A New (GDPR) Data Sharing Code


The law on data sharing is a minefield clouded with myths and misunderstandings.
The Information Commissioner’s Office (ICO) recently launched a consultation on an updated draft code of practice on this subject. Before drafting the new code, the ICO launched a call for views in August 2018, seeking input from various organisations such as trade associations and those representing the interests of individuals. (Read a summary of the responses here). The revised code will eventually replace the version made under the Data Protection Act 1998, first published in 2011.

The new code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
Launching the consultation, which will close on 9th September 2019, the ICO said the code will:

“… address many aspects of the new legislation including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities”.

Once finalised, the code will be a statutory code of practice under section 121 of the DPA 2018. Under section 127, the ICO must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.

Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance.
It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency, and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017, which seeks to promote data sharing across the public sector.

There is also a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood, as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager, putting her “at greater risk.”

Steve Wood, the Deputy Information Commissioner for Policy, said:

“Data sharing brings many benefits to organisations and individuals, but it needs to be done in compliance with data protection law.”

“Our draft data sharing code gives practical advice and guidance on how to share data safely and fairly, and we are encouraging organisations to send us their comments before we launch the final code in the Autumn.”

You can respond to the consultation via the ICO’s online survey, or email datasharingcode@ico.org.uk until Monday 9 September 2019.

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Subject Access Requests for Paper Records


The old Data Protection Act 1998 not only gave Data Subjects a right to see their personal data held on computer but also that which was held on paper records held in a “relevant filing system”. A recent case, albeit under the DPA 1998, has an impact on the way Data Controllers deal with subject access requests under the GDPR.

The question of what constitutes a “relevant filing system” under the DPA 1998 has always been a vexed one, particularly since the 2003 Court of Appeal ruling in Durant v Financial Services Authority [2003]. The Court of Appeal’s interpretation of this term has been criticised in various quarters for being too restrictive and particularly for focussing on the burdens and costs imposed on Data Controllers rather than the rights of the data subjects. Therefore the recent decision by the High Court in Dawson-Damer v Taylor Wessing LLP [2019] may be welcomed by those who believe a more ‘rights-based’ approach is appropriate.

The case involved subject access requests made by Mrs Dawson-Damer and her two children to Taylor Wessing LLP (an English law firm). In short, the firm did not act for the Data Subjects, but it did hold personal data about them in a series of trust files in which they were potential beneficiaries. Taylor Wessing refused to provide their personal data, and this resulted in protracted litigation. One of the key questions that the High Court had to address was whether the Trust files constituted a “relevant filing system” for the purposes of the DPA 1998. The Court also considered whether the law firm could rely on S. 8 of the DPA 1998, which removes the obligation on a Data Controller to provide a copy of the personal data where it would involve disproportionate effort.

For further details of the Dawson-Damer request and the litigation that followed see our more detailed case note.

The definition of relevant filing system under DPA 1998

Readers familiar with the DPA 1998 will recall that it defined:

  • Data as data processed or intended to be processed by equipment operating automatically and ‘manual’ data recorded as part of a ‘relevant filing system’.
  • Personal data as ‘data’ which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller.

In Durant, the Court of Appeal interpreted the concept of a ‘relevant filing system’ as a system of files in which the files forming part of it are:

  • Structured or referenced in such a way as clearly to indicate at the outset of a search whether the personal information of a person requesting the information is held within the system, and if so in which file or files it is held.
  • The structuring or referencing mechanism of the filing system had to be sufficiently sophisticated and detailed to indicate whether and where the requestor’s information could be located.

The key feature of this interpretation is the focus on the way in which the system is structured by reference to individuals and the ease with which specific information could be accessed. Personal data held in an unstructured manual filing system did not fall within the scope of the DPA 2018 (although there was an amendment for such data held by public authorities subject to FOI).

The Trust Files: Do they form part of a relevant filing system?

The case concerned a series of paper files that were held by Taylor Wessing prior to 2005, when it moved over to an electronic filing system. The manual files were labelled by reference to the law firm’s clients or the respective Trusts and they contained correspondence and advice that was arranged chronologically. Taylor Wessing argued that the only way it could determine if the files contained the personal data of the requestors was to go through each file page by page, and therefore any personal data was not easily accessible. On this basis the law firm argued that the files did not form part of a “relevant filing system” as interpreted by the Court of Appeal in Durant. The requestors argued that the files did form part of a relevant filing system and that the law firm had failed to carry out a reasonable and proportionate search of them.

The 2019 High Court decision

The High Court decided that in the light of recent domestic and European case law the decision in Durant was too restrictive and the requirements of a relevant filing system are that:

  (a) The data must be structured by reference to specific criteria; and
  (b) The criteria must be “related to individuals”; and
  (c) The specific criteria must enable the data to be easily retrieved.

The Court decided that some 35 Trust files formed part of a relevant filing system.
They were filed under the description of the relevant Trust and the client is recorded as the Trustee. The files clearly related to Trusts in which the requestors were potential beneficiaries. On this basis the High Court was satisfied that this was sufficient to satisfy (a) and (b). Turning to point (c), the Court said that since the files were arranged chronologically this would of course require someone to ‘turn the pages’ of the files to locate the personal information. However, the Court did not think that this would be an onerous task and the search would enable the personal data of the requestors to be easily retrieved. In any event the Court acknowledged that the law firm must have done this exercise in order to reach its conclusion that the majority of the personal data it held was subject to legal professional privilege.

For details about the Court’s reasoning see our more detailed case note.

The disproportionate effort issue

The High Court rejected the law firm’s arguments that a search through the files would involve a disproportionate effort. The decision makes it very clear that the onus is on the Data Controller to provide evidence about the time and cost involved in conducting searches. Taylor Wessing had failed to do this.

Implications of the decision

The case was considered under the DPA 1998. The GDPR and DPA 2018 now provide a subtly different definition of a filing system. However, the case shows that the approach of the Courts to the interpretation of data protection laws is more focussed on the rights of data subjects rather than the burdens faced by Data Controllers. It is also clear that Data Controllers need to produce clear evidence in terms of time and costs if they wish to argue it would involve disproportionate effort to supply personal data. This will impact on the way subject access requests (and other rights) are dealt with under GDPR. Article 12(5) allows Data Controllers to refuse requests where they are “manifestly unfounded or excessive.” The burden of demonstrating this is on the Data Controller.


Susan Wolf is a trainer with Act Now. More on these and other developments in our GDPR Update workshop. Looking for a GDPR qualification, our practitioner certificate is the best option.

Act Now launches Law Enforcement Data Processing Policy Pack (Part 3 DPA 2018)

Organisations with a role in preventing and detecting crime (e.g. councils, police, regulatory bodies etc.) not only have to comply with GDPR but also with Part 3 of the Data Protection Act 2018 (DPA 2018), which applies to the processing of personal data for law enforcement purposes. This is a complex task requiring, amongst other things, a set of policies, procedures and notices; a daunting task especially for organisations “starting from scratch”.

Act Now has applied its 16 years of information governance experience to create a policy pack containing essential document templates to help you meet the requirements of the DPA 2018. It will save you hours of drafting and research time. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent ICO fine notices issued against British Airways and Marriott International.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. This is another hot topic. On 25th June 2019, Enforcement Notices (under Part 3 of the DPA) were served by the ICO on the Metropolitan Police, for sustained failures to comply with individuals’ rights in respect of subject access requests.


Template policies

  • Data Protection Policy – providing an overarching framework for compliant processing of personal data for law enforcement purposes as required under s56 DPA 2018
  • Sensitive Data Processing Policy – as required under s42 of DPA 2018


  • Data breach reporting
  • Data Protection Impact Assessment template
  • Data Subject rights request response templates
  • System requirements specification – Summary of requirements to meet the audit and record keeping requirements of Part 3 of DPA 2018
  • International transfers

Privacy Notice templates

  • General (for publication)
  • Specific (for tailoring privacy information to particular individuals as required by s 44(2) of DPA 2018)

Records and Tracking logs

  • Information Asset Register
  • Record of Processing Activity (s 61)
  • Record of Sensitive Data processing
  • Data Subject Rights request tracker
  • Information security incident log
  • Personal data breach log
  • Third country transfer logs
  • Data protection advice log

The above documents are inter-related and contain cross references, particularly across the various tracker logs.

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format) following payment. Sequential files and names make locating each document very easy.

Click here to read sample documents.

For only £249 plus VAT (Special Introductory Price), the policy pack gives a useful starting point for organisations of all sizes who have a law enforcement function and will save hours of drafting time and research time.

This LED processing policy pack complements the Act Now GDPR Policy Pack, which covers the general processing of personal data. The GDPR policy pack has been bought by public and private organisations including local authorities, utility companies, universities and charities.

To learn more about Part 3 of the DPA 2018, see our full day workshop and webinar on this topic. For a full GDPR update please see our new advanced workshop.

The BA and Marriott Data Breaches: The ICO takes its gloves off!


This week we saw the Information Commissioner’s Office (ICO) finally signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent have been issued. Both relate to cyber security incidents but are for different reasons and amounts.

Under the GDPR, supplemented by the Data Protection Act 2018 (DPA18), the ICO has a number of statutory duties and powers with regards to regulating Controllers’ and Processors’ obligations. Article 58 gives the ICO its powers. Article 83(2) sets out the criteria that have to be taken into account by the ICO when issuing fines. These include the nature, gravity and duration of the breach, the number of data subjects affected, level of damage and action taken to mitigate the damage. All this is outlined in the ICO’s Enforcement Policy.

British Airways Notice of Intent – £183 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

According to various sources at the time, for a period of two weeks BA’s systems were compromised. Hackers took the personal and financial details of customers who made, or changed, flight bookings on www.BA.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three-digit CVC code required to authorise payments.

According to an article from wired.co.uk, the BA vulnerability was a well-known one and could have been prevented with a simple fix. While we don’t know the exact details yet, perhaps that is why the ICO wants to fine BA a whopping £183 Million!

What this also appears to show is that because the BA breach resulted in customers of BA being stuck in various holiday locations unable to get home the effect on “the rights and freedoms of individuals” was certainly far more concrete (and some could say worse) than what we currently know about the Marriott data breach (see below). Perhaps this is why the fine amount is so high.

As soon as the notice of intent was filed BA announced they were going to appeal, either because they see themselves as the victim here (as stated in various press statements about the incident) or they believe that the ICO has acted disproportionately. We shall see…

Marriott Hotels Notice of Intent – £99 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

According to various sources (see the BBC article at the time) this specific cyber security breach related to one of the booking databases belonging to Starwood hotels. A vulnerability in the database was exploited in 2014 and has been exploited ever since then until an internal security tool detected suspicious activity in 2018. The database in question contained records of up to 500 million customers of which 339 million were compromised including names, addresses and encrypted payment card information.

In 2016 Starwood (and all its assets and liabilities) were bought by Marriott. Part of the ICO statement accuses Marriott of not completing effective due diligence on Starwood and that appears to be the main reason for the intention to fine. One would conclude therefore that when purchasing a company a full security assessment and penetration test on the IT network and systems should be completed. Marriott have also announced their intention to appeal the notice of intent. Not surprising when it is £99 Million!

What does this mean?

