New Information Commissioner Approved

On Wednesday 27 April 2016, The Culture Media and Sport Committee approved the appointment of Elizabeth Denham as the new UK Information Commissioner following a pre-appointment hearing.

Ms Denham has held the role of Information and Privacy Commissioner in British Columbia since 2010. Prior to that she served as Assistant Privacy Commissioner of Canada for three years (Full CV here).

Jesse Norman MP, Chair of the Committee, said:

“The Committee noted with interest Ms Denham’s views on a range of topics, including the possible retention of emails as official records, the extension of FOI and directors’ liability for data breaches, in particular.

We also noted Ms Denham’s track record on data protection wit Government in British Columbia, and her proactive approach to protection of privacy with major international technology companies.”

Subject to final approval from Her Majesty The Queen, Ms Denham will take over from incumbent Christopher Graham in summer 2016. Mr Graham said:

“I am delighted that Elizabeth Denham is set to take over as the next Information Commissioner. Elizabeth is an experienced information rights practitioner, essential when the ICO is busier than ever and facing the challenges of the digital age.”

Denham will have to hit the ground running when she starts. She will have just two years to ensure that UK Data Controllers are adequately prepared for the new EU General Data Protection Regulation (GDPR), which represents the biggest change to the EU data protection regime in 20 years.

She will also have to help public authorities implement any changes the Government may make to the Freedom of Information regime as a result of the FOI Commission’s recent report.

The school that ticked the box


Now and again as a trainer you know that someone is ticking a box. This happened to an Act Now trainer recently.

A meeting is held in a school somewhere in the heart of England and someone chirps up “Let’s get some Data Protection Training in school. Er.. Madge can you sort something out?  Super.” Madge has no knowledge of information law. She might be the secretary; she might be the playground supervisor but she’s been told to get on with it.

Weeks later Madge does some research on the internet; finds a company that does this and books some online training; a date is agreed and everything seems fine. Madge has opted for online training lasting an hour for a dozen or so admin staff even though for the same price she could have a real expert come to her site and give the school a 3 hour master class in DP (and throw in FOI & EIR for free).

But as the trainer asked to deliver this online training something doesn’t seem right.  You email the contact person to introduce yourself and ask for some steer on what they want and you’re met with a wall of silence. Time passes – no contact. Eventually a phone call elicits the information that they just want a general session on DP.

“How about FOI?” suggests the trainer helpfully.

“No we don’t need that.”

The trainer pulls together a general presentation and places a copy of the delegate materials in the online area alongside the link to access the training on the day where such things are held and informs the school.

Time passes.

The day before the training the school rings Act Now Office and asks how do they access the training. We refer them to the email sent a month previously. A flurry of questions are asked and answered and things finally look ready for the following day.

We start the training, Several people with young sounding names are present. They listen without saying anything. They don’t comment on the fact that their notification was a month late for renewal. They don’t find the lack of a privacy policy remarkable (despite the fact that they have a very handy Snow and Ice Policy in their list of 20 school policies). Their prospectus says nothing about any information law or rights of individuals to access information held by the school. The mini case studies towards the end are all met with the response “We’ll ask the head”. The FOI request sent to the school 6 weeks ago was denied. “No we’ve never seen it” (even though they are shown the actual email on screen).  There are no questions at all.

After 75 minutes they say thank you and leave. The automated feedback email isn’t returned. It’s as if the training session has become lost in a Sleepy Hollow style black hole.

6 weeks later the trainer has a look for their notification on the ICO site. It’s not there. The school is not listed on the Search The Register database. Presumably they let their notification lapse. The school’s website still doesn’t have a privacy policy, a data protection policy or any mention of freedom of information. Searches on the school website return nothing at all to show they have any idea about information law.

The trainer has an attack of conscience. Maybe Madge organized the training, paid the bill and ticked the box. Maybe an SMT meeting receives a note saying DP training has been done. Maybe no-one in a senior position knows how bad things are.  Should the trainer call the school and talk to senior management (if in fact he can get through to them) and say that they’re wide open to a notice being issued (and published on the web) or a prying parent with a grievance exposing their lack of compliance.

But schools like this are rare aren’t they? Schools have heard of DP and FOI and do have policies and procedures and notifications in place don’t they? Don’t they? DON’T THEY?

