amongst young people. The Commissioner is working in partnership with Young Scot to address this lower awareness.

Speaking at the launch of the report Rosemary Agnew said:

“These signs of improvement in FOI performance are welcome. As my report demonstrates, the majority of information requests result in some or all of the information being disclosed. It is encouraging that only a very small proportion of requests are appealed. I’m also pleased that the number of appeals made about a failure to respond has fallen significantly following our work to tackle this issue.”

“Unfortunately, our experience is that these improvements are not universal. There is still a clear gap between the best performing authorities and those who lag behind. As you will see from my report, my focus still lies in promoting good practice and intervening when I find poor practice.”

In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.

Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four day course is endorsed by the Centre for FOI, based at Dundee University.

The next FOISA Practitioner Certificate course in Edinburgh is starting in February 2017.

If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations and have a go at the FOISA test.


Brexit, Article 50 and the Great Repeal Bill: GDPR means GDPR

On Sunday Theresa May finally fired the starting gun for the process for the UK to leave the European Union. Article 50 of the Lisbon Treaty will be invoked “no later than the end of March next year” she told the Tory Party conference in Birmingham. This will give negotiators two years from the date of notification to conclude trading arrangements with Europe. Unless an earlier date is negotiated (very unlikely given the scale of the task), by April 2019 the UK will be on its own and no longer subject to EU laws.

The Prime Minister also promised a “Great Repeal Bill” in the next Queen’s Speech, to remove the European Communities Act 1972 from the statute book and enshrine all existing EU law into British law on the day of exit. There will then be a process whereby the vast amount of domesticated EU legislation will be sifted. The “good laws” will be retained, some laws amended and some excised from UK law altogether.

What impact do these announcements have on UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The answer in a nutshell (as I said in my July GDPR and Brexit blog post) is: keep calm and carry on (preparing)!

We now know that, whatever happens, UK Data Controllers will have to comply with GDPR for at least ten months. GDPR comes into force on 25th May 2018 but the Article 50 announcement means we will be in the EU (and subject to all its laws including GDPR) until at least the end of March 2019. Article 50 (3) states:

“The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.”

However, it now seems much more likely that UK Data Controllers will have to comply with GDPR for much longer beyond March 2019 (perhaps even indefinitely). The Great Repeal Bill (if it is passed by Parliament) will implement the GDPR along with other EU legislation into our law on exit day. The Government must then decide to keep GDPR, amend it or go back to the drawing board. Practically speaking, keeping GDPR is the only option. Civil servants will have their work cut out examining 80,000 pages of EU agreements. At least with GDPR there is broad agreement amongst stakeholders, including the ICO (see below), that it is a force for good.

Recently, in her first speech as the new UK Information Commissioner, Elizabeth Denham extolled the virtues of GDPR and reiterated the need to prepare for it regardless of the uncertainty about what the future relationship with the EU will look like. She also said in a BBC interview:

“The UK is going to want to continue to do business with Europe”.

“In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.

“The UK was very involved in the drafting of the regulation – it will likely be in effect before the UK leaves the European Union – so I’m concerned about a start and stop regulatory environment.”

Many of GDPR’s key provisions, such as breach notification and the new DP Principles, will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky. Brexit from the EU does not mean Brexit from the GDPR.

Act Now Can Help

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.


RIPA and Communications Data: IoCCo Annual Report

In October 2015 the Prime Minister appointed Sir Stanley Burnton as the new Interception of Communications Commissioner replacing Sir Anthony May. Sir Stanley’s function is to keep under review the interception of communications and the acquisition and disclosure of communications data by public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Local authorities, as well as other agencies, have powers under Part I Chapter 2 of RIPA to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into three categories: “traffic data”, i.e. where a communication was made from, to whom and when; “service use data”, i.e. the use made of the service by any person, e.g. itemised telephone records; and “subscriber data”, i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data, e.g. the Police, the Ambulance Service and HM Revenue and Customs. Local authorities are restricted to subscriber and service use data, and then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance under Part 2, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

On 8th September 2016, Sir Stanley laid his 2015 annual report before Parliament. The report covers the period January to December 2015. Key findings around communications data powers include:

  • 761,702 items of communications data were acquired during 2015.
  • 48% of the items of communications data were traffic data, 2% service use information and 50% subscriber information.
  • 7% of the applications for communications data were made by police forces and law enforcement agencies, 5.7% by the intelligence agencies and 0.6% by local authorities and other public authorities.
  • Only 71 local authorities reported using these powers. The majority of these used them on less than 10 occasions.
  • Out of the 975 applications made by local authorities in 2015, Kent County Council made 107 of these whilst five councils made just 1 application each.

A big reason for the low use of these powers by local authorities is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks).

Another reason may be that since December 2015 the Home Office has required councils to go through the National Anti Fraud Network (NAFN) to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC (Single Point of Contact) role redundant. Consequently the Commissioner no longer conducts inspections of individual local authorities, choosing to inspect NAFN instead.

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities came into force. It contains several policy changes, which will require careful consideration.

When the Investigatory Powers Bill comes into force it will change the communications data access regime. Read our blog and watch this space.

Do you make use of these powers and need refresher training? Act Now is running a live one hour webinar on this topic. We also offer a whole host of training in this area. Please visit our website to find out more!


Act Now DP Practitioner Certificate: Latest Results

Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. The two remaining courses in 2016 are fully booked and the latest set of results and delegate feedback show that it is an ideal qualification for those who work with Data Protection and privacy issues on a day-to-day basis.

In September 2016, a total of 14 delegates passed the course of which 10 achieved a distinction. As ever there was a wide range of delegates from the local government, health, education and private sectors.

Candidates were delighted with their results. They really appreciated the effort put in by our expert speaker Tim Turner:

“The course really was excellent and I would thoroughly recommend it. Data Protection can be a dry subject, but not when delivered by Tim – he kept my full attention from beginning to end with his excellent and interesting presentation, and invaluable advice.”  SB, Lancashire CC

“Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too!” DH, Cheshire West and Chester Council

“Tim imparts a huge amount of information in an accessible, user-friendly way that has never felt overwhelming.” SM, University of Surrey

The emphasis of the course is on the practical skills which Data Protection Officers need to do their job and raise DP standards in their organisation. This is something which was emphasised by our delegates in their feedback:

“I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations.”  AG, Parliamentary and Health Service Ombudsman

“The course provided useful practical examples which makes it easy to apply the DPA and identify a potential breach in a scenario – Immensely useful🙂.” BA, Nursing and Midwifery Council

“Great, thorough presentation and discussion of the practical implementations of data protection, the Act and its future developments.” PC, University of the Highlands and Islands

The course syllabus continues to be revised to include more themes covered by the General Data Protection Regulation (GDPR), which will come into force in May 2018 (and which is still relevant despite the Brexit vote).

The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

If you don’t have the time to attend for four consecutive weeks, why not try our intensive course in Summer 2017?

To learn more please visit our website or get in touch.


IG Dates for your Diary – Let’s seize the day(s)!

By Frank Rankin

It always seems to be the national or international day of something-or-other. As I write it is (as decreed by the United Nations) International Democracy Day. Coming soon we will have (as decreed by a couple of strange blokes in Oregon) International Talk Like A Pirate Day.

As well as providing useful space-fillers to lazy journalists on slow news days, such commemorations are often used to draw attention to serious (or silly) issues.

And as information governance practitioners, why should we miss out?

There are a few calendar dates which we can possibly exploit in the never-ending task of raising awareness among our managers and co-workers of some of the key messages around FOI, data protection and information security.

I plan to send some communications to my colleagues in the NHS organisation where I work, commemorating International Right to Know Day on 28 September. Initiated by FOI activists from around the world in 2002, the day seeks to celebrate successes in improving government transparency, and highlighting continuing struggles. It provides an excuse for me to gently remind colleagues that they could be the recipient of FOI requests and how they should react. I’ll also remind them of the rights that they have as citizens. (Why not put up some FOI posters Frank? Ed.)

October is National Cyber Security Awareness Month and 7 February 2017 will be Safer Internet Day. In drawing the attention of colleagues to guidance and resources to help them keep their families safe online, we also build their skills and awareness to improve security in the workplace. On the last Safer Internet Day we took the opportunity to send tips to colleagues on how to protect themselves and their children from phishing, malware and other nasties. It is the first time I have ever received notes of thanks for an information governance awareness programme!

Across Europe, Data Protection Day is marked on 28 January – the anniversary of the signing of the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, ancestor to the forthcoming General Data Protection Regulation (GDPR). Although I am sure you all knew that. (Well, Tim Turner probably did.) (Dear reader, it is still relevant despite the Brexit vote. Ed.)

While I don’t expect to see MoonPig selling cards for the occasion, again it gives us a hook to hang an awareness message on – perhaps some reminders of the appropriate behaviours we expect from staff to protect the personal data we hold, as well as an update on GDPR developments. (Er, why not put up some GDPR posters, Frank? Ed.)

But Frank, I hear some of you object, aren’t these commemorative dates just a wee bit cheesy? Perhaps. But I am not too proud to borrow any excuse to highlight information governance messages in a way that reminds our people that these issues are universal.

Back in the 1990s, the late Declan Treacy used to champion International Clear Your Desk Day as an opportunity to declutter our work spaces, delivering benefits for ergonomics, mental health and feng shui – as well as for records management and data security. Alas, no-one seems to have picked up the mantle since his death.

So, who is with me? Let’s pick a date and I’ll see you at the confidential waste bin.

Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).


9 Tweets Long

By Paul Simpkins

I went to an AGM last night. It was an employee owned company. I wasn’t there representing anyone just observing but a DP issue cropped up. There was a roaming photographer taking pictures of all the attendees. Some naturally smiled and waved but when I asked the photographer

“What will you do with these pictures?”

the answer was staggering.

“I don’t know.”

It didn’t seem promising but I settled down and Googled the company. The Chief Executive meanwhile made a standard speech about how good they were, being an employee owned company, just like John Lewis he chortled (but not quite as big). The company secretary told us how the Employee Trust was being set up very soon and everything looked rosy.

The results of the Google jury came in. It had a cookie policy on the front page. No privacy policy. I looked on the ICO website. They had notified so they knew something about DP. Back to their website, I used their search facility and typed in Data Protection. No results found.

It wasn’t looking good but I hit “Disclaimer and Copyright” just for fun. There it was. Halfway down the page was a Privacy Statement. Unfortunately it only had 216 words and 1,300 characters. It didn’t give any commitment to protecting personal data; it didn’t quote the Notification number; it didn’t reference the Data Protection Act 1998; it didn’t say the purpose for which data was processed. It didn’t outline the rights of data subjects. It didn’t talk about data sharing (and it was a health and social care employee owned company) and it didn’t offer any contact details if anyone wanted to ask anything about the policy.

In fact it was a poor specimen which didn’t meet current good practice. Of course when the General Data Protection Regulation (GDPR) comes into force the new rules on privacy notices will be much stricter.

Finally a quote from the policy.

“By continuing to use this site you are considered as understanding and agreeing to the contents of this statement.”

So they have no reference to Data Protection; the term isn’t searchable. You can find a Privacy Statement if you look under the Disclaimer and Copyright button, but it’s pretty poor, missing out many things that the ICO code of practice recommends. But whether you find it or not, by continuing to use the site you understand and agree to their Privacy Statement that is just 9 tweets long.

Act Now has a full programme of Data Protection workshops including “Data Protection and Social Media.” http://www.actnow.org.uk/courses/