As with the Metropolitan Police announcement a few weeks ago, I’m sure these announcements will go down in Data Protection history but until the action is confirmed and the money exchanges accounts, what it exactly means for the regulatory landscape is yet to be seen. These are just intentions to fine, not the actual fine itself. The press (and some people that still don’t understand Data Protection when they claim to) got all excited about it at the time (and were corrected by many on social media). I think someone used the phrase (which I now cannot find so I can’t credit you – sorry!) “it’s basically like me saying I have an intention to buy my lunch”. But your lunch currently isn’t bought, and you are, indeed, still hungry!

What it means in terms of what you can practically do in your day jobs however is quite clear. GDPR emphasises the need to have ‘effective organisational and technical measures’. So, if you are going to buy a business (or just build a new system) ensure you have done your due diligence and testing on it to help mitigate any potential risks. You can’t catch everything (especially in a cyber security context) but at the very least you must be seen to be trying. Doing nothing, or ‘ignorance is bliss’, will ultimately land you in trouble.

Secure systems, privacy by design, effective cyber security and a half decent data culture will help you on your path and is a fair size more beneficial than the world of ignorance.

Scott Sammons is a trainer with Act Now. More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Looking for a GDPR qualification, our practitioner certificate is the best option.

Photo: Thanks to Sam Truong Dan for making this photo available freely on @unsplash 🎁 https://unsplash.com/photos/-rF4kuvgHhU 

Act Now’s FOI Practitioner Certificate: The Story So Far


At the end of 2018 Act Now announced the launch of its new FOI Practitioner Certificate. In keeping with the company’s ethos of delivering on the ground practical training, the new course is designed to meet the needs of practitioners and to enable them to fulfil their roles as FOI Officers.

Act Now is pleased to inform readers that in May and June the first two cohorts of delegates attended our fully booked courses in London and Manchester respectively.
The courses were designed and delivered by Susan Wolf, formerly a senior lecturer on the University of Northumbria’s LLM in Information Rights Law.

The course has so far attracted delegates from a range of public authorities, including the Crown Prosecution Service, Department for Environment, Food and Rural Affairs (Defra), Maritime and Coastguard Agency (MCGA), Nursing and Midwifery Council, University of West London, Dudley CCG, Land Registry, Lancashire Council, Cheshire Police and St Leger Homes.

Susan says:

“I have looked at every aspect of this revised course to ensure it equips FOI officers with the knowledge they need to tackle FOI in a practical way.”

The course uses the same format as our very successful GDPR Practitioner Certificate.
It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. All delegates are encouraged to actively participate and share their experiences, in order to create an inclusive environment.  Over the coming months, further courses will be delivered by Susan, Ibrahim Hasan and Philip Jones.

What’s new?

The new course offers several innovations, which Act Now believes make it distinctive and highly relevant to FOI Officers and other practitioners with responsibility for providing access to public information. One innovation is that time is made available each day for delegates to reflect on what they have learned and how it will inform their practice. From her experience of delivering training to the first two cohorts, Susan noted:

“Delegates were able to share their experiences and problems, and more importantly offer suggestions for tackling problems. This was particularly useful for delegates with limited FOI experience, or from smaller organisations, who were able to take away practical suggestions about how to handle requests and deal with the exemptions.”

The course also encourages delegates to become independent learners and provides guidance on ‘keeping up to date’ and understanding how cases are handled by the First Tier Information Rights Tribunal.  Susan says:

“The law isn’t static; we keep getting new ICO guidance, based on Tribunal and Court decisions. It is important that FOI practitioners understand the importance of keeping up to date, and how to do this.”

The assessment of the course is innovative and modern. The assessment model will be very familiar to people who have undertaken our GDPR Practitioner Certificate. First, delegates must complete a one-hour MCQ test. This is worth 30% of the overall assessment. The remaining 70% involves a written project. Delegates are given a practical scenario which requires them to draft a Refusal Notice and explain how they would handle the request and their selection of exemptions. All delegates receive detailed feedback on their written projects. Our Scottish FOISA course also now follows the same format.

