A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

A survey conducted in April and May 2023 found that less than half of the surveyed organizations in the United States and the United Kingdom (UK) had completed selected actions to comply with state data privacy laws in the United States. Around ** percent of the respondents had made a comparison of the United States' state-level privacy law frameworks. A further ** percent said they were in the process of doing so. Furthermore, ** percent of the respondents said they had updated privacy policies, while almost ** percent were in the process of planning and conducting data assessments.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

A survey conducted in April and May 2023 among companies that do business in the European Union and the United Kingdom (UK) found that over half of the respondents, ** percent, felt very prepared for the General Data Protection Regulation (GDPR). A further ** percent of the companies believed they were moderately prepared, while ** percent said they were slightly ready to comply with the EU and UK privacy legislations.

Under the Freedom of Information Act 2000, I request the following information: The number of individuals of all ages who were prescribed contraceptives in the financial years 2019-2020, 2021-2020, 2020-2021, 2021-2022 and 2022-2023 in community settings (GP surgeries and pharmacies) broken down by contraceptive method. I would also like the proportion these represent of contraception users. For example, X proportion of those on contraception are using the Mirena coil. If possible, I would also appreciate if this were broken down by age of those prescriptions too. To clarify, I mean patients. I also mean both contraceptive drugs and appliances/devices Response A copy of the information is attached. Please read the following information to ensure correct understanding of the data. Fewer than five Please be aware that I have decided not to release the full details where the total number of individuals falls below five. This is because the individuals could be identified, when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3 (a) of the Freedom of Information Act (FOIA). This is because it would breach the first data protection principle as: a - It is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - These details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. Please click the weblink to see the exemption in full: www.legislation.gov.uk/ukpga/2000/36/section/40 NHS Business Services Authority (NHSBSA) - NHS Prescription Services process prescriptions for Pharmacy Contractors, Appliance Contractors, Dispensing Doctors, and Personal Administration with information then used to make payments to pharmacists and appliance contractors in England for prescriptions dispensed in primary care settings (other arrangements are in place for making payments to Dispensing Doctors and Personal Administration). This involves processing over one billion prescription items and payments totalling over £9 billion each year. The information gathered from this process is then used to provide information on costs and trends in prescribing in England and Wales to over 25,000 registered NHS and Department of Health and Social Care (DHSC) users. Data Source: ePACT2 - Data in ePACT2 is sourced from the NHSBSA Data Warehouse and is derived from products prescribed on prescriptions and dispensed in the Community. The data captured from prescription processing is used to calculate reimbursement and remuneration. It includes items prescribed in England, Wales, Scotland, Northern Ireland, Guernsey/Alderney, Jersey, and Isle of Man which have been dispensed in the community in England. English prescribing that has been dispensed in Wales, Scotland, Guernsey/Alderney, Jersey, and Isle of Man is also included. The data excludes: • Items not dispensed, disallowed and those returned to the contractor for further clarification. • Prescriptions prescribed and dispensed in prisons, hospitals, and private prescriptions. • Items prescribed but not presented for dispensing or not submitted to NHS Prescription Services by the dispenser. Dataset - The data is limited to presentations prescribed in BNF sections 0703 Contraceptives and BNF section 2104 Contraceptive Devices. Data is presented at BNF Sub Paragraph and BNF Presentation level. Time Period - Financial years 2019/20, 2020/21, 2021/22, 2022/23 and 2023/24 (April 2023 - January 2024). Data is currently available up to and including January 2024. Organisation Data - The data is for prescribing in England regardless of where dispensed in the community. British National Formulary (BNF) Sub Paragraph and Presentation Code – The BNF Code is a 15-digit code in which the first seven digits are allocated according to the categories in the BNF, and the last eight digits represent the medicinal product, form, strength and the link to the generic equivalent product. NHS Prescription Services has created pseudo BNF chapters, which are not published, for items not included in BNF chapters 1 to 15. Most of such items are dressings and appliances which NHS Prescription Services has classified into four pseudo BNF chapters (20 to 23). Patient Identification - Where patient identifiable figures have been reported they are based on the information captured during the prescription processing activities. Please note, patient details cannot be captured from every prescription form and based on the criteria used for this analysis, patient information (NHS number) was only available for 98.28% of prescription items. The unique patient count figures are based on a distinct count of NHS number as captured from the prescription image. Patient ages are based on the age as captured from the prescription image and relates to the patient's age at the time of prescribing/dispensing. Please note it is possible that a single patient may be included in the results for more than one age band where a patient has received prescribing at different ages during a financial year. The figures for the number of identifiable patients should not be combined and reported at any other level than provided as this may result in the double counting of patients. For example, a single patient could appear in the results for multiple presentations or both financial years. Patient Age - Shows the age of the patient, if recorded. Data Quality for patient age - NHSBSA stores information on the age of the recipient of each prescription as it was read by computer from images of paper prescriptions or as attached to messages sent through the electronic prescription system. The NHSBSA does not validate, verify or manually check the resulting information as part of the routine prescription processing. There are some data quality issues with the ages of patients prescribed the products. The NHSBSA holds prescription images for 18 months. A sample of the data was compared to the images of the paper prescription forms from which the data was generated where these images are still available. These checks revealed issues in the reliability of age data, in particular the quality of the stored age data was poor for patients recorded as aged two years and under. When considering the accuracy of age data, it is expected that a small number of prescriptions may be allocated against any given patient age incorrectly. Application of Disclosure Control to information services (prescriptions) products- ePACT 2 data is not published statistics - it is available to authorised NHS users who are subject to Caldicott Guardian approval. We have no plans to apply disclosure control to data released to ePACT 2 users. These users are under an obligation to protect the anonymity of any patients when reusing this data or releasing derived information publicly. All requests that fall under the FOI process are subject to the NHSBSA Anonymisation and Pseudonymisation Standard. The application of the techniques described in the standard is judged on a case-by-case basis (by NHSBSA Information Governance) in respect of what techniques should be applied. The ICO typically rules on a case-by-case basis too so each case or challenge or appeal is judged on its own merits. FOI rules apply to data that we hold as part of our normal course of business.

