New GDPR Practitioner Certificate Launched!



New GDPR Practitioner Certificate Launched

Act Now Training Limited is pleased to announce the launch of its new GDPR Practitioner Certificate (GDPR.Cert).

The General Data Protection Regulation (GDPR) is going to be implemented in May 2018 despite the Brexit vote. Indeed the Government has confirmed that GDPR is going to be part of UK law even after the UK leaves the EU. So say hello to Breach Notification, the Right To Be Forgotten, the joys of Privacy Impact Assessments and, in some cases, the mandatory Data Protection Officer.

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. This is going to be a challenging role. In a recent conference speech, Elizabeth Denham, the new Information Commissioner said.

“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The course tutor is Tim Turner who says:

“GDPR is the biggest change to Data Protection in a generation. I have looked at every aspect of this revised course to equip Data Protection officers with the knowledge they need to tackle GDPR in a practical way.”

Tim will share his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

This new course builds on Act Now’s reputation for delivering high quality practical training at an affordable price:

This new course widens the choice of qualifications for DP practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) said:

“We are pleased be able to launch this new qualification with less than 18 months to go to GDPR implementation. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future Data Protection Officers.”

To learn more please visit our website or download the flyer.

Posted in Brexit, Data Protection, EU DP Regulation, GDPR, ISEB, Privacy | Leave a comment

Practitioner Certificate in FOISA: Another Successful Year


Act Now Training is pleased to report that it has completed another successful year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Now in its fourth year the course is the only certificated FOI course specifically designed for Scottish delegates.

Two courses were delivered in 2016 with 22 very strong candidates from a variety of backgrounds including the local government, education, health, government and regulatory sectors. All the delegates passed the course. Of these 3 achieved a distinction and 14 achieved a merit. The delegate feedback has been extremely positive:

“I really enjoyed the course and thought that Tim Turner really brought the subject to life.  He was an excellent tutor and made this subject both interesting and informative with amusing anecdotes throughout.  I would certainly go on another course being delivered by Tim Turner and I would recommend him to my peers.”  LC, Glasgow Kelvin College

“Tim was an excellent tutor. His knowledge of the subject was vast and impressive. I learned a lot.” JM, Fife Council

“This is the most useful course I have participated in for a long time.” JT, Crofting Commission

Read a previous successful candidate’s observations here.

The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board , Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI).

The most recent course was delivered by Frank Rankin who has many years of experience working in the Scottish public sector. Frank said:

 “The Act Now certificate brings together a fantastic cross section of FOISA practitioners from a range of organisations, large and small, across all parts of the public sector. I love sharing ideas and experience with these colleagues, and learning from their campaign stories as well.”

The Act Now Practitioner Certificate in FOISA is now the qualification of choice for FOISA professionals in Scotland. The next course is in February 2017 runs over five weeks and is already filling up. For those who are time poor we also have a one-week intensive option. More details here:

Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations. Act Now has a full programme of FOISA workshops in Scotland.

Posted in BCS, FOISA, ISEB, Uncategorized | Leave a comment

Have you stopped speeding your car? Insurance companies and data protection.


clip_image002I went on a Speed Awareness Course recently. I was not alone as 1,207,570 people did in 2015 and the numbers for 2016 will certainly be higher. There was a wonderful cross section of the population there and two trainers there as well. It was a good course with plenty of information about reading the road, hazards, speed limits quizzes and video.

My first reaction to the Notice of Intended Prosecution was that I’d start accumulating points and points (in car insurance terms) means price hikes so to be offered a course in lieu of points was a fantastic result. The cost of the course (£90) was irrelevant in fact I’d have paid much more to avoid the points. The cost of the Fixed penalty (£100) was also not an issue even though I didn’t pay it. It was the points on my licence that was at the forefront of my mind.

Not everyone is offered a course however


This says in plain English that you may be caught at 35mph but will avoid a prosecution but between 36mph & 42mph you will be offered a course. So just over the limit is OK; medium level speeding means a course but over the top speeding means a prosecution or fixed penalty. That’s why you see lines of executive cars chugging down the motorway with cruise control set at 78mph. This chart effectively raises all speed limits by 10% to 20% and could even be said to be an inducement to ignore posted speed limits but work with the generous grey area speeds the police allow.

While researching this article I found that some countries base the size of a fine for speeding on the income of the speeder. Finland fined a highly paid (£4.7m a year) businessman £50,000. See more detail here

And also there are stories of people asking other people to “take’ points in return for money. An interesting concept worth investigating…

The big question that came up halfway through the course was

“Should I tell my insurers that I’ve been on the course?”

