Calling all Information Governance Experts: We are Hiring

We Are Hiring

Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.

Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from both the public and private sectors. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

We are particularly interested in experienced Cyber Security trainers, as we are facing a lot of demand after launching our Introduction to Cyber Security workshop. The health sector is also a focus area for us in 2020. Our workshops on GDPR and on the role of SIROs and Caldicott Guardians have led to more interest in this area.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in GDPR, FOI or Cyber Security. A full privacy policy can be read on our website.



The California Consumer Privacy Act


The California Consumer Privacy Act (CCPA) comes into force on 1st January 2020. Sometimes described as the US equivalent of the General Data Protection Regulation (GDPR), it provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

CCPA’s impact will not just be felt by California-based businesses; businesses worldwide that process personal data about Californian consumers will need to consider their privacy practices. With 40 million Californian residents, making up 12 percent of the US population, most big businesses, wherever they are based, are likely to have to comply with the CCPA.

Like GDPR, CCPA is about giving people control over how their personal data is used by organisations. It requires transparency about how personal data is collected, used and shared. It gives Californian consumers various rights including the right to:

  • Know and access the personal data being collected about them
  • Know whether their personal data is being sold, and to whom
  • Opt out of having their personal data sold
  • Have their personal data deleted upon request
  • Avoid discrimination for exercising their rights

CCPA also includes a breach notification requirement like GDPR. A security breach involving personal data must be notified to each individual it affects. It does not matter whether the data is maintained in or outside of California.

Fines and Enforcement

Fines for breaches of CCPA include:

  • $2,500 for unintentional and $7,500 for intentional violations of the Act. Legal action must be brought by the California Attorney General.
  • $100-$750 per incident, per consumer (or actual damages, if higher) for damage caused by a data breach. Legal action may be brought by consumers.

A business shall only be in breach of the CCPA if it fails to cure any alleged violation within 30 days after being notified of the same.

While these fines may appear relatively low, it is important to keep in mind they are per violation. It is not uncommon for a privacy incident to affect thousands or tens of thousands of consumers, in which case these fines could reach the hundreds of thousands or millions of dollars.

A Federal Privacy Law?

CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S. federal privacy regulation. Nevada residents also now have more control over how their personal information is used. Senate Bill 220 went into law recently, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.

CCPA will not just have a big impact on US businesses. UK and EU companies doing business in the States also need to understand its provisions and implications. Ibrahim Hasan will be speaking about this topic when he addresses the NAPCP Commercial Card and Payment Conference in Las Vegas in April 2020.

CCPA and GDPR

CCPA is often compared to the GDPR. Both laws give individuals rights to access and delete their personal information, require transparency about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it does not require businesses to have a legal basis for processing personal data (Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer. To learn more about the differences, have a look at this comparison chart produced by BakerHostetler LLP.

CCPA Webinar

Our forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.


Viva Las Vegas


Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.


The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.

In a session entitled “Complying with the GDPR and United States Privacy Legislation”, Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting pre- and post-conference webinars on these subjects to the NAPCP community.

The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.

Diane McGuire, CPCP, MBA, Managing Director of the NAPCP, said:

“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”

This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.

Ibrahim Hasan said:

“I am really pleased to address the NAPCP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”

Regular registration is now open for the event. Head over to this link to confirm registration.


Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.


FOI Reflections Series Part 1: When is an FOI request not an FOI request?


During a recent FOI A-Z course a delegate asked me what seemed like the simplest of questions: “How do we know whether something is business as usual, or an FOI request?” Naturally enough that gave rise to an interesting short discussion in which delegates expressed different views based on their practice and organisational policies. What became clear, though, was that this seemingly simple question is anything but. So, how do organisations and practitioners know whether something is ‘business as usual’ or an FOI request?

Before attempting to answer this question, it is important to remind ourselves what a valid request under the Act looks like. S. 8 of the Freedom of Information Act (FOIA) states that a request for information under the Act must:

  • Be in writing (this must be legible and can include electronic communication)
  • State the name of the applicant and the address for correspondence
  • Describe the information requested

This means that there is a degree of legal formality about an FOI request, particularly the need for it to be in writing. However, as the ICO guidance notes, this is not a hard test to satisfy and “almost anything in writing which asks for information will count as a request under the Act”. So far so good. On this logic any communication in writing that includes a request for information is to be regarded as a request under the Act and must be dealt with accordingly.

Requestors do not need to mention the Act or even direct their request to a designated FOI practitioner or team. Of course, where a requestor specifically mentions the Act this makes life easier and the request should be dealt with as an FOI request.

Responding to FOIA requests: Section 1

S.1 states that on receipt of a valid FOI request public authorities must do two things:

  • First, they must provide a written response which either confirms or denies that they hold the information (the duty to confirm or deny) (S. 1(a)); and
  • Second, they must communicate the information to the applicant (unless any exemption(s) apply) (S. 1(b)). It is useful to point out that the Act does not require the communication to be in writing, although it usually will be, particularly when requests are made by email or letter. S. 1(b) does allow for the oral communication of information.

However, what is perhaps less well known is that S.1(5) states that a public authority is deemed to have complied with (1)(a) where it has communicated the information to the applicant under 1(b). For instance, if a public authority receives an email request for a standard piece of information and it replies with an email attachment, or phones the applicant and tells them the information, then they are deemed to have complied with their duty to confirm or deny, without actually formally using these words. But this would still be a request under the Act and ought to be recorded as such.

So what is the problem?

The difficulty arises, in part, because of the advice given in the various guidance from the Information Commissioner’s Office and the revised S. 45 Code of Practice (see our blog on this code here), which both suggest that there are some circumstances where, despite the validity of a request, it may be more appropriate to deal with it outside of the Act.

  • The Code of Practice advises that, “information given out as part of routine business, for example, standard responses to general enquiries” does not need to be dealt with under the Act.
  • The ICO Guide states that, “It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures”. The ICO offers two examples of a normal customer enquiry; where a member of the public wants to know what date their rubbish will be collected, or whether a school has a space for their child. The ICO’s corresponding Flowchart refers to these as requests ‘in the normal course of business’.
  • The ICO’s Guidance on Recognising a Request under the FOIA states that if the requested information can be quickly and easily sent to the requester then it may be better dealt with in ‘the normal course of business’; for example, a request for a current leaflet.
  • The ICO Guide elaborates by saying that the provisions of the Act only need to come into force if a public authority “cannot provide the requested information straight away” or the requestor “makes it clear that they expect the request to be dealt with under the Act”.

All the above appear to suggest that public authorities have a degree of discretion in deciding whether a seemingly valid request for information should be treated as a formal request under the Act or whether they can simply provide the information without going through the formalities of the Act.

Little wonder then that FOI practitioners struggle and ask the seemingly simple question that prompted this blog! In response I would offer the following thoughts, which may be useful to bear in mind when contemplating whether a request is an FOI request or not:

  1. The Act is legally binding, and it states that valid requests (defined in S.8) must be dealt with as requests under the Act. The guidance is not legally binding and has no legal authority.
  2. The formalities of the Act are not onerous in circumstances where a public authority is not applying an exemption. Remember, S.1(5) states that by communicating the information to the applicant you are deemed to have complied with your duty to confirm or deny that you hold the information.
  3. The revised Code of Practice recommends that all public authorities with more than 100 full time equivalent employees publish their FOI compliance statistics on their publication schemes on a quarterly basis.
  4. FOI practitioners frequently say that they are under-resourced and heavily burdened. Recording all requests for information as requests under the Act (as opposed to disclosing informally) will help provide a truer reflection of the volume of requests made to public authorities.

Once we know what an FOI request is, the next question is who can make a request? What about Spiderman? The answer is here.

We have a series of FOI workshops covering the basics as well as more advanced topics such as exemptions. Our FOI Practitioner Certificate is popular with FOI officers seeking a formal qualification. Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch if you would like a no obligation quote.


The Scottish Information Commissioner’s Annual (FOISA) Report


The Scottish Information Commissioner, Daren Fitzhenry, recently published his annual report for 2018/19. Mr Fitzhenry enforces the Freedom of Information (Scotland) Act 2002 (FOISA) as well as the Environmental Information (Scotland) Regulations 2004.

According to the report, Scottish public bodies are receiving record numbers of FOISA requests: 83,963 requests were reported by them in the year 2018/19, a rise of 8% on the year before. Three quarters of these requests led to a full or partial release of information.

The number of appeals made to the Scottish Information Commissioner also increased, by 10% to 560, still just 0.7% of all requests made. Just under two thirds of the Commissioner’s appeal decisions (64%) were either fully or partially in favour of the requester.

