A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.
A survey conducted in April and May 2023 found that less than half of the surveyed organizations in the United States and the United Kingdom (UK) had completed selected actions to comply with state data privacy laws in the United States. Around ** percent of the respondents had made a comparison of the United States' state-level privacy law frameworks. A further ** percent said they were in the process of doing so. Furthermore, ** percent of the respondents said they had updated privacy policies, while almost ** percent were in the process of planning and conducting data assessments.
This is the National Data Guardian’s (NDG’s) formal response to the Department for Digital, Culture, Media and Sport’s consultation Data: a new direction on the proposed reforms to data protection law in the UK.
This is not an exhaustive review of all the government’s proposals, but rather the NDG’s considerations and recommendations on those areas of the reforms that may impact the health and social care sector.
The appropriate use of data is essential to ensure continuous improvements in health and social care. The NDG is supportive of the government’s aim of building an improved data protection regime. As such, this response is intended to provide advice and feedback on areas of the consultation where the NDG believes further consideration might be necessary if the government is to achieve its stated aim.
As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.
DP (Data Protection Act) / SAR (Subject Access Request) - Out of time
A survey conducted in April and May 2023 revealed that around 35 percent of organizations in the United States and 40 percent of organizations in the United Kingdom pay higher costs for international data transfers due to data privacy regulations, but they also find it manageable. Furthermore, approximately 35 percent of respondents from both countries think the regulations encourage businesses by guaranteeing that the data will be safeguarded in other countries.
SAR Database contains details of staff & ex-staff Data Protection Act (DPA) SARs received by BIS (including predecessor departments BERR and DTI, and relevant Executive Agencies), and DECC.
These assessments, in line with data protection legislation, assess the privacy impacts of the Animals in Science Regulation Unit’s e-Licensing system.
A survey of UK young adults between 18 and 34 years in October 2023 found that ethnic minorities tend to exercise their data protection rights. Around 33 percent of respondents representing ethnic minorities said they had refused to provide their biometric data, compared to 22 percent of white respondents. Similarly, young people of color were more likely to ask an organization to stop using their personal information.
This dataset is a central catalogue of Data Protection Impact Assessments (DPIAs) of smart city projects that collect personal information in public spaces. By publishing this in one place for the first time, it will enable public transparency and support good practice among operators. A DPIA helps to identify and minimise the risks of a project that uses personal data.
Further information:
DPIA registration form: https://www.london.gov.uk/dpia-register-form
Information Commissioner DPIA guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
This policy explains your rights as an individual when using services provided by His Majesty’s Passport Office (HMPO). It reflects your rights under data protection legislation including the General Data Protection Regulation and lets you know how HMPO looks after and uses your personal information and how you can request a copy of your information.
According to a survey conducted in October 2023, over 40 percent of individuals in the United Kingdom (UK) who had heard of or could explain "information or data rights" interpreted it as "data protection rights." Moreover, 33 percent said that, to their understanding, "information or data rights" refer to "rights to data control and usage."
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Background: The COVID-19 pandemic brought global disruption to health, society and economy, including to the conduct of clinical research. In the European Union (EU), the legal and ethical framework for research is complex and divergent. Many challenges exist in relation to the interplay of the various applicable rules, particularly with respect to compliance with the General Data Protection Regulation (GDPR). This study aimed to gain insights into the experience of key clinical research stakeholders [investigators, ethics committees (ECs), and data protection officers (DPOs)/legal experts working with clinical research sponsors] across the EU and the UK on the main challenges related to data protection in clinical research before and during the pandemic.
Materials and methods: The study consisted of an online survey and follow-up semi-structured interviews. Data collection occurred between April and December 2021. Survey data were analyzed descriptively, and the interviews underwent a framework analysis.
Results and conclusion: In total, 191 respondents filled in the survey, of whom fourteen participated in the follow-up interviews. Out of the targeted 28 countries (EU and UK), 25 were represented in the survey. The majority of stakeholders were based in Western Europe. This study empirically elucidated numerous key legal and ethical issues related to GDPR compliance in the context of (cross-border) clinical research. It showed that the lack of legal harmonization remains the biggest challenge in the field, and that it is present not only at the level of the interplay of key EU legislative acts and national implementation of the GDPR, but also when it comes to interpretation at local, regional and institutional levels. Moreover, the role of ECs in data protection was further explored and possible ways forward for its normative delineation were discussed. According to the participants, the pandemic did not bring additional legal challenges. Although practical challenges (for instance, mainly related to the provision of information to patients) were high due to the globally enacted crisis measures, the key problematic issues on (cross-border) health research, interpretations of the legal texts and compliance strategies remained largely the same.
