Category: Data Protection

The ICO’s enforcement (or lack of enforcement depending on your view) in the Royal Free/DeepMind case has divided the data protection community. The ICO found that the Royal Free had breached four data protection principles, had breached the medical confidentiality of 1.6 million patients but concluded that such a breach warranted an Undertaking. Reaction from many data protection specialists has often been on the following lines: “If a breach on this scale involving millions of patients’ Health Sensitive Personal Data

A few comments on the Data Protection Bill as announced in the Queen's Speech. Note that it is a Bill (i.e. primary legislation) covering all aspects of data protection including law enforcement as does the current Data Protection Act. As is well known, Member State law can allow modifications to Articles 4(7), 4(9),  6(2), 6(3)(b), 6(4),  8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4),  10,  14(5)(b), 14(5)(c), 14(5)(d),  17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b),  23(1)(e),  26(1),  28(3), 28(3)(a), 28(3)(g), 28(3)(h),

Yesterday, the Court of Appeal achieved something that the Information Commissioner (ICO) has been trying to do for nearly a decade; to require a review of procedures that allow for the disclosure (or non-disclosure) of criminal convictions that have no relevance to employment. For example, in the last Annual Report (2016) the previous Commissioner noted his inability to help the data subject: “We considered a complaint from an individual who had a request for deletion of an arrest record refused.

Using the advanced mathematical techniques employed by those calculating the benefits of Brexit, this blog has been able to deduce the level of the proposed “replacement-for-notification-fees”, levied on controllers, to meet the costs of the ICO under the GDPR. I can report that these fees are set to rise significantly (at least 50% across the board). Indeed, those paying the current registration fee of £500 per year might find themselves paying just short of £7K per annum.  Fees well north

The ICO has just published draft Advice (the “Advice”) on the use of consent under the General Data Protection Regulation (GDPR). All I can suggest is that readers engage with the consultation over the content of this draft Advice (especially if a data controller relies on data subject consent). What follows is a set of statements from the 40 page Advice concerning consent under the GDPR, followed by my commentary which I hope helps your understanding of the issue. This should