A survey conducted in April and May 2023 revealed that around 35 percent of organizations in the United States and 40 percent of organizations in the United Kingdom pay higher costs for international data transfers due to data privacy regulations, but they also find it manageable. Furthermore, approximately 35 percent of respondents from both countries think the regulations encourage businesses by guaranteeing that the data will be safeguarded in other countries.

Coastal Legislative Layer [Polyline]. The Coastal Overview data layers identifies the lead authority for the management of discrete stretches of the English coast as defined by the Seaward of the Schedule 4 boundary of the Coastal Protection Act 1949. The data are intended as a reference for GIS users and Coastal Engineers with GIS capability to identify the responsible authority or whether the coast is privately owned. The information has been assigned from the following sources, listed in by preference: Shoreline Management Plans 1. Environment Agency’s RACE database. Consultation with Coastal Business User Group and Local Authority Maritime records where possible. A confidence rating is attributed based on where the data has been attributed from and the entry derived from the source data. The following data is intended as a reference document for GIS users and Coastal Engineers with GIS capability to identify the responsible authority and the assigned EA Coastal Engineer so as to effectively manage the coast for erosion and flooding. The product comprises 3 GIS layers that are based on the OS MasterMap Mean High Watermark, this layers is: Coastal Legislative Layer Polyline represents the predominant risk; flooding or erosion, which are assigned to each section of the coastline. Attribution statement: © Environment Agency copyright and/or database right 2016. All rights reserved. © Crown copyright and database rights 2009 Ordnance Survey 100024198

Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering). De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR. Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering).

De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR.

All payments made by Bodmin Town Council in February 2012.

A list of payments for over £500 made to suppliers is required by the Code of Recommended Practice for Local Authorities on Data Transparency. However, Bodmin Town Council has given details of all payments made. Please note that some names have been redacted in accordance with the Data Protection Act 1998.

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40

Data De-identification and Pseudonymity Software Market Outlook

The global data de-identification and pseudonymity software market is projected to grow significantly, reaching approximately USD 4.2 billion by 2032, driven primarily by increasing data privacy concerns and stringent regulatory requirements worldwide.

The primary growth factor in the data de-identification and pseudonymity software market is the surge in data breaches and cyber-attacks. With the exponential increase in data generation, organizations are more vulnerable to data breaches and unauthorized access. These security concerns have prompted businesses and governments to invest heavily in robust data protection solutions. Data de-identification and pseudonymity software provide a secure way to anonymize sensitive information, making it less susceptible to malicious activities. As data protection laws become more rigorous, the demand for such technologies will continue to rise, further propelling market growth.

Another significant factor contributing to market growth is the growing awareness and emphasis on data privacy among consumers. In recent years, consumers have become increasingly aware of how their data is being used and the potential risks associated with data misuse. This heightened awareness has put pressure on organizations to adopt comprehensive data protection measures. Data de-identification and pseudonymity software offer a means to protect personal information while still allowing organizations to utilize data for analytics and decision-making. This dual benefit is a key driver for the adoption of these technologies across various sectors.

Moreover, regulatory compliance is a crucial driver for the market. Regulations such as the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and various other data protection laws worldwide mandate stringent measures for data protection. Non-compliance can result in hefty fines and legal repercussions. Therefore, organizations are increasingly adopting data de-identification and pseudonymity software to ensure compliance with these regulations. The need for regulatory compliance is expected to sustain market growth in the foreseeable future.

Regionally, North America currently dominates the global data de-identification and pseudonymity software market, accounting for the largest market share. This is attributed to the presence of major technology players, stringent data protection regulations, and high adoption rates of advanced technologies in the region. Europe follows closely, with significant market contributions from countries such as Germany, France, and the UK, driven by robust regulatory frameworks like GDPR. The Asia Pacific region is also expected to witness substantial growth, fueled by rapid digitalization, increasing cybersecurity threats, and growing awareness about data privacy in countries like China, India, and Japan.

Data Masking Tools play a pivotal role in enhancing the security framework of organizations by providing an additional layer of protection for sensitive information. These tools are designed to obscure specific data within a dataset, ensuring that unauthorized users cannot access or decipher the original information. As businesses increasingly rely on data-driven insights, the need for robust data masking solutions becomes more critical. By employing data masking tools, organizations can safely share data across departments or with third-party vendors without compromising privacy. This capability is especially beneficial in industries such as healthcare and finance, where data privacy is paramount. The integration of data masking tools with existing data protection strategies can significantly reduce the risk of data breaches and ensure compliance with regulatory standards.

Component Analysis

The data de-identification and pseudonymity software market can be segmented by component into software and services. The software segment is anticipated to hold the lion's share due to the increasing adoption of data protection solutions across various industries. Software solutions provide automated tools for anonymizing and pseudonymizing data, ensuring compliance with regulatory standards. These solutions are essential for organizations aiming to mitigate the risks associated with data breaches and unauthorized access. As cyber threats continue to evolve, the demand for advanced software solutions is exp

A dataset containing all requests under the Freedom of Information Act 2000 and Environmental Information Regulations 2004 recorded by the council in the 2016/17 financial year.

This dataset is updated on a monthly basis, one month in arrears.

Full requests and responses can be found on out Disclosure Log.

More information about the Act and Regulations can be found on our website.

A waste management licence is a legal document issued under the Environmental Protection Act 1990. A licence authorises the treatment keeping or disposal of waste in or on the land. Once we have issued a licence neither the activities nor the area of land may be changed unless the licence is modified. The Environmental Permitting Regulations regulating waste sites came into force on 6 April 2008. The new regime combines a number of earlier permitting / licensing regimes. Other related datasets available are: - Pollution Prevention and Control (IPPC) - Authorised Treatment Facilities (End of Life Vehicles) - Water Quality and Pollution Control (Discharge Consents) - Waste Electrical Electronic Equipment (WEEE)EPR Waste is the table for granted permits. EPR Waste Applications holds details of applications that did not or have not yet resulted in a permit or permit variation.

A waste management licence was a legal document issued under the Environmental Protection Act 1990. A licence authorised the treatment keeping or disposal of waste in or on the land.

The Environmental Permitting Regulations (EPR) regulating waste sites came into force on 6 April 2008. The new regime combines a number of earlier permitting / licensing regimes including this one.

Other related datasets available are: - EPR Industrial Sites (formerly PPC) - Water Quality and Pollution Control (Discharge Consents)

This is a quarterly snapshot of effective permitted waste sites in England.

Dataset on commits (and repositories) on GitHub making reference to data privacy legislation (covering laws: GDPR, CCPA, CPRA, UK DPA).

The dataset contains:
+ all_commits_info_merged-v2-SHA.csv : commits information as collected from various GitHub REST API calls (all data merged together).
+ repos_info_merged_USED-v2_with_loc.csv: repository information with some calculated data.
+ top-70-repos-commits-for-manual-check_commits-2coders.xlsx: results of the manual coding of the commits of the 70 most popular repositories in dataset.
+ user-rights-ω3.csv: different terms for user rights teriminology in legislation.
+ github_commits_analysis_replication.r: main analysis pipeline covering all RQs in the R programming language.

In order to perform also the initial data collection, the GitHub REST API can be used, collecting data using time intervals, for instance:
https://api.github.com/search/commits?q=%22GDPR%22+committer-date:2018-05-25..2018-05-30&sort=committer-date&order=asc&per_page=100&page=1

This dataset accompanies the following publication, so please cite it accordingly:

Georgia M. Kapitsaki, Maria Papoutsoglou, Evolution of repositories and privacy laws: commit activities in the GDPR and CCPA era, accepted for publication at Elsevier Journal of Systems & Software, 2025.

A dataset of polygons with an attribute table that summariss the location and status of land recorded within the public register kept under the part IIA contaminated land provisions of the Environmental Protection Act 1990.

The public registers content are proscribed in regulations but principally describe land where certain formal Part IIA actions have taken place OR where a statement regarding voluntary remediation has been filed.

Special sites where regualtory enforcement has been transferred to the Environment Agency are indicated.