A problem shared...

As Iceland boss Richard Walker decried data protection and human rights laws for allegedly preventing him and his staff from sharing information with other retailers in order tackle the scourge of shoplifting, Handley Gill’s specialist data protection consultants consider how these and other laws apply to retailers and shopping centre operators and identify the steps retailers can take to lawfully share personal data for the purposes of preventing or detecting crime.

Nicola Cain3 September 2024Data Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Controller, Data Sharing, Data Sharing Agreement, Criminal Conviction & Offence Data, Article 10 UK GDPR, Section 11 Data Protection Act 2018, s.11 DPA 2018, Section 11(2) Data Protection Act 2018, s.11(2) DPA 2018, Section 10 Data Protection Act 2018, S.10 DPA 2018, Section 10(5) Data Protection Act 2018, s.10(5) DPA 2018, Retail, Retail Crime, Theft, Shoplifting, Data Protection Offences, Data protection impact assessment, DPIA, Appropriate Policy Document, Schedule 1 Data Protection Act 2018, Public Domain, Manifestly Made Public, NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), Data Privacy, Misuse of Private Information, Article 8 ECHR, Article 8 European Convention on Human Rights, Rehabilitation of Offenders Act 1974, Retention Schedule, Data Retention, Section 170 Data Protection Act 2018, Prevention or detection of crime, Crime prevention, Crime detection, Human Rights Act 1998, Reputation Management, Defamation, Libel, SlanderComment

On Hand July 2024

July 2024 edition of Handley Gill’s monthly digital newsletter, On Hand, with all the latest developments in data protection (UK, EU and global), cyber security, AI and machine learning, content regulation, online safety, open justice, access to information, reputation management and free speech, digital markets regulation, human rights & ESG. Presented in a readily digestible digital format, those who prefer the traditional newsletter format can export the newsletter to pdf.

Nicola Cain31 July 2024Data Protection, PERSONAL DATA, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS, PECR, ePrivacy Directive, Data Privacy, Cyber Security, Information Security, CONTENT REGULATION, Content Moderation, Reputation Management, Libel, Slander, Defamation, Malicious Falsehood, Misuse of Private Information, Privacy, Confidential Information, Breach of Confidence, Article 8 European Convention on Human Rights, Free speech, Freedom of Speech, Freedom of Expression, Article 10 European Convention on Human Rights, Open Justice, Access to Information, Freedom of Information Act 2000, FOIA, Environmental Information Regulations 2004, AI, Artificial Intelligence, Digital Markets Regulation, Human Rights, Human Rights Act 1998, European Convention on Human Rights, ESG, Environmental Social & Governance, Environmental Social & Corporate Governance, Online Safety, Online Harms, eSafety, EU AI Act, Online Safety Act 2023, Digital Markets Act, Cookies, Contempt, EU Corporate Sustainability Due Diligence Directive, Information Commissioner, ICO, Information Commissioner's Office, Data Subject Rights, Data protection impact assessment, DPIAComment

Now you see me...

As police forces are encouraged by the government to expand their use of live facial recognition technologies, with the Prime Minister announcing additional funding, Handley Gill Limited’s specialist consultants consider the legal issues that arise and the actions that Chief Constables and forces must take prior to deploying or even procuring LFR for law enforcement purposes.

Nicola Cain15 April 2024Data Protection, Personal Data, Part 3 DPA 2018, Part 3 Data Protection Act 2018, Law Enforcement, Law Enforcement Processing, Police, Policing, Biometric data, Biometric Processing, Sensitive Processing, Human Rights, DATA PROTECTION ACT 2018, Human Rights Act 1998, Article 8, Article 8 ECHR, Article 8 European Convention on Human Rights, Article 14 ECHR, Article 14 European Convention on Human Rights, Facial Recognition, Live Facial Recognition, LFR, Public Sector Equality Duty, PSED, Discrimination, Bias, Surveillance, Surveillance Camera Commissioner, Biometrics Commissioner, Data protection impact assessment, DPIA, Appropriate Policy Document, Equality Impact Assessment, Community Impact Assessment, Human Rights Impact Assessment, Cyber Security Risk Assessment, Integrated Impact Assessment, Model Card, Algorithmic Impact Assessment, Algorithmic Transparency Report, Algorithmic Transparency, Data Processing Agreement, Data Sharing Agreement, Joint Controller Agreement, Privacy Policy, Privacy Notice, House of Lords Justice & Home Affairs CommitteeComment

Britain's Got Talent's Got Problems

Handley Gill Ltd’s specialist consultants provide initial comment and analysis on The Sun’s report of David Walliams’ data protection claim against one of the co-producers of ITV’s Britain’s Got Talent, Fremantle Media, including the nature of the claim, potential defences and the sums being claimed. The claim arises from the the leak of a transcript of comments made by Walliams on set to The Guardian in November 2022.

Nicola Cain8 October 2023Data Protection, Personal Data, Data Protection Act 1998, GDPR, General Data Protection Regulation, DATA PROTECTION ACT 2018, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Breach, Data Litigation, Sensitive Personal Data, SPECIAL CATEGORY PERSONAL DATA, S.2 Data Protection Act 1998, S.32 Data Protection Act 1998, Special Purposes Processing, Special Purposes Exemption, Journalism Art or Literature, Article 9 GDPR, Article 9 UK GDPR, Data Protection Offences, s.170 Data Protection Act 2018, S.170 DPA 2018, Right to Erasure, Right to be Forgotten, Article 17 GDPR, Article 17 UK GDPR, WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB), Sir Cliff Richard v (1) BBC and (2) Chief Constable of South Yorkshire Police [2017] EWHC 1291 (Ch), Article 33 GDPR, Article 33 UK GDPR, Personal Data Breach Record, Breach Log, Data protection impact assessment, DPIA, Legitimate Interests Assessment, LIA, Retention Schedule, Privacy Notice, Data Controller, Vicarious LiabilityComment

Pride 2023: Take pride in your processing

Effective data protection compliance measures can promote, empower and protect the LGBTQIA+ community and can not only assist organisations in identifying and eliminating discrimination, but also in supporting LGBTQIA+ individuals and enabling them to have their gender identity and sexual orientation recognised.

Nicola Cain26 June 2023DATA PROTECTION, PERSONAL DATA, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, GDPR, GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, DPA 2018, SPECIAL CATEGORY PERSONAL DATA, SENSITIVE PERSONAL DATA, SEX LIFE, SEXUAL ORIENTATION, GENDER, PRIDE, LGBTQIA+, Inferred personal data, Data protection impact assessment, DPIA, Article 4(1) UK GDPR, Article 4(1) GDPR, Article 9(1) UK GDPR, Article 9(1) GDPR, Section 10 Data Protection Act 2018, S.10 Data Protection Act 2018, S.10 DPA 2018, Schedule 1 Data Protection Act 2018, Schedule 1 Part 2 paragraph 8 Data Protection Act 2018, Schedule 1 Part 2 paragraph 16 Data Protection Act 2018, Schedule 1 Part 2 paragraph 17 Data Protection Act 2018, Article 5(1)(d) UK GDPR, Article 5(1)(d) GDPR, Article 17 UK GDPR, Article 17 GDPR, Right to be Forgotten, Article 21 UK GDPR, Article 21 GDPR, Article 25 UK GDPR, Article 25 GDPR, Article 5(1)(c) UK GDPR, Article 5(1)(c) GDPR, Appropriate Policy Document, Data ControllerComment

CrapITa

Handley Gill’s data protection consultants consider recent supply chain cyber attacks, including the unfolding of the recent Capita and Zellis / MOVEit data breaches, and identify the steps data controllers should take when engaging data processors as part of their supply chain or giving third parties access to personal data, and the lessons to be learned for vendor management throughout the data processing lifecycle.

