• PDP - Compliance News Updates - 24 April 2018

    Final guidelines on consent, transparency and BCRs
      Issue: 24.04.2018

    The Article 29 Working Party has now published its final guidance on consent. One new change from the draft guidance is the insertion of a new section addressing requests for consent online, where continued use of a site is stated to amount to consent (the Working Party says that this will be inadequate). The Working Party also issued final guidelines on transparency and the BCRs approval procedure. The contents of the final guidelines will be analysed in-depth as part of Privacy & Data Protection's ongoing GDPR series.
    Two UK firms fined for making nuisance calls
    Two firms in West Yorkshire have been fined by the Information Commissioner's Office for calling people registered with the Telephone Preference Service. Bradford-based Energy Saving Centre Ltd, which offers services such as replacement windows and doors and guttering, made seven million calls over a seven month period without screening them against the TPS register. The ICO fined the firm £250,000 because at least 34,000 of these calls were made to TPS subscribers. In a separate case, Alex Goldthorpe, trading as Approved Green Energy Solutions, was fined £150,000 for making over 300,000 calls to TPS subscribers between April and July 2017. Energy Saving Centre has also been issued with an enforcement notice ordering it to stop illegal marketing.
    Hamburg opens non-compliance procedure against Facebook
    Hamburg's data protection regulator is the latest to open an investigation against Facebook over the Cambridge Analytica scandal. Hamburg's Data Protection Commissioner, Johannes Caspar, notified Facebook in writing that he had opened the probe, saying that "first we will seek a statement from Facebook and then hearings will begin". The investigation could lead to a fine of up to 300,000 euros ($370,000).
    US court drops long-running data access case involving Microsoft
    A long-running case over whether US authorities have a right to access data stored outside of the country has been brought to an end after the Supreme Court found the legal dispute to be "moot" in light of recent developments. The dispute stemmed from a drug trafficking case in which Microsoft was served with a domestic warrant requesting emails stored at a data centre in Ireland. Microsoft challenged the warrant, stating that the government didn't have the right to access private information stored abroad at the time. In March, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed by Congress and signed into law, providing a legal framework that clarified the position with warrants. It was on this basis that the Supreme Court reached its decision. The case isn't over yet, however: the Justice Department has since obtained a new warrant under the new law. Microsoft is currently in the process of reviewing the warrant and deciding how to respond.
    MPs raise 'serious concerns' over NHS Digital stewardship of data
    A group of UK MPs said it had "serious concerns" over the ability of the senior leadership of NHS Digital to understand and protect health and social care data. The comments came within a House of Commons Health and Social Care Committee report into the memorandum of understanding on data-sharing between NHS Digital and the Home Office which came into effect on 1st January. In January 2018 the Committee asked NHS Digital to suspend its involvement in the agreement, saying that there was "inadequate consultation during the formulation of the MOU and a failure to pay due regard to the underlying ethical considerations and potential unintended consequences for public health [which] resulted in a situation where data-sharing is taking place in a manner which...could lead to serious unintentional consequences for both individuals and wider public health." The request was rejected, so the Committee took further evidence on the issue and has now come to the same conclusion.
    TSB apologises following online banking data breach
    UK bank TSB has apologised to customers who could not access their accounts through the company's app and online banking service on Sunday night and Monday morning. A number of customers complained of a "data breach" and said that they were able to view other people's account information through the app. The issues came after TSB carried out planned upgrade work to its technology over the weekend. One honest customer said he had been credited with a large sum of money that was not his once he managed to get back into the app. "My balance, because of my overdraft, is in minus, but my balance was showing at £13,000," said Laim McKenzie, from Paisley in Scotland.
    Belgian Privacy Commission issues recommendation on Impact Assessment
    The Belgian Privacy Commission has issued a recommendation (currently only available in French and Dutch) on Data Protection Impact Assessments and the prior consultation requirements under Articles 35 and 36 of the GDPR. The recommendation is intended to provide guidance on the core elements and requirements of a DPIA. Among the key takeaways, the Belgian DPA states that the obligation to conduct a DPIA in certain circumstances should be interpreted in light of two central principles of the GDPR: the principle of accountability and the risk-based approach. In terms of when a DPIA is required, the DPA said that carrying out a DPIA is not mandatory for every processing operation. Instead, a DPIA is only required where a type of processing is "likely to result in a high risk to the rights and freedoms of natural persons."
    FTC revises its security settlement with Uber
    The Federal Trade Commission has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach which took place during the time that the FTC was investigating an earlier, 2014 breach. The revised proposed agreement goes beyond the FTC's original settlement and requires Uber to address software design, development and testing, how the company reviews and responds to third-party security vulnerability reports, and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any incident where the company is required to notify any US government entity about the unauthorised access of any consumer's information.
    Facebook moves 1.5bn users out of reach of new European privacy law
    In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The move is due to come into effect shortly before the General Data Protection Regulation comes into force in Europe on 25th May. Meanwhile, the company has also started asking European and Canadian users to let it use facial recognition technology to identify them in photos and videos. Facebook originally began face-matching users outside Canada in 2011, but stopped doing so for EU citizens the following year after protests from regulators and privacy campaigners. The move is likely to be controversial.

