Act Now Nominated for IRMS Awards

Act Now Training is pleased to announce that it has been nominated for this year’s Information and Records Management Society (IRMS) awards in two categories. 

Each year the IRMS recognises excellence in the field of information management with their prestigious Industry Awards. These highly sought-after awards are presented at a glittering ceremony at the annual Conference following the Gala Dinner.

Act Now has been nominated for the Supplier of the Year award. In 2020, during the Coronavirus Pandemic, we have been at the forefront of helping the IG/DP community stay abreast of developments and rise to the challenges of working from home and continuing to learn. We ran a number of free webinars on a range of topics including cyber security, risk management and the CCPA. 

During the Pandemic, we developed our online courses from the ground up to ensure they provide the same interaction and quality as classroom workshops. Our flagship GDPR Practitioner Certificate course has been redesigned for the online learning environment but still maintains the focus on delegate interaction, engagement and tutor support. Since April 2020, we have run fifteen of these courses, all of which have been fully booked. It is probably one of the most popular GDPR certificate courses.

Throughout 2020, Act Now has promoted information law/information governance beyond these shores. We have trained professionals in the financial sector for the NAPCP conference in Las Vegas and launched our US CCPA and Dubai privacy programmes. This has helped raise the profile of our profession.

We have also continued to raise the media profile of Information Governance in 2020. Ibrahim Hasan, director and solicitor, was interviewed twice by the BBC regarding the NHS Test and Trace app. He also worked with the BBC to help ensure that care home records were removed from a site to prevent harm to patients and relatives.  

Act Now has also been nominated for the Innovation of the Year award for our new Advanced Certificate in GDPR Practice. This course is for data protection practitioners who wish to advance their GDPR practice and knowledge. The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. It consists of a series of challenging masterclasses in which delegates analyse and evaluate thought-provoking case studies designed to help them interpret complex data protection issues. 

This is the only advanced GDPR certificate course on the market and is proving very popular amongst practitioners. Our first three courses are fully booked. More information here.

All IRMS members are eligible to vote in the IRMS awards. The deadline is 2nd April 2021. Vote now for your favourite training company.

Our new UK GDPR Handbook is still available to pre-order at a special discounted price.

Covid Testing in Schools and Data Protection


By Neil Murphy

Pupils in England return to school today. Secondary schools have been given the additional task of facilitating on-site covid tests. Not only do they need to be trained and ready to supervise this testing, they also need to be up to speed with their data protection responsibilities as set out in the new UK GDPR.

Many schools have outsourced their Data Protection Officer (DPO) role to a consultant or have bought the service from the local authority. The DPO will be well placed to advise them on what needs to be done to ensure GDPR compliance. In any event, the Department for Education guidance is a good starting point. However, with their primary focus being on the medical issues (which type of test, the frequency of use and how to deliver the tests), some schools may still struggle with their data protection responsibilities.

Let’s start with the legal basis of processing. The tests are not mandatory and so consent is required for both the testing and the processing of the pupils’ personal data. Head teachers are already warning of problems getting parental consent for the tests, let alone processing the data. The DfE have advised that such data can still be processed under UK GDPR Article 6(1)(e) (public task) although the legislation schools may wish to refer to will vary for each type of school (e.g. maintained school, independent school, academy etc.).

Health data is Special Category Data under GDPR and so, in addition to Article 6, an Article 9 condition is required to justify the processing of such data. Explicit consent can be used or it can be argued that the processing is in the public interest on public health grounds (Article 9(2)(i)) to tackle the spread of Covid-19.

The method of gathering the initial parental consent will of course be an issue given the size of the school cohort. A clear letter which gives an overview of the type of testing to be delivered on-site, how to perform the test and how the school plans to deliver the testing (e.g. dedicated areas or times) can alleviate anxieties. There is a YouTube clip of a school that participated in the pilot testing and NHS guidance on how to take the test.

Letters could hyperlink to these and help fully inform parents what it is they are consenting to. A simple form can then be used to reiterate not only that consent can be withdrawn at any time but also that the pupil’s own wishes will always be respected.

Some schools have used Google or Microsoft Forms to avoid being inundated with paper forms and emails.

A privacy notice is also required to explain how the test result data will be processed by the school. This should be referenced in the above-mentioned letter and should not only indicate the categories of personal data which the school needs to temporarily hold (and the legal basis etc.) but also that NHS Test and Trace will become the Data Controller once the test information is passed to them, i.e. schools are only being asked to help facilitate the tests (which would otherwise be taken directly by the pupil). Some schools have used the privacy notice and letter to parents to make it clear that the school will help speed up the testing process by pre-populating the test forms with some basic personal data they hold (e.g. name, age, gender, address, country of residence).

Data collated will only need to be retained until the third on-site test is completed, but the test results from either on-site testing or home testing (along with a log of who has been given a home-testing kit) will, in line with DfE guidance, be retained no longer than 12 months from the date of the last entry into the register, which is of course dependent on the pandemic and how long the testing continues.

These testing arrangements only need to be in place for a short period until testing is undertaken at home. Schools will then need to devise a simple method of receiving the test results from pupils/parents on the morning the home test is taken. They will also need to advise them on where and for how long this information is recorded. The initial privacy notice could also address this second phase.

All personal data should be held in a secure location with password protection, accessible only to those with a need to know. A dedicated member of staff should ideally oversee the routine deletion of all personal data when it is no longer required. Staff should at the very least have a basic level of awareness of the key provisions of GDPR and how to keep data safe. Given the shortness of this project, there is no need to purchase additional software or do a full Data Protection Impact Assessment. However, the data protection implications need to be considered seriously by every school.

Neil Murphy is a Data Protection Officer for a multi academy trust and is currently studying for the Advanced Certificate in GDPR Practice. Act Now Training’s GDPR Essentials e-learning course is ideal for school staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here.

Vaccine Passports and Data Protection: Ibrahim Hasan’s BBC Essex Interview


Vaccine passports are very topical at present. Our director, Ibrahim Hasan, was interviewed on BBC Essex (on 2nd March 2021) about the privacy and data protection implications. 

Listen again here:

More interviews by Ibrahim here:
