Described by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) attempts to bring data protection into the age of “big data”. It comes into force across the whole of Europe (including the UK) on 25th May 2018 which means that, if you process personal data, you don’t have long to get your data, systems and policies up to date and compliant.
In addition, the Data Protection Bill, which will replace the Data Protection Act 1998, had its first reading in the House of Lords on 13 September 2017. It is liable to change during the parliamentary process but is intended to provide “a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice”.
If you would like a short (4 page) briefing document setting out what SMEs need to be doing right now, please drop an email to email@example.com. If you would like to attend a practical seminar in Milton Keynes on what the changes are and how to implement them, please sign up using this link:
The European Commission and the US have reached political agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.
The Commission says that the new arrangement will place stronger obligations on US companies handling EU citizens’ personal data and includes robust enforcement measures, including increased cooperation with European Data Protection Authorities (DPAs). It will also contain limitations, safeguards and oversight mechanisms on US government agencies’ access to EU citizens’ personal data and the US has ruled out indiscriminate mass surveillance.
The European Commission says that the new arrangement reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid because US government surveillance threatens EU citizens’ privacy and they have no judicial redress.
Two men on trial in Thailand for the murder of two British people in September 2014, made requests to see data held on themselves by British police.
The High Court has affirmed the police decision not to disclose personal data to them.
The Commissioner of Police for the Metropolis was found to have correctly applied the Data Protection Act exemptions from complying with subject access provisions where this would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.
From 10 March 2015 it will become a criminal offence under the Data Protection Act 1998 for an employer to impose “enforced subject access” on job applicants or employees.
Enforced subject access is where an employer requires applicants or existing employees to obtain a copy of their criminal records by means of a “subject access request”, and supply it to the employer in connection with their recruitment or continued employment.
The main reason for this is that is can lead to the disclosure of spent convictions.
The confirmed correct approach is to use the criminal records disclosure regime, operated by the Disclosure & Barring Service (DBS).
Posted by: Clare Nicolaou Employment lawyer, Novalex Solicitors
The Information Commissioner’s Office (ICO) has held that a campaign group can rely on the “special purposes” exemption for journalism in the Data Protection Act (DPA).
The campaign group is investigating and reporting on corruption in a company.
Four individuals associated with the company made requests under the DPA for access to their personal data, including the source of those data. The campaign group refused their requests on the basis that the journalism exemption applied.
The ICO’s decision complies with its own guidance for the media on data protection and journalism but this is believed to be the first time the exemption for journalism has been extended to a non-media organisation.