    More in depth data protection news and articles... 

    New GDPR Article Series 

    Privacy & Data Protection journal
    Introducing a special series of articles on the practical changes that organisations need to implement in order to prepare for the GDPR

    Visit the Privacy & Data Protection for a Free Sample and to Subscribe

    Subscribe to two or more titles at the same time and receive a 15% discount off the cheapest journal.


    Our professional and practical Training Courses enable delegates to understand the legal requirements in key areas of information and data protection compliance. Courses run throughout the year around the United Kingdom.
    Here is a selection of courses taking place shortly:   
    Alison Deighton
    TLT Solicitors
    All organisations are required to observe the rights of individuals under data protection law. A key objective of the GDPR is to strengthen and extend those rights. Additionally, individuals have a right to claim compensation from both controllers and processors where financial loss or other damage occurs as a result of processing operations which breach the requirements of the GDPR. This training session looks at the new rights under the GDPR in detail, and also considers the changes to the pre-existing rights, including updates to time limits and new requirements for documentation. The session covers:
    • the right to be informed
    • requirements for handling subject access requests
    • profiling and automated decision taking
    • the right to data deletion
    • the right to restriction of processing
    • the right to object to processing
    • the right to data portability
    • compensation
    • the right to cessation of direct marketing
    • exemptions for organisations
    • changes that should be made to organisations' privacy policies 
    Delegates attending this session must have a basic knowledge of current data protection legal requirements in order to be able to understand the material in this session. Delegates with little or no existing knowledge should attend Data Protection Essential Knowledge Level 1 before attending this training course. The course is taking place on the following dates:
    • Belfast            Thursday, 7th June 2018
    • Glasgow         Monday, 24th September 2018 
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue
    Fedelma Good
    Big Data is big business, and the technology that gives rise to the activity known as profiling has multiple benefits for both organisations and individuals. However, these benefits come with risks, and it is these risks that the General Data Protection Regulation ('GDPR') seeks to mitigate against. This practical session considers how organisations can reap the benefits of Big Data whilst minimising the risks of falling foul of the legal provisions, including:
    • how data protection law applies to profiling and Big Data
    • how the extended territorial scope of the GDPR catches ever more profiling activities
    • the rights individuals have under the GDPR, including transparency, control, data minimisation and data portability
    • controllers' increased accountability to individuals and the remedies available to individuals
    • the circumstances in which profiling is acceptable
    • how to reduce the risks of 'discriminatory' decision-making
    • the relevance of the privacy by design and default regime
    • the GDPR position on profiling and special category personal data
    • practical guidance on what information must be supplied to customers and others
    • how to obtain explicit consent, where required.
    The course is taking place on the following dates:
    • London   Tuesday, 12th June 2018
    • Belfast    Thursday, 6th December 2018
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue
    John Wilson
    JMW Mosaic
    This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment. This training session is designed to meet the needs of senior and more experienced practitioners and builds on the basic and intermediate skills and techniques covered on the Records Management 1 and Records Management 2 training courses. Topics covered include:
    • Information governance
    • Dealing with risk
    • Records management policy development
    • Embedding good records management practice
    • Records migration and dealing with legacy records
    • Digital continuity - managing electronic records over time
    Delegates are encouraged to share their own experiences in the session. 

    The next available dates for this course are:
    • Glasgow        Friday, 22nd June 2018
    • London          Wednesday, 26 September 2018 
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue

    Final few places remaining for May 2018
    PC.dp Residential Programme

    The residential option on the Practitioner Certificate in Data Protection Programme (GDPR) provides candidates with the opportunity to study the Programme intensively on four consecutive days (rather than five for the Standard Programme)

    "By far the most practical resource available to help understand the complexities of the GDPR..."
    A Practical Guide to UK and EU Law  

    This book is an invaluable practical resource for organisations in preparing for the new era of compliance under the GDPR.
    Find out more & order your copy here >
    * New course *
    Cybersecurity for Data Protection Professionals  2nd July 2018 - London
    Breach Notifications Training Course 

    This session is prepared specifically in the context of the GDPR and the objective of compliance professionals dealing more assuredly and knowledgeably with cybersecurity within their organisations.

    Qualify as a Data Protection Practitioner

    Flexible training options allow you to train alongside other commitments
    More information >
    "The course content was informative and well presented, with very knowledgeable trainers. The exam was challenging, so I feel a real sense of achievement in having gained this qualification."
    Caroline Chalk
    Head External Information Services
    Civil Aviation Authority
    "I found the course to be thoroughly enjoyable and enlightening in a number of areas. I have managed to apply the knowledge gained through the course already in my day to day role."
    Brendan Byrne
    Senior Managing Consultant Security & Privacy
    "The qualification strikes the right balance of interpreting important and complicated legislation and imparting this to students with a well structured course, underpinned with simple to understand information and then a vigorous examination. Organisations should feel assured by any of its staff undertaking and passing this qualification that their information is being managed and shared securely."
    Kim Bellis
    Records Service Manager
    Royal Cornwall Hospitals NHS Trust
    "I am very pleased to have followed the Practitioner Certificate in Data Protection course and passed the examination. This will be of great benefit to my employer, as it demonstrates the value we place on this complex area of ethics and compliance."
    Alan White
    Data Protection Manager
    Pitney Bowes
    "The course which was delivered by experts in the field of Privacy and Data Protection Law was very enjoyable and engaging. The examination was based on applying legislation and knowledge to practical cases rather than a test of how much information you could remember. I am delighted that I passed the exam and to have a qualification that is very much respected, as well as letters after my name! I recommend both the course and the examination for anyone wanting to increase their knowledge of Data Protection Law."
    Bleneta Carr
    Pearson Education
    "I am delighted to have achieved this qualification. The Certificate sets a recognised standard for data protection professionals and it has provided me with the knowledge and confidence of data protection requirements, especially in light of the impending new Regulation."
    Joanne Maurizi
    Assistant Manager
    "Synectics Solutions recognises that compliance with data protection regulation is critical to all organisations that handle personal information. It has never had a greater focus than at the present time. Having looked at the training and professional qualifications available, we concluded that the PDP certification was the most appropriate for our business. The course was delivered by legal experts in the field. They were able to bring the events to life with real-life scenarios and case studies."
    Steve Sands
    Head of Security
    Synectics Solutions
    PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom

  • PDP - FOI News Update - 24 April 2018

    Council fined after revealing personal data in FOI response
      Issue: 25/04/2018


    After being issued with seven decision notices regarding late FOI responses earlier this month, the Royal Borough of Kensington and Chelsea has been fined £120,000 by the Information Commissioner's Office after it unlawfully identified 943 people who owned vacant properties in the borough. The fine was made under the Data Protection Act. Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information Act. The journalists later published three of the names.
    Council fails in appeal over FOI request and commercial prejudice
    Hartlepool Borough Council has lost an appeal against a ruling by the Information Commissioner because it failed to provide evidence of what harm to commercial interests would be done by disclosing material dating from 2005 and relating to the transfer of ownership of Durham Tees Valley Airport. FOI applicant John Latimer had made an FOI request for papers relating to how ownership of 75% of the airport came to be transferred by the six Tees Valley local authorities to property firm Peel. Some information was provided but the council withheld the rest, though it later made further releases, and Latimer took his case to the Commissioner, who ruled in his favour. Giving judgment in the First-Tier Tribunal General Regulatory Chamber (Information Rights), Judge Anisa Dhanji said neither the council nor property firm Peel had shown any convincing reason for keeping private details of the deal they did over the airport.
    Labour proposes to make housing associations subject to FOIA
    A new Labour Green paper proposes making housing associations subject to the Freedom of Information Act and requiring all social landlords to publish fire safety reports regularly. Currently, housing associations can refuse to answer requests about fire risks, safety problems, eviction policies, waiting lists and other matters. Jeremy Corbyn and Shadow Housing Secretary John Healey will unveil the paper, titled Housing for the Many, at the Local Government Association headquarters in London this week.
    Councillor attacks press use of FOI
    An East Renfrewshire councillor has attacked the press and public over Freedom of Information requests. During a recent meeting Labour Member Alan Lafferty slammed "lazy journalists" and political researchers and demanded that those who use FOI laws be "weeded out." Councillor Lafferty also complained about residents' use of FOIs. He said: "We're getting to the stage where it's diverting resources from frontline services." Cllr Lafferty was speaking after it was revealed that the council dealt with a record 1,296 FOI requests last year. That was up by 10 per cent on the previous highest total, with requests from political groups making up 13 per cent of submissions.
    BBC obtains copy of "Bruno letter"
    The BBC has obtained a document that sheds new light on the decision by British politician Jeremy Thorpe's lawyers not to let him give evidence at his Old Bailey trial in the 1970s, when he was charged with conspiracy and incitement to murder. The letter was from Mr Thorpe to an American man called Bruno, sent after they had met in San Francisco in 1961. Had Mr Thorpe given evidence, he would have faced questioning about his sexuality which he wanted to avoid. The FOI Specialist Martin Rosenbaum received the "Bruno letter" and connected records from the US Federal Bureau of Investigation after making an FOI request under US Freedom of Information law.

