Category: Data Protection

Do you know what? I am beginning to wonder whether some of the exemptions in Schedule 2 of the DPA2018 work as they should. So, if you disagree with the following analysis please make a counter argument. First, I think all the exemptions that are constructed using the use of the word “processed” provide a lawful basis for one controller to disclose personal data to another controller for the purposes/reasons identified in the exemption.  In this way, the exemptions permit a

Yesterday, the Secretary of State for Business was caught out misleading the public and Parliament concerning Brexit.  He evidently authorised a secret, multi-million pound bung to Nissan so that it maintained car production at its current level in Sunderland, post Brexit.  Sad to say, such secrecy by Ministers is rather commonplace with respect to Brexit and data protection. The evidence for this assertion comes from my latest FOI request to the European Commission (see references). For instance, consider the Prime

Belated Happy New Year. One thing can be certain following the recent Brexit Parliamentary shenanigans.  The UK will eventually choose from: (a) a hard Brexit; (b) a deferred Brexit; (c) a Brexit perhaps softer than Mrs May’s defeated Brexit, or (d) no Brexit.  As most options involve Brexit, the approach the Government has adopted to align Brexit with the GDPR is important. The draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the “Regulations”) were tabled

How do you think Brexit is going? When you ask this question, most people shake their heads, or utter an expletive or refer to sayings that contain words such as “brewery” and “organise”. Anyway, the draft Withdrawal Agreement has been made public and there has been quite a lot of data protection commentary saying that the UK does not need to worry about transfers of personal data from the European Union (EU) after March 29 (assuming the Agreement keeps its current

What makes processing “lawful” under the GDPR? The Information Commissioner (ICO) has stated that the word “lawfulness” has general application, as it did under the previous Data Protection Act (DPA1998). If my analysis is correct, this view is wrong; I think "lawfulness" is now limited in meaning to "compliance with the GDPR or DPA2018". If so, there is a significant risk that the level of the protection afforded to data subjects in the UK (and in Europe) is much diminished. First to

The Government’s Brexit policy assumes that the Data Protection Act 2018 is good enough to obtain an adequacy determination and envisages the ICO playing a full part in the European Data Protection Board; this is to protect the free flow of personal data to the UK.  This policy was brutally murdered last Friday by the EU’s lead Brexit negotiator who stated that the UK would have to seek an adequacy determination. Sadly, in March, the Information Commissioner told Parliament that there were

The Data Protection Bill (engaged in Parliamentary ping-pong) contains an exemption that allows confidential employment references to be kept secret in all circumstances; this exemption has not been discussed, debated or challenged. The exemption thus raises the spectre that an employer will be able to give a confidential reference about an employee where the employee is ignorant of the reference and has no right of access to check the accuracy of the reference. The exemption exists in a non-virulent form

Here is my take on the Facebook/Cambridge Analytica affair. I have no specialist inside knowledge or information but hopefully the blog can help focus the data protection debate on some of the issues (other than warrant delays and repeated claims by all parties that there is no data protection problem!). Please feel free to comment. First to Dr Aleksandr Kogan. He is the academic employed at Cambridge University who first obtained the personal data for an academic research project undertaken