IHRIM

PDP - Compliance News Updates - 9 May 2018

  Issue: 09.05.2018

News 
ICO orders Cambridge Analytica to hand over American's personal data
The UK regulator has ordered Cambridge Analytica to hand over all the personal information it holds on a US academic, confirming the right of people abroad to seek data held by a UK firm. The Information Commissioner's Office served notice to SCL Elections, Cambridge Analytica's parent, to provide the information it holds on David Carroll, saying failure to do so would be a criminal offence punishable by an unlimited fine. The order comes days after both firms filed for insolvency.

ICO launches consultation on investigatory powers

The Information Commissioner has launched a consultation on stronger powers for the UK regulator which are written into the Data Protection Bill currently going through Parliament. In addition to the much publicised powers to levy penalties being brought in by the GDPR, the proposed new powers include no-notice inspections, compelling people and organisations to hand over information, and making it a criminal offence to destroy, falsify or conceal evidence. The consultation closes on 28th June and the revised policy will be subject to Parliamentary consideration and final approval.

Pseudonymised data in scope of portability rules, says ICO

The ICO has expanded its guidance on GDPR data portability. The GDPR requires controllers to make the personal data they possess available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance", and to transmit that data direct to other businesses at the request of consumers where it is "technically feasible". According to the ICO's guidance, personal data that have been subjected to pseudonymisation will be in scope of new data portability rules. An article explaining the new right to data portability in depth featured in Volume 17, Issue 3 of Privacy & Data Protection.

UK government told to amend communication surveillance laws

The UK government has been given until 1st November to introduce revised communication surveillance laws after existing legislation was found to be "incompatible with fundamental EU rights in the area of criminal justice". The UK High Court made its ruling after civil liberties group Liberty challenged the lawfulness of the UK's Investigatory Powers Act which came into force in November 2016. The High Court ruled the Act's communications data regime unlawful because it does not limit access to retained data to the purpose of combating 'serious crime', and because access to the data is not subject to prior review by a court or an independent administrative body.

Keynote Speech on ICO Enforcement Powers

PDP is pleased to announce that James Dipple-Johnstone, Deputy Commissioner at the UK's Information Commissioner's Office, will present the Keynote speech at the 17th Annual Data Protection Compliance Conference, taking place in London on 11th & 12th October. Mr Dipple-Johnstone will review the ICO's increased powers, including the power to audit organisations and to impose significant financial penalties, and will discuss the ICO's intentions for the use of its new powers.

Enhanced practical guidance on data protection offered in Singapore

Organisations in Singapore will be given the opportunity to obtain 'enhanced practical guidance' on data protection issues under new plans recently outlined by the country's Personal Data Protection Commission. Businesses will be able to obtain enhanced practical guidance from the Commission where the query relates to a complex or novel compliance issue, where the query cannot be addressed by PDPC's general guidance, and where the query does not amount to a request for legal advice. The Commission also published plans for new legislation on unsolicited commercial messages. The proposals are open to consultation until 7th June.

Advocate General gives key opinion in communications data case

An advisor to the EU's highest court has said that EU law permits communications data laws to be enforced by law enforcement bodies even when the crimes they are investigating are not 'serious', providing there is no serious interference with privacy rights. The non-binding view, expressed by Advocate General to the Court of Justice of the EU Henrik Saugmandsgaard Øe, could have major implications for the scope of communications data laws in place across Europe. The case before the CJEU, which is likely to be ruled on formally later this year, stems from a dispute in Spain over the scope of Spanish communications data laws.

EDPS warns businesses about GDPR privacy policies

Updated privacy policies being sent out by organisations may not be GDPR compliant, the European Data Protection Supervisor Giovanni Buttarelli has said. According to Buttarelli, some of the policies he has seen present a "take-it-or-leave-it proposition". He said that he and other DPAs were "worried that even the biggest companies may not yet understand that these manipulative approaches must change...to satisfy Article 7(4) of the GDPR" (which states that consent is not freely given if the provision of a service is made conditional on processing personal data not necessary for the performance of a contract).

Two firms fined in UK for nuisance calls and spam texts

The Information Commissioner's Office has fined two firms in Stockport for disrupting the public with nuisance marketing. IAG Nationwide Limited was fined £100,000 for making more than 69,000 "frightening" and "aggressive" calls to people registered with the Telephone Preference Service. IAG also failed to correctly identify itself in the calls, did not give people the chance to opt-out of receiving them and provided misleading information about the nature of the call. In a separate ICO investigation, Bramhall-based Costelloe and Kelly Limited was issued with a £19,000 fine for sending more than 260,000 spam texts promoting funeral plans.