Nicola Cain10 June 2023Data Protection, Personal Data, Information Security, Cyber Security, Cyber Resilience, Cyber Attack, Data Breach, Supply Chain Risk, Supply Chain Security, Vendor Management, Capita, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Information Commissioner, Information Commissioner's Office, ICO, Pensions Regulator, Financial Conduct Authority, FCA, Data subjects, Compensation, Data litigation, Ransom, Ransom Payment, Department for Science Innovation & Technology, DSIT, Cyber Security Breaches Survey 2023, Article 25(1) UK GDPR, Article 25(1) GDPR, Data Controller, Data Processor, Data Processing Agreement, DPA, Data Processing, Article 28 GDPR, Article 28 UK GDPR, Article 32 GDPR, Article 32 UK GDPR, Cyber Insurance, Cyber Insurance Cover, Liability, Data protection impact assessment, DPIA, Administrative fine, Monetary penalty, Article 82(3) UK GDPR, Article 82(3) GDPR, Regulatory Action Policy, Article 33 UK GDPR, Article 33 GDPR, Article 34 UK GDPR, Data Breach Notification, Breach Response Plan, Incident Response Plan, Injunction, Injunctive Relief, Article 82 GDPR, Article 82 UK GDPR, CVE-2023-34362Comment

Can data protection save the planet?

To acknowledge Earth Day, Handley Gill’s specialist consultants comment on how data protection / data privacy compliance can contribute to satisfying environment, social, and governance (ESG) goals, and the practical steps that organisations can take to implement and report upon sustainability measures to demonstrate accountability.

Nicola Cain3 May 2023Data Protection, Data Privacy, GDPR, UK GDPR, Compliance, Regulation, Earth Day, Environment, Sustainability, ESG, Environmental, Social, Governance, Environmental Social & Governance, Climate Change, Privacy by Design, Data Protection Impact Assessment, DPIA, Data Minimisation, Data Retention, Information Security, Advertising, Marketing, Programmatic Advertising, Accuracy, Data Accuracy, Data Deletion, Directors' Duties, Companies Act 2006, s172(1) Companies Act 2006, s414C(7) Companies Act 2006, Securities and Exchange Commission, SEC, International Sustainability Standards Board, ISSB, Task Force on Climate-Related Financial Disclosures, Sustainability Accounting Standards Board, UN Sustainable Development Goals, Global Reporting Initiative, World Economic Forum, Stakeholder Capitalism Metrics, GR1 Universal Standards, Data ControllerComment

Watch and learn

Handley Gill Limited, and its specialist data protection consultants, respond to the Information Commissioner’s (ICO’s) consultation on its draft ‘Employment practices: monitoring at work’ guidance, which addresses the lawfulness of the use of workplace monitoring and surveillance technologies in the workplace (whether office, home or remote working) and on workers’ devices.

Pile Up Ahead?

Handley Gill comments on the Government’s response to the ‘Data: A New Direction’ consultation, which previews the content of the forthcoming Data Reform Bill, and identifies other issues which would merit being addressed in the proposed legislation.

Nicola Cain7 July 2022Handley Gill LimitedPERSONAL DATA, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, DPA 2018, PECR, PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS, DATA: A NEW DIRECTION, DATA PROTECTION REFORM, BREXIT, NATIONAL DATA STRATEGY, CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA, POLITICAL PROCESSING, ARTICLE 6 UK GDPR, SPECIAL CATEGORY PERSONAL DATA, SCHEDULE 1 DATA PROTECTION ACT 2018, ANONYMITY, ANONYMOUS DATA, ARTICLE 4(1) UK GDPR, THE COUNCIL OF EUROPE’S CONVENTION 108, THE COUNCIL OF EUROPE CONVENTION 108, PRIVACY MANAGEMENT PROGRAMME, DATA PROTECTION OFFICER, ARTICLE 37 UK GDPR, DATA PROTECTION IMPACT ASSESSMENT, DPIA, ARTICLE 35 UK GDPR, ARTICLE 30 UK GDPR, RECORDS OF PROCESSING ACTIVITIES, ARTICLE 36 UK GDPR, PRIOR CONSULTATION, ARTICLE 12(5) UK GDPR, MANIFESTLY UNFOUNDED OR EXCESSIVE, VEXATIOUS OR EXCESSIVE, ARTICLE 45(2) UK GDPR, INTERNATIONAL DATA TRANSFERS, ADEQUACY DECISION, S.17B(1) DATA PROTECTION ACT 2018, COOKIES, COOKIE CONSENT, REGULATION 6 PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS, REGULATION 22(2) PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS, SOFT OPT-IN, MARKETING, INFORMATION COMMISSIONER, EXPERT PANEL, ENFORCEMENT, MONETARY PENALTY NOTICE, ARTICLE 15 UK GDPR, DATA SUBJECT ACCESS REQUEST, SUBJECT ACCESS REQUEST, BILL OF RIGHTS, EUROPEAN COURT OF HUMAN RIGHTS, UK SUPREME COURT, SUPREME COURT, EUROPEAN COMMISSION, COMMISSION IMPLEMENTING DECISION C(2021) 4800, Data Protection & Digital Information BillComment

