Data Protection Defence
"They are really useful, helpful and responsive. They always understand our position in order to give advice to our organisation. I'm delighted with them." (Chambers UK)
The handling of personal information in accordance with the Data Protection Act 1998 (DPA) is a minefield. In May 2018 the General Data Protection Regulation (GDPR) comes into direct effect throughout the EU and, Brexit or not, any organisation processing the personal data of an EU citizen will have to comply with stricter conditions set out there.
Edward Snowden and his whistleblowing revelations that the US Stat Authorities are carrying out mass surveillance on non-EU citizens has increased privacy concerns resulting in the demise of the Safe Harbour agreement and concerns about the legality of sending personal data safely to the US and elsewhere.
Any person information held in digital or paper format is protected by the DPA and if it is lost, misused or shared inappropriately it is likely that the DPA has been breached and since April 2010 the Information Commissioners Office (ICO) has had the power to issue substantial fines to organisations who do not process data in compliance with the DPA. The ICO has used its powers to impose significant fines of up to £500,000 on public bodies, non-profit making organisations, individuals and private companies. In 2018 it will have the power to impose substantially higher fines of up to 20,000,000 euros.
In addition, it has become easier for individuals to claim compensation under the DPA if personal data is lost, misused or shared inappropriately resulting in pecuniary loss or distress.
BTO’s Data Protection Defence Team is the only team of lawyers in the UK who have experience of successfully challenging a fine imposed by the ICO for a breach of the DPA. Therefore, its lawyers speak with authority on how best to handle a data breach, how best to handle the ICO and how best to handle all forms of personal data.
The team also provides compliance advice and training in relation to the DPA; the eight processing principles and how to avoid coming into contact with the ICO. In Scotland, BTO’s team is unique and at the forefront of providing DPA advice.
The team provides strategic advice in relation to information requests from data subjects, the police and other regulators and under freedom of information legislation; in particular, handling the tricky situations where this legislation overlaps.
What we do:
- Strategic advice and options to management when a potential data protection issue emerges
- Drafting and redrafting of DP policies and procedures
- DPA Compliance Training
- Advice on data sharing, data retention and subject access requests, including the new Privacy Shield
- Keeping your marketing within the law
- CCTV and surveillance compliance
- How to handle ICO investigations and appeals to the Information Tribunal
- How to handle information requests
- Making Subject Access Requests (Individuals)
- Managing Subject Access Requests (Organisations)
Paul Motion, Partner and Solicitor Advocate, was already specialising in technology law several years before the Data Protection Act 1998 or Freedom of Information Acts came into force. He chaired the Law Society of Scotland’s Technology Committee for sixteen years from May 2000, pre-dating (and observing and commenting upon) the introduction of virtually all modern E-commerce and privacy related legislation such as the DPA and FOI. Paul is also “on his feet” in court regularly since he is a highly experienced civil Solicitor Advocate.
A recognised expert in Data Protection and contentious IT/IP law, Paul has run many ground breaking cases, notably [with BTO Associate, Laura Irvine] the only successful appeal to date anywhere in the UK against a DPA penalty imposed following a DPA breach. Paul and Laura were acting on behalf of Scottish Borders Council, against a £250,000 Data Protection Monetary Penalty. In 2012 following a case involving fake online reviews Paul and Associate Lindsay Urquhart set up the BTO Online Reputation Team which has attracted referral work from other solicitors. Paul also drafts and advises on the content of data protection and privacy policies
Laura Irvine is a Solicitor Advocate and along with BTO Partner Paul Motion represented Scottish Borders Council at the successful appeal against the civil monetary penalty of £250,000 imposed following a DPA breach. As a criminal lawyer, Laura’s view is that these substantial fines should in fact be seen as criminal in nature and has written on this subject – Data Protection Monetary Penalties: Absolutely Criminal? Laura has continued to advise clients in relation to data breaches and also has experience of advising public and private bodies in relation to subject access requests, freedom of information requests and general data protection issues.
Lindsay Urquhart is an Associate who works with partner Paul Motion on technology, Data Protection and Freedom of information matters. Lindsay advised Scottish Borders Council regarding monetary penalties issued to them by the Information Commissioners Office, these penalties were later to become the subject matter of a ground breaking case in which the Council was successfully defended by Paul Motion and BTO Associate, Laura Irvine, resisting a £250,000 Data Protection Monetary Penalty. Lindsay has provided advice on data protection, data sharing, and data monitoring. She has advised a variety of clients, including Local Authorities, Charities, Registered Social Landlords, Housing Associations, Private Individuals and Businesses.
In 2012 following a case involving fake online reviews Lindsay Urquhart worked with Paul Motion to establish the BTO Online Reputation Team which has attracted referral work from other solicitors. Lindsay and Paul have worked on a variety of cases relating to online data, reputational issues and harassment.
To discuss your data control/protection issues, please contact Paul Motion, Laura Irvine or Lindsay Urquhart on T: 0131 222 2939 E: firstname.lastname@example.org
- Subject Access Requests
Dealing with complex SAR from ex-employee who asked for a huge amount of detailed information through the use of a forensic IT consultant and significant redaction of documentation.
- ICO Notification
Providing advice to a client about how to notify the ICO about a data incident, successfully avoiding enforcement action from the ICO, twice.
- Housing Associations
Advising housing association about how to manage their employees being recorded covertly by service users’ families.
- Named Person in schools and Data Protection Act 1998
Providing compliance advice on the provision of the Named Person in schools and the Data Protection Act 1998.
- CCTV and surveillance compliance
Assisting with the review of data protection policies and procedures.
- Data Protection Training
Providing training for: Audit Scotland; Fife Council; SHARE; South Lanarkshire Council; Aberdeenshire Council; Grampian Health Board and George Watson's College.
"We could not have asked for better legal advisers."BTO Client
"They are really useful, helpful and responsive. They always understand our position in order to give advice to our organisation. I'm delighted with them."BTO Client
The Data Protection Defence Team regularly provides training in relation to data protection, the new Regulation and information law. This is always tailored to the audience we are talking to and to the sector that our audience comes from. Training is fundamental to compliance with the Data Protection Act 1998. Please speak to a member of the team on about how we can assist you to comply.
A number of the delegates who have attended BTO’s courses have commented specifically on the team's knowledge of DP, the manner in which they put it across (in a non-lawyer fashion) and their friendly and outgoing personality. What became apparent following the courses was that delegates were reciting examples BTO had delivered at the training, giving us confirmation that they not only understood the training, but were able to remember and demonstrate what they had learned.
Contact: T: 0131 222 2939 E: email@example.com