Australia's Commonwealth bank lost data of 20 million accounts

As part of the latest scandal involving Australia's largest lender, the country's Commonwealth Bank has admitted losing the bank records of almost 20 million people. Names, addresses, account numbers and statements were stored on two magnetic tapes which were meant to be destroyed by a subcontractor in 2016. Despite not receiving evidence the tapes had been destroyed, the bank did not alert customers there was a potential problem.

Data Protection Bill reaches Report stage

The UK House of Commons will vote on proposed changes to the Data Protection Bill today (9th) which would impose financial penalties on the media for being involved in data protection disputes. Tom Watson, Labour's Deputy Leader, intends to introduce sanctions on newspapers for data protection complaints, compelling them to pay court costs even if the case is thrown out. Bosses of regional and local newspapers have condemned the "draconian measures" that will cause "irreparable damage to the sector if enacted".

WhatsApp Co-Founder quits, possibly due to data protection rift

WhatsApp Chief Executive Jan Koum has quit the popular messaging service he co-founded saying he was "taking some time off to do things I enjoy outside of technology". Although it is not the stated reason for his departure, a Washington Post report said that Mr Koum had clashed with parent company Facebook over WhatsApp's strategy. It is understood that he also objected to Facebook attempts to use WhatsApp's personal data and weaken its encryption standards.

Election regulator faces probe over data gaffe

The UK Electoral Commission has apologised after mistakenly releasing details of donors to a pro-Union campaign group. The regulator attempted to redact details of 168 individuals who had donated to Scotland in Union following a FOI request, but a "technical issue" meant the full names could be seen simply by cutting and pasting the spreadsheet. The body now faces investigation by the Information Commissioner's Office.
 

More in depth data protection news and articles... 

 
 
New GDPR Article Series 

Introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR.

Visit the Privacy & Data Protection for a Free Sample and to Subscribe
 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.
 

 


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
 
Here is a selection of courses taking place shortly:   
 
Alison Deighton
TLT Solicitors
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
  • the right to be informed
  • requirements for handling subject access requests
  • profiling and automated decision taking
  • the right to data deletion
  • the right to restriction of processing
  • the right to object to processing
  • the right to data portability
  • compensation
  • the right to cessation of direct marketing
  • exemptions for organisations
  • changes that should be made to organisations' privacy policies 
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
  • Belfast: Thursday, 7th June 2018
  • Glasgow: Monday, 24th September 2018
  • London: Monday, 12 November 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
 
Fedelma Good
PwC
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate against. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
  • how data protection law applies to profiling and Big Data
  • how the extended territorial scope of the GDPR catches ever more profiling activities
  • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
  • controllers' increased accountability to individuals and the remedies available to individuals
  • the circumstances in which profiling is acceptable
  • how to reduce the risks of 'discriminatory' decision-making
  • the relevance of the privacy by design and default regime
  • the GDPR position on profiling and special category personal data
  • practical guidance on what information must be supplied to customers and others
  • how to obtain explicit consent, where required.
The course is taking place on the following dates:
  • London: Tuesday, 12th June 2018
  • Belfast: Thursday, 6th December 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
Peter Given
Womble Bond Dickinson
From May 2018, organisations will be required to notify serious data breaches to both national data protection authorities and individuals, except in a narrow range of circumstances. This practical training session looks at the new breach notification obligations in detail, including:
  • the types of incidents that will trigger the requirement to notify
  • actions that organisations should be taking now in order to prepare for mandatory breach notification
  • incident response plans and opportunities to mitigate risk
  • implications for data processors
  • what the ICO, and other relevant regulators, will expect organisations to do
  • the requirement for an internal breach register and how to maintain it
  • consequences of failing to notify breaches 
It is recommended that delegates attending this session have a basic knowledge of current data protection legal requirements. Delegates with no existing knowledge may find it helpful to attend Data Protection Essential Knowledge Level 1 before attending this training course.

The next available dates for this course are:
  • London: Monday, 25th June 2018
  • London: Monday, 3rd December 2018
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue 
Did you pass the Practitioner Certificate in Data Protection prior to 2018?
 

Practitioner Certificate in Data Protection - GDPR Conversion Programme

The online self-study Programme for candidates who gained their qualification prior to 2018 to upgrade their qualification for the GDPR era.


GDPR Event
 
11th & 12th October 2018 London, UK 

 

* Workshop Topics have been announced *
 

This year, the conference is dedicated to reviewing the practical implications of the General Data Protection Regulation, and to helping organisations ensure they are compliant.
 
 
* New course for 2018 *
Cybersecurity for Data Protection Professionals  2nd July 2018 - London
Breach Notifications Training Course 

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.
Find out more & Order your copy here >


Qualify as a Data Protection Practitioner

Flexible training options allow you to train alongside other commitments
More information >
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
IBM
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Investigator
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
mutualone
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
 
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom
 
 
 

PRSB Newsletter April/May Edition 2018

 

PRSB launches new project to improve information sharing in urgent care

The PRSB has started work on a new project to improve information flows between urgent care services to ensure the right data is available in different urgent care settings to support good patient care.  
 
The work will analyse how information is shared within the NHS 111 Clinical Assessment Service (where doctors, nurses and other healthcare professionals review patient requests for clinical advice) as well as transfers of information that support referrals into services, discharges and other uses of information such as for research, audit and planning purposes. Clinical records in integrated urgent care services are usually recorded in free text, which makes it difficult to review consultations in a systematic way and share information in a usable form at transfers of care. If information in care records was structured and coded, it would be easier for clinicians to share, making care better and safer for patients. Supported by NHS England and the Royal College of Physicians’ Health Informatics Unit, this project will outline the areas where standards for information exchange are needed, with a view to developing a new standard to meet these needs later in the year. For more information please contact info@theprsb.org.
 
 
 

Are you ready for national opt-out in May?


A national data opt-out is being introduced from 25 May 2018, to give patients more choice about how their confidential information is used and shared. The NHS is currently informing patients, public and the workforce about their choices and the benefits that using data for research and planning can bring to health and care, as well as how the data is protected across the health and care system.
 
PRSB understand the importance of being able to use information not only for direct care but also for research, audit and planning purposes, so that care can be improved and made safer for patients. We also recognise the importance of people being able to choose their course of action and having the right information to do this. Care professionals may be asked by patients about the national data opt-out, and NHS Digital will be providing further information to help support them. For more details visit the national opt-out website or subscribe to the newsletter.
 

Matthew’s story is shared by MPs


This month we released the moving story of Matthew Prosser, who has profound and multiple learning disabilities. The film features Matthew’s parents, Tony and Tricia, talking about the prospect of digital care plans, and how they could transform the future of care for Matthew and others like him. It’s been shared by MP Norman Lamb and Lord James O’Shaughnessy, under-secretary of state at the Department of Health, as well as many others. We’d like to invite you to share the film with your colleagues and stakeholders, which you can find pinned on our Twitter profile. If you have any feedback, or would like to use it as part of a presentation for NHS or care providers, please contact lizzie.cernik@theprsb.org.
 

Selecting local health and care record exemplars


The PRSB has been invited to take part in the assessment process for selecting proposals submitted to NHS England for Local Health and Care Record Exemplar status (LHCRE). The aim of the Local Health and Care Record programme is to create joined up medical and care records that help people receive better care and help the NHS and social care improve the quality of care, conduct cutting-edge research and plan services better. The assessment process is underway, with a final set of exemplars to be agreed later this Spring. Following this we’ll be talking to potential sites, who may be interested in working with us to implement standards, in order to find out more about how we can support them moving forward.
 

PRSB gets active in UK events

We’ve been involved in lots of events in the past month, raising awareness about standards at the TechUK Health and Social Care Council meeting, HSJ Modernising Healthcare Summit and the Royal College of Occupational Therapists’ branch forum.
 
Our CEO Lorraine Foley delivered a speech at TechUK, while our chair Professor Maureen Baker spoke on a panel at the HSJ summit in Oxfordshire, where delegates discussed the impact of information sharing on patient care, and the problems that professionals can face when standards aren’t in place.
 
The PRSB also held an interactive workshop at the Royal College of Occupational Therapists this month to raise awareness about the work we are doing to improve integration between different health and care services. The goal of the session was to get more occupational therapists involved in our work through surveys and workshops, as well as sharing the messages of our work with colleagues and stakeholders across the UK.
 
If you’re a patient or you work in health or care and would like to find out more about getting involved, please contact info@theprsb.org.
 

Upcoming events
 

Next month the PRSB will be speaking at e-Health Week and Patient Information Forum’s digital health event, to raise awareness about the important work we have been doing to improve the safety and quality of care.  
 
At e-Health Week, which takes place on the 15th and 16th May at Olympia London, we’ll be exhibiting at stand number 232, while Phil Koczan and Maureen Baker will be taking part in speaking sessions throughout the day. Maureen will also be engaging with patients at a Patient Information Forum on Digital Health Information, drawing upon her experience as a GP and her work with the Professional Record Standards Body to talk about the importance of accurate, timely records being shared between care professionals and with patients.
 
In June we’ll be heading to Glasgow to exhibit at the NHS Scotland event from 18th-19th June and the Digital Healthcare Show which is due to take place at ExCeL London on 27th and 28th June.
We’ll be raising awareness at these events about the importance of good information sharing, and the impact it can have on the lives of patients and professionals. If you’re attending any of these events, we’d like to invite you to visit our stand and attend our speaking sessions.
 

PRSB supporting Digital Health Summer Schools

As part of our new partnership with Digital Health, we are supporting the Digital Health Summer Schools 2018, and will be working with them to develop sessions on standards and patient engagement. The event, which is being held on the 18-20 July at The University of Birmingham, will include a range of varied sessions and you can find out more about the programme here. Three site visits, including two Global Digital Exemplars, will also be available to delegates. Site visits are a popular part of the Summer Schools programme, providing an opportunity to visit leading NHS organisations.


Site visits

  • University Hospital Birmingham NHS FT (acute GDE) - A chance to get the inside track on key initiatives at a digitally mature hospital trust in the NHS.
  • Birmingham and Solihull Mental Health NHS FT (mental health GDE) - Visit one of the NHS’s digitally advanced mental health providers.
  • Birmingham CCG - The first Summer School CCG site visit will cover steps to integrate care across Birmingham.


Places on the site visits are strictly limited and will be offered on a first come, first served basis. A full programme of Summer Schools sessions will be run for those not attending the site visits. Visit the Digital Health Summer Schools 2018 website for further details.

 

Care connect standards to help information flows
 

INTEROPen has been working on new Care Connect standards so that information can flow freely between different clinical systems, to support joined up services across the health and social care sector.

When health and care professionals can access, share and add accurate and up-to-date patient information at the point of care and across different clinical contexts, they are able to make timely and considered decisions about a patient’s immediate or ongoing care, improving overall care. A team of INTEROPen members, including IT suppliers, NHS England and NHS Digital specialists, and PRSB clinical advisers have been working together to develop the national standards and requirements that will ensure computer systems use the same digital language to talk about the conditions, symptoms, medications and other information described in a patient record. A full and detailed guide to Care Connect, entitled ‘What is Care Connect?’, is due to be published by INTEROPen and shared in our newsletter later this spring. To find out more, take a look at the videos from INTEROPen’s Interop Summit, read this Introduction to Care Connect API, or take part in a FREE day of learning for clinicians hosted by INTEROPen, Clinicians on FHIR: The Connectathon, on 24 May in London. To join INTEROPen contact admin@interopen.org or complete their online form.
 

Australia introduces digital child health initiative

Australia’s states and territories have joined forces to create a new digital initiative that will ensure the right child health information can be accessed by care professionals, to improve the health and wellbeing of Australian children. The Australian Digital Health Agency is partnering with eHealth NSW and the Sydney Children’s Hospitals Network (SCHN) to establish the National Children’s Digital Health Collaborative.
SCHN Chief Executive Dr Michael Brydon said that records on a child’s health and development are currently captured in multiple paper and digital systems, meaning they are not always available when they are needed. “The Collaborative is exploring how every child in Australia can have the option of a comprehensive digital health record from the time they are conceived, through those critical first years and adolescence; readily accessible by parents and healthcare providers and ultimately for that individual throughout their life.
“This will be of enormous value – not only to healthcare professionals providing care to those children – but to the children themselves as they become young adults and start making decisions about their own health and care,” Dr Brydon said.
 

Share our updates

We’d like to invite you to share this newsletter with stakeholders and colleagues. If you have been forwarded this newsletter and would like to receive our updates on a regular basis, please contact holly.kearn@theprsb.org or subscribe here

