Freedom of Information: New Draft S.45 Code of Practice


Amongst all the hype about GDPR it is easy to miss developments in other areas of information law.  In November 2017, the Cabinet Office published the revised code of practice (under section 45 of the Freedom of Information Act 2000) for consultation.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine FOI’s operation. In its report the Commission concluded that FOI was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness.

In its response to the Commission’s report, the government agreed to update the S.45 Code of Practice. The draft code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not currently included in the Code, e.g. general principles about how to define “information” and that which is “held” for the purposes of the Act.

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with the guidance set out in this Code. The Commissioner can also refer to non-compliance with the Code in Decision and Enforcement Notices.

As well as giving more guidance on advice and assistance, costs, vexatious requests and consultation, the code places new “burdens” on public authorities including the following:

  • Public authorities should produce a guide to their Publication Scheme.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should, as a matter of best practice, publish details of their performance on handling FOI requests.
  • Pay (salaries over £90,000), expenses and benefits of senior staff at director level and equivalents should be published at regular intervals. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.

  • The public interest test extension to the time limit for responding to an FOI request should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets will be merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There will also be an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the draft code carefully and decide whether the additional obligations are workable given pressures on resources, especially due to GDPR’s pending implementation.

The deadline for consultation responses is 2nd February 2018.

 

We will be discussing this and other recent FOI decisions in our forthcoming FOI workshops and webinars. For those wanting an internationally recognised qualification, the BCS Certificate in Freedom of Information starts in February 2018 in Manchester and London.


GDPR Training Courses in Dubai


Act Now Training is pleased to announce two forthcoming GDPR training workshops in Dubai (UAE).

The General Data Protection Regulation (GDPR) will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of the world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Failure to comply with GDPR could lead to massive reputational damage and a fine of up to 20 million Euros or 4% of global annual turnover (whichever is higher).

Our Dubai workshops will examine the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors will be discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we will discuss how GDPR is a business opportunity rather than a threat. By the end of the workshop delegates will be able to write their own action plan for GDPR compliance.

Ibrahim Hasan, solicitor and Director of Act Now Training, will deliver the first two workshops in Dubai. He said:

“I am really pleased to design and deliver this new GDPR workshop in Dubai. It will add to our growing experience of delivering data protection training abroad. Dubai is the latest addition to our increasing international portfolio. We plan to use it as a platform to showcase our other GDPR courses and consultancy services.”

More details and a course outline here

Our 2018 course programme contains many more GDPR courses and live webinars which are held in locations throughout the UK. Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally, we have sold over 350 copies of our GDPR handbook. We are donating £1 from each sale to the DEC Rohingya Crisis Appeal.

Happy New Year!


RIPA Surveillance Oversight and Inspection Regime Changes


By Steve Morris

On 1st September 2017 Lord Justice Fulford commenced his new role as the Investigatory Powers Commissioner. Assisted by the Investigatory Powers Commissioner’s Office (IPCO), he will undertake the oversight functions of three previous Commissioners under the Regulation of Investigatory Powers Act 2000 namely the Chief Surveillance Commissioner, Interception of Communications Commissioner and the Intelligence Services Commissioner.

This marks a major milestone in establishing a new oversight regime set out in the Investigatory Powers Act, which was given Royal Assent in 2016. The Act, amongst other things, provides new powers for the police to access communications data e.g. telephone records, internet usage information etc. More on the Act in further blog posts.

Not only does the new commissioner take over the inspection and oversight functions carried out by the previous commissioners, he takes on responsibility for the pre-approval of certain police activities authorised under the Police Act 1997.

The Investigatory Powers Commissioner’s Office will consist of around 70 staff. This will be made up of:

  • Around 15 Judicial Commissioners, current and recently retired High Court, Court of Appeal and Supreme Court Judges;
  • A Technical Advisory Panel, of scientific experts; and
  • Almost 50 official staff, including inspectors, lawyers and communications experts.

Over the next 12 months Judicial Commissioners will start to take on their prior approval functions relating to the Investigatory Powers Act 2016, including interception, equipment interference, bulk personal datasets, bulk acquisition of communications data, national security notices, technical capability notices and communications data retention notices. The Judicial Commissioners will be supported in this work by the Technology Advisory Panel.

What impact will this new commissioner have on local authority inspections under Part 2 of RIPA carried out previously by the Office of the Surveillance Commissioners (OSC)? I suspect not a lot. The same issues will be considered as previously. The final OSC annual report once again highlights the recurring issue of investigations using social networks e.g. Facebook.

If you have an inspection coming up read our guide here.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid reinventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).


Season’s greetings to all


Act Now Training would like to wish all of its colleagues a wonderful festive period and a very happy new year.


GDPR: What’s Happening?


If you want to avoid watching Grandad murdering “Mistletoe and Wine” over the festive season, you could escape to a lesser evil; catching up on your GDPR reading! You may have missed some of the recent GDPR publications.

The Article 29 Working Party (A29WP) started handing out its Christmas presents early. Its Guidelines on Personal Data Breach Notification was published for consultation a few weeks ago. Once finalised this document will offer valuable assistance to Data Controllers when deciding when to report a data breach to the Information Commissioner’s Office and to Data Subjects under Articles 33 and 34 of GDPR. (See also our previous blog post on this subject.)

23rd January 2018 is the deadline for commenting on the A29WP’s Guidelines on Consent and Transparency.

There is a lot of misinformation and confusion out there about consent. As the Information Commissioner has pointed out in her myth busting blog post, consent is only one way of justifying the processing of personal data under Article 6 (and 9) of GDPR. What is consent? When is it explicit? When is it freely given? These are just some of the questions addressed in the draft guidelines.

Transparency is a key requirement of the First Data Protection Principle in Article 5 of GDPR. It is also the theme of the Data Subject’s rights in Article 13 and 14; the right to information. Amongst other things, the draft guidelines on this topic address the important issue of privacy notices, their content and timing.

The Data Protection Bill is currently being scrutinised by the House of Lords in the Committee Stage. One important amendment has been agreed which will be good news for public authorities (defined by clause 6 of the Bill as those subject to Freedom of Information laws). “Legitimate interests” is one of the conditions for processing personal data under Article 6. However GDPR states that it is not available to “public authorities in the performance of their tasks.” This caused concern amongst some public authorities who felt that some of their personal data processing, especially when involved in commercial activities, did not always fit the other conditions in Article 6. In particular it was not “a task carried out in the public interest or in the exercise of official authority” as per Article 6(1)(e).

The amendment to the Bill resolves this issue by saying that a Data Controller will only be a public authority “when performing a task carried out in the public interest or in the exercise of official authority” vested in it. Therefore where a Public Authority Data Controller is processing personal data for other reasons it will still be able to rely upon legitimate interests. We will be covering this in our Data Protection Bill webinar in January 2018.

And Finally…

  • We have finalised our 2018 course programme.
  • Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. Read about the last set of results. 2 out of the first 3 courses in 2018 are fully booked.
  • If you require tailored GDPR training delivered at your premises, please get in touch.
  • We have sold over 350 copies of our GDPR handbook. We are donating £1 from each sale to the DEC Rohingya Crisis Appeal.

image credits: https://londonist.com/category/things-to-do/christmas-in-london


Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”; where Member States are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5 size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural reading of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Myanmar’s (Burma) Rakhine state. They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.


Scottish Information Commissioner’s Annual Report 2016/17


Last month, Margaret Keyse, the Acting Scottish Information Commissioner, published her annual report for 2016/17. Amongst other laws, Ms Keyse enforces the Freedom of Information (Scotland) Act 2002 (FOISA).

The report reveals that during 2016/17:

  • Public awareness of FOISA remained at its highest ever level, at 85%.
  • The Office of the Scottish Information Commissioner (OSIC) met or exceeded most of its investigation performance targets (10 out of 12).
  • It issued its first ever Enforcement Notices.
  • It carried out 15 level 4 interventions with authorities to address practice concerns.
  • It launched an online appeal service, making it possible for requestors to make appeals online, and receive real-time help and advice, at any time of day.
  • It responded to its 20,000th enquiry since 2005.

Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four-day course is endorsed by the Centre for FOI, based at Dundee University.

The next course starts in Edinburgh in February 2018. If you’re considering enrolling on the course, what can you expect? Read a successful candidate’s observations.
