Included in this week's Data & Privacy News: UK government tells companies to draft data transfer contracts in case of a no deal Brexit; Financial firms moving business to the public cloud are causing data privacy concerns.

UK government tells companies to draft data transfer contracts in case of a no deal Brexit 

In the latest batch of technical notices, the UK government has issued a warning to companies to start drafting standard contractual clauses for data transfers in case it doesn't manage to negotiate exit terms with the European Union before March 2019.

The government confirmed in the notice on data protection, that it would green light the transfer of UK data to other member states. However, guarantees could not be made for the reverse as Eurocrats have made it clear they won't rubberstamp the standards of protection applied by the UK (adequacy decision) until the UK is out of the bloc.

This leaves a period of time between the official exit date in March 2019 and the adequacy decision when data will not be able to flow into the UK and will be a major blow for companies doing business in Europe.

ICO Deputy Commissioner gives speech on key data breach reporting trends under the GDPR 

Information Commisioner's Office (ICO) Deputy Commissioner, James Dipple-Johnstone, has made a speech to the CBI Cyber Security: Business Insight Conference on the impact of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA). 

In his speech, the Deputy Commissioner outlined key data breach reporting trends under the GDPR, which included:

  • Organisations struggling with the concept of 72 hours from the moment of awareness of the breach;
  • Reports are incomplete with a lack of people with suitable seniority and clearance to talk to the ICO; and
  • Over reporting by some controllers.

The Deputy Commissioner advised that businesses should read the ICO's reported guidance, take time to gather information by deciding whether reporting is required, report by phone, take extra steps to prevent cyber-attacks and look at the NCSC / ICO security outcomes.

Council issued with enforcement notice over subject access request backlog 

The ICO has issued the London Borough of Lewisham (LBL) an enforcement notice under the DPA requiring them to clear a backlog of subject access requests after they failed to meet agreed deadlines. The ICO has given LBL until the 15 October to action their request and inform the relevant individuals who submitted subject access requests before 25 May 2018.

The enforcement notice states that LBL had a backlog of 113 subject access requests on the 29 March 2018 with the oldest dating back to 2013. The council planned to eliminate these by 31 July 2018, however it admitted in July that it would not be able to meet the deadline. 

The Information Commissioner has shown concerns towards LBL's failure to adhere to deadlines set for clearing old cases and for identifying subject access requests in general.

Financial firms moving business to the public cloud are causing data privacy concerns 

A global survey of senior technologists and market data managers within the financial services sector has revealed that security is no longer a major concern for financial firms as they move business towards the public cloud. 

Of the firms surveyed, 82% believed that the need for greater security would help towards take up of the cloud, with only 12% indicating it as a factor in inhibiting its adoption. 

Financial institutions are seeing the cloud as key technology for managing their financial data, with many planning to increase their investment from 30% of IT budgets to 47% by 2019. 

The Thomson Reuters survey also found that the three main concerns when using the cloud were: data residency, data privacy and losing control over data.

Medical record requests for clients is causing confusion amongst solicitors 

Medical record requests are causing confusion amongst solicitors as to whether they can obtain them for free by making a subject access request under the GDPR.

Under the Access to Medical Records Act 1998, doctors are allowed to charge for providing medical record information, work which can be time cumbersant. However, it seems making a free subject access request under the GDPR is becoming increasingly prominent with some doctors receiving requests every week to supply notes.  

In response to the issue, the British Medical Association (BMA) has surveyed its members ahead of government talks and also issued some guidance. The BMA has stated that requests for creation or interpretation of medical reports falls under the Access to Medical Report Act, as both require new data to be produced. This is out of the scope of the GDPR and so doctors can charge a fee.

Key Contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

View profile
Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile