Each year the IRMS recognises excellence in the field of information management with their prestigious Industry Awards. These highly sought-after awards are presented at a glittering ceremony at the annual Conference following the Gala Dinner. In 2021 Act Now won the Supplier of the Year award.
For 2022 Act Now has been nominated for the following awards.
Team of the Year
Supplier of the Year
Innovation of the Year
All IRMS members are eligible to vote in the IRMS awards. The deadline is Monday 18th April 2022. Vote now for your favourite training company.
On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement will replace the Privacy Shield Framework as a mechanism for lawfully transferring personal data from the EEA to the US in compliance with Article 44 of the GDPR. As far as UK/US data transfers and compliance with the UK GDPR are concerned, it is expected that the UK Government will strike a similar deal once the EU/US one is finalised.
The need for a “Privacy Shield 2.0” arose two years ago, following the judgment of the European Court of Justice (ECJ) in “Schrems II” which stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. They must consider using the Article 49 derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).
Despite the Schrems II judgment, many organisations have continued to transfer personal data to the US hoping that regulators will wait for a new deal before enforcing Article 44. Whilst the UK Information Commissioner’s Office (ICO) seems to still have a “wait and see” approach, others have started to enforce. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR due to the data being transferred to the US without appropriate safeguards. This followed a similar decision by the Austrian Data Protection Authority in January.
Personal data transfers are also a live issue for most UK Data Controllers including public authorities. Whether using an online meeting app, cloud storage solution or a simple text messaging service, which one does not involve a transfer of personal data to the US? At present use of such services usually involves a complicated TRA and execution of standard contractual clauses. In the UK, a new international data transfer agreement (IDTA) came into force on 21st March 2022 but it still requires a TRA as well as supplementary measures where privacy risks are identified.
Has the Trans-Atlantic Data Privacy Framework saved DPOs hours of work? But before you break open the bubbly, it is important to understand that this is just an agreement in principle. The parties will now need to draft legal documents to reflect the agreed principles. This will take at least a few months and will then have to be reviewed by the European Data Protection Board (EDPB) adding more time. And of course there is the strong possibility of a legal challenge especially if the ECJ’s concerns about US surveillance laws are not addressed. Max Schrems said in a statement:
“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”
“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
What should organisations do in the meantime? Our view is, if you have any choice in the matter, stick to personal data transfers to adequate countries, i.e. those which have been deemed adequate by the UK/EU under Article 45. This will save a lot of time and head scratching conducting TRAs and executing SCCs. Where a US/non-adequate country transfer is unavoidable, a suitable transfer mechanism has to be used as per Article 45. Of course for genuine one-off transfers the provisions of the Article 49 derogations are worth considering.
Act Now Training welcomes solicitor and surveillance law expert, Naomi Mathews, to its team of associates. Naomi is a Senior Solicitor and a co-ordinating officer for RIPA at a large local authority in the Midlands. She is also the authority’s Data Protection Officer and Senior Responsible Officer for CCTV.
Naomi has extensive experience in all areas of information compliance and has helped prepare for RIPA inspections both for the Office of Surveillance Commissioners and Investigatory Powers Commissioner’s Office (IPCO). She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court.
Naomi has many years of practical knowledge of RIPA and how to prepare for a successful prosecution/inspection. Her training has been commended by RIPA inspectors and she has also trained nationally. Naomi’s advice has helped Authorising Officers, Senior Responsible Officers and applicants understand the law and practicalities of covert surveillance.
Like our other associates, Susan Wolf and Kate Grimley Evans, Naomi is a fee paid member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).
Ibrahim Hasan, director of Act Now Training, said:
“I am pleased that Naomi has joined our team. We are impressed with her experience of RIPA and her practical approach to training which focuses on real life scenarios as opposed to just the law and guidance.”
Naomi will be delivering our full range of RIPA workshops as well as developing new ones. She is also presenting a series of one hour webinars on RIPA and Social Media. If you would like Naomi to deliver customised in-house training for your organisation, please get in touch for a quote.
Act Now Training is pleased to announce the launch of the new Isle of Man GDPR Handbook. The handbook is designed for data protection practitioners and legal advisers who require a reference guide to the Isle of Man Data Protection regime. It has been published following the success of the Act Now UK GDPR and EU GDPR handbooks.
The IoM GDPR handbook sets out the full text of the EU GDPR as it applies to the Isle of the Man (Applied GDPR) together with cross referenced recitals. Isle of Man specific amendments, insertions and deletions are clearly indicated to allow users to easily identify what has been changed from the original EU text. Relevant provisions of the Implementing Regulations have been included where they contribute to the further understanding of the Applied GDPR. Guidance from the Isle of Man Information Commissioner and the European Data Protection Board is also signposted to assist users when interpreting the legislation.
“I am really pleased with the publication of the Isle of Man GDPR Handbook. We wanted to fulfil the need of data protection practitioners in the Isle of Man to have access to a clear and easy to follow publication to help them navigate their way around this complex legislation.”
Isle of Man delegates who book our new IoM GDPR Practitioner Certificate course will receive a complimentary copy of this handbook as part of their course materials.
EARLY BIRD DISCOUNT
The RRP of the Isle of Man GDPR handbook is £54.99 (plus postage and packing). There is an early bird discount of 15% off the RRP until 3pm on 17th March 2022. Please quote the discount code “IoM15” when placing your order here.
The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 came into force on 26th January 2022. They amend Schedule 2 of the DPA 2018 to include a revised “immigration exemption”. The exemption disapplies many data subject rights in the GDPR (now UK GDPR), such as subject access and the right to erasure, where personal data is processed for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
Article 23 of the EU GDPR allows Member States to create exemptions to restrict data subjects’ rights in certain circumstances (e.g. for the purposes of crime prevention). Such exemptions must respect the “essence of the fundamental rights and freedoms” and be “necessary and proportionate… in a democratic society”. Article 23(2) also includes a list of “specific provisions” that any legislative measure creating a restriction to data subjects’ rights must contain e.g. the purpose of the processing, the relevant categories of personal data, the scope of the restriction introduced and details of the accompanying safeguards. The Court of Appeal found that the immigration exemption, as originally drafted, did not contain any of these provisions; nor were they covered in any separate legally binding legislation.
The 2022 regulations amend the immigration exemption to make clear that it may only be relied on by the Secretary of State and only if the Secretary of State has in place an immigration exemption policy document. This is a document which explains the Secretary of State’s policies and processes for determining whether, and the extent to which, the exemption applies in any particular case, and for ensuring that any personal data covered by the exemption is not abused or accessed or transferred in a manner contrary to the UK GDPR. Additional safeguards are also added to the exemption to require the Secretary of State:
(a) to decide whether the immigration exemption applies on a case by case basis, and to have regard to the immigration exemption policy document when making such decisions;
(b) to keep a record of any decision that the immigration exemption applies and the reasons for that decision;
(c) to inform a data subject of any such decision, unless doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b) of Schedule 2 to the 2018 Act.
Following the Court of Appeal judgement, questions now arise (though not specifically addressed by the court) about the legality of other GDPR exemptions set out in the DPA 2018. Many of them also appear not to have the “specific provisions” required under Article 23(2).
Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as to get some sun!).
The Middle East is fast catching up with Europe when it comes to data protection law. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security. Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws.
Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI.
We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.
During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.
The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue. Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits!
As we come to the end of another year, the Act Now team would like to thank all our delegates for their continued support and our associates for their hard work. It has been a challenging year but we have all taken the opportunity to learn and grow.
Much happened in 2021 in the privacy arena. We had the first GDPR fine issued to a charity as well as the Cabinet Office finally being fined for the 2020 New Year’s Honours List data breach. In September, the Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. Time will tell! We predict that 2022 is going to be the year of AI and Data Ethics. We are planning some workshops to help you navigate through the thorny issues.
It wasn’t all about GDPR. At the end of the year, it seemed like the Government was ready to launch another attack on freedom of information. At present they are distracted by other troubles (unauthorised Christmas parties) but it will be interesting to see if the threat of FOI reform rears its head in 2022.
In 2021 Act Now has been at the forefront of helping the IG/DP community stay abreast of developments and rise to the challenges of working from home and continuing to learn. We have delivered over 250 online workshops and launched some great new courses and products including our Advanced Certificate in GDPR Practice. We intended to run 3 of these certificate courses in 2021. Such was the demand that we ran a total of 8, all of which were fully booked. With some great reviews, we will continue to improve this course. Watch this space for some exciting and challenging new courses in 2022. Alongside our usual training programme, we ran a number of free webinars on a range of topics including cyber security, risk management and the CCPA.
Act Now has also continued to raise the media profile of Information Governance in 2021. Ibrahim Hasan was interviewed twice by the BBC on a variety of topics including footballers’ data, data breaches and vaccine passports. He was also on RT News talking about FOI.
Data Protection is going global. With laws being passed in the Middle East, Africa and North America, we are now looking to spread the information privacy message further afield by promoting our US CCPA and Dubai privacy programmes. We have exciting announcements planned in 2022.
2021 ended with some great news. Act Now Training won the Information and Records Management Society (IRMS) Supplier of the Year award at the IRMS conference in Birmingham. We were also delighted to welcome solicitor and information law expert, Kate Grimley Evans, to our team of associates. Kate is a Fee Paid Member of the Upper Tribunal.
