Data protection

The use of personal information is regulated by the General Data Protection Regulation and the Data Protection Act 2018. Data protection was already a complex issue but this new legislation makes it even more complex: a far more detailed information analysis and more detailed records, policies and transparency are required.

Data protection is also an important issue:

  • The Information Commissioner’s Office regularly imposes fines of £50,000 to £120,000, and has imposed fines as large as £400,000
  • An organisation may have to self-report breaches to the ICO and the individuals affected
  • Individuals affected by breaches are entitled to full compensation for their losses and their distress
  • The High Court has ruled that an organisation was liable for data protection breaches by its employees even though they were acting against the organisation’s interests
  • A single complaint can trigger a huge increase in insurance premiums as insurers may be concerned that it reveals a systemic failure.

Individuals have a right to know what information about them an organisation holds, and how it is used and shared. But there are some important limits to this, and providing too much information could just as easily be a data protection breach as providing too little. The complexity of the legislation, and finding the resources needed to gather, review and edit a large amount of information within strict time limits – usually just one month – can be challenging.

My services include:

  • Help with compliance
  • Writing policies, procedures and privacy statements – These help to ensure that your organisation stays within the law when your staff use personal information in the course of their everyday tasks.
  • Advice on specific issues – It might be the use of personal information for marketing purposes, the use of personal information relating to children, the monitoring of staff emails and telephone calls, or the retention or protection of personal information generally.
  • Assistance with requests for information – This might be limited to advice on how your organisation should respond to a particular request, or it might extend to reviewing, selecting and editing the information ready for disclosure and preparing the covering letter.
  • Training – In-house training can be very cost-effective. You can read some of the feedback on my training here.

Previous data protection work includes:

  • A data protection audit and compliance programme for a national, multi-site charity – British Lung Foundation
  • A review of information flows and data protection compliance for a leading online provider of agency nursing staff – Nursing Online
  • Helping a number of independent schools and academies with their data protection compliance programmes in the context of child protection issues, including staff training
  • Helping a leading funder of healthcare services implement a compliant national IT infrastructure – Assura Medical
  • Advising police on the data protection issues affecting CCTV recordings and a politically sensitive investigation overseas – Wiltshire Police Authority
  • The use of teacher related information, with international data protection issues – The Training and Development Agency for Schools
  • Advising a major international supplier of semiconductor design systems on its data protection compliance – Zuken
  • The use of officer health monitoring systems and aerial surveillance using unmanned aerial vehicles – The South West Fire and Rescue Service
  • A sensitive investigation into medical treatment at a nursing home – A County Council
  • Training solicitors