The trainer was clear.

“Your details will be held on a database so other police forces who may catch you speeding will not offer you a course. This will last for 3 years. The Police will not pass this information to anyone else”

Searching the web will find plenty of discussion on this subject. Here’s what the AA (which provides Speed Awareness Courses) says

“Your personal details are protected by the Data Protection Act 1998. If you elect to participate, you agree to your details being checked by us against the ACPO national database to establish if you have completed a similar course within the last 3 years of this offence.

If you complete a “National” course, your details relating to the course will remain on file with the ACPO national database for road safety research purposes for a further 7 years from the date of the offence, after which any personal reference to you will be erased. These details will not be released to any other party apart from other UK Police Forces if they are considering making an offer of a course in the future.”

ACPO has disappeared and NPCC (National Police Chiefs Council) has sprung up but it’s logical to assume that the data is still there but the name of the Data Controller has changed.

Ndors is the national body that oversees the courses. They say

“Once a person has been on the course then no further action will be taken, there is no fine to pay and they will not have any points put onto their licence.”

A generally held point of view is that there is no conviction so no requirement to inform insurance companies. However some insurance companies (largely the Admiral group) have started to ask potential customers if they have been on a Speed Awareness Course as in their view that person although not convicted have shown an inclination to speed and this would affect any insurance premium.

The web has plenty of forums where this issue is discussed and opinions of insurance companies range from infuriated to incensed. A typical comment is

“Insurance companies will use any excuse to weasel out of paying a claim because they are cheating bastards.”

But who is right in this matter? Is there a data protection angle? We think so.

If anyone approached the police database and asked to see if a person was on that database because they had been on a Speed Awareness Course I would expect the answer to be no you’re not getting it – it’s confidential. Even using the Freedom of Information Act would elicit this response and it seems the right response. There are other exemptions that might apply

However the Insurance companies are not going down that route as they know they don’t have a right of access. They are asking people to voluntarily inform them that they have been on such a course so that they can increase their insurance premium. They point to a general catch-all in their small print that customers must inform them of anything that might affect their insurance. Can insurance companies ask this? Can they ask a question that they know the person doesn’t want to answer because it invades their privacy?

  • Do you have cancer?
  • Do you smoke?
  • Do you walk 5,000 steps a day
  • Have you dropped litter and been fined?
  • Have you separated from your partner?

They say that if you withhold such information it may invalidate the policy but they can’t collect it lawfully unless they obtain it from the customer as they have no lawful means of obtaining it. If you have a massive claim and they see a £25,000 payout in prospect they might just use a private investigator to look into the claim and see if they can find some fault with it. He may stray outside the law and find evidence of your course…

But if you voluntarily answer the question that they may not be able to ask you haven’t you consented to giving the answer?

Consent hits the first button in Schedule 2 so the Insurance companies are processing fairly and lawfully. Or are they? If you are asked to consent to a disclosure that will have an adverse effect on your life is that a true consent or an enforced consent?

Consent isn’t defined in the Data Protection Act so it has its ordinary meaning. A quick web search says consent is “permission for something to happen or agreement to do something”. Do you think customers are agreeing that Admiral can hold their Course attendance and increase premiums as a result? Or are they reluctantly disclosing for fear of losing their insurance?

Other parts of Schedule 2 don’t seem to apply except for old faithful paragraph 6 – the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Whoever inserted the tiny word prejudice here many years ago may have done the nation an immense service. Of course it will prejudice the rights and freedoms of someone who hasn’t been convicted of a speeding offence yet is in danger of being penalised for doing so.

And if you’re thinking of diving into schedule 3 think again. It’s not sensitive data. It’s a training course not a conviction.

So on balance it’s probably unlawful for Insurance companies to ask the question as it’s not a freely given consent; they have no access to the police database of course attendees and if they do set a data hound on the case he probably can’t access the information lawfully either.

But there’s also a left field solution. All seasoned FOI professionals know that there’s a way of answering a request without actually answering it. Yes you’re remembering it now aren’t you – it’s the Neither Confirm nor Deny option.

Section 1(1)(a) of the FOI Act allows this where confirming would in itself disclose sensitive or potentially damaging information that falls under an exemption.

So when the Insurance company asks the question you Neither Confirm nor Deny that you have been on a course. They can’t make any further decisions on your premium. They can’t say “well it’s obvious that he’s done a course” as they have no evidence of it.

Good luck with that one.

Finally if you do find yourself being asked the question and any of the solutions here are a bit too drastic you can always swap insurers to one that doesn’t ask the question. But as you do remember that all the individuals who were coerced into unfairly disclosing Speed Awareness courses to Admiral may find that Admiral shares the data anyway. Big Brother (or Big Insurer) is not far away.

 In the vanguard of forced consent is Admiral. Not content with asking up about speed awareness courses you’ve been on they now want to trawl through your facebook posts to make decisions on what type of person you are so they can adjust premiums of party animals. See Fortunately Facebook has declined to give Admiral access.  But questions have to be asked as to how far Admiral or other insurers will go to into your personal affairs to work out a suitable premium especially for you. A word trending in DP circles as GDPR approaches is Profiling. Maybe it’s time you found out what it will mean for your company in the future.

Image credit

Act Now has a full programme of Data Protection workshops including full day GDPR workshopsWe also run the Act Now Data Protection Practitioner Certificate which is ideal for those preparing for the role of Data Protection Officer under GDPR.

Posted in Data Protection, Privacy | Tagged , | 1 Comment

GDPR is here to stay but what happens next?

It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.

On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:

“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”keep-calm-and-prepare-for-the-gdpr

As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.

This announcement does though put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. Although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.

GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:

  1. Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
  2. Reviewing compliance with the existing law as well as the six new DP Principles.
  3. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  4. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.
  5. Reviewing information security polices and procedures in the light of the GDPR’s security obligations particularly breach notification.

Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.

The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elisabeth Denham ends her blog with these wise words:

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits.

Posted in Data Protection, EU DP Regulation, GDPR, ICO, personal data, Privacy | Tagged , , , , | 1 Comment

New Data Sharing Powers in the Digital Economy Bill


Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.

The Digital Economy Bill is currently making its way through Parliament. It contains provisions, which will give public authorities (including councils) more power to share personal data with each other as well as in some cases the private sector.

The Bill has been a long time coming and is an attempt by the Government to restore some confidence in data sharing after the Care.Data fiasco. It follows a consultation which ended in April with the publication of the responses.

The Bill will give public authorities a legal power to share personal data for four purposes:

  1. To support the well being of individuals and households. The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help re tuning their televisions after changes to broadcasting bands and providing direct discounts on energy bills for people living in fuel poverty.
  2. For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
  3. Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
  4. Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.

The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.

A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.

The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch) , many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.

It is also an oversight on the part of the drafters that it does not mention the new General Data Protection Regulation (GDPR) which will come into force on 25th May 2018. This is much more prescriptive in terms of Data Controllers’ obligations especially on transparency and privacy notices.

These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.

Illustration provided by the Office of the Privacy Commissioner of Canada (

Posted in Data Protection, Data Sharing, Personal Data | Tagged , , , | Leave a comment

The revised ICO Privacy Notices Code and GDPR

ICO Privacy notice code (4)

Earlier this month the Information Commissioner’s Office (ICO) published its revised Privacy Notices Code of Practice.

Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:

  • The identity of the Data Controller
  • The purpose, or purposes, for which the information will be processed
  • Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st DP Principle).

The ICO says that organisations need to do more to explain to service users what they are doing with personal personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.

As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.

This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.

The code includes a helpful checklist, covering key points and tips on how to write a notice.

Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!

Want to know more about privacy notices under GDPR?  Attend our full day GDPR workshopThe Act Now Data Protection Practitioner Certificate is ideal for those preparing for the role of Data Protection Officer under GDPR.

Posted in Data Protection, Data Sharing, EU DP Regulation, Privacy | Tagged , , , | 2 Comments

DPO or not to DPO: The Data Protection Officer under GDPR


The General Data Protection Regulation (GDPR) is nearly upon us and one of the elements is the requirement for certain organisations to have a Data Protection Officer.

This throws up some interesting issues. A qualified, experienced data protection officer is a valuable commodity. They do exist but command salaries approaching £50,000 in large organisations (stop laughing at the back) and if you’re a small organisation they’re not going to work for you for peanuts. So where do you find a qualified, experienced DPO?

Secondly will there be a requirement upon you to have one? It looks like there will be three clear cases.

  1. processing is carried out by a public authority,
  2. the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring
    of data subjects on a large scale
  3. the core activities consist of processing on a large scale of special categories of data.

But to go back to the DPO what does qualified mean? Yes there are qualifications out there. The accepted gold standard in the UK is the BCS certificate which has 40 hours of training plus a testing 3 hour exam. There are other firms in the sector who offer their own versions and most of them involve significant study (30 or 40 hours) plus exam. Other qualifications exist, like our Data Protection Practitioner Certificate and CIPP certification from the International Association of Privacy Professionals – some for US and some for UK professionals – but the question everyone wants answering is which qualifications will satisfy the GDPR?

Do training providers have to apply for acceptance or endorsement from the EU or their national regulator? Will the content of these courses be examined or will a standard be set and the training providers tailor their material to a certain level or will it be a free for all with no standard to work to? Do you want a DPO who knows how to conduct a Privacy Impact Assessment or who knows about International Data Transfers or one with an understanding of the history of Data Protection? Or will there be a requirement to study a certain (large) number of hours to demonstrate competence? At the moment it looks like all the DPO will need is “sufficient expert knowledge” which doesn’t in itself mean a qualification.

Other skills required by a good DPO are those of Diplomat, Trainer; Advisor, Confidante; Interpreter; Persuader; Listener; Friend to requestors; Policy & procedures writer. They have the ability to talk to the top level of the organisation yet explain complex law in Plain English. Not your run of the mill person.

It looks like the route map will require the DPO to be an employee but one with a different type of outlook. Privacy is becoming a big vote winner; organisations who don’t respect customers privacy will feel the backlash of disgruntled consumers. It really needs someone who is part of the organisation who is present at all times and understand the data processing systems of their employer but is detached enough to be able to criticize his own organisation.

There is a way out for small organisations who think they need a DPO to ensure their organisation is fully compliant with the new regulation. Don’t give the job to an existing member of staff and expect them to learn it on the job; Don’t appoint a knowledgeable, qualified, experienced but expensive DPO – bring in an external one you can use as and when you need them.

Externals have significant benefits. They don’t work full time so the on costs disappear; You can bring them in as required for short term task and finish assignments; You can save the costs of training and continuing education for an internal data protection officer; your staff will react better to an external who appears to have the status of a “consultant”.

Externals also won’t have any political or organisational baggage and can act in an unbiased manner without fear for their job. An external data protection officer also has no worries about favouring certain departments or individuals in the company. Many organisations appoint their Head of Legal as their DPO which brings with it the ethical/legal/best course of action conflict. An external won’t need to bother with this.

You can concentrate on your core business and the external can take care of your data protection.

Once you have appointed an external DPO they will compile a detailed data protection audit on your data protection compliance. They will then identify possible data protection issues and legal risks and explain what is required to remedy them. Then you can start making the necessary changes.  Your business will soon be in full compliance with current data protection laws.

But it doesn’t stop there. The external DPO will be on call and can discuss day-to-day DP issues by phone or email for a small fee. If more detailed work is required further fees and timescales can be agreed.

Working with an external data protection officer is based on a consulting agreement. There may be a retainer fee plus an hourly or daily rate to follow. If your Data Protection needs are low you may not have to consult your EDPO too often.

Not surprisingly EDPOs are starting to appear on the web. They’re quite common in Germany and it’s likely they will become a staple in the UK. Various UK law firms advertise such a service but unsurprisingly the rates they charge are not on view. It might end up costing more than you think especially if you opt for a ’big’ name.

There’s also the scope however for sharing a DPO. This has already happened in various parts of the country as cash strapped rural councils pay for a percentage of a DPO and have them on site part of a week.

At a recent educational conference a group of 30 schools in the same region kicked around the idea of each contributing to buy a DPO for all of them who would fulfill their information law obligations. Sounds quite a good idea until you realise there’s only about 240 working days in a year so each school would have 8 of those days to themselves and the shared DPO would have a significant petrol expenses tab. A few rural councils with a shared DPO would have a much better deal.

Sadly GDPR is not well understood and there are those who think Brexit will derail it (though not true) but a wise organisation should be thinking now if and when they will need a DPO, what qualification they will have and how do they find one.

An external who is called on infrequently might appear be the cheapest option but might have further hidden costs and a part share of a DPO might be a good short term solution but would they be as good as the expert knowledge and day to day hands on work of a full timer.

Good news for Data Protection Officers…

We are running a series of GDPR webinars and workshops and our team of experts are available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.

Posted in Data Protection, EU DP Regulation, GDPR, ICO, Personal Data, personal data, Tribunal | Tagged , , | 2 Comments