Headlines...

Harrison v Cameron: What This Case Means for Responding to Subject Access Requests (SARs)

A recent High Court ruling in Harrison v Cameron has clarified an important question in data protection law: when responding to a Subject Access Request (SAR), do you have to reveal the names of individuals who received the requester’s personal data?

The short answer? Sometimes—but not always.

Background

Mr. Harrison, a property investor, hired ACL, a landscaping company run by Mr. Cameron. Things turned sour, and after Harrison terminated the contract, Cameron recorded two phone calls and shared them with colleagues, friends, and family. Harrison claimed the recordings damaged his reputation and business and issued SARs demanding to know who had received them.

The Court’s Findings

The judge made a few key rulings that are particularly useful for data controllers:

• Named individuals—not just categories—may need to be disclosed. This includes employees of the controller.

• However, exemptions apply. If naming third parties would infringe on their rights or expose them to harm, controllers can withhold those names.

• A balancing test is required. Controllers must weigh the data subject’s right to access against risks to third parties. Content Capture Services know where this line and is!

• Controllers have discretion. The court emphasised that organisations responding to SARs have a “wide margin of discretion” when applying exemptions.

• The purpose of the SAR matters. Evidence showed Harrison used previous disclosures to send intimidating legal letters, which justified ACL’s refusal.

Why This Matters

This case confirms that while data subjects can expect transparency, their rights are not unlimited. If you’re responding to a SAR, particularly one involving internal communications or sensitive third-party data, this case is a helpful guide on when—and when not—to disclose. Content Capture Services can help you implement the best practice here.

The King’s Speech and accompanying briefing notes from Downing Street have shed some light on the proposed new Digital Information and Smart Data Bill (“DISD Bill”). The bill aims to “harness the power of data for economic growth, support a modern digital government, and improve people’s lives.” While details are currently limited, the DISD Bill is expected to significantly impact how businesses operate, interact with customers, suppliers, and partners, and comply with legal obligations concerning digital information and smart data. Growth and innovation seem to be key focuses of the bill, and as more details emerge, it will be vital for businesses to stay informed about its potential implications for their data activities and strategies.

Key Features of the DISD Bill

Several core proposals have been confirmed, many of which may ring a bell from the earlier DPDI Bill:

Data Protection:
The bill promises targeted reforms to data laws, aiming to maintain high standards while increasing clarity to support the development and use of new technologies.

Strengthening the ICO:
The bill plans to give the Information Commissioner’s Office (ICO) stronger powers and a modernised structure, including a CEO, board, and chair. While similar structural changes were proposed in the DPDI Bill, questions remain about how the Labour government will handle the ICO’s independence.

Digital Verification Services:
The bill supports the creation of secure digital identity products by certified providers, simplifying identity checks for everyday activities like buying age-restricted goods, moving house, and employment screening. This could also facilitate smoother online transactions.

Smart Data Schemes:
A legal framework for Smart Data is proposed, allowing customers to share their data securely with authorised third-party providers. Inspired by Open Banking, this would enable businesses to enhance customer data with broader business insights to improve decision-making.

Scientific Research:
Proposals include allowing “legitimate” researchers to obtain broad consent for data use in scientific studies, easing restrictions on processing personal data for research purposes.

The Devil Lies in the Detail

The announced aspects of the DISD Bill reveal the government’s focus on leveraging data for economic and societal benefits. However, many details remain unclear, and while there are overlaps with the DPDI Bill, the new government’s approach could differ significantly. Notably, concerns had been raised under the DPDI Bill regarding potential weakening of data protection rights, with the previous government prioritising post-Brexit regulatory flexibility.

Conclusion

It is still unclear how the DISD Bill will differ from the DPDI Bill, but it is likely the current government will aim for a more balanced approach to data protection amendments while maintaining strong protections for personal data. Businesses and individuals should stay up-to-date on the bill’s progress to prepare for potential changes in the data landscape.

CCS have found that Ai redaction software products over promise and under provide.

All the main options tested struggled with automatic redaction due to the complexity of understanding context and the nuanced nature of sensitive information. Redacting isn’t just about removing predefined keywords or patterns; it requires understanding the context in which a word or phrase is used. For example, Ai might redact a name in one document but miss the same person’s identity in a different context, such as through indirect references. Sensitive information can also be implied through surrounding text, making it hard for Ai to consistently recognise all privacy risks.

Additionally, Ai models were found to lack real-world comprehension, often failing to detect legal, ethical, or domain-specific nuances. Over-redaction, such as removing irrelevant data, and under-redaction, like missing hidden or implied sensitive information, were common pitfalls. Human oversight is still essential to ensure the appropriate balance between privacy protection and maintaining document integrity when redacting complex documents. So a helpful tool to reduce work but not a magic wand!

