Category: News

The Government intend to change the accountability arrangements in the UK_GDPR in such a way that it will become harder to hold controllers to account.  In summary, Chapter 2 of the DCMS Consultation document (“Data: a new direction”) makes two main proposals in relation to accountability: to reduce or remove the requirement to undertake DPIAs (A.35 and A.36); to reduce or remove the requirement to have a Data Protection Officer (A.37-A.39); to remove the need to create a register of

The Government proposes that the “Legitimate Interests” balancing test between controller and data subject in A.6(1)(f) is changed so that the controller’s legitimate interests always prevails in a limited number of pre-defined circumstances. As far as I can see, this proposal is based on a false data protection analysis and illustrated by examples that show that no change is needed. If the controller’s legitimate interests always prevails, it follows that the data subject’s right to object to the processing and

This blog is limited to commentary on the Government’s proposals for the Further Processing of personal data found in section 1.3 of the DCMS Consultation document (“Data: a new direction”). In summary, the Consultation proposes to exempt the application of the Purpose Limitation (or Finality) Principle whenever there is an important public interest in the further processing; this further processing could be undertaken by a controller different to the one that collected the personal data.  As this blog shows, the

This blog concerns the Government’s proposals for the processing of personal data for research purposes; they are unreliable, untrustworthy and unethical.  For instance, I show how the proposals are so “flexible” they can allow for secret research, using of special category of personal data or criminal offence personal data, similar to the “research” that gave rise to the Cambridge Analytica scandal. The proposals relating to research The commentary is limited to the proposals in Section 1.2 (paragraphs 34-50) of the

The Home Office’s (very truncated) consultation on a revised Code of Practice involving overt surveillance of public places (e.g. the use of facial recognition CCTV, Automatic Number Plate Recognition (ANPR)) ends in early September. In summary, the draft Code contains too many general platitudes for my liking and is deficient on important detail.  So much so, one wonders whether the Home Office is taking this public consultation seriously. The two main deficiencies are: omission of key elements of the UK_GDPR

I have just spent hours drafting a letter for our hard-pressed Information Commissioner (IC) to send to the Secretary of State at the DCMS (Oliver Dowden).  It reads: “Dear Ollie.  Sod off. I’m independent.  Lots of love.  Lizzie”. Of course such a letter won’t be sent, but it should be.  The reason: there have now have been three attempts (at least) where the independence of the current or future IC is under attack by Ministers. The problem is that Government

Today’s Sunday Telegraph reports, on its front page, that the UK Government is sympathetic to the idea that Judgments made by the European Court of Human Rights (ECHR) in Strasbourg do not automatically apply in the UK.   If such non-application occurred, then it would jeopardise the Adequacy Agreement concerning personal data flows from the EU to the UK, as finalised by the European Commission last Friday. Why is the UK deemed adequate? Recital 5 to the Agreement states “that the

Yesterday, the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) reported to the Prime Minister on how the UK could, in general,  reshape its approach to regulation and seize new opportunities from Brexit with its newfound regulatory freedom.  Unsurprisingly, changes to the UK_GDPR are high on TIGRR’s list. In summary, under the heading “Replace GDPR with a new UK framework for data protection”,  perhaps with a “UK Framework for Citizen Data Rights”, TIGRR propose:  a Common Law approach towards enforcement;

Like many, I did not know about the Ministerial Directions that require NHS Digital to create a national database of GP medical records until the indefatigable “Med Confidentiality” NGO raised its profile.  In this blog, I will make some comments about data protection safeguards, most of them statutory,  which appear to me to be missing. NHS Digital, at the behest of the Secretary of State for Health, has been given Directions to take copies of medical records from all GP surgeries in