Category Archives: Uncategorized

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but before I moved into private practice, I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run public bodies and businesses efficiently and also comply with data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Yours
Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, GDPR, not-entirely-serious, parliament, Uncategorized

NADPO April webinar

Our next regular NADPO lunchtime webinar is next Tuesday. We have

  • Dr. Ben Collier, Edinburgh University – “Influence government: exploring data issues with digital nudge campaigns in the public sector”
  • Lucas Amin, Open Democracy – “Problems with FOI compliance across UK government and enforcement by the ICO”

Members get free entry. If you are not a member and would like a free place, ask me at chair at nadpo dot co dot uk (nb – repeat askers will instead be nudged down the “become a member” path).

Filed under Uncategorized

NADPO March webinar

The next NADPO monthly webinar is on 22 March. As usual, we have two great talks:

  • Joe Chapman, Scottish Information Commissioner’s Office – ‘Access to information post-pandemic: learning from the experience of FOI in Scotland’
  • Ashley Winton, Mishcon de Reya LLP – ‘Adtech and Website Analytics – the current state of play’

Attendance is free for all NADPO members (attendance at all NADPO events is always free for members – no “in-game purchases” for them). And Data Protection Forum members are also allowed to attend for no charge.

If anyone else is especially interested in NADPO, or these specific talks, please contact me at chair at NADPO dot co dot uk – I can often be persuaded to offer a free space in those circumstances.

Filed under Uncategorized

Latest NADPO event

The next of the monthly NADPO lunchtime webinars will be next Tuesday (22 February), with speakers Dr Chris Pounder, of Amberhawk Training, on “Do the proposed changes to the UK’s human rights regime undermine the UK_GDPR?” and Johnny Chagger, of Leeds Teaching Hospitals NHS Trust, on “Integrating health and social care records” (Johnny’s talk has a provisional title for now).

NADPO members can attend for free (as they can at all our events). If you are not a member, but are interested in the talks, and interested in joining NADPO, please feel free to drop me a line at chair at nadpo dot co dot uk. We generally have a couple of free tickets to offer.

Filed under Uncategorized

NADPO event – some free spaces on request

NADPO, the membership association for information rights professionals, which I’ve chaired for some years now, is holding the latest in its online lunchtime webinars next Tuesday.

We’re delighted to be joined by Professor Kirstie Ball of St Andrews University, who will be talking on the theme of “Worker monitoring and surveillance: Psycho-social risks and organizational justice” and by Dr Ben Worthy, Senior Lecturer in Politics at Birkbeck College, University of London on “Resistance and undermining of FOI”.

Attendance is free for members, but we generally allow a few free tickets for those who are interested in the topics, and who may be interested in joining NADPO. Please contact me (chair at NADPO dot co dot uk) if you would like to request a place.

Filed under Uncategorized

NADPO events

Just a very quick blogpost to highlight that, since earlier this year, NADPO (of which I am Chair) has been running monthly online webinars for members on the third Tuesday of each month (with a break in August).

The latest event will take place on Tuesday 21 September, with speakers Sophie Van der Zee on “The power of personalised deception detection – Is Trump lying or just wrong?” and Dr Neil Bhatia on “Enforcing the enforcer? – The ICO orders the ICO to respond to an FOI request!”

Further details are available on the NADPO website.

Filed under Uncategorized

DCMS admits reappointment of Elizabeth Denham was unlawful

A post by me on the Mishcon de Reya website.

Filed under Uncategorized

Recital 7 of the new SCCs – it’s a doozy

Post by me on the Mishcon de Reya website.

Everyone needs to understand the new model clauses for international transfers, and recital 7 is a red flag.

Filed under Uncategorized

Regulatory breach reporting webinar

My firm recently held a webinar on regulatory notification obligations. We had Laura Middleton, head of the ICO’s breach reporting team, as well as me and a couple of colleagues.

The highlights of the recording are here: https://www.mishcon.com/news/tv/-self-reporting-regulators-advantages-pitfalls

Filed under Uncategorized

ICO statutory duty to promote economic growth

From time to time I can be a bit critical of the Information Commissioner’s Office (ICO). Indeed, in the past I may have criticised them for appearing to promote things or exercise their functions in a way that exceeded what their core role is. For instance, I may have queried why they frequently appear to be cheer-leading for innovation and digital economic expansion (not that I think those things are inherently to be avoided).

But it’s important to note that their functions are not limited to regulation of specific laws. Rather, under section 108 of the Deregulation Act 2015, and (made under that Act) The Economic Growth (Regulatory Functions) Order 2017, the ICO, as well as a host of other regulators, has a statutory duty to exercise her regulatory functions (other than those under FOIA, interestingly) with regard to the desirability of promoting economic growth. In particular, she has to consider the importance for the promotion of economic growth of exercising the regulatory function in a way which ensures that regulatory action is taken only when it is needed, and any action taken is proportionate.

Additionally, under section 110 of the Deregulation Act 2015, the ICO (and other regulators) must also have regard to this guidance: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/603743/growth-duty-statutory-guidance.pdf

When people (again, I should include myself) question, for instance, the paucity in the UK of low-level GDPR fines for low-level infringements, they should take into account these provisions.

Whether this aspect of the Deregulation Act 2015 is actually reconcilable with the provisions of the GDPR (and, now, the UK GDPR) is a separate question. In principle, there need not be a clash between the promotion of economic growth and the regulation of compliance with the duty to observe the fundamental right to protection of personal data, but in practice, such clashes tend to occur.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, Information Commissioner, Uncategorized