The PRSB · 32-36 Loman Street · London, Bst SE1 0EH · United Kingdom

PDP - Compliance News Updates - 24 April 2018

  Issue: 24.04.2018

News 
Final guidelines on consent, transparency and BCRs
The Article 29 Working Party has now published its final guidance on consent. One new change from the draft guidance is the insertion of a new section addressing requests for consent online, where continued use of a site is stated to amount to consent (the Working Party says that this will be inadequate). The Working Party also issued final guidelines on transparency and the BCRs approval procedure. The contents of the final guidelines will be analysed in-depth as part of Privacy & Data Protection's ongoing GDPR series.
Two UK firms fined for making nuisance calls
Two firms in West Yorkshire have been fined by the Information Commissioner's Office for calling people registered with the Telephone Preference Service. Bradford-based Energy Saving Centre Ltd, which offers services such as replacement windows and doors and guttering, made seven million calls over a seven month period without screening them against the TPS register. The ICO fined the firm £250,000 because at least 34,000 of these calls were made to TPS subscribers. In a separate case, Alex Goldthorpe, trading as Approved Green Energy Solutions, was fined £150,000 for making over 300,000 calls to TPS subscribers between April and July 2017. Energy Saving Centre has also been issued with an enforcement notice ordering it to stop illegal marketing.
Hamburg opens non-compliance procedure against Facebook
Hamburg's data protection regulator is the latest to open an investigation against Facebook over the Cambridge Analytica scandal. Hamburg's Data Protection Commissioner, Johannes Caspar, notified Facebook in writing that he had opened the probe, saying that "first we will seek a statement from Facebook and then hearings will begin". The investigation could lead to a fine of up to 300,000 euros ($370,000).
US court drops long-running data access case involving Microsoft
A long-running case over whether US authorities have a right to access data stored outside of the country has been brought to an end after the Supreme Court found the legal dispute to be "moot" in light of recent developments. The dispute stemmed from a drug trafficking case in which Microsoft was served with a domestic warrant requesting emails stored at a data centre in Ireland. Microsoft challenged the warrant, stating that the government didn't have the right to access private information stored abroad at the time. In March, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed by Congress and signed into law, providing a legal framework that clarified the position with warrants. It was on this basis that the Supreme Court reached its decision. The case isn't over yet, however: the Justice Department has since obtained a new warrant under the new law. Microsoft is currently in the process of reviewing the warrant and deciding how to respond.
MPs raise 'serious concerns' over NHS Digital stewardship of data
A group of UK MPs said it had "serious concerns" over the ability of the senior leadership of NHS Digital to understand and protect health and social care data. The comments came within a House of Commons Health and Social Care Committee report into the memorandum of understanding on data-sharing between NHS Digital and the Home Office which came into effect on 1st January. In January 2018 the Committee asked NHS Digital to suspend its involvement in the agreement, saying that there was "inadequate consultation during the formulation of the MOU and a failure to pay due regard to the underlying ethical considerations and potential unintended consequences for public health [which] resulted in a situation where data-sharing is taking place in a manner which...could lead to serious unintentional consequences for both individuals and wider public health." The request was rejected, so the Committee took further evidence on the issue and has now come to the same conclusion.
TSB apologises following online banking data breach
UK bank TSB has apologised to customers who could not access their accounts through the company's app and online banking service on Sunday night and Monday morning. A number of customers complained of a "data breach" and said that they were able to view other people's account information through the app. The issues came after TSB carried out planned upgrade work to its technology over the weekend. One honest customer said he had been credited with a large sum of money that was not his once he managed to get back into the app. "My balance, because of my overdraft, is in minus, but my balance was showing at £13,000," said Laim McKenzie, from Paisley in Scotland.
Belgian Privacy Commission issues recommendation on Impact Assessment
The Belgian Privacy Commission has issued a recommendation (currently only available in French and Dutch) on Data Protection Impact Assessments and the prior consultation requirements under Articles 35 and 36 of the GDPR. The recommendation is intended to provide guidance on the core elements and requirements of a DPIA. Among the key takeaways, the Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be interpreted in light of two central principles of the GDPR: the principle of accountability and the risk-based approach. In terms of when a DPIA is required, the DPA said that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is "likely to result in a high risk to the rights and freedoms of natural persons."
FTC revises its security settlement with Uber
The Federal Trade Commission has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach which took place during the time that the FTC was investigating an earlier, 2014 breach. The revised proposed agreement goes beyond the FTC's original settlement and requires Uber to address software design, development and testing, how the company reviews and responds to third-party security vulnerability reports, and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any incident where the company is required to notify any US government entity about the unauthorised access of any consumer's information.
Facebook moves 1.5bn users out of reach of new European privacy law
In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The move is due to come into effect shortly before General Data Protection Regulation comes into force in Europe on 25th May. Meanwhile, the company has also started asking European and Canadian users to let it use facial recognition technology to identify them in photos and videos. Facebook originally began face-matching users outside Canada in 2011, but stopped doing so for EU citizens the following year after protests from regulators and privacy campaigners. The move is likely to be controversial.
 

More in depth data protection news and articles... 

 
 
New GDPR Article Series 

Introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR

Visit the Privacy & Data Protection for a Free Sample and to Subscribe
 

Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.
 