Susan says:

“The assessment has been designed to be relevant and useful; I can see little point in giving delegates a task that has no meaning to their practice. Instead we want our delegates to feel like the assessment will inform their practice and enable them to enhance and develop their skills. Writing a robust refusal notice is an essential skill for FOI practitioners and lies at the heart of our assessment on this course.”

The delegate feedback so far has been excellent and it seems that this course has plugged a gap in the market:

“An excellent course taught by someone with all the relevant knowledge and experience to impart to the delegates. Also very useful course materials which have proved to be helpful to me on a day to day basis in my job. I would really recommend this course to anyone who is dealing with FOI’s in their job.”
JC, Department for Environment, Food and Rural Affairs (Defra)

Ibrahim Hasan (Director of Act Now Training) says:

“We are pleased that this new FOI certificate course is meeting the training needs of FOI officers. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

More venues have been added for this course including Belfast. All our courses can be delivered at your premises at a substantially reduced cost.

Contact us for more information.

Freedom of Information comes to Scottish Registered Social Landlords


The social housing sector already prides itself on being open and accountable to tenants. But from 11 November 2019, registered social landlords (RSLs) in Scotland will acquire new transparency obligations under the Freedom of Information (Scotland) Act 2002 (FOISA).

After years of debate, and the robust recommendation of successive Scottish Information Commissioners that housing associations should be in scope of FOISA, a designation order (under Section 5) adds RSLs to the list of public authorities in Schedule 1 of FOISA. The last such order (S.I. 2016/139) came into force on 2nd March 2016 and extended coverage of FOISA to contractors overseeing and managing private prisons, bodies providing secure accommodation for children and young people, grant-aided schools, independent special schools and Scottish Health Innovations Limited.

Housing associations are already subject to the Environmental Information (Scotland) Regulations 2004 (EISR) as their scope is broader than FOISA. However, awareness of the EISR is low among the public, and even some housing associations were probably unaware of them. Many of the types of requests which RSLs are likely to receive – around construction and repairs for example – will continue to fall under the EISRs.

Unlike other Scottish public authorities, the scope of FOISA does not apply to all the activities that an RSL may undertake. The designation order only extends FOISA to “housing services” as defined in the Housing (Scotland) Act 2010, which would include activities in support of:

  • the prevention and alleviation of homelessness,
  • the management of housing accommodation (but only where the RSL has issued a Scottish secure tenancy or short SST),
  • the provision and management of sites for gypsies and travellers

Other activities undertaken by RSLs – such as factoring for owner-occupiers, repairs and maintenance for non-tenants and care services – would not be in scope. Identifying how much of the organisation is subject to FOISA will be an ongoing challenge for RSLs.

GDPR Implications

And there is a double whammy for RSLs. Under section 7 of the Data Protection Act 2018, schedule 1 of FOISA is the basis in Scotland for designating public authorities under GDPR. Therefore, from November, RSLs will be subject to the obligation, under Article 38 and 39 of GDPR, to designate and provide appropriate support for a Data Protection Officer. While many larger RSLs have already done so, this is going to be a challenge to resource for smaller associations.

So, in preparation for November, RSLs should “Act Now” to:

  • Gain senior management support and buy-in for the compliance tasks;
  • Identify and designate a Data Protection Officer if they haven’t already done so;
  • Designate a lead officer for FOISA compliance;
  • Develop procedures and guidance for staff, including a log for tracking requests and templates for responses;
  • Ensure training is in place: Specific compliance training for DPOs and FOI leads and awareness training for all staff;
  • Review records management procedures to ensure appropriate retention periods are applied and records are retrievable;
  • Inform tenants and the wider public of their rights, including having a guide to information on their website.


Our FOISA expert, Frank Rankin, is delivering a free webinar for RSLs in Scotland to bring them up to speed with FOISA and what they need to do now before the implementation date. Book now as places are limited.

Act Now can support RSLs with our range of public training courses, including the only FOISA practitioner certificate course and our GDPR practitioner course, geared towards supporting DPOs. We can also provide in-house training and consultancy support.
