Data protection

The use of personal information is regulated by the General Data Protection Regulation and the Data Protection Act 2018. Data protection was already a complex issue, but this new legislation requires a far more detailed analysis of information systems and more detailed records, policies and transparency.

Data protection is an important issue:

  • The Information Commissioner regularly imposes fines of between £50,000 and £120,000, has fined Facebook £500,000 (the maximum under the old law), and is proposing to fine Marriott International £99 million and British Airways £183 million
  • An organisation may have to self-report breaches to the ICO and the individuals affected
  • Individuals affected by breaches are entitled to compensation – the Court of Appeal has approved group litigation against Google, where each individual claim is likely to be too small to litigate but the total is likely to be huge
  • The courts have held an organisation liable for data protection breaches by its employee, even though he was acting against the organisation’s interests
  • A single complaint can trigger a huge increase in insurance premiums, as insurers may be concerned that it reveals a systemic failure.

Individuals have a right to know what information about them an organisation holds, and how it is used and shared. But there are some important limits to this, and providing too much information could just as easily be a data protection breach as providing too little. The complexity of the legislation, and finding the resources needed to gather, review and edit a large amount of information within strict time limits can also be challenging.

My services include:

  • Help with compliance
  • Writing policies, procedures and privacy statements – These help to ensure that your organisation stays within the law when your staff use personal information in the course of their everyday tasks.
  • Advice on specific issues – It might be the use of personal information for marketing purposes, the use of children’s personal information, the monitoring of staff emails and telephone calls, or the retention or protection of personal information generally.
  • Assistance with requests for information – This might be limited to advice on how your organisation should respond to a particular request, or it might extend to reviewing, selecting and editing the information ready for disclosure and preparing the covering letter.
  • Assistance with ICO investigations – whether this is a paper exercise or interviews under caution
  • Training – Effective and role-appropriate training for all staff is virtually mandatory, but in-house training can be very cost-effective. You can read some of the feedback on my training here.

Examples of previous work

  • A data protection audit and compliance programme for a national, multi-site charity – British Lung Foundation
  • A review of information flows and data protection compliance for a leading online provider of agency nursing staff – Nursing Online
  • Helping a number of independent schools and academies with their data protection compliance programmes in the context of child protection issues, including staff training
  • Helping a leading funder of healthcare services implement a compliant national IT infrastructure – Assura Medical
  • Advising police on the data protection issues affecting CCTV recordings and a politically sensitive investigation overseas – Wiltshire Police Authority
  • The use of teacher related information, with international data protection issues – The Training and Development Agency for Schools
  • Advising a major international supplier of semiconductor design systems on its data protection compliance – Zuken
  • The use of officer health monitoring systems and aerial surveillance using unmanned aerial vehicles – The South West Fire and Rescue Service
  • A sensitive investigation into medical treatment at a nursing home – A County Council
  • Training solicitors