What rights you have to request data about yourself under the General Data Protection Regulation and what the Civil Nuclear Constabulary is responsible for when receiving data requests.
I can confirm that the NHS Business Services Authority (NHSBSA) holds the information you have requested. However, we consider the full names of NHSBSA employees to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of an employee’s name may result in their identification.
Please be aware that I have decided not to release the full name of the person(s) corresponding with you. This is because the personal details of NHSBSA employees fall under the exemption in section 40 subsections 2 and 3(A)(a) of the FOIA. As the requested information would allow a NHSBSA employee to be identified, I consider this information is exempt. This is because it would breach the first data protection principle as:
a. it is not fair to disclose NHSBSA employees’ personal details to the world and is likely to cause damage or distress to the NHSBSA employee
b. these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the NHSBSA employee
The requested information is exempt if disclosure would contravene any of the data protection principles. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest of the applicant in disclosure against the rights and freedoms of the NHSBSA employee. While I acknowledge that you have a legitimate interest in disclosure of the information, the disclosure of the requested information would cause unwarranted harm. Disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care.
The expectation of the NHSBSA employees is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the likelihood that the personal details would identify the NHSBSA employee there is a reasonable expectation that this information will not be disclosed under the FOIA. Disclosing this information would be unfair and as such would breach the UK General Data Protection Regulation first data protection principle.
Fewer than five
Please be aware that I have decided not to release figures where the total number of People on Digital Scheme falls below five. This is because the individuals could be identified, when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3 (a) of the Freedom of Information Act (FOIA). This is because it would breach the first data protection principle as:
a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress.
b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual.
Please click the below web link to see the exemption in full. www.legislation.gov.uk/ukpga/2000/36/section/40
Please be aware that I have decided not to release the full details where the total number of individuals falls below five. This is because the individuals could be identified, when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3A (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as:
a) it is not fair to disclose patients’ personal details to the world and is likely to cause damage or distress.
b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the patients.
Please click the below web link to see the exemption in full. www.legislation.gov.uk/ukpga/2000/36/section/40
Breach of confidentiality
Please note that the identification of individuals is also a breach of the common law duty of confidence. An individual who has been identified could make a claim against the NHSBSA for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full. www.legislation.gov.uk/ukpga/2000/36/section/41
Year of claim                                           2024  2023  2022  2021  2020
Total MMR claims for a Vaccine Damage Payment              0    <5    18    26     8
Total MMR claims awarded a Vaccine Damage Payment          0     0     0     0     0
Total rejected MMR claims for a Vaccine Damage Payment     0    <5    18    26     8
Please note that this request and our response is published on our Freedom of Information disclosure log at:
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Introduction: The ubiquity of Bring Your Own Device (BYOD) personal smartphones, Instant Messaging (IM), and third-party apps has made these technologies compelling for efficient communications between clinicians regarding patient care. However, the sensitivity of patient-related information necessitates secure, GDPR-compliant modalities that prevent unauthorised access and ensure confidentiality. This scoping review explores existing guidelines, policies, and regulations that advise clinicians in the UK and Ireland on the secure use of these digital communication tools.
Methods: Following the Joanna Briggs Institute (JBI) updated Framework for Scoping Reviews and the PRISMA-ScR guidelines, this review examines the literature to identify relevant guidelines, policies, and regulations informing current clinical practice on the use of this technology. Academic databases including OneSearch, Embase, EBSCO, PubMed, Medline, and CINAHL were searched, in addition to hand searches of professional entities' websites, including trade unions, regulators, two national health systems, and several employers. Direct inquiries were made to 69 professional entities via telephone, email, websites, and X (formerly known as Twitter).
Results: The review identified 18 papers that broadly recognise the importance of secure communication; however, a lack of information on the appropriate selection or configuration of these popular technologies was evident. Most guidelines emphasise general security and data protection standards rather than providing clear, actionable recommendations for technology use, thereby leaving a significant gap in technical guidance for clinicians.
Discussion: There is a distinct lack of detailed, specific, consistent technical guidance available to clinicians. This review evidences an urgent requirement for enhanced guidelines that specify the most secure platforms, appropriate features, and configuration to maximise the security and confidentiality of clinical communications. Further research is recommended to develop comprehensive, actionable advice for clinicians.
Fewer Than Five
Please be aware that I have decided not to release the exact number of patients, where the number is fewer than 5. This is because the patients could be identified when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3A (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as:
a. it is not fair to disclose patient personal details to the world and is likely to cause damage or distress.
b. these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the claimant.
Please click the web link below to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40
Breach of Patient confidentiality