    Freedom of Information Journal
    More freedom of information news and articles
    Visit the website to receive a Free Sample Copy or to Subscribe Now
    "PDP's FOI journal has proved very helpful in keeping us up to date with developments in FOI, interesting news and case law."
    Deborah Coombs
    Nottingham University Hospitals NHS Trust
    Subscribe to two or more journals at the same time and receive a discount
    For more information, visit PDP Journals

    Professional and practical Training Courses enable delegates to understand the legal requirements in key areas of compliance.  
    The following is a selection of some of PDP's current courses.  
    Estelle Dehon
    Cornerstone Barristers
    Since the Freedom of Information Act 2000 came fully into force in 2005 we have experienced a fundamental change in the relationship between UK government and its citizens as government information has become more publicly accessible. Greater transparency is also a key policy of the Coalition Government, and in light of the deficit reduction programme there is an ever increasing public interest in how public money is spent. This has led to the publication of a wide range of public sector datasets and proposals to expand the Freedom of Information Act through the Protection of Freedoms Bill. Information Officers are central to these developments and need to be fully aware of the Act and the impact of future changes to it.
    This training session is designed to help those who are on the receiving end of requests for information and those who advise and assist them.
    This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information.
    Upcoming dates for this training course are:
    • Belfast           Monday, 24th September 2018
    • Manchester  Tuesday, 16th October 2018
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue 

    FOI Practical Training - Level 2 (Applying the Exemptions)
    Liz Fitzsimons, Eversheds

    Public sector bodies must make daily decisions on how to respond to requests for information under the Freedom of Information Act 2000 and how to apply the exemptions in the Act. Those decisions are increasingly reviewed and, in many cases, overturned by the Information Commissioner, the Information Tribunal and the Courts. As case law develops and changes, public authorities need to ensure that they understand when the exemptions can be applied, and what they have to demonstrate to apply them correctly.
    This training session considers in detail the practical application of the main FOI exemptions.
    A discount is available for delegates booking both FOI Level 1 and FOI Level 2.
    This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information.
    Upcoming dates for this training course are:
    • Belfast          Tuesday, 25th September 2018
    • Manchester   Wednesday, 17th October 2018
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue 

    FOI and Data Protection - How They Work Together

    Damien Welfare, Cornerstone Barristers
    The competing demands of Freedom of Information and Data Protection legislation in the UK present challenges for all public bodies involved in collecting, holding and disclosing personal information. Understanding the interface between Freedom of Information laws (including the Environmental Information Regulations 2004 (EIR)) and the Data Protection Act 1998 (as well as the provisions of the upcoming General Data Protection Regulation) is essential for all those involved with information management in the public sector.
    This session, which is designed for people who already work with FOI issues, explains the key principles underlying the differences between FOI and data protection laws, including when personal data should and should not be released in response to subject access requests and FOI/EIR requests. Delegates who do not have an existing understanding of the basics of FOI law are recommended to attend FOI Level 1 before attending this session.
    This session enables delegates to understand how to manage requests for information, and to achieve best practice within their organisation.
    This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information.
    Upcoming dates for this training course are:
    • Belfast            Wednesday, 26th September 2018
    • Manchester    Thursday, 18th October 2018
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue 
    Understanding the Environmental Information Regulations
    Damien Welfare, Cornerstone Barristers
    The Environmental Information Regulations 2004 cover a wide range of information which has often been assumed to fall under the Freedom of Information Act.
    The scope of EIR is not restricted just to "green" subjects or information, but extends to land use, planning, transport, waste, energy, agriculture, housing development, public nuisance, and aspects of public health, food safety, buildings maintenance and cultural sites.
    Public authorities and their advisors, and those contracting with the public sector or carrying out public functions, need to understand the scope of the Regulations in order to handle information requests correctly. This session explains the meaning and scope of the EIR. It examines in detail the boundary with FOI, based on decisions of the Information Commissioner and Information Tribunal and on guidance from DEFRA; including the potential role of a remoteness test in limiting the range of information covered. It analyses the "exceptions" and how to approach the public interest test.
    The course equips practitioners to recognise and handle practical issues arising under the Regulations with confidence, and to avoid the pitfalls of dealing with information requests under the wrong regime.
    This training course can be used as credit towards gaining the Practitioner Certificate in Freedom of Information.
    Upcoming dates for this training course are:
    • Belfast           Thursday, 27th September 2018
    • Manchester    Friday, 19th October 2018
    For further information and to make a booking,
    1. Visit PDP's website 
    2. Telephone PDP at +44 (0)207 014 3399
    3. Download the PDF Training Catalogue 
    The latest edition (Volume 14, Issue 3), features the following articles:
    • Back to the FOIA: how FOIA affects historical records - Paul Gibbons, aka FOIMan
    • To hold, or not to hold - that is the question - Lynn Wyeth, Leicester City Council
    • Recent decisions of the Commissioner and Tribunal - Alison Berridge & Imogen Proud, Monckton Chambers
    Request a FREE sample or

    For more information, please visit PDP Journals

    Advanced Records Management Training
    Glasgow - 22nd June 2018

    This training course provides an in-depth analysis of the key issues and challenges facing those responsible for the management of records and information in the current business environment.
    Contact us 
    Should you have any Training, Conference, Recruitment or Journal queries, please 
    send us an email

    PDP Training Catalogue 2018  
    available for download
    Browse through PDP's leading information compliance qualifications and training courses 
    Flexible training options allow you to train alongside other commitments  
    "I am very pleased to have achieved the Practitioner Certificate in Freedom of Information. The programme provides excellent knowledge and understanding on the practical applications of handling requests for information"
    Louise Smith
    Financial Ombudsman Service
    "A very worthwhile qualification which I wholeheartedly recommend to colleagues"
    Barbara Tyldesley
    The Environment Agency
    "I am so pleased to have passed the Practitioner Certificate in FOI. The 4 day course was excellent and I am now confident in my role as FOI Officer for Social Services. The course has helped me develop my skills and knowledge of FOI/EIR and DP and I would encourage anyone working in this area to attend."
    Rachael Strand
    Flintshire County Council
    "The Practitioner Certificate in FOI was an excellent opportunity to receive specialised training and gain a recognised qualification. In particular, I found the instructors to be both knowledgeable and engaging. As a regulator in an overseas territory, I was easily able to translate the learning into practice. I have and do encourage other FOI practitioners to take advantage of this training programme."
    Clara Smith
    Information Commissioner's Office (Grand Cayman)
    "I am delighted to have passed my examination, achieving this qualification and attending the courses have been a very positive experience which have boosted my confidence and enthusiasm for this subject. I found the courses very informative and the course handout binders are an excellent reference tool which is very relevant to the workplace."
    Julie Johnson
    Durham County Council
    "I'm delighted to have passed the exam; it was hard work preparing for an exam, having not sat one for over 10 years, but the course materials really helped structure my revision. Passing has increased my confidence in dealing with the Act which will be of benefit to myself as well as my organisation."
    Heledd Thomas
    Comisiynydd y Gymraeg
    "I found this to be a comprehensive course, which was well structured to be relevant and of interest to everyone from FOI beginners to more seasoned practitioners. The course tutors were very knowledgeable and clearly very interested in their respective topic areas, and the course was similarly detailed and well-taught."
    Mark Reynolds
    "I'm thrilled to have gained this qualification. FOI can be a complicated area to understand and apply, but the tutors were excellent in bringing it to life in an interesting way."
    Angela Sanderson
    Big Lottery Fund
    "The Practitioner's Certificate has equipped me with the knowledge and confidence to undertake my role. I found the courses well presented and easy to follow. The case studies are particularly useful, as they give an insight into different scenarios that one may experience. I would recommend PDP to anyone wanting to gain this qualification."
    Kim Starbuck
    London Borough of Barking and Dagenham
    "Both the thought provoking training and materials as well as passing the exam will help to ensure we provide a prompt quality service when dealing with information requests particularly as those involving planning can raise complex issues"
    John Pierce
    The Department for Communities and Local Government 
    PDP, Canterbury Court, Kennington Park, London, SW9 6DE, United Kingdom