U-turn?

Handley Gill summarises the Government's publication of its response to the ‘Data: A New Direction’ consultation, previewing the content of the forthcoming Data Reform Bill, which was proposed in ‘The Benefits of Brexit’ policy paper and formally announced in the Queen’s Speech 2022.

Nicola Cain22 June 2022Personal Data, UK GDPR, UK General Data Protection Regulation, Data Protection Act 2018, DPA 2018, PECR, Privacy and Electronic Communications Regulations, Data: A New Direction, Data Protection Reform, BREXIT, National Data Strategy, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 89 UK GDPR, Recital 159 UK GDPR, Recital 33 UK GDPR, Article 14 UK GDPR, Recital 62 UK GDPR, Disproportionate effort, Article 6(1)(f) UK GDPR, Political processing, Article 6 UK GDPR, Special Category Personal Data, Schedule 1 Data Protection Act 2018, Anonymity, Anonymous Data, Article 4(1) UK GDPR, the Council of Europe’s Convention 108, the Council of Europe Convention 108, Privacy management programme, Data Protection Officer, Article 37 UK GDPR, Data Protection Impact Assessment, DPIA, Article 35 UK GDPR, Article 30 UK GDPR, Records of Processing Activities, Article 36 UK GDPR, Prior Consultation, Article 12(5) UK GDPR, Manifestly Unfounded or Excessive, Article 45(2) UK GDPR, International data transfers, Adequacy Decision, s.17B(1) Data Protection Act 2018, Alternative Transfer Mechanisms, Article 46 UK GDPR, Law enforcement processing, Part 3 Data Protection Act 2018, Part 4 Data Protection Act 2018, Cookie Consent, Regulation 6 Privacy and Electronic Communications Regulations, Regulation 22(2) Privacy and Electronic Communications Regulations, Soft Opt-In, Marketing, Regulatory Enforcement, Information Commissioner, Statutory Duties, Statement of Strategic Priorities, Expert Panel, Technical Reports, Notice of Intent, Final Penalty Notice, AI, Artificial Intelligence, Article 22 UK GDPR, Automated Processing, Voluntary Undertakings, Data Breach Reporting, Article 33 UK GDPR, Article 15 UK GDPR, Data Subject Access Request, Reverse Transfers, Article 49 UK GDPR, Derogations, s.35 Digital Economy Act 2017, Data Sharing, Algorithm Transparency, Schedule 1 Part 2 Data Protection Act 2018, Substantial Public Interest, Biometric Data, Impact Assessments, Legitimate Interests Assessment, Biometrics Commissioner, Smart Data Schemes, Data Intermediaries, Article 46(2)(f) UK GDPR, Certification Regime, Surveillance Camera Commissioner, Schedule 16 paragraph 2(2) Data Protection Act 2018, Data Protection & Digital Information BillComment

Deep Impact on Data Protection Impact Assessments

Data controllers should revisit their Data Protection Impact Assessments (DPIAs).

DPIAsNicola Cain15 November 2020Data protection, Data protection impact assessment, GDPR, Article 35, Law enforcement processing, High risk processing, Data controller, Criminal conviction & offence data, Data Protection Act 2018, Section 64, Biometric data, Systematic public monitoring, Law Enforcement, Law Enforcement Processing, DPIA, Part 3 Data Protection Act 2018