Category Archives: Uncategorized

Meet the new Bill, same as the old Bill

I’ve written a piece for the Mishcon de Reya website on the return to Parliament this week of the data protection reform legislation.

Filed under Uncategorized

NADPO February webinar

NADPO’s online webinars continue on Tuesday 28th February 2023 at 1.30pm, with the following speakers and topics.

Professor Ross Anderson – ‘Will the online harms bill protect children? Is there a case for breaking encryption?’

Justin Sherman, Duke University Sanford School of Public Policy: “Your Data’s for Sale: The Data Brokerage Ecosystem and Risks to Privacy and Security”

The Zoom link will be sent to NADPO members the day before the webinar.

If you are not a member but would like to “test the water” please contact me at chair at nadpo dot co dot uk – I can normally be persuaded to offer a free place!

Filed under Uncategorized

NADPO monthly webinar, 24 January

The next NADPO monthly webinar will be on 24 January, with two excellent speakers and topics:

Dr Monica Horten, Open Rights Group – “Everything in moderation: social media surveillance and the Online Safety Bill”

Hassan Khan, Jason Ceci and Jonah Stegman: “No Privacy in the Electronics Repair Industry”.

As always, attendance is free for members, who should note that the start time is 13:30 rather than the usual 12:30.

We generally also have a couple of tickets available for anyone who is thinking of joining NADPO and wants to test the waters, so to speak. Contact me at chair at nadpo dot co dot uk if you’re interested.

Filed under Uncategorized

Does DHSC have a compliant ROPA?

Article 30(4) of the UK GDPR requires a controller to make its records of processing activities (ROPA) available to the Information Commissioner (ICO) upon request.

ROPAs are required for most large controllers, and should include at least:

  • The name and contact details of the organisation (and where applicable the data protection officer).
  • The purposes of processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the controller’s technical and organisational security measures.

Ordinarily, in my experience, controllers will maintain a ROPA in one document, or one set of linked documents. This not only enables a controller to comply with Article 30(4), but reflects the fact that a ROPA is not just a compliance obligation, but contributes to and assists the controller in its information governance functions.

This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond. This was because, as the DHSC subsequently told the ICO when the latter was asked to issue a FOIA decision notice:

We hold a collection of documentation across different formats which, when put together, fulfils our obligation under Article 30 of the GDPR to record and document all of our personal data processing activities…[and]…to locate, retrieve and extract all of this documentation would involve a manual trawl of the whole organisation and each document would then need to be reviewed to check for content such as personal data, commercially sensitive data and any other information that would otherwise not be appropriate to place into the public domain

For this reason, the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.

The ICO is tasked with regulating both FOIA and data protection law. The decision notice here notes this, and says:

the Commissioner feels duty bound to note that, if the DHSC cannot comply with the request because it would impose a grossly oppressive burden to do so, it is unlikely that the DHSC would be able to provide its ROPA to the Commissioner, which is a requirement under Article 30 of the UK GDPR, without that same burden

There’s a big hint here to DHSC that it should adopt a different approach to its ROPA for the future.

But the decision notice does contain some rather strange wording. In the context of the words quoted just above, the ICO says:

This decision notice looks at the DHSC’s compliance with FOIA only and the Commissioner cannot order the DHSC to take any action under any other legislation.

It is true that, under his FOIA powers, the ICO cannot order the DHSC to comply with the UK GDPR, but, quite evidently, under his UK GDPR powers, he certainly can: Article 58(2)(d) specifically empowers him to

order the controller…to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period

I am not aware of anything in FOIA, or data protection law (or wider regulatory and public law) that prevents the ICO from taking enforcement action under UK GDPR as a result of findings he has made under FOIA. Indeed, it would be rather strange if anything did prevent him from doing so.

So it does seem that the ICO could order DHSC to get its ROPA in order. Maybe the big hint in the FOIA decision notice will have the desired effect. But regulation by means of big hints is perhaps not entirely in compliance with the requirement on the ICO, deriving from the Regulators’ Code, to ensure that its approach to its regulatory activities is transparent.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under access to information, DHSC, Freedom of Information, Information Commissioner, records management, ROPA, Uncategorized

Cabinet Office “Clearing House” to be dismantled

By me, on the Mishcon de Reya website:

Filed under Uncategorized

NADPO September webinar

NADPO’s next lunchtime webinar (after a short summer break) will be next month, on Tuesday 27 September at 12.30pm – 2pm, with David Renton, barrister, of Garden Court Chambers, on “Data, policing and equality law” and Rosemary Jay, senior consultant attorney at Hunton Andrews Kurth Chambers, on the ICO’s proposed strategy and how it sits (or doesn’t) with the proposed changes to the ICO role/relationship with others in the Data Protection and Digital Information Bill.

Attendance is free, as always, to NADPO members. If you are not a member but are interested in joining, drop me a line at chair at nadpo dot co dot uk and I may be able to offer a free ticket on a trial basis.

Filed under Uncategorized

An Open Letter to Jacob Rees-Mogg

Dear Mr Rees-Mogg

I suspect you and I wouldn’t agree on many things, but, before I moved into private practice, I spent many years in the public sector. I saw many examples of efficient and inefficient working there (as well as countless dedicated officers who rarely had time to be sitting at their desks when senior management deigned to visit).

So, despite our different worldviews, and in the spirit of helping improve the efficiency of the offices of Members of Parliament, may I make a couple of suggestions about data protection compliance?

First, you said recently, before the European Scrutiny Committee, that constituents who come to see you at surgery are asked to sign a two-page disclaimer. Nothing in our data protection law requires this (in fact, expecting them to sign one is likely to be contrary to those laws). You should give anyone whose personal data you collect certain information, generally in the form of a notice, but that’s just a matter of being fair and transparent – there’s no reason at all to require a signature or a disclaimer. You could even just refer them to a notice on your own website (your current one is rather well hidden). That should save you a bit of time and money.

Second, at the same hearing, you were concerned that you needed to delete files on constituents prematurely. Again, this appears to be a misapprehension on your part. Personal data should be kept for as long as is necessary in relation to the purpose for which it was collected: if you still need it, you keep it. There – another efficiency tip!

Third, and more generally, I do find that there is a lot of misunderstanding of data protection law. It has a dual objective – to offer protection to individuals and to allow for free movement of data (both of which are obviously subject to qualifications and provisos). I don’t pretend that the law couldn’t do with some revisions, and I’ve even spoken to some of the people helping with the reform programme to suggest a few. But in general, it’s quite possible to run public bodies and businesses efficiently and also comply with data protection law – but I fear that training and awareness of that law have been, and continue to be, handled rather inefficiently at government level.

Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, GDPR, not-entirely-serious, parliament, Uncategorized

NADPO April webinar

Our next regular NADPO lunchtime webinar is next Tuesday. We have

  • Dr. Ben Collier, Edinburgh University – “Influence government: exploring data issues with digital nudge campaigns in the public sector”
  • Lucas Amin, Open Democracy – “Problems with FOI compliance across UK government and enforcement by the ICO”

Members get free entry. If you are not a member and would like a free place, ask me at chair at nadpo dot co dot uk (nb – repeat askers will instead be nudged down the “become a member” path).

Filed under Uncategorized

NADPO March webinar

The next NADPO monthly webinar is on 22 March. As usual, we have two great talks:

  • Joe Chapman, Scottish Information Commissioner’s Office – ‘Access to information post-pandemic: learning from the experience of FOI in Scotland’
  • Ashley Winton, Mishcon de Reya LLP – ‘Adtech and Website Analytics – the current state of play’

Attendance is free for all NADPO members (attendance at all NADPO events is always free for members – no “in-game purchases” for them). And Data Protection Forum members are also allowed to attend for no charge.

If anyone else is especially interested in NADPO, or these specific talks, please contact me at chair at NADPO dot co dot uk – I can often be persuaded to offer a free space in those circumstances.

Filed under Uncategorized

Latest NADPO event

The next of the monthly NADPO lunchtime webinars will be next Tuesday (22 February), with speakers Dr Chris Pounder, of Amberhawk Training, on “Do the proposed changes to the UK’s human rights regime undermine the UK GDPR?” and Johnny Chagger, of Leeds Teaching Hospitals NHS Trust, on “Integrating health and social care records” (Johnny’s talk has a provisional title for now).

NADPO members can attend for free (as they can at all our events). If you are not a member, but are interested in the talks, and interested in joining NADPO, please feel free to drop me a line at chair at nadpo dot co dot uk. We generally have a couple of free tickets to offer.

Filed under Uncategorized