Are you responsible for schools and their compliance with information law? Do you know if they are aware of information law or how they are complying with it? Act Now offers online training for schools in DP & FOI and have delivered many on site half day workshops covering the subjects at schools all over the UK. Contact us to find out more. Don’t let your schools just tick a box (badly).

The new EU General Data Protection Regulation (GDPR) has now been approved and will come into force in two years time. Everyone, including schools, need to prepare now.

Let the Fun Begin! New EU Data General Protection Regulation #GDPR is Adopted

eu falg.jpg

After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has today been formally adopted by the European Parliament. The Regulation will soon be available in all the official EU languages.

The Regulation will take effect twenty days from its post-vote publication in the Official Journal (May 2018) giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.

The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to keep records or complying with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover (for undertakings).

The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does though allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office(ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.

The ICO has set up a new GDPR microsite and published a 12 step guide to preparing for the Regulation. Read the Assistant Information Commissioner’s blog here about what more they are planning.

The Regulation is accompanied by the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection when applied to crime and justice, but which can be implemented by each Member State through its own laws with greater flexibility.

 All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.

Training and awareness at all levels needs to start now. Here is a nice video to get you started.

Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.

GDPR: The Data Protection Principles (but not as you know them Jim!)


Having recently attended the Information Commissioner’s Office Data Protection Practitioners Conference in Manchester, I should start this blog post by echoing the words of our outgoing Commissioner, Christopher Graham, that the Regulation text is not the final version until later this year when it has been reviewed and fully translated for all 28 member states.

But as the Regulation is unlikely to change in material terms, let’s crack on!

Whenever you see blogs and articles about the new EU General Data Protection Regulation, they are often focusing on what’s new and “exciting”, be that in a good or bad context (see our summary here). But this blog post will look at some of the things that are remaining familiar, albeit in an edited ‘reshuffled’ form.

So let’s go back to basics – the Data Protection Principles. Now under the current Data Protection Act 1998 there are 8 principles that cover things from legitimate purpose to retention and security. Under the Regulation these are changing. Chapter 2, Article 5 (1) (a)-(f) now outlines the principles:

“Personal Data shall be;

1, processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

2, collected for specified, explicit and legitimate purposes and not further processed in a a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (‘purpose limitation’);

3, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

4, accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

6, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);”

Now while the Regulation text doesn’t specifically say “principle 1” etc. it does confirm these as the principles and it is logical to assign numbers (as opposed to A,B,C). Principle A just doesn’t have the same ring to it as, “the first principle”. I suspect that these will now become known by their subject matter, so for example you would have “the accuracy principle” and “the data minimisation principle.”

You will notice that we are also down to 6 principles from our current 8 under the DPA. The 2 “missing principles” have been amalgamated in to the new 6 principles. All the current requirements in the 8 principles are still here but they are now outlined in the finer detail of the text. So, for example, principle 6 in the DPA  (“processed in accordance with data subjects rights”) is not specifically called out as a principle in the Regulation but it is outlined in Ch2 Art 5 (1) (a) that information will be processed in a “fair and transparent manner”. The requirements of which, outlined in the rest of the Regulation, require Data Controllers (and indeed processors) to ensure that Data Subjects can exercise their rights as outlined in the text in Chapter 3.

The same applies to the current principle 8 of the DPA 1998 “not transferred to a country outside of the EEA without adequate protections” principle. Because the ‘protections’ are outlined in other principles (Chapter 4, section 2 (Security) for example) and the regulatory nature of the Regulation, it is expected that as part of your processing under the other principles you will share data internationally in the correct fashion.

As the saying goes, the devil is indeed in the detail with this Regulation. In this document I’ve put the relevant sections into the principles to which they relate. There is some overlap but generally if you’re talking about principle 1, then the references are all sections of the text that are relevant to some degree. This list is by no means exhaustive but it does give you a view as to how the principles are intertwined into the detailed text.

In the next few posts I’ll be exploring these principles more and some of the related requirements to see what this means in practice and what further location specific standards we should be on the watch for.

Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Read more about the EU Data Protection Regulation and attend our full day workshop.

