BCS Data Protection Course – How I Passed

Sarah BrowBCS Logo4ne, Information Compliance and Records Management Assistant at Greater Manchester Police, recently passed the BCS (ISEB) Certificate in Data Protection exam with Act Now. These are her top tips for passing:

  • Give up any notions of a social life for 2 months – I did it – My friends and boyfriend supported my decision, because they knew how important it was to me.
  • Let the fear guide you – How many times do you really want to do the three hour exam???  Revise hard so failure isn’t an option.
  • Speak to those in the know – I’d only worked in Data Protection for six months when I began the course, so I ran anything I was unsure about by my colleagues, boss, and of course my Act Now trainer.  The more you talk to people, the more you’ll begin to understand the tricky concepts, and how they fit into the bigger picture.
  • Get your mitts on revision materials – I lent DP books from my local library (Peter Carey, Data Protection (3rd edition), and Data Protection and Compliance in Context by BCS were invaluable).
  • You can’t get around reading the Act I’m afraid – Filter your reading.  Start with maybe a text book explanation, then Act Now notes, then crack open the Act.
  • Rewrite the Act – To remember the Sections and Subsections (and very late on in my revision when I understood everything, but needed to memorise key parts), I spent one beautiful Saturday rewriting the Data Protection Act. I summarised all the key sections as an aide-memoir to the Act itself.  From then on, I had a 6 page document with the answers to pretty much any question the exam could throw at me.
  • Flash cards – A great way to punish your friends and loved ones for all their support – make them test you!!!  (They’ll hate you, my boyfriend actually said the words “I want to die” while going through my 100+ card pile, but by the same stretch he now knows the definition of consent off by heart because I do!)
  • Work in whatever way works for you – I’m a visual and kinetic learner – I learn by seeing things and doing things, so repeated copying is well up my street.  Find out what your learning style is and work with it! (Google what is my learning style, and be amazed!)
  • Mnemonics – I had one for the principles, one for Schedule 2 conditions, one for Schedule 3 conditions, one for categories of sensitive personal data, one for register-able particulars, and many to cover the various Principle 8 options.  Get creative!  Mine included names of people I know, characteristics of them, some of them were just plain bonkers.   Just come up with something memorable.
  • Basics – It sounds really obvious, but learn your basics off by heart.  Know the exact wording of the principles and the schedule 2 and 3 conditions.  They come into everything, so get them right!
  • Read before the class – You get an itinerary, so don’t go in to the class thinking you’ll learn everything there and then.  Go into the class with a broad understanding of what will be discussed, then you can build on that knowledge in class.  Plus you’ll be ready with questions which will help you, and your comrades!
  • Do the homework – End of.
  • Revision videos – When it comes to revision time, take a look at the Act Now revision videos which are available to all Act Now delegates in their online resource lab.  They cover all the nasty areas that everyone struggles with.

And finally a word for Act Now.

My Act Now Data Protection course got me more than just a certificate.  The course has given me a wealth of knowledge of Data Protection, in general, and more confidence in my current role.  My trainer, Phil Bradshaw, has a strong background in law, and is extremely experienced in the application of the Data Protection Act.  The course leaves you well prepared for the exam, but by no means do they simply train you up to pass.  They teach you everything you need to know so that you will pass! Suffice to say, I would recommend it to any Data Protection practitioner.

For more on more on how to pass the BCS (ISEB) exam see our earlier blog posts . Feel free to try the sample test.

Our next ISEB courses start in London and Manchester in December. More Information on our website or email us.

Scottish Information Commissioner’s Annual Report


The Scottish Information Commissioner has published her annual report for 2012/13.  Key facts are as follows:

  • The Office of the Scottish Information Commissioner (OSIC) received 594 FOI appeals in the year. This was an increase of 14% on last year, and an increase of 49% over the last 5 years.
  • 27% of appeals related to a failure to respond within FOI timescales.  This is the largest proportion of such appeals to date.
  • The OSIC found completely in the requesters’ favour in 37% of cases, completely in authorities’ favour in 37% and partially in favour of requesters / authorities in the remainder.
  • OSIC closed 564 cases, a 9% increase on last year.
  • OSIC has introduced new resources to advise and assist public authorities and requesters.
  • OSIC has announced its strategy for improving performance of FOI in Scotland by adding value.

FOI continues to be used predominantly by members of the public, as illustrated by the examples in report.  These show the range of important “real-life” community issues for which FOI is used on a daily basis.

During the year Act Now Training received valuable feedback from the Scottish Information Commissioner in respect of our certificated course; the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. The course is also endorsed by the Centre for FOI based at Dundee University.

If you’re considering joining the course, what can you expect? Read what the tutor has to say and have a go at the FOISA test.

Forthcoming Webinars

EI(S)Rs 2004: An Introduction
18th Oct 2013  @ 10:00am | http://www.actnow.org.uk/courses/966

The FOI (Scotland) Act 2002: An Introduction
28th Nov 2013 @ 10:00am | http://www.actnow.org.uk/courses/971

FOISA 2002: An Update28th Nov 2013 @ 11:30am – http://www.actnow.org.uk/courses/972

Recordings also available – Please email info@actnow.org.uk for more details

The shortest Data Protection Policy in the world?

shortestYoungest son has been looking for work and was interviewed for some warehouse job with a big name in retail and had this thrust under his nose while being interviewed. Luckily the modern scourge of camera phone proved very useful at this point and he showed me this image when he returned home. Is it a Policy? Who is the data controller? Why do applicants have to sign to agree that their application form goes to a prospective employer? Why do they need medical details?  The questions go on and on.  Contradiction in the final paragraph.  And they’ve squeezed all this into just over 50 words. Is it possible to write a Data Protection Policy that will fit into 140 characters? Who writes this stuff?

Use of Social Media in Investigations

canstockphoto10560861All investigators, when tackling rogue traders, fraudsters or errant employees, need to make use of the Internet as an investigatory tool. Unfortunately there is a lack of knowledge of Internet investigation techniques amongst investigators especially those working in the public sector. The Internet can reveal a treasure trove of free information, which can even lead to the perpetrators’ door (literally).

Do you have a smartphone and therefore an on-line account for managing email, contacts and messages? Do you use it for accessing applications such Instagram, Flickr (for storing photographs online) and Facebook?

If these applications are used, without properly controlled account settings, then available on-line (for all to see) is your private information, your photographs and other personal data. Even information that you yourself have not uploaded or stored can be mined for more personal information. You might have had photographs taken by a professional, for example for the sale of a home, or at events or weddings, or even by friends and family. These images are then posted on web sites and/or stored on-line (perhaps on Instagram, and Flickr ) often without your knowledge. The images will retain tagging and geo data used by the photographer to catalogue their albums. This might be your postcode, email address, name, or other identifying information. Someone who knows what to look for and where to look can discover a lot about you!

Worrying! But also very useful if you are investigating an individual for criminal or civil offences (or just disciplinary matters). Here are a few examples where such information was used by investigators to find out about individuals clearly “up to no good.”

Case Study 1 – The Malicious Blogger

A Chief Executive of a public sector organisation received an email containing particularly threatening and abusive language and menacing comments. Enquiries about the routing of the email revealed it had been sent from an Internet café.

Just twenty-five minutes of open source research produced a result. The advanced search facilities within Google, and a couple of search facilities specific to social networking sites, identified the full details of the sender. Step one was to search the email address, which revealed a posting on a blog, which in turn revealed a publicly listed unique user name. This was searched and the user was found on a couple of unpleasant blogs linking with others. This in turn led to another user name which was very close to the individual’s real name. This in turn led to his Facebook account, tagged images, and other unpleasant on-line postings. A few minutes later the home address of the perpetrator together with very current photographs were discovered. He was found to be a professional working for a public authority!

Case Study 2 – The Rogue Employee

An employee was suspected of working on his own business whilst off sick from work. Resource intensive and potentially controversial covert surveillance was one of many options considered. However, from just a mobile number this individual was traced to an EBay account using the EBay advanced search facility. As well as identifying the goods for sale through this business venture, the username for this EBay account was linked to a website with a Twitter account. Tweets by this person revealed the exact times and dates when he was working on his own business. Much of what he was doing was taking place when he was at work. A web of business networking and LinkedIn activity was also unravelled detailing far more than what the investigators had imagined.

These are just a couple of examples of investigations where auditors/investigators benefitted from having a thorough knowledge of online investigation techniques. It doesn’t always work this easily but my new course explains the most effective techniques. I also provide practical guidance on how to capture online evidence to accepted national standards.

Any form of surveillance of individuals raises a lot of legal issues (see Ibrahim Hasan’s recent article on the law of employee surveillance). There are pitfalls especially relating to privacy, Data Protection and RIPA to name a few. This course will also give delegates an opportunity to network with others who face the same challenges.

Steve Morris is an ex police officer and one of our expert RIPA course trainers. Steve’s new E Crime and Social Networking Course is proving very popular amongst auditors and investigators wanting to know how to make best use of the Internet when conducting investigations.

%d bloggers like this: