Author: info@amberhawk.com

The immigration exemption in Schedule 2 (paragraph 4) of the Data Protection Act 2018 (DPA2018) has always been controversial; it is subject to a judicial review by the High Court, in London, on July 23 & 24. The controversy arises because an exemption that was not needed by the immigration authorities under the DPA1984, nor under the DPA1998, has nothing to do with crime, tax, any compulsory court order, any mandatory disclosure requirement or national security issue. However, suddenly this exemption became an urgent necessity

This blog shows that the current furore concerning access to a rape victim’s phone, relying on consent of a rape victim, sits uneasily with a data protection analysis.  I also point out that there appears to be three forms of “consent” floating around in the GDPR/Data Protection Act 2018 (“DPA2018”) framework. First of all, the relevant part of the DPA2018 to consider is the law enforcement elements, as access to the victim’s phone is by the police or prosecutors in relation

{Blog changed on 2nd April due to the threat of legal action by the Homeland Security Department of USA} Amberhawk is pleased to announce that it has won a Cyber Security Challenge UK competition for the best idea in 2019 (so far) to prevent cyber-crime in the young.  Our idea involves enhanced parental responsibility, increased awareness of computer crime and teaches children under the age of ten about the dangers from hacking.  No special technology or software is needed. To

Do you know what? I am beginning to wonder whether some of the exemptions in Schedule 2 of the DPA2018 work as they should. So, if you disagree with the following analysis please make a counter argument. First, I think all the exemptions that are constructed using the use of the word “processed” provide a lawful basis for one controller to disclose personal data to another controller for the purposes/reasons identified in the exemption.  In this way, the exemptions permit a

Yesterday, the Secretary of State for Business was caught out misleading the public and Parliament concerning Brexit.  He evidently authorised a secret, multi-million pound bung to Nissan so that it maintained car production at its current level in Sunderland, post Brexit.  Sad to say, such secrecy by Ministers is rather commonplace with respect to Brexit and data protection. The evidence for this assertion comes from my latest FOI request to the European Commission (see references). For instance, consider the Prime

Belated Happy New Year. One thing can be certain following the recent Brexit Parliamentary shenanigans.  The UK will eventually choose from: (a) a hard Brexit; (b) a deferred Brexit; (c) a Brexit perhaps softer than Mrs May’s defeated Brexit, or (d) no Brexit.  As most options involve Brexit, the approach the Government has adopted to align Brexit with the GDPR is important. The draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the “Regulations”) were tabled

How do you think Brexit is going? When you ask this question, most people shake their heads, or utter an expletive or refer to sayings that contain words such as “brewery” and “organise”. Anyway, the draft Withdrawal Agreement has been made public and there has been quite a lot of data protection commentary saying that the UK does not need to worry about transfers of personal data from the European Union (EU) after March 29 (assuming the Agreement keeps its current

What makes processing “lawful” under the GDPR? The Information Commissioner (ICO) has stated that the word “lawfulness” has general application, as it did under the previous Data Protection Act (DPA1998). If my analysis is correct, this view is wrong; I think "lawfulness" is now limited in meaning to "compliance with the GDPR or DPA2018". If so, there is a significant risk that the level of the protection afforded to data subjects in the UK (and in Europe) is much diminished. First to