New Data Sharing Consultation


In February the Government launched a consultation on introducing laws to allow more citizens’ data to be used for ancillary purposes by the public sector. It says:

“Proportionate, secure and well-governed information sharing between public authorities can improve the lives of citizens. It can also support decisions on the economy which allow businesses to flourish, and improve the efficiency and effectiveness of the public sector. The government aims to do more to unlock the power of data.

The consultation runs till 22nd April 2016. It looks at enabling information sharing between public authorities to improve the lives of citizens and support decisions on the economy and society.” 

The proposals fall into 3 categories:

Improving public services

  • allowing public authorities to share personal data in specific contexts to improve the welfare of a specific person (e.g. automatically providing direct discounts on energy bills of people living in fuel poverty)
  • enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died)

Addressing fraud and debt

  • helping citizens manage their debt more effectively and reduce the overdue debt that they owe to government (i.e. allowing sharing of information for public sector debt collection)
  • helping detect and prevent the losses government currently experiences due to fraudulent activity

Allowing use of data for research and official statistics

  • giving the Office for National Statistics access to detailed administrative government data to improve their statistics
  • using de-identified data in secure facilities to carry out research for public benefit

Cynics may say that the proposals are really about allaying public sector fears that Government initiatives such as the Troubled Families Programme, require them to share personal data which may well breach the Data Protection Act 1998 (DPA).

A new criminal offence for unlawful disclosure of personal data is proposed to be introduced. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. Certainly the prison element will be welcomed by the Information Commissioner who has recently reiterated his call for stronger sentencing powers for people convicted of stealing personal data under the DPA.

It is proposed that the new measures will be supported by a statutory Code of Practice, which will set out if, how and when data can be disclosed under each power. Primary legislation will set out the requirement to consult the Information Commissioner, and where appropriate Ministers in the Devolved Administrations and other relevant experts before issuing or revising  these Codes. Compliance with these Codes would be a requirement for any public authority seeking to participate under the proposals; failure to abide by the Codes may result in a public authority being removed from the relevant schedule and losing the ability to disclose or receive data under the power.

The whole law on information sharing needs examining. To echo the words of the Government:

We need to go further and update the legal regime to provide simple and flexible legal gateways to improve public sector access to information in key areas which impact the whole public sector in a systematic and consistent way so that citizens can have confidence that their data is being used for the right purposes and remains securely held.”

In 2014 the Law Commission reported on the outcome of a consultation on the law around sharing of personal information between public sector organisations.  It set out its recommendations, which included a full law reform project to be carried out in order to create a principled and clear legal structure for data sharing, which will meet the needs of society. I have not come across the Government’s response to the recommendations. May be this latest consultation is it!

Of course any new laws will have to be consistent with the new EU General Data Protection Regulation (GDPR), expected to come into force in 2018 and, which will replace the DPA.

These and other Information Sharing developments will be examined in our forthcoming full day workshops and webinars. 

Illustration provided by the Office of the Privacy Commissioner of Canada (

Extension of Freedom of Information in Scotland


Following a consultation last year by the Scottish Government, the Freedom of Information (Scotland) Act 2002 (FOISA) was recently extended to cover more organisations.

The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2016, S.I. 2016/139, came into force on 2nd March 2016. It is made under Section 5 of FOISA. It comes into force on 1st September 2016.

The Order extends coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited. These bodies also become subject to the Environmental Information (Scotland) Regulations 2004 in relation to any requests they receive for environmental information.

This is the second order brought forward under Section 5 of FOISA; the first came into force on 1 April 2014 and covers arms-length culture, sport and leisure trusts established by local authorities.

Freedom of Information in Scotland seems to sail in much more calmer waters than in the rest of the UK where the FOI Act comes under intense scrutiny (some say “attack’) from politicians from time to time. The Independent Commission on Freedom of Information was established by the Cabinet Office in July last year to examine the operation of the FOI Act and whether it required any changes. Its recent report says FOI is working well and does not need major changes. However, it does make twenty-one recommendations.

Think you know about FOISA? Have a go at the FOISA test.

 Looking for a FOISA qualification? Our Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 is the only certificated course specially designed for FOI practitioners in Scotland. It is endorsed by the Centre for FOI based at Dundee University

%d bloggers like this: