Data protection: ICO’s updated data sharing code of practice

The Information Commissioner (ICO) published a ‘consultation on the draft data sharing code of practice’ on 16 July 2019. The ICO is required by the Data Protection Act 2018 to update its data sharing code of practice, which was published in 2011. The ICO had launched a call for views in August 2018. The updated draft code seeks to address these views and explains and advises on data protection legislation where it is relevant to data sharing. Some of the aspects covered are: transparency, lawful bases for processing, the new accountability principle, and the requirement to record processing activities. It also provides practical guidance and good practice advice in the sharing of personal data. The consultation questions are as follows, and respondents are invited to provide further comments or suggestions: Does the updated code adequately explain and advise on the new aspects of data protection legislation which are relevant to data sharing? If not, please specify where improvements could be made. Does the draft code cover the right issues about data sharing? If no, what other issues would you like to be covered in it? Does the draft code contain the right level of detail? If no, in what areas should there be more detail within the draft code? Has the draft code sufficiently addressed new areas or developments in …

Governance: Bribery Act 2010: post-legislative scrutiny

On 14 March 2019, the House of Lords Select Committee on the Bribery Act 2010 published its ‘Report of Session 2017-2019 The Bribery Act 2010: post-legislative scrutiny’ as to whether the Act is achieving its intended purposes. The Select Committee was appointed by the House of Lords on 17 May 2018 to consider and report on the Bribery Act 2010. The Act received Royal Assent on 8 April 2010 and came into force on 1 July 2011. In its principal conclusions and overall assessment, the report states that ‘the Act is an excellent piece of legislation which creates offences which are clear and all-embracing’, and the new offence of corporate failure to prevent bribery is regarded as ‘particularly effective’. The report reviews the legislation and makes certain recommendations. The report highlights that the ‘Ministry of Justice Guidance’ (guidance), published under s.9 of the Act, is less successful in providing SMEs with the information to assist them with adopting a formal anti-bribery policy, and could provide companies considering exporting with more assistance on the point at which hospitality would begin to influence the recipient’s course of action. It is recommended that the guidance makes it clear that businesses need to conduct risk assessments, and provide staff training on procedures (see paragraph 194). It is also recommended that the Secretary of State …

Data protection: Tribunal decides on ICO Information Notice under DPA 2018

The First-tier Tribunal (information division) has considered an appeal against an Information Notice issued by the Information Commissioner under section 142, Data Protection Act 2018 (DPA 2018). In its decision (issued in January 2019), the Tribunal noted that this was the first such appeal to reach final determination under the regime introduced by the DPA 2018. The Information Commissioner has power, under the DPA 2018, to issue Information Notices requiring controllers and processors to provide her with information that she ‘reasonably requires for the purposes of carrying out’ her statutory functions. In July 2018 the Information Commissioner launched an investigation into the data protection compliance of Doorstep Dispensaree Ltd (the company), a pharmacy delivery service operating in the south of England. The investigation was prompted by a report from the Medicines and Healthcare Products Regulatory Agency concerning the manner in which the company appeared to be processing personal data. During the investigation, the Information Commissioner initially requested that the company provide relevant information voluntarily. The company refused to provide the requested information. The Information Commissioner followed up with a formal Information Notice. Section 143(6) DPA 2018 provides that ‘an Information Notice does not require a person to provide the Information Commissioner with information if doing so would, by revealing evidence of the commission of an offence, expose the relevant person …

Employment: Government consultation on confidentiality clauses and workplace harassment or discrimination

On 4 March 2019, the Government published an open consultation called: ‘Confidentiality Clauses: measures to prevent misuse in situations of workplace harassment or discrimination’. The purpose of the consultation is to seek evidence and views on the use of confidentiality clauses – also known as non-disclosure agreements or NDAs – in the employment context, and to propose further regulation to tackle their misuse. The consultation uses the term ‘confidentiality clause’ whether as a stand-alone agreement or part of a wider contract or settlement agreement. It is acknowledged that confidentiality clauses have an important role to play in protecting trade secrets or other confidential information pertaining to an employer. There are certain existing legal limitations on confidentiality clauses: for example, they cannot override anti-discrimination law under the Equality Act 2010, or remove the protections around making a protected disclosure (‘whistleblowing’). Also, a stand-alone confidentiality clause cannot prevent someone taking a matter to an employment tribunal; however, a valid settlement agreement can waive this right. There is evidence to suggest that they have been used to intimidate victims of harassment or discrimination from disclosing their treatment to the police or other people. Therefore, the consultation seeks to examine: whether there should be more limitations on confidentiality clauses in the employment context, to make it easier to understand when workers are able to disclose …

Governance: EHRC ‘Freedom of Expression’ guide for HEIs

On 2 February 2018, the Equality and Human Rights Commission (EHRC) published a guide on Freedom of Expression for Higher Education Providers and Students’ Unions in England and Wales (the Guide). In its introduction, the guide states that it ‘provides practical advice on how to protect free speech and makes it clear to students what they should expect from their institutions’. The guide is aimed principally at: governing bodies of universities and other higher education providers; students’ union trustees. It states that it may also be of interest to others including academic staff, students’ union elected officers, individual students and speakers. In 2017, the House of Commons and House of Lords Joint Committee on Human Rights held an inquiry into the state of freedom of speech in UK universities. It was found that: ‘…while restriction of freedom of expression was not a widespread issue, there were concerns around increased bureaucracy, and potential self-censorship from students on campus as a result of the Prevent duty guidance. They also flagged intolerant attitudes and violent protest as potential obstacles to free speech, as well as a potential conflict in interpretation and grey areas in some existing laws and guidance.’ (see page 5 of the Guide) Following concerns raised by the inquiry, in May 2018 the Minister of State for Universities, Science, Research and …

Data protection: ICO blog – advice for organisations in relation to a possible no-deal Brexit

In a blogpost published on 13 December 2018, the Information Commissioner Elizabeth Denham sets out information for organisations, to help them prepare for the possible event of a ‘no-deal’ Brexit. The Information Commissioner said that, in view of the UK government’s intention that the GDPR will be absorbed into UK law at the point of exit, there would be no substantive changes to the data protection rules that organisations currently need to follow. In the Information Commissioner’s view, however: organisations that ‘rely on transfers of personal data between the UK and the European Economic Area (EEA) may be affected’ if the UK leaves the EU ‘without a withdrawal agreement that specifically provides for the continued flow of personal data’; although the UK government has made clear its intention to permit data to flow from the UK to EEA countries, transfers of personal data from the EEA to the UK will be affected. The Information Commissioner refers organisations to the ICO’s ‘six steps to take’ guide, broader ‘guidance on the effects of leaving the EU without a withdrawal agreement’, and a general overview in the form of ‘Frequently Asked Questions.’ She also suggests that, where relevant, organisations should consider putting in place Standard Contractual Clauses (interactive guide available here) to facilitate transfers of personal data from/to the EEA. The blogpost states …