
Privacy Day 2021
28 Jan 2021
The 28th January each year is 'officially' known as Data Privacy Day, or Data Protection Day in Europe, where it originated.
Not an opportunity that greetings card manufacturers have latched onto (yet), but nevertheless a good opportunity to take stock of the importance of privacy in our lives.
If you want to know the background, here are the details from the Council of Europe.
Coincidentally, we were struck the other day by the attitude that organisations sometimes adopt to the issue.
Have a look at this popup taken from a well known media website. It's wonderful that the publishers are trying to explain their policies in such a prominent way, but the flippancy and level of dismissiveness shown in the bottom paragraph are astonishing.
Maybe they aren't a very serious publication and at least they don't say they were 'taking our privacy and data protection seriously'. We are sadly left reminding ourselves that the British press doesn't have an enviable record on this subject.
Copyright © Exigia Ltd., All rights reserved
When is an Agreement not an Agreement?
Answer: When it's an NHS Data Sharing Agreement
06 Jan 2021
Data Sharing is one of the areas of information governance that organisations find most challenging, along with confusion over the two main roles involved in the processing of personal information - (data) controller and (data) processor.
As a result, when we act as consultants or as Data Protection Officer, this is where we most often need to steer organisations in the right direction to ensure compliance with data protection legislation.
In reality, the new NHS 'Agreement' is more of a checklist of good practice for organisations to follow, modelled on the recently updated ICO Data Sharing Code and set in an NHS context. The guidance that comes with the 'agreement' is fairly comprehensive, but unfortunately the NHS perpetuates its practice of muddying the waters by turning a perfectly adequate guidance process into a document that looks like a binding agreement, complete with an expiry date and a signatory section. Please be aware that the NHS Data Sharing Agreement:
- is NOT a binding agreement
- is NOT a contract
- has NO legal force
- is NOT a Data Processing Agreement (which is legally binding) and does not replace the need for one where necessary
Signing up to best practice is always a good thing, and adopting this document as the norm for sharing NHS patient data should help. Organisations must nevertheless make the effort to understand the guidance and adopt it, whilst observing all data protection laws and the common law duty of confidentiality.
We applaud this attempt to update NHS guidance, but the danger remains that organisations will assume that by signing one of these 'Agreements' they have done everything needed in a 'one size fits all' way. They should instead analyse their situation thoroughly (possibly with the aid of its accompanying guidance) and take the additional steps that are frequently necessary.
If you are confused over your role in a 'data sharing' exercise with the NHS or the legality of your personal data processing, Exigia is here to help.
Personal Data Transfers to the EEA - BAU for now
01 Jan 2021
Now that the 'Transition' period following the United Kingdom’s exit from the EU is over, the UK privacy regulation incorporated in the Data Protection Act 2018, also known as the “UK GDPR”, has come into force, replacing the EU GDPR.
As the UK and the EU have also entered into a Trade & Co-operation Agreement, the transition period for personal data transfers from the EU (or EEA) to the UK has been extended for up to six months. During this period, the UK may not change its data protection laws without the EU’s agreement; if it does, the extended transition period will terminate.
The agreement therefore allows personal data to continue flowing from the EU to the UK during this period, after which such transfers will be considered international transfers under the EU GDPR unless the EU has approved an 'adequacy' decision in the UK's favour.
For transfers from the UK, the UK GDPR adopts the EU's list of countries counted as adequate and transfers of personal data to these countries remain valid.