 


Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
 
Here is a selection of courses taking place shortly:   
 
Alison Deighton
TLT Solicitors
All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
  • the right to be informed
  • requirements for handling subject access requests
  • profiling and automated decision taking
  • the right to data deletion
  • the right to restriction of processing
  • the right to object to processing
  • the right to data portability
  • compensation
  • the right to cessation of direct marketing
  • exemptions for organisations
  • changes that should be made to organisations' privacy policies 
Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
  • Belfast             Thursday, 7th June 2018
  • Glasgow          Monday, 24th September 2018 
For further information and to make a booking,
  1. Visit PDP's website 
  2. Telephone PDP at +44 (0)207 014 3399
  3. Download the PDF Training Catalogue
 
Fedelma Good
PwC
Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate against. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
  • how data protection law applies to profiling and Big Data
  • how the extended territorial scope of the GDPR catches ever more profiling activities
  • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
  • controllers' increased accountability to individuals and the remedies available to individuals
  • the circumstances in which profiling is acceptable
  • how to reduce the risks of 'discriminatory' decision-making
  • the relevance of the privacy by design and default regime
  • the GDPR position on profiling and special category personal data
  • practical guidance on what information must be supplied to customers and others
  • how to obtain explicit consent, where required.
The course is taking place on the following dates:
  • London    Tuesday, 12th June 2018
  • Belfast     Thursday, 6th December 2018
John Wilson
JMW Mosaic
This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment. This training session is designed to meet the needs of senior and more experienced practitioners and builds on the basic and intermediate skills and techniques covered on the Records Management 1 and Records Management 2 training courses. Topics covered include:
  • Information governance
  • Dealing with risk
  • Records management policy development
  • Embedding good records management practice
  • Records migration and dealing with legacy records
  • Digital continuity - managing electronic records over time
Delegates are encouraged to share their own experiences in the session. 

The next available dates for this course are:
  • Glasgow        Friday, 22nd June 2018
  • London          Wednesday, 26 September 2018 


Final few places remaining for May 2018
PC.dp Residential Programme

The residential option on the Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively on four consecutive days (rather than five for the Standard Programme)
  
 

"By far the most practical resource available to help understand the complexities of the GDPR..."
A Practical Guide to UK and EU Law  

This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.
Find out more & Order your copy here >
* New course *
Cybersecurity for Data Protection Professionals  2nd July 2018 - London
Breach Notifications Training Course 

This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.


Qualify as a Data Protection Practitioner

Flexible training options allow you to train alongside other commitments
"The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
Caroline Chalk
Head External Information Services
Civil Aviation Authority
"I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
Brendan Byrne
Senior Managing Consultant Security & Privacy
IBM
"The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
Kim Bellis
Records Service Manager
Royal Cornwall Hospitals NHS Trust
"I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
Alan White
Data Protection Manager
Pitney Bowes
"The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
Bleneta Carr
Investigator
Pearson Education
"I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
Joanne Maurizi
Assistant Manager
mutualone
"Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
Steve Sands
Head of Security
Synectics Solutions
 
PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom
 
 
 

