A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

A survey conducted in April and May 2023 revealed that around 35 percent of organizations in the United States and 40 percent of organizations in the United Kingdom pay higher costs for international data transfers due to data privacy regulations, but they also find it manageable. Furthermore, approximately 35 percent of respondents from both countries think the regulations encourage businesses by guaranteeing that the data will be safeguarded in other countries.

A Data Protection Impact Assessment (DPIA) is one of the ways to find out what privacy risks people face when information is collected, used, stored, or shared about them. This helps the London Borough of Barnet find issues so that risks can be taken away or lowered to a level that is acceptable. It also cuts down on privacy breaches and complaints that could hurt the Council's reputation or lead to action by the Information Commissioner (the government watchdog). The London Borough of Barnet makes DPIAs public in with its Data Charter and the 2018 Data Protection Act and UK GDPR.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

A survey conducted in April and May 2023 among companies that do business in the European Union and the United Kingdom (UK) found that over half of the respondents, 53 percent, felt very prepared for the General Data Protection Regulation (GDPR). A further 35 percent of the companies believed they were moderately prepared, while 10 percent said they were slightly ready to comply with the EU and UK privacy legislations.

This is because it would breach the first data protection principle as: a) it is not fair to disclose claimant personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the claimant. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of claimants is also a breach of the common law duty of confidence. A claimant who has been identified could make a claim against the NHSBSA or yourself for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full.

Under the Freedom of Information Act 2000, I request the following information: The number of individuals of all ages who were prescribed contraceptives in the financial years 2019-2020, 2021-2020, 2020-2021, 2021-2022 and 2022-2023 in community settings (GP surgeries and pharmacies) broken down by contraceptive method. I would also like the proportion these represent of contraception users. For example, X proportion of those on contraception are using the Mirena coil. If possible, I would also appreciate if this were broken down by age of those prescriptions too. To clarify, I mean patients. I also mean both contraceptive drugs and appliances/devices Response A copy of the information is attached. Please read the following information to ensure correct understanding of the data. Fewer than five Please be aware that I have decided not to release the full details where the total number of individuals falls below five. This is because the individuals could be identified, when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3 (a) of the Freedom of Information Act (FOIA). This is because it would breach the first data protection principle as: a - It is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - These details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. Please click the weblink to see the exemption in full: www.legislation.gov.uk/ukpga/2000/36/section/40 NHS Business Services Authority (NHSBSA) - NHS Prescription Services process prescriptions for Pharmacy Contractors, Appliance Contractors, Dispensing Doctors, and Personal Administration with information then used to make payments to pharmacists and appliance contractors in England for prescriptions dispensed in primary care settings (other arrangements are in place for making payments to Dispensing Doctors and Personal Administration). This involves processing over one billion prescription items and payments totalling over £9 billion each year. The information gathered from this process is then used to provide information on costs and trends in prescribing in England and Wales to over 25,000 registered NHS and Department of Health and Social Care (DHSC) users. Data Source: ePACT2 - Data in ePACT2 is sourced from the NHSBSA Data Warehouse and is derived from products prescribed on prescriptions and dispensed in the Community. The data captured from prescription processing is used to calculate reimbursement and remuneration. It includes items prescribed in England, Wales, Scotland, Northern Ireland, Guernsey/Alderney, Jersey, and Isle of Man which have been dispensed in the community in England. English prescribing that has been dispensed in Wales, Scotland, Guernsey/Alderney, Jersey, and Isle of Man is also included. The data excludes: • Items not dispensed, disallowed and those returned to the contractor for further clarification. • Prescriptions prescribed and dispensed in prisons, hospitals, and private prescriptions. • Items prescribed but not presented for dispensing or not submitted to NHS Prescription Services by the dispenser. Dataset - The data is limited to presentations prescribed in BNF sections 0703 Contraceptives and BNF section 2104 Contraceptive Devices. Data is presented at BNF Sub Paragraph and BNF Presentation level. Time Period - Financial years 2019/20, 2020/21, 2021/22, 2022/23 and 2023/24 (April 2023 - January 2024). Data is currently available up to and including January 2024. Organisation Data - The data is for prescribing in England regardless of where dispensed in the community. British National Formulary (BNF) Sub Paragraph and Presentation Code – The BNF Code is a 15-digit code in which the first seven digits are allocated according to the categories in the BNF, and the last eight digits represent the medicinal product, form, strength and the link to the generic equivalent product. NHS Prescription Services has created pseudo BNF chapters, which are not published, for items not included in BNF chapters 1 to 15. Most of such items are dressings and appliances which NHS Prescription Services has classified into four pseudo BNF chapters (20 to 23). Patient Identification - Where patient identifiable figures have been reported they are based on the information captured during the prescription processing activities. Please note, patient details cannot be captured from every prescription form and based on the criteria used for this analysis, patient information (NHS number) was only available for 98.28% of prescription items. The unique patient count figures are based on a distinct count of NHS number as captured from the prescription image. Patient ages are based on the age as captured from the prescription image and relates to the patient's age at the time of prescribing/dispensing. Please note it is possible that a single patient may be included in the results for more than one age band where a patient has received prescribing at different ages during a financial year. The figures for the number of identifiable patients should not be combined and reported at any other level than provided as this may result in the double counting of patients. For example, a single patient could appear in the results for multiple presentations or both financial years. Patient Age - Shows the age of the patient, if recorded. Data Quality for patient age - NHSBSA stores information on the age of the recipient of each prescription as it was read by computer from images of paper prescriptions or as attached to messages sent through the electronic prescription system. The NHSBSA does not validate, verify or manually check the resulting information as part of the routine prescription processing. There are some data quality issues with the ages of patients prescribed the products. The NHSBSA holds prescription images for 18 months. A sample of the data was compared to the images of the paper prescription forms from which the data was generated where these images are still available. These checks revealed issues in the reliability of age data, in particular the quality of the stored age data was poor for patients recorded as aged two years and under. When considering the accuracy of age data, it is expected that a small number of prescriptions may be allocated against any given patient age incorrectly. Application of Disclosure Control to information services (prescriptions) products- ePACT 2 data is not published statistics - it is available to authorised NHS users who are subject to Caldicott Guardian approval. We have no plans to apply disclosure control to data released to ePACT 2 users. These users are under an obligation to protect the anonymity of any patients when reusing this data or releasing derived information publicly. All requests that fall under the FOI process are subject to the NHSBSA Anonymisation and Pseudonymisation