Scottish public authorities must respond promptly to FOISA requests and no later than 20 working days. However, the report shows that they are increasingly failing to comply with this requirement. The number of times an authority failed to respond to an FOI request rose from 601 in 2017/18 to 940 in 2018/19. 26% of valid appeals to the Commissioner were about an authority’s failure to respond.

The Commissioner has responded to this failure to comply with the FOISA time limits by making more than 250 interventions over the course of the year. A third (33%) of his basic interventions investigated authorities’ compliance with statutory timescales. Often these failures can be indications of other fundamental problems, such as FOISA management and culture issues, staff absences or procedures not working well.

A poll of Scottish adults, conducted in May 2019, found disappointing levels of confidence in public bodies’ ability to respond to requests, much lower than the actual performance in practice. 57% of those surveyed were “very” or “fairly confident” they would receive a response to a request for information from a public body. 38% were “not very” or “not at all confident” they would receive a response. Any increases in authorities’ failures to respond are likely to feed this perception.

FOISA requires authorities to publish information as well as respond to requests. According to the above-mentioned poll, 9 in 10 people in Scotland thought it was important for public bodies to publish information about the reasons for the decisions they make, information about contracts with other organisations and information about how they spend their money.

The Commissioner is using the opportunity of his annual report to emphasise the need for authorities to do more to improve their FOISA compliance. He said on his website:

“We are seeing increasing numbers of information requests being made to Scottish public authorities.

While many are performing well, there has been a concerning increase in failures to respond to requests for information on time. Such failures impact on people’s perception of both freedom of information and the authorities themselves.

Freedom of Information brings significant benefits to authorities who comply with it. Public bodies improving their Freedom of Information practice will make a real difference not only to the requester’s experience but also to the authorities themselves.”

It’s going to be a busy year ahead for FOISA. The Scottish Parliament is due to complete its post-legislative scrutiny of the Act soon. This may lead to legislative changes. From 11 November 2019, registered social landlords (RSLs) in Scotland will become subject to FOISA.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. Read a successful candidate’s observations.


European Data Protection Summit: Act Now Announces Winners of Free Tickets


Act Now is pleased to announce the winners of the 5 free delegate tickets for the European Data Protection Summit taking place in Manchester on 13th and 14th November 2019. We are sponsoring this two-day event, which will deliver top-level strategic content, insights, networking, and discussion around data protection, privacy and security. In addition to leading content, tickets will include refreshments, lunch and access to exclusive post-event content.

Congratulations to:

  1. Jamie Burton of Wythenshawe Community Housing Group
  2. Kathy Fleming of The Lead Agency
  3. Sam License of National Institute for Health and Care Excellence
  4. Matt Stephenson of University of Bradford
  5. Jacqueline Gillanders of HEFSTIS

All the winners will receive an email giving details of how they can book their free place.

Thank you to all of those who expressed an interest.

We will be exhibiting at this event. Come and say hello on our stand and talk to us about our range of GDPR Update Workshops, E-learning and Certificate Courses (oh, and collect some freebies!).


GDPR, Class Actions and the Right to Compensation


In November 2018 we reported the decision of the English High Court in the case of Lloyd v Google [2018] EWHC 2599 (QB). In summary, Mr Lloyd, who is a consumer protection champion, was attempting to bring a ‘class action’ (or ‘representative’ action) against Google. He brought the claim on behalf of over 4 million Apple iPhone users, alleging that Google had secretly tracked some of their internet activity, for commercial purposes, between August 2011 and February 2012.

Because Google is based in Delaware in the USA, Mr Lloyd first had to seek permission from the High Court to serve the legal action outside the jurisdiction of the English courts. To do this he had to prove that the claim had a reasonable prospect of success. The High Court decided that the claim did not have a reasonable prospect of success for two reasons.

Firstly, none of the people in the represented class had suffered damage under S. 13 Data Protection Act 1998 (DPA). This provision contained a right to compensation which is now to be found in Article 82 of the General Data Protection Regulation (GDPR). The High Court took the view that the claimants seemed to be relying on the fact that they were entitled to be compensated because of the breach alone, without showing how the breach had caused any damage, which was a necessary requirement for the class action to proceed under section 13. Secondly, the members of the ‘class’ did not share the same interest and were not identifiable, which was also a necessary requirement.

On 2nd October 2019 the Court of Appeal, in Lloyd v Google [2019] EWCA Civ 1599, reversed this decision and gave Mr Lloyd the right to proceed with his representative action against Google in the English Courts. This decision is significant because it now means that the claim against Google will be considered, at some future date, in the Media and Communications Court in London. It is also significant because of the Court’s ruling on the question of damages in respect of breaches of data protection legislation.

Why did the Court of Appeal reach this different decision?

The first legal question the Court had to consider was whether the claimants could recover damages for loss of control of their personal data under S. 13 of the DPA 1998. It decided, after reviewing various authorities from earlier case law and interpreting the DPA 1998 by reference to agreed principles of European Union law, that they could.

The Court of Appeal’s approach was quite different to that of the High Court. The latter had rejected Mr Lloyd’s argument that the claimants were entitled to compensation because of the breach alone. It stated that it was necessary for a claimant to demonstrate a causal link between the breach of the DPA and the damage suffered, and they had not.

In reversing the decision, the Court of Appeal emphasised that S. 13 of the DPA had to be interpreted in the light of Article 13 of the Data Protection Directive 1995 and Article 8 of the Charter of Fundamental Rights of the European Union. It also referred to the General Data Protection Regulation 2016. In particular, the Court considered GDPR ***Recital 85, which supports the view that “loss of control” over personal data is an example of the kind of “physical, material or non-material damage that might be caused to natural persons as a result of a data breach”. On this basis, the Court of Appeal accepted that a claimant could claim damages in respect of ‘loss of control’ of their personal data, provided the damage was not trivial. On the facts, the Court considered that ‘browser generated information’ (BGI) was an asset that had commercial value. Consequently, a person’s control over their BGI does have a value, so that the loss of control must also have a value. Therefore, the loss of control damages claimed by the represented claimants are properly to be regarded as compensatory in nature, and damages are in principle capable of being awarded for loss of control of data under Article 23 and S. 13 DPA 1998 even if there is no pecuniary loss and no distress.

(***It is interesting that the Court of Appeal considered the recitals to interpret the substantive provisions of GDPR. These recitals are often difficult to match with the latter. Our GDPR Handbook does this for you as well as cross referencing relevant ICO Guidance and the Data Protection Act 2018.)

Turning to the second legal question that had to be considered by the Court of Appeal: was the High Court judge right to hold that the members of the class did not have the same interest and were not identifiable? According to the Civil Procedure Rules it is necessary for the claimants in a class action to all have ‘the same interest’ in the claim. The High Court decided that the claimants did not all have the same interest; some affected individuals would be heavy internet users and ‘victims’ of multiple breaches; the extent of the loss of control across such a large group would be varied; and not all users would view the loss of control in the same way.

The Court of Appeal decided that this was the wrong approach. The claimants that Mr Lloyd seeks to represent have all had their BGI (something of value) taken and used by Google, without their consent, in the same circumstances and over the same period. Accordingly, they are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. The Court accepted that this means that the damages that can be claimed (if the future action is successful) will be at the lowest common denominator.

The Court of Appeal also decided that it would be possible to identify the class of people represented in this claim. It must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having “the same interest as Mr Lloyd” at all stages of the proceedings. The Court considered that every affected person will, in theory, know whether he or she satisfies the conditions that Mr Lloyd had specified. These included any person who, between 9 August 2011 and 15 February 2013 (whilst they were present in England and Wales):

  • Had an Apple ID
  • Owned an iPhone 3G or subsequent model running iOS version 4.2.1 or later; and
  • Used the Apple Safari internet browser version 5.0 or later on that iPhone to access a website that was participating in Google’s DoubleClick advertising service

In any event, the Court recognised that Google would have the data to be able to identify every person in the class!

Conclusion

In this case the Court of Appeal reversed the High Court’s decision that Mr Lloyd could not serve an out-of-jurisdiction action against Google. It approached the case by interpreting the now repealed Data Protection Act in the light of principles of EU law. The way is now clear for this class action to proceed before the Media and Communications Court in London. It of course remains to be seen how the case will proceed and no doubt it will be fought hard by Google, given the size of the class. It is also difficult to predict how the Media and Communications Court will approach the case if it takes place post Brexit.

Readers may also wonder why the case is relevant given that the applicable law is now the GDPR. However, the Court of Appeal seemed to be at pains to point out that the GDPR supports its interpretation in this case. The significance lies in the fact that the Court of Appeal has made it clear that, in its view, it is possible to claim damages for loss of control of personal data (including BGI data) without having to prove financial loss or distress.

You can find more on these and other developments in our GDPR update workshop running in Leeds and London in November.