PDP - FOI News Update - 24 April 2018

  Issue: 25/04/2018

News

Council fined after revealing personal data in FOI response
After being issued with seven decision notices regarding late FOI responses earlier this month, the Royal Borough of Kensington and Chelsea has been fined £120,000 by the Information Commissioner's Office after it unlawfully identified 943 people who owned vacant properties in the borough. The fine was made under the Data Protection Act. Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information Act. The journalists later published three of the names.
Council fails in appeal over FOI request and commercial prejudice
Hartlepool Borough Council has lost an appeal against a ruling by the Information Commissioner because it failed to provide evidence of what harm to commercial interests would be done by disclosing material dating from 2005 and relating to the transfer of ownership of Durham Tees Valley Airport. FOI Applicant John Latimer had made a FOI request for papers relating to how ownership of 75% of the airport came to be transferred by the six Tees Valley local authorities to property firm Peel. Some information was provided but the council withheld the rest, though it later made further releases, and Latimer took his case to the Commissioner, who ruled in his favour. Giving judgment in the First-Tier Tribunal General Regulatory Chamber (Information Rights), Judge Anisa Dhanji said neither the council nor property firm Peel had shown any convincing reason for keeping private details of the deal they did over the airport.
Labour proposes to make housing associations subject to FOIA
A new Labour Green paper proposes making housing associations subject to the Freedom of Information Act and requiring all social landlords to publish fire safety reports regularly. Currently, housing associations can refuse to answer requests about fire risks, safety problems, eviction policies, waiting lists and other matters. Jeremy Corbyn and Shadow Housing Secretary John Healey will unveil the paper, titled Housing for the Many, at the Local Government Association headquarters in London this week.
Councillor attacks press use of FOI
An East Renfrewshire councillor has attacked the press and public over Freedom of Information requests. During a recent meeting Labour Member Alan Lafferty slammed "lazy journalists" and political researchers and demanded that those who use FOI laws be "weeded out." Councillor Lafferty also complained about residents' use of FOIs. He said: "We're getting to the stage where it's diverting resources from frontline services." Cllr Lafferty was speaking after it was revealed that the council dealt with a record 1,296 FOI requests last year. That was up by 10 per cent on the previous highest total, with requests from political groups making up 13 per cent of submissions.
BBC obtains copy of "Bruno letter"
The BBC has obtained a document that sheds new light on the decision by British politician Jeremy Thorpe's lawyers not to let him give evidence at his Old Bailey trial in the 1970s, when he was charged with conspiracy and incitement to murder. The letter was from Mr Thorpe to an American man called Bruno, sent after they had met in San Francisco in 1961. Had Mr Thorpe given evidence, he would have faced questioning about his sexuality which he wanted to avoid. The FOI Specialist Martin Rosenbaum received the "Bruno letter" and connected records from the US Federal Bureau of Investigation after making an FOI request under US Freedom of Information law.
Freedom of Information Journal
More freedom of information news and articles
Visit the website to receive a Free Sample Copy or to Subscribe Now
"PDP's FOI journal has proved very helpful in keeping us up to date with developments in FOI, interesting news and case law."
Deborah Coombs
Nottingham University Hospitals NHS Trust
Subscribe to two or more journals at the same time and receive a discount
For more information, visit PDP Journals

Professional and practical Training Courses enable delegates to understand the legal requirements in key areas of compliance.  
 
The following is a selection of some of PDP's current courses.  
Estelle Dehon
Cornerstone Barristers
Since the Freedom of Information Act 2000 came fully into force in 2005 we have experienced a fundamental change in the relationship between UK government and its citizens as government information has become more publicly accessible. Greater transparency is also a key policy of the Coalition Government, and in light of the deficit reduction programme there is an ever increasing public interest in how public money is spent. This has led to the publication of a wide range of public sector datasets and proposals to expand the Freedom of Information Act through the Protection of Freedoms Bill. Information Officers are central to these developments and need to be fully aware of the Act and the impact of future changes to it. This training session is designed to help those who are on the receiving end of requests for information and those who advise and assist them. This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information. Upcoming dates for this training course are:
  • Belfast           Monday, 24th September 2018
  • Manchester   Tuesday, 16th October 2018

 
FOI Practical Training - Level 2 (Applying the Exemptions)
Liz Fitzsimons
Eversheds

Public sector bodies must make daily decisions on how to respond to requests for information under the Freedom of Information Act 2000 and how to apply the exemptions in the Act. Those decisions are increasingly reviewed and, in many cases, overturned by the Information Commissioner, the Information Tribunal and the Courts. As case law develops and changes, public authorities need to ensure that they understand when the exemptions can be applied, and what they have to demonstrate to apply them correctly. This training session considers in detail the practical application of the main FOI exemptions. A discount is available for delegates booking both FOI Level 1 and FOI Level 2. This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information. Upcoming dates for this training course are:
  • Belfast           Tuesday, 25th September 2018
  • Manchester    Wednesday, 17th October 2018

FOI and Data Protection - How They Work Together

Damien Welfare Cornerstone Barristers
The competing demands of Freedom of Information and Data Protection legislation in the UK present challenges for all public bodies involved in collecting, holding and disclosing personal information. Understanding the interface between Freedom of Information laws (including the Environmental Information Regulations 2004 (EIR)) and the Data Protection Act 1998 (as well as the provisions of the upcoming General Data Protection Regulation) is essential for all those involved with information management in the public sector. This session, which is designed for people who already work with FOI issues, explains the key principles underlying the differences between FOI and data protection laws, including when personal data should and should not be released in response to subject access requests and FOI/EIR requests. Delegates who do not have an existing understanding of the basics of FOI law are recommended to attend FOI Level 1 before attending this session. This session enables delegates to understand how to manage requests for information, and to achieve best practice within their organisation. This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information. Upcoming dates for this training course are:
  • Belfast            Wednesday, 26th September 2018
  • Manchester    Thursday, 18th October 2018
 
