IRMS Certificate in Information Governance Proving Very Popular


In April 2016, Act Now, in partnership with the Information and Records Management Society (IRMS), launched the IRMS Foundation Certificate in Information Governance. This is the first fully online certificated course on Information Governance and is proving extremely popular amongst public and private sector professionals.

In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The Government recently confirmed that it will be adopting the Regulation despite the Brexit vote. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. With recent high profile hacks, records management and information security are now top of the corporate risk agenda.  And the list goes on…

Employees and managers need timely and cost effective IG training. The IRMS Foundation Certificate in Information Governance is the solution. This is an online certificated course designed for information management professionals who need to know about the basics of information rights and information management in their job role. It is an ideal starter qualification for those who wish to progress to more advanced qualifications such as the Act Now Practitioner Certificate in Data Protection and the BCS FOI and DP Certificates.

There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition they will be able to tailor their learning through doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate endorsed by the excellent reputation of the IRMS.

Since its inception in April 2016, 70 delegates have successfully completed the course. They represented a diverse range of organisations from the public and private sector including HMRC, Prudential Regulation Authority, Ropes and Gray International LLP, 14 local councils, Scottish Government, University of the Arts London and Creative Scotland, to name but a few.

Feedback from delegates has been very positive:

“The IRMS Foundation Certificate is a great way to cement a base knowledge, plus I found it useful to update some details and understand what changes may be on the horizon.” LK, Isle of Man Government

“Modules were interesting and packed full of useful content. As someone relatively new to the sector, this was the perfect course for me.” JH, Healthcare Improvement Scotland

“The course was really interesting. I have been in the profession for many years but still found a lot of new content throughout the course that built upon my existing knowledge but also explained some topics much more in depth, which was very engaging. The webinars were very useful and gave a good insight into the topics as well as giving a good opportunity to ask any questions and engage with other students and tutors. The course has certainly expanded my knowledge and interest in Information Governance and is very relevant to my work. I will be taking the information I have gained on this certificate further to enhance my career.” RD, Ministry of Defence

Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:

“I am pleased that this ground breaking online qualification is proving a big hit with information governance professionals. We are committed to continuous improvement and hope to add more such qualifications to our training portfolio in the future.”

Scott Sammons, the Chair of the IRMS, recently wrote in the IRMS magazine:

“I am very pleased that the online course is proving extremely popular amongst public and private sector professionals. Bookings have been received from a diverse range of organisations including local authorities, Government departments, Academy Trusts, the NHS, universities and even overseas governments!”

The qualification is also suitable for Scottish delegates who can choose to learn about the Freedom of Information (Scotland) Act instead of the Freedom of Information Act 2000.

IRMS members receive a 10% discount off the normal price of the course (£449 plus VAT).

If you would like to know more about this course please see Act Now’s dedicated IRMS Certificate webpages or email info@actnow.org.uk. You can also compare all our certificated courses here.

The Right to Data Portability under GDPR


The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Whilst it will replace the UK’s Data Protection Act 1998 (DPA), it still includes the right of the Data Subject to receive a copy of his/her data, to rectify any inaccuracies and to object to direct marketing. It also introduces new rights, one of which is the right to Data Portability.

Article 20 of GDPR allows Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers but particularly data driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services (so the theory goes; we live in hope!).

When the Right Can Be Exercised

Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly, it has to be automated data. Paper files are not included. Secondly, the personal data has to be knowingly and actively provided by the Data Subject. This includes account data (e.g. mailing address, user name, age) submitted via online forms, but also data generated by and collected from the activities of users by virtue of their use of a service or device.

By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller.

Thirdly, the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her. Therefore personal data processed by local authorities as part of their public functions (e.g. council tax and housing benefit data) will be excluded from the right to Data Portability.

It is important to note that this right does not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy policies. Nor is there a requirement to start storing data just to comply with a Data Portability request if received.

Main elements of Data Portability

Article 20(1) gives a Data Subject two rights:

  1. To receive personal data processed by a Data Controller, and to store it for further personal use on a private device, without transmitting it to another Data Controller.

This is similar to the subject access right. However here the data has to be received “in a structured, commonly used, machine readable format” thus making it easier to analyse and share. It could be used to receive a playlist from a music streaming service, information about online purchases or leisure pass data from a swimming pool.

  2. A right to transmit personal data from one Data Controller to another Data Controller “without hindrance”.

This provides the ability for Data Subjects not just to obtain and reuse their data, but also to transmit it to another service provider e.g. social networking sites and cloud storage providers etc. It facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition it provides consumer empowerment by preventing “lock-in”.

The right to Data Portability is expected to foster opportunities for innovation and sharing of personal data between Data Controllers in a safe and secure manner, under the control of the data subject.

Time Limits

Data Controllers must respond to requests for Data Portability without undue delay, and within one month. This can be extended by two months where the request is complex or a number of requests are received. Data Controllers must inform the individual within one month of receipt of the request and explain why the extension is necessary.

