Category: Other Information Law

If a=b and b=c then it follows that a=c. So, how does this set of simple equations relate to data protection? Well if direct marketeers, privacy advocates and supervisory authorities recognised that a=c then most of the debate concerning data protection and the marketing purpose would be settled. Don’t believe me? Just follow the argument under the current Act (DPA) or indeed the General Data Protection Regulation (GDPR). All across Europe (and especially the UK) there has been a debate

If Member States can, by law, exercise legislative “flexibility” when implementing 50+ Articles of the General Data Protection Regulation (GDPR), how can the Regulation ever become harmonised across European Union? Pose this important question another way: given that the UK Government intends to use legislative flexibility to the maximum in favour of the interests of controllers (see report on meeting with the Minister in January; references), how do we know that the UK will not enact something that could be

This brief blog is to explain why, “in” or “out”, the UK has to implement the General Data Protection Regulation (GDPR). This is important given that some organisations might think that a “Leave” vote might change matters with respect to the GDPR compliance (especially as the Cabinet Minister responsible for GDPR implementation, John Whittingdale, is a prominent “outer”). Obviously, if the vote in June is for “Stay” then the UK remains a Member of the European Union (EU) and the

For a long time, I have been arguing that the national security agencies should apply the data protection principles to their processing of personal data subject, if necessary, to exemptions from subject access and fair processing requirements. Today’s report from the Joint Committee on the Draft Investigatory Powers Bill (DIP) supports that position. In summary, if the criminal intelligence processed by the police relating to serious crime can be subject to most data protection requirements without mishap (since the 1984 Act),

Tomorrow the Information Commissioner will give his views on the draft Investigatory Powers Bill (“the Bill”) to a cross party Parliamentary Committee examining the Bill. The Bill proposes a power for the national security agencies to collect Bulk Personal Datasets (BPD) by a warrant signed by the Secretary of State which is subject to review by a Judicial Commissioner (the “double lock”). A Bulk Personal Dataset is any collection of personal data, where the “majority of the individuals are not,

Government policy towards the wider use of the National Insurance Number (NINo) as a general identifier appears to have changed again. This ever shifting policy now illustrates that well know saying “What goes around comes around”. As is well known, the “general identifier” powers in the Data Protection Act (Schedule 1, paragraph 1(4)) have never been activated with respect to the NINo. This is because Government well knows that there are lots of data controllers using the NINo for all sorts of

Note added 5th Jan 2016: my blog of this date augments the text below Many commentators have said that identifying a likely bomber/terrorist is like looking for a needle in a haystack.  So what do you do? The choices are: (a) build the largest haystack about all the population because you know that the needle has to be in there “somewhere”; or (b) have the powers to look at all the relevant smaller haystacks that are around when you have

This blog explains the extent to which the national security agencies have been collecting bulk Communications Data using powers which are being exercised in a way that were never subject to Parliamentary scrutiny.  Such data collection is neither subject to the relevant Code of Practice covering communications data nor to scrutiny from the Regulator who was specifically tasked by Parliament to supervise the use of communications data. The blog comprises yet another lesson in the dangers of leaving wide ranging

Please see the blog of 25/10/2015 which updates this blog Google was given 35 days (which elapsed around October 1st) to respond to the Commissioner's Enforcement Notice; I have found out from a very reliable source that Google has not appealed (i.e. passed over the opportunity to defend the policy at the Tribunal).  As Google risks criminal prosecution if they have not complied with the ICO’s demand, I am assuming Google has complied. The nine search results related to a