We’ve developed a state-of-the-art, secure internal video rendering farm that sets the industry standard for efficiently handling large video processing tasks. Leveraging the latest GPU (graphics processing unit) technology, our system can ingest, process, and deliver long-length video clips without the need to break them down into smaller segments. Click here for more Video Redaction Service Description

With the Prime Minister calling a General Election for July 4, 2024, the UK Parliament has entered a ‘wash-up’ period to finalise any uncompleted legislation. Legislation that is not completed by the end of the ‘wash-up’ on May 24 will lapse and may be reintroduced in the next Parliament. The Data Protection and Digital Information (DPDI) Bill did not complete its passage by the end of the ‘wash-up’ and has therefore lapsed.

It is understood that the Bill’s failure was due to disagreements in the House of Lords over controversial late amendments introduced by the Department of Work and Pensions (DWP). These amendments aimed to facilitate data sharing between the DWP and private companies, primarily banks, to prevent fraud. However, they were controversial and faced significant opposition in the House of Lords.

The DPDI Bill was a significant step forward for the UK’s data protection framework, offering a range of opportunities. These included making the UK a more attractive place for AI technology research, development, and deployment, establishing new frameworks for Smart Data and Digital ID, and providing the UK with the flexibility to adapt to a rapidly changing global trade environment.

The failure of the DPDI Bill is therefore disappointing, especially given the broad support in Parliament for its wider reforms.

The UK tech industry will be frustrated by the Bill’s failure, particularly given the extensive consultation that took place. It will now be the responsibility of the next Government to resume these reforms following the election. Whichever political party wins the election should not miss this opportunity. Instead, they should build on the progress made in this Bill to create a pro-innovation and high-standard data protection regime for the UK. This should also include enabling smart data and digital ID schemes, allowing better management of data and interaction with public services.

We’ve assisted CERN, renowned for the Hadron Collider, in organising decades of unstructured video data with metadata. This valuable resource is now easily accessible.

The “right to be forgotten,” enshrined under Article 17 of the General Data Protection Regulation (GDPR), allows individuals to request the deletion of their personal data when it is no longer necessary, or if it has been unlawfully processed. This right empowers individuals to take control over their online privacy, particularly in a digital landscape where personal information is often stored and shared without clear consent.

Key scenarios for exercising the right to be forgotten include when the data is no longer needed for the original purpose, consent has been withdrawn, or the individual objects to the processing of their data for direct marketing. However, the right is not absolute and must be balanced against other factors, such as freedom of expression, public interest, or legal obligations. For instance, a news outlet may not be required to erase articles that contain personal data if it serves the public’s right to information.

The right to be forgotten is a crucial tool in the GDPR framework, allowing individuals to mitigate the long-term consequences of having their personal data widely available, especially in an age where digital footprints can be permanent and far-reaching.

But how do UK Organisations execute a request? CCS can help Click Here For More…

One sentence changed the CCS mission overnight…

In 1996, Bill Gates famously declared that “content is king,” predicting that the internet would evolve into a dominant platform for the distribution and monetisation of content. He foresaw that, just as in traditional media, quality content would drive traffic, attract advertisers, and generate revenue online. Nearly three decades later, Gates’ statement has largely been proven right, and its relevance continues today, albeit in a more nuanced form.

The proliferation of digital platforms—websites, blogs, social media, and streaming services—confirms that content remains a primary driver of engagement. From written articles and videos to music, podcasts, and online courses, content is the backbone of the internet’s success. Successful platforms like YouTube, Netflix, and Spotify demonstrate that creating and distributing high-quality, engaging content is central to capturing and retaining users.

However, the landscape has evolved. While content is still king, distribution and discoverability have become equally important. The rise of search engine algorithms, social media, and recommendation systems means that even the best content can go unnoticed if not properly optimised or shared. Platforms like Google and Facebook prioritise content that aligns with user preferences, making it essential for creators to understand SEO, algorithms, and audience behavior.

Moreover, content marketing has emerged as a critical business strategy. Companies now focus on providing value through blogs, videos, and infographics to engage consumers and build brand trust. This reinforces the notion that relevant, targeted content is crucial for building relationships and driving business growth.

In today’s world, content is more accessible and diverse than ever. Gates’ prediction holds true, but it’s clear that alongside content, distribution, strategy, and adaptability are key to success. As long as people seek information, entertainment, and value online, content will remain a dominant force in shaping digital experiences.