Category: Data Protection

In the next three weeks, there will either be a trade agreement with the European Commission (EC) or no trade agreement.  As a sophisticated Barnsley fan, I have unshakeable faith in my abilities to recognise that one of these two outcomes will be correct. If there is a trade agreement, I suspect the EC will chuck in an adequacy agreement with the UK with the caveat that it is subject to review by the Council of Ministers, European Data Protection

The Government has published six Principles that govern the development of its digital identity policy.  As most governmental departments and businesses are providing more online services (encouraged by COVID), a citizen’s ability to prove his or her identity digitally is becoming more important (e.g. to facilitate interaction with Government or to authorise electronic payments). The six digital identity Principles are: “Privacy, Transparency, Inclusivity, Interoperability, Proportionality”  and “Good Governance” and can be found in Section 4.2  of a 5,000+ word text

The Glorious Twelfth is the date when land-owners of moorland estates celebrate the start of the grouse shooting season; August 12 this year was about the time the Information Commissioner (IC) became “fair game” for many commentators. The IC’s detractors fall into two groups.  In the blue corner is the Conservative supporting Press (e.g. Daily Mail, Telegraph and The Sun);  Newspapers that have been critical of the IC’s prolonged absence from the UK.   Also in the blue corner (but silent

The current A level results debacle has raised two data protection questions.  Namely whether the right not to be subject to automated decision (A.22 of GDPR) applies and whether the exemption for exam results (Schedule 2 paragraph 25 of the DPA2018) is fit for purpose? The answer to both questions, in my view,  is “NO”. Despite yesterday’s Government U-turn, this blog shows that the two questions above are inter-related; for example, transparency of the processing of personal data associated with respect to

I am going to enter the fray about the data protection events surrounding the EU Referendum and the delayed Parliamentary report into Russian interference; it is only now the full story can be told. This story contains a few incredible chapters: (a) the breaches of the law with respect to the-use of personal data during the Referendum campaign; (b) non-cooperation by leading actors with Parliamentary Committees and investigations, (c) deliberate obstruction (at best) and lying (at worst) and (d) the

This week has seen quite a lot of commentary concerning Standard Contract Terms (SCCs) and the possible need to augment them with additional safeguards when transferring personal data to a Third Country. The problem has arisen because the Schrems II judgement (see references) viewed the SCCs as providing a baseline of Data Protection safeguards.  It suggested that the controller and processor should implement further safeguards if required,  and if the additional safeguards (if required) could not be implemented, then the

I thought I would do a blog on how the current GDPR applies to the tracing of people via the APP being promoted by NHSX.  There is a dearth of data protection detail  (NHSX has yet to publish a DPIA),  and I think this could be useful contribution to the public debate (especially as Ministers are promoting the APP heavily). Note: the DPIA for the Isle of Wight was published on May 8 (see references for a link). So please

I have just arrived back home from an essential tube journey on the Northern line to the newly opened station at Nine Elms.  On the seat opposite me, I found one page of minutes which looks like a record of a meeting in the American Embassy discussing the post-COVID19 environment and what passengers to the USA can expect on arrival after Easter (when President Trump hopes the pandemic in the USA will be over). The minutes identify two types of

Yesterday, Reuters (followed by the Guardian and Social Media) reported that next month, Google are moving personal data about its UK users to a Google company in Delaware in order to reduce the protection for UK data subjects.  There are similar moves intended for Google’s related services such as YouTube, YouTube Paid Services and Google Play. This blog goes into this assertion which I don’t think is wholly correct; in summary the provisions of the GDPR do apply but there