First Two GDPR Enforcement Notices – Lessons Learnt

Fingerprint scanning provides security access biometrics identification with Business Technology Safety Internet Network Ui.

The Information Commissioner’s Office (ICO) recently served only its second Enforcement Notice for breaches of the GDPR.

The first Enforcement Notice was issued in July 2018 against a Canadian company, AggregateIQ Data Services Ltd (AIQ). Strangely it was not published on the ICO’s website but was mentioned in the ICO’s report: “Investigation into the use of data analytics in political campaigns“. Pursuant to section 149 of the Data Protection Act 2018, the notice required AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

The ICO found that AIQ had violated Article 5 and 6 of the GDPR, by processing personal data unbeknown to the data subjects, for undeclared purposes and without a lawful basis for such processing. It had also failed to provide the transparency information, as required under Article 14 of the GDPR.

On 9thMay 2019, the Second Enforcement Notice was served on Her Majesty’s Revenue and Customs (HMRC) ordering it to delete personal data it collected unlawfully as part of a Voice ID system. The background to the notice is thatHMRC adopted a voice authentication, in January 2017, which asked callers to some of its helplines to record their voice as their password. A complaint from Big Brother Watch to the ICO revealed that callers were not given further information or advised that they did not have to sign up to the service. There was no clear option for callers who did not wish to register. In short, HMRC did not have adequate consent  from its customers to collect the data.

In the notice, the Information Commissioner says that HMRC appears to have given “little or no consideration to the data protection principles when rolling out the Voice ID service.” She highlights the scale of the data collection – seven million voice records – and that HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers. It did not explain to customers how they could decline to participate in the Voice ID system. It also did not explain that customers would not suffer a detrimental impact if they declined to participate.

It was also found that a data protection impact assessment (DPIA), that appropriately considered the compliance risks associated with processing biometric data, was not in place before the system was launched. The ICO plan to follow up the enforcement notice with an audit that will assess HMRC’s compliance with good practice in the processing of personal data.

  • Recording voices which can be used to identify the speaker is biometric data. This is classed as Special Category Data under GDPR.
  • If Data Controllers are planning to rely on consent as a legal basis to process such data, then they must remember that any consent obtained must be explicit (see the ICO guidance on informed consent).
  • Large scale use of biometric data is also “high risk” processing and will require a DPIA.
  • Data Controllers must be able to demonstrate their GDPR compliance by putting appropriate technical and organisational measures in place.

Steve Wood says:

“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit. The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”

Act Now runs a full day workshop which can teach you how to do a DPIA. For those seeking a GDPR qualification, our practitioner certificate is the best option.

 

Posted in GDPR, ICO, personal data, Privacy | Leave a comment

The Data Protection Act 2018 – Pre and Post Brexit

adobestock_85090086.jpeg

The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.

DPA Image for Blog

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

Posted in Brexit, Data Protection, DP ACT 2018, EU DP Regulation, GDPR | Tagged , , | Leave a comment

GDPR Practitioner Certificate: New Course For London

Act Now The GDPR Programme Mailing 250219_Page_4

By popular demand Act Now Training has added an extra course in London for its GDPR Practitioner CertificateThis course is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.It will teach delegates essential GDPR skills and knowledge.

The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The new London course starts on 1st April 2019. Subsequent dates are 8th April, 15th April and 29th April.

This course has been super successful since launch. We ran it over 60 times in 2018 alone with over 900 delegates being trained. You can read some of the feedback here.

Make 2019 the year you achieve a GDPR qualification. Book early to avoid disappointment. 

BREXIT UPDATE: If you want to know more about how a No Deal Scenario will impact on GDPR and the DPA 2018, Ibrahim Hasan is presenting a webinar on 18th March 2019. We also have a new webinar on international transfers pre and post Brexit.

 

 

Posted in DP Bill, EU DP Regulation, GDPR | Leave a comment

Lessons from the Google GDPR Fine

person holding white ipad

Photo by Pixabay on Pexels.com

On 21st January 2019, theFrench National Data Protection Commission (CNIL) fined Google 50 million euros for breaches of the General Data Protection Regulation (GDPR). This is the biggest financial penalty issued so far by any European regulator under the new law. But the decision goes far beyond Google or even the tech sector.

In May 2018 CNIL received complaints from two privacy groups;  None Of Your Business and La Quadrature du Net. They argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.

CNIL agreed citing a “lack of transparency, inadequate information and lack of valid consent” regarding ad personalisation for users. It said users were “not sufficiently informed” about what they were agreeing to. Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens. That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.

GDPR (Article 4) standard consent must be, amongst other things, “specific” and “unambiguous”. Google consent failed as users were not asked specifically to opt in to ad targeting but were asked simply to agree to Google’s terms and privacy policy bundled together.

Google is appealing the decision. Meanwhile the Swedish data protection the Swedish Data Protection Authority (Datainspektionen) has also announced an investigation Google’s slurping of location and web histories.

This decision requires all Data Controllers to think carefully how they go about obtaining consent for personal data processing. Article 7 and 8 of GDPR must be considered as well as the Article 29 Working Party guidance.

Article 13 and 14 set out what information should be given to data subjects when processing their personal data. This is a stand-alone right but it also helps to ensure that the processing is fair and transparent as per Article 5(1)(a). Our blog on what to include in a privacy notice (including examples) will help those revising their notices in the light of this decision.

BREXIT UPDATE: Draft regulations have been laid before Parliament to amend GDPR and the Data Protection Act 2018 will change as a result of Brexit. If you want to know more, Ibrahim Hasan is presenting a webinar on 12th and 21st February 2019 at 10am.

Make 2019 the year you achieve a GDPR qualification. Our GDPR Practitioner Certificate courses are filling up fast.

Posted in GDPR, ICO | Tagged , , | Leave a comment

Making GDPR British: New Regulations set out the UK’s post Brexit DP landscape

robert-tudor-704838-unsplash

On 19th December 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29th March 2019, with only one page of explanatory notes. And you thought Theresa May had problems!

Before you start reaching for the highlighters, marker pens and sticky notes (and maybe even smelling salts) it is important to bear in mind that the primary aim of the new regulations is “to make GDPR British” (my phrase). Yes dear readers, we will soon have our own (red, white and blue) version of GDPR. All the pain and cost of Brexit will have been worth it!

To understand the new regulations, we have to go “back to basics” (not my phrase). The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Despite the UK leaving the EU on 29th March (or later – you never know! – or never, in which case ignore everything and wait for more blog posts!!!!), all EU laws, including GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.

The EU version of GDPR, which the UK is bound by until exit day, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend GDPR to remove these references and replace them with British equivalents where applicable. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. (Read our summary and blog post busting some of the myths).

Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context. Amongst other things, the new regulations merge this part into the UK GDPR.

Other provisions to note include:

  • Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.
  • Regulation 6 introduces Schedule 3, which makes consequential amendments to other legislation.
  • Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in light of provision made by the GDPR relating to the meaning of “consent”.

Part 3 of the DPA 2018 regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. This part will continue to apply, even after exit day, to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc. Some minor amendments will be made to reflect the UK GDPR. Similarly Part 4 of the Act (processing of personal data by the Intelligence Services) and Parts 5 and 6 (Information Commissioner Powers and Enforcement) will remain in force.

The new regulations also deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. These regulations attempt to make the UK version of GDPR as robust as the EU version. We will have to wait and see if the EU agrees.

The new regulations are currently in draft (you can follow their progress here). If approved they come into force on exit day, which is currently scheduled to be 29th March 2019, although it could be later. With all the uncertainties over the Brexit deal, I would not get the markers out just yet nor tear up your Act Now GDPR handbook!

STOP PRESS – The Regulations were made on 28th February 2018 and will come into force as set out in Regulation 1.

If you want to know more about the new regulations, Ibrahim Hasan is presenting a on international transfers.

Make 2019 the year you achieve a GDPR qualification. Our next few GDPR Practitioner Certificate courses are almost fully booked!

Posted in DP ACT 2018, GDPR | Tagged , | 3 Comments

Seasons Greetings

Seasons Greetings Banner - No Text

Act Now Training would like to wish everyone all of the seasons greetings and we wish you a happy and prosperous 2019.

The office will be shut from Friday 21st December until the 2nd January 2019.

We look forward to seeing you all in the new year!

Posted in Marketing, Uncategorized | Leave a comment

Act Now Launches New FOI Practitioner Certificate

 

FOI Certificate Banner

Act Now is pleased to announce the launch of its brand new FOI Practitioner Certificate.

This course is one of the first of its kind, in a way that only Act Now delivers – practical, on the ground skills to help you fulfil your role as an FOI Officer.

This new certificate course is ideal for those wishing to acquire detailed knowledge of FOI and related information access legislation (including EIR) in a practical context. It has been designed by leading FOI experts including Ibrahim Hasan and Susan Wolf – formerly a senior lecturer on the University of Northumbria’s LLM in Information
Rights Law.

The course uses the same format as our very successful GDPR Practitioner Certificate. It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. This format has been extremely well received by over 1000  delegates who have completed the course. Time will also be spent at the end of each day discussing what issues delegates may face when implementing/advising on the FOI topics of the day.

The four teaching days are followed by an online assessment and a practical project to be completed within 30 days.

Why is this course different?

  • An emphasis on practical application of FOI rather than rote learning
  • Lots of real life case studies and exercises
  • An emphasis on drafting Refusal Notices
  • An online Resource Lab with links, guidance and over 5 hours of videos
  • Modern assessment methods rather than a closed book exam

 Who should attend?

This course is suitable for anyone working within the public sector who needs to learn about FOI and related legislation in a practical context, as well as those with the requisite knowledge wishing to have it recognised through a formal qualification. It is most suitable for:

  • FOI Officers
  • Data Protection Officers
  • Compliance Officers
  • Auditors
  • Legal Advisers

Susan, says:

“FOI and EIR are almost 14 years old. Since the Act and Regulations came into force there have been many legal developments and court decisions that have given practitioners a much greater understanding of the legal provisions and how they should be applied in practice. With this in mind, we have written this course to ensure that it equips public sector officers with all the necessary knowledge and skills they need to respond to freedom of information requests accurately and efficiently. This course, with its emphasis on the law in practice, will enable trainees to become more accomplished and confident FOI practitioners”

Susan will share her vast experience gained through years of helping organisations comply with their information rights legislation obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering practical training at an affordable price:

This new course widens the choice of qualifications for IG practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) commented:

“We are pleased be able to launch this new qualification. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

To learn more please visit our website.

All our courses can be delivered at your premises at a substantially reduced cost.
Contact us for more information.

Posted in BCS, Certificated course, EIR, FOI caselaw, FOI caselaw, Section 5, FOI Fees, salaries, personal data, FOI Fees, FOI Veto, FOISA, Freedom of Information | Leave a comment