These are exciting times for information governance professionals. Act Now is committed to raising awareness and the importance of Information Rights. We want to continue to support IG professionals with their professional development by developing training that helps them to navigate this often complex but interesting area.
The Act Now office will be closed for the holiday season from Thursday the 23rd December. We will be back in the office from the 5th January 2021.
Wishing you all a safe and enjoyable Christmas and a successful new year.
Last week, a government minister called the Freedom of Information Act (FOI) a “truly malign piece of legislation”. Lord Callanan, a minister at the Department for Business, Energy & Industrial Strategy, made the comments during a parliamentary debate. He was defending the government’s decision that FOI should not apply to a new Defence research agency.
It is not surprising that a government minister has expressed his dislike of FOI. The Act is very popular amongst politicians but only when they are in opposition. This view rapidly changes when they take up government positions and are on the receiving end of FOI requests. Tony Blair introduced the Act but regretted it in his memoirs, calling himself “a naive, foolish, irresponsible nincompoop”.
This new attack on FOI is not just about the Advanced Research and Invention Agency (ARIA) and whether it should be subject to FOI. This is a minister expressing his frustrations about legislation which has no doubt made the Government’s life more difficult, especially during the Pandemic. Information requests have been made about key government decisions, the actions of advisers in allegedly breaking lockdown rules (Barnard Castle) and the award of lucrative PPE supplies contracts to companies who seemingly have little experience of the health sector. In July, the Information Commissioner launched an investigation into reports that ministers and senior officials have been using private correspondence channels, such as Whatsapp and private email accounts, to conduct sensitive official business.
FOI allows the public to see how their money is being spent. It is extraordinary that a body like ARIA, which is responsible for spending £800 million of public funds over four years, should be free from the scrutiny that applies to the whole public sector including small parish councils. ARIA will be tasked with handing out lucrative research contracts and so the public have a right to know how their money will be spent.
Lord Callanan also said that charging the public fees for requesting government information was an “excellent idea”. This idea has also been backed by the incoming Information Commissioner, John Edwards. He told a committee of MPs in September that it was “legitimate” to ask the public to meet the cost of digging out the relevant information.
One of the government’s arguments for introducing fees is that it costs money to deal with complex freedom of information requests. However, the current legislation already allows for fees to be charged if a request takes more than 18 hours to deal with, or 24 hours if made to a government department.
Introducing a flat fee or fees for all requests will undermine the public’s trust in government. At a time when the economy is weak and the cost of living is going up, why should the public have to pay for information that has been gathered by public bodies using public funds? In a sense they would be asked to pay for it twice. Fees also mean that only the rich would be able to scrutinise and challenge decisions made by public bodies which affect their lives.
It could be that Lord Callanan’s comments signal the start of a government attempt to weaken FOI. If this is the case, bearing in mind Boris Johnson’s parliamentary majority, we should all be concerned. The Government must lead by example and not weaken FOI because it is a hindrance.
Watch Ibrahim Hasan’s interview with RT News here.
Act Now Training welcomes solicitor and information law expert, Kate Grimley Evans, to its team of associates. Kate specialises in helping clients with all aspects of data protection and freedom of information. She was formerly the Head of Information Law at Stone King LLP. She has also worked for other top law firms including Eversheds and Mills & Reeve. Kate is currently a Consultant Solicitor for Bates Wells and Kesteven Partners Limited.
Kate is an expert in her field and has specialist knowledge of data protection compliance in the education and charity law sectors. She is the author of the leading guidance on data protection and information law matters for the museums’ sector and is currently writing a chapter (on schools) for an Oxford University Press book on data protection.
Kate has spoken at high profile conferences such as the Grammar School Heads’ Association Conference, Institute of School Business Leaders Conference and the Optimus Education Conference. Like our other associate Susan Wolf, Kate is a Fee Paid Member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).
Ibrahim Hasan, director of Act Now Training, said:
“I am delighted that Kate has joined our team. Her wealth of experience in the education and charity sectors, will help us develop further our training and consultancy offerings to these important sectors.”
In time Kate will be delivering all the workshops on our current programme as well as developing new ones. She will also be available to conduct audits and health checks and deliver in house training particularly for charities and schools.
The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.
The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.
This is the first ever GDPR fine issued by the ICO to a public sector organisation. It is a stark contrast to the ICO’s fines under the DPA 1998, where they started with a local authority. Article 82(1) of the GDPR sets out the right to compensation:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
It will be interesting to see how many of the affected individuals pursue a civil claim.
(See also our blog post from the time the breach was reported.)