Information is to be provided free of charge save for some exceptions. Refusals must be explained as well as the right to complain to the Information Commissioner’s Office (ICO).

Notification Requirements

Data Controllers must inform Data Subjects of the right to Data Portability within their Privacy Notice as required by Articles 13 and 14 of GDPR. (More on Privacy Notices under GDPR here. See also the ICO’s revised Privacy Notices Code.)

In December 2016, the Article 29 Data Protection Working Party published guidance on Data Portability and a useful FAQ. (Technically these documents are still in draft as comments have been invited until the end of January 2017). It recommends that Data Controllers clearly explain the difference between the types of data that a Data Subject can receive using the portability right or the access right, as well as to provide specific information about the right to Data Portability before any account closure, to enable the Data Subject to retrieve and store his/her personal data.

Subject to technical capabilities, Data controllers should also offer different implementations of the right to Data Portability including a direct download opportunity and allowing Data Subjects to directly transmit the data to another Data Controller.

Impact on the Public Sector

Local authorities and the wider public sector might be forgiven for thinking that the Data Portability right only applies to private sector organisations which process a lot of personal data based on consent or a contract, e.g. banks, marketing companies, leisure service providers, utilities etc. Major data processing operations in local authorities (e.g. for the purposes of housing benefit, council tax etc.) are based on carrying out public functions or statutory duties and so are excluded. However, a lot of other data operations will still be covered by this right, e.g. data held by personnel, accounts and payroll, leisure services and even social services. An important condition is that the Data Subject must have provided the data.

The Government has confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union. All Data Controllers need to assess now what impact the right to Data Portability will have on their operations. Policies and Procedures need to be put into place now.

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.

New Webinar on GDPR and the Right to Data Portability. Register onto the live session or watch the recording.

GDPR and the Role of the Data Protection Officer


The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25th May 2018.

In the UK, it will replace the Data Protection Act 1998 (DPA). With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

You might be forgiven for thinking that the Brexit vote means that there is no need to worry about GDPR (being a piece of EU legislation) or that its effect will be time limited. The Government has now confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union.

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The Article 29 Data Protection Working Party has now clarified this in its recently published guidance (the A29 Guidance) and a useful FAQ. Technically these documents are still in draft as comments have been invited until the end of January 2017.

Who needs a DPO?

For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations (Article 37(1)):

  a) where the processing is carried out by a public authority or body

Public authorities and bodies are not defined within the legislation. The guidance says that this is a matter for national law. It’s fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement e.g. councils, government departments, the health sector, schools, emergency services etc.  However it is likely to also cover private companies that carry out public functions or deliver public services in the area of water, transport, energy, housing etc. (See also the decision in Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC) which considers the definition of public authorities under the Environmental Information Regulations 2004.)

Purely private companies not involved in public functions or delivering public services will only need to appoint a DPO if they engage in certain types of data processing operations explained in Article 37:

  b) where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale

Under this provision, companies whose primary activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programs, running CCTV systems, monitoring smart meters etc. will be caught by the DPO requirement.

  c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

The A29 Guidance states that the “and” above should be read to say “or” (a diplomatic way of saying the proof-readers did not do their job!). Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998 e.g. ethnic origin, political opinions, religious beliefs, health data etc. This provision will cover, amongst others, polling companies, trade unions and cloud providers storing patient records.

Unless it is obvious, organisations that don’t need to appoint a DPO should keep records of their decision making process. The A29 Guidance suggests that it will still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement, e.g. housing maintenance companies, charities delivering social services etc. A group of undertakings may appoint a single DPO provided that he/she is easily accessible and there are no conflicts of interest.

Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

The DPO’s Tasks

According to Article 37(5), the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. These are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation;
  • to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority (the ICO in the UK);
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Qualities

The A29 Guidance states:

“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices, including an in depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Act Now has recently launched its GDPR Practitioner Certificate aimed at upskilling existing and future DPOs in both the public and private sector. To learn more please visit our website or download the flyer.

The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. He/She reports to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.

Article 38(2) of GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” The A29 Guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management
  • Sufficient time for DPOs to fulfil their duties
  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • Official communication of the designation of the DPO to all staff
  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • Continuous training

The DPO will be at the heart of the data protection framework for many organisations, facilitating compliance with the provisions of the GDPR. Now is the time to appoint one, to ensure that you get the most suitably qualified person. Some say 28,000 will be required in the UK and US. Others have even suggested there will be a skills shortage!

There is certainly a lot to learn and do in less than 18 months when GDPR comes into force. Training and awareness at all levels needs to start now.

Do you think mandatory Data Protection Officers under GDPR will lead to higher salaries for DPOs?
Participate in our Twitter survey:

https://twitter.com/ActNowTraining/status/816980420357132290

