GDPR Friday Roundup – 27th October 2017


On Monday 30th October the Data Protection Bill will begin the Committee Stage in the House of Lords. See the passage of the Bill here.

The Lords Constitution Committee has published a report on the Data Protection Bill drawing attention to the interlocking relationship between the powers of the Data Protection Bill and current EU law. It says Bills such as this need careful scrutiny to ensure that their provisions will continue to function post-Brexit without needing significant amendment. Find the report here.

The Lords EU Home Affairs Sub-Committee has published the Government’s response to its ‘Brexit: EU Data Protection Package’ report which was published in July. Find the Government’s response to the conclusions and recommendations made by the Committee here.

The Lords Delegated Powers and Regulatory Reform Committee has published a report on the Data Protection Bill and the wide-ranging delegated powers in it. The Government has previously justified such powers on the basis that flexibility is needed to deal with future changes of circumstances. The Committee is worried that this ‘thin’ justification will allow current or future Ministers to implement important policy changes without the need for further primary legislation. Find the full report here.


Written Questions

School standards minister Nick Gibb MP responded to a question previously tabled by Labour MP Darren Jones on what the criteria are for refusing subject access requests for personal confidential data in the National Pupil Database and how the Department will ensure these criteria comply with the GDPR. Mr Gibb responded that a subject access request may be refused if it falls within a statutory exemption. He said the Department is undertaking a programme of work in preparation for the GDPR, which will include a review of the policies and processes associated with Subject Access Requests. Read more here.

Digital minister Matt Hancock responded to a question previously tabled by Andrew Gwynne MP asking how many registered consultancies of the Government’s Cyber Essentials scheme had data exposed due to a configuration error in the Pervade Software platform. Mr Hancock responded that system logs from companies including assessors of and applicants to the Cyber Essentials scheme were exposed but that there is no evidence any data was extracted. Read more here.

Financial Secretary to the Treasury and Paymaster General Mel Stride MP responded to a question tabled by Chris Stephens MP on what work is being undertaken by HMRC in respect of the GDPR. Mr Stride responded that HMRC has appointed a Data Protection Officer who will advise HMRC on the actions necessary to ensure GDPR compliance and act as a first point of contact for regulators and for individuals whose data is processed. Read more here.


Who’s getting it wrong?

The ICO has concluded its investigation into a Conservative Party telephone campaign carried out in the run-up to the 2017 general election. It found that two sections of the written script used by those making the calls crossed the line from legitimate market research to unlawful direct marketing. The ICO said it would not bring formal regulatory action because the overall campaign was genuine market research, but it has warned the Conservative Party to get it right next time. Read more here.

The ICO has issued a warning to NHS employees about the consequences of looking at patient records without a valid legal reason. The warning comes after an NHS employee recently accessed the health records of a single patient 279 times over a three-week period. Although the employee knew the patient, she had no lawful reasons to access their records. Read more here.


Other News

The National Audit Office has published a report on its investigation into the WannaCry cyber attack on the NHS in May, suggesting the attack could have been prevented. The report suggests that NHS trusts were left vulnerable in the major ransomware attack because cyber-security recommendations were not followed. NHS Digital told the NAO that all affected Trusts shared the same vulnerability and could have taken relatively simple action to protect themselves. Find the full report here.

In a review of 30 UK websites the ICO has found that website privacy notices are too vague and generally inadequate. Organisations need to be more open, honest and transparent in their online privacy notices about how they handle personal data. While the organisations reviewed generally specified what personal data would be collected, 26 out of 30 did not specify how and where information would be stored. 26 out of the 30 also failed to adequately explain whether they share data with third parties and who that data would be shared with. Read more here. This review – led by the ICO – was part of a global investigation by 24 data protection regulators around the world. Find the report here.

The consumer group Which? is calling on the UK government to amend the Data Protection Bill so that independent organisations acting in the public interest can help groups of affected consumers to get collective redress. Read more here.



The ICO is inviting Data Protection Practitioners to register their interest in attending the Data Protection Practitioner Conference on 9 April 2018. Registration closes on 8 December with places allocated in January. Usually, one place will be offered to each organisation and if accepted, a £50 fee would be required.