Understanding the Environmental Information Regulations
Damien Welfare Cornerstone Barristers
The Environmental Information Regulations 2004 cover a wide range of information which has often been assumed to fall under the Freedom of Information Act. The scope of EIR is not restricted just to "green" subjects or information, but extends to land use, planning, transport, waste, energy, agriculture, housing development, public nuisance, and aspects of public health, food safety, buildings maintenance and cultural sites. Public authorities and their advisors, and those contracting with the public sector or carrying out public functions, need to understand the scope of the Regulations in order to handle information requests correctly. This session explains the meaning and scope of the EIR. It examines in detail the boundary with FOI, based on decisions of the Information Commissioner and Information Tribunal and on guidance from DEFRA; including the potential role of a remoteness test in limiting the range of information covered. It analyses the "exceptions" and how to approach the public interest test. The course equips practitioners to recognise and handle practical issues arising under the Regulations with confidence, and to avoid the pitfalls of dealing with information requests under the wrong regime. This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information. Upcoming dates for this training course are:
  • Belfast            Thursday, 27th September 2018
  • Manchester    Friday, 19th October 2018
The latest edition (Volume 14, Issue 3), features the following articles:
  • Back to the FOIA: how FOIA affects historical records - Paul Gibbons, aka FOIMan
  • To hold, or not to hold - that is the question - Lynn Wyeth, Leicester City Council
  • Recent decisions of the Commissioner and Tribunal - Alison Berridge & Imogen Proud, Monckton Chambers
Request a FREE sample or

For more information, please visit PDP Journals


Advanced Records Management Training
Glasgow - 22nd June 2018
 
 

This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment.
 
Contact us 
 
Should you have any Training, Conference, Recruitment or Journal queries, please 
send us an email


PDP Training Catalogue 2018  
available for download
 
Browse through PDP's leading information compliance qualifications and training courses 
 
  
 
     
Flexible training options allow you to train alongside other commitments  
   
 
"I am very pleased to have achieved the Practitioner Certificate in Freedom of Information. The programme provides excellent knowledge and understanding on the practical applications of handling requests for information"
Louise Smith
Financial Ombudsman Service
"A very worthwhile qualification which I wholeheartedly recommend to colleagues"
Barbara Tyldesley
The Environment Agency
"I am so pleased to have passed the Practitioner Certificate in FOI. The 4 day course was excellent and I am now confident in my role as FOI Officer for Social Services. The course has helped me develop my skills and knowledge of FOI/EIR and DP and I would encourage anyone working in this area to attend."
Rachael Strand
Flintshire County Council
"The Practitioner Certificate in FOI was an excellent opportunity to receive specialised training and gain a recognised qualification. In particular, I found the instructors to be both knowledgeable and engaging. As a regulator in an overseas territory, I was easily able to translate the learning into practice. I have and do encourage other FOI practitioners to take advantage of this training programme."
Clara Smith
Information Commissioner's Office (Grand Cayman)
"I am delighted to have passed my examination, achieving this qualification and attending the courses have been a very positive experience which have boosted my confidence and enthusiasm for this subject. I found the courses very informative and the course handout binders are an excellent reference tool which is very relevant to the workplace."
Julie Johnson
Durham County Council
"I'm delighted to have passed the exam; it was hard work preparing for an exam, having not sat one for over 10 years, but the course materials really helped structure my revision. Passing has increased my confidence in dealing with the Act which will be of benefit to myself as well as my organisation."
Heledd Thomas
Comisiynydd y Gymraeg
"I found this to be a comprehensive course, which was well structured to be relevant and of interest to everyone from FOI beginners to more seasoned practitioners. The course tutors were very knowledgeable and clearly very interested in their respective topic areas, and the course was similarly detailed and well-taught."
Mark Reynolds
Barclays
"I'm thrilled to have gained this qualification. FOI can be a complicated area to understand and apply, but the tutors were excellent in bringing it to life in an interesting way."
Angela Sanderson
Big Lottery Fund
"The Practitioner's Certificate has equipped me with the knowledge and confidence to undertake my role. I found the courses well presented and easy to follow. The case studies are particularly useful, as they give an insight into different scenarios that one may experience. I would recommend PDP to anyone wanting to gain this qualification."
Kim Starbuck
London Borough of Barking and Dagenham
"Both the thought provoking training and materials as well as passing the exam will help to ensure we provide a prompt quality service when dealing with information requests particularly as those involving planning can raise complex issues"
John Pierce
The Department for Communities and Local Government 
 
 
 
 

Clinical Coding Conference: Looking to the future

 

 

Following the success of last years event,
