Ghost in the machine

By Paul Simpkins

Like any normal UK male I like to watch sport on TV. As the season all over Europe comes to a conclusion the titles and cups are being decided. Exactly the wrong time to take a holiday. Why?

Because despite Sky Go and BT allowing you to watch their products on your laptop or other device while you’re away from home things stop working when you leave the UK. It’s nothing to do with Brexit. Your device works out that you’ve left and suddenly many services that you use frequently start to deny you access for the simple reason that you’re away from home. If you want to watch the destination of the titles and cups you have to hope that you can find a friendly bar with a TV and hope the locals aren’t supporting the team that is playing your team.  You may have to consume alcohol and even sing sporting anthems badly but that’s part of the fun.

If you prefer to sit in the safety of your hotel room or rural gite or caravan there is another solution. Buy a wifi session. Your venue will probably sell you one for a few euros and you can watch in peace with a steaming cappuccino. Trouble is your device may still not allow you to connect to UK channels as it will still think you’re away from home as your IP address identifies your location.

But there’s a solution for that as well. Buy an app that masks your IP address. I’ve used this one.

blg paul 1

And it’s worked well. For free it will tell your computer sitting in Bordeaux that it’s really in Manchester so it will be able to watch iPlayer, Sky & BT without a problem. Yabba dabba doo!

Until recently when I purchased a month’s wifi from the site where I am currently staying. The company concerned is called Ozmosis.

blg paul 2

It’s full of lovely pictures of people enjoying themselves on holiday (the sunglasses give it away) using their wifi on holiday parks throughout Europe. 8 million users no less. So I bought a month’s wifi from them.

When it came to Champions league semi finals I thought I’d watch. It took a while. You have to run Cyberghost and find out that only 2000 free places exist and they count down at about ten a second until wow you’re sorted and watch the IP address emigrating from south west France to Manchester via a slow moving graphic then eventually log on to BT sport. Even then it often doesn’t work.

No problem. It was worth the effort. Until the following morning when you try to log on to the internet as usual. It doesn’t work. Suddenly it dawns on you via series of messages from Ozmosis they’ve identified a streaming service on your computer which violates their terms and conditions and they have terminated your wifi (after 6 of 31 days).

You ring the help line and you have to admit that you’ve been a naughty boy using an IP masking routine; apologise, delete it from your machine and they restore your wifi.

But then you think…

Who are they to say what I can do with their product? I buy it. It connects me to the internet. Can I watch porn channels with it? Can I hack health services all over Europe with it?  If I buy product A that enables me to do many things can the provider of Product A stop  me from doing B, C and D, E and F with their enabling product? 

If I bought a Kindle and loaded it with racist literature could Amazon stop me reading it?

If I bought a car and was told by the salesman that I couldn’t drive to Chipping Sodbury because they didn’t like the name.

If I bought a mobile phone but was limited in the numbers I could call?

(other off the wall examples sought by the author)

So there you are. I can buy wifi and perform normal functions like check my email or look at my bank account or whatsapp my auntie but not watch Atletico Madrid fail to beat Real Madrid without being penalised by a faceless sysadmin near Montpellier who cuts off a service I’ve paid for because I’m doing something they don’t like.  I have no other option on my campsite. Ozmosis have a monopoly.

OK millions of people streaming a major football match might use a lot of bandwidth but that’s what most European males on a campsite want to do. Saying in the T & C that you can’t do it makes buying the wifi worthless. Increase your capability Ozmosis or get out of the sector (

but they’re making zillions of euros so they won’t do that).

I expect a torrent of abuse from normal people who live without watching big sporting events but living in France for several weeks eating quality food and drinking cheap quality wine and beer while enjoying temperatures 10 degrees higher than the UK needs some mitigation otherwise it would be Paradise Lost – buts that’s another story.

GDPR: One Year to Go! Special Offer Today Only!


Exactly one year today (on 25th May 2018), the General Data Protection Regulation (GDPR) will come into force. (***see below for a special offer)

Data Controllers and Data Processors now have just 12 months to prepare for the biggest change to the EU data protection regime in 20 years.  With some breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, everyone has to take GDPR seriously.

For those who are still yet to start their GDPR implementation programme, the ICO’s 12 steps to take towards compliance is a good place to start. We would emphasise:

  1. Keeping up to date with all the guidance coming out of the ICO and the Article 29 Working Party.
  2. Raising awareness about GDPR at all levels. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops.
  3. Reviewing how you address records management and information risk in your organisation.
  4. Reviewing compliance with the existing law as well as the six new DP Principles.
  5. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  6. Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
  7. Writing polices and procedures to deal with new and revised data subject rights such as Data Portability and Subject Access.
  8. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need?

Our GDPR Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.  

The next 12 months need to be spent wisely. As well as training, Act Now can deliver GDPR health checks to assess where you are and guide you to where you need to be.

And as if there isn’t enough to do, the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection for law enforcement agencies (as well as others) when processing personal data relating to crime and justice has to be implemented by 6th May 2018. Oh and a new Regulation on Privacy and Electronic Communications covering, amongst other things, direct electronic marketing will come into force on 25th May 2018.

An exciting time to be involved in privacy and data protection!

*** To mark the occasion and help you prepare for GDPR coming into force, Act Now will apply a 25%  (see what we did there?) discount to all bookings for our GDPR one day workshops received today (25th May 2017).

* Please note the full  booking details have to be received by us. Offer applies to new bookings only which are received today only.

GDPR Practitioner Certificate: First set of Results

accomplishment, certificate, degree, successful, diploma, graduates, achievement, celebration

Act Now Training Limited is pleased to announce the successful completion of its first two courses leading to the GDPR Practitioner Certificate.

Congratulations to all 19 delegates who successfully completed the course in London and Manchester in May 2017 (with 5 achieving a distinction).  They represented a diverse range of organisations including British Airways, insurance companies, councils, universities and housing associations.

Steve Wood, Head of International Strategy and Intelligence, at the Information Commissioner’s Office said:

“Congratulations to all the successful candidates on the Act Now GDPR Certificate.  As we near 25th May 2018, it is good to know that organisations are taking steps to ensure they have staff with the knowledge and skills to take up the GDPR implementation challenge”

The GDPR Practitioner Certificate is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate, which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

Feedback from delegates has been very positive:

An excellent course presented with flair that explained the transition from DP Act to EU-GDPR with emphasis on both the law and real world examples. PG, Somerset County Council

Excellent course. Tim was extremely knowledgeable and helped set out clearly what needs to be done to prepare for the GDPR. ES, Together Trust

I enjoyed every minute of this course. CA, Nursing and Midwifery Council

A really enjoyable and practical course. Informative in terms of learning and it also helped to put into context my own reading and work around GDPR. Tim is a great presenter and the course was delivered at a good pace. Questions and discussions raised by other delegates were interesting and informative too. SB, The Riverside Group Limited

Data Protection is made enjoyable and is brought to life by the quality of the trainer who has obviously experienced it in the live environment and who absolutely loves the subject. AH, SCLL

The course tutor was Tim Tuner who shared his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, meant that delegates were not only in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.

Tim said:

“I have really enjoyed teaching these delegates. Their enthusiasm and ability to challenge themselves bodes well for the future of GDPR compliance in the UK. I am on a mission to continuously improve this course so that it becomes the premier GDPR qualification.”

This course is filling up fast. Five out of the next seven courses are fully booked. We are adding more dates. Please check our website for a course near you.

Councillors, council tax arrears and FOI


Some council chiefs, as well as some councillors, do not like the Freedom of Information Act 2000(FOI) claiming, amongst other things, that it costs too much and is used to request trivial information. Against this backdrop, how do council FOI officers deal with requests (often from journalists) for the names of councillors who are in arrears or have defaulted on their council tax bills?

Some councils have refused such requests citing the section 40(2) exemption for third party personal data. For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of the Data Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)? Of course when the new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 the disclosure of the data will have to be justified by reference to Article 6 of GDPR.

A 2016 Upper Tribunal decision sheds light on this difficult issue. Haslam v Information Commissioner and Bolton Council [2016] UKUT 0139 (AAC) (10 March 2016) concerned a request by a journalist (Mr Haslam) for disclosure of information about councillors who had received reminders for non-payment of council tax since May 2011.  The Council told the appellant that there were six such councillors and informed him which political party they were members of, how much had been owed, how much was outstanding, and that two had been summoned to court.  The Appellant asked for the names of the individual councillors.  The Council refused stating that the names were exempt from disclosure under section 40(2) FOI.  The Appellant appealed to the First-tier Tribunal, against the decision of the Information Commissioner to uphold the Refusal Notice, in relation to the two councillors who had been summoned to court. The First-tier Tribunal dismissed the appeal.  Subsequently one councillor voluntarily identified himself, so that there was only an issue regarding one councillor before the Upper Tribunal.

The Upper Tribunal allowed the appeal concluding that releasing the name would not contravene the data protection principles, because processing was necessary for the purposes of legitimate interests pursued by the Appellant, and was not unwarranted because of prejudice to the councillor’s rights/legitimate interests.  This was a public matter in which the councilor could not have a reasonable expectation of privacy. Judge Markus in her judgment said:

“40. But, in the case of a councillor, it is not only a private matter. A councillor is a public official with public responsibilities to which non-payment of council tax is directly and significantly relevant.  A number of specific features of this were advanced in submissions to the First-tier Tribunal.  In particular, section 106 of the Local Government Finance Act 1992 bars a councillor from voting on the Council’s budget if he or she has an outstanding council tax debt of over two months.  If a councillor is present at any meeting at which relevant matters are discussed, he or she must disclose that section 106 applies and may not vote.  Failure to comply is a criminal offence. Thus council tax default strikes at the heart of the performance of a councillor’s functions. It is evident that setting the council’s budget is one of the most important roles undertaken by councillors.  The loss of one vote could make a fundamental difference to the outcome. This adds a significant public dimension to the non-payment of council tax.  The very fact that Parliament has legislated in this way reflects the connection between non-payment and the councillor’s public functions.  Moreover, as the Commissioner observed in his decision notice, recent failure to pay council tax is likely to impact on public perceptions and confidence in a councillor as a public figure.

  1. These factors are of critical relevance to expectation.  As the Commissioner  had observed, those who have taken public office should expect to be subject to a higher degree of scrutiny and that information which impinges on their public office might be disclosed.  More specifically, unless the local electorate know the identity of a councillor to whom section 106 applies, they cannot discover that that councillor is failing to fulfil his functions.  Nor can they know that the process of declarations under section 106 is being adhered to. In addition the electorate may wish to know whether they can trust a councillor properly to discharge his functions if he stands for office again.” 

So there we have it. Councillors can normally expect to have their names disclosed if they default on council tax. However this is not an absolute rule. In the words of Judge Markus (at paragraph 56):

“There may be exceptional cases in which the personal circumstances of a councillor are so compelling that a councillor should be protected from such exposure.”

The Bolton News, where the Appellant works, finally named the councillor who is the subject of this case (Click here if interested). By the way, I may share a name with him but I can assure you that I am up to date with my council tax bill payments!

We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars.

How would you do on the BCS Certificate in Freedom of Information exam? Have a go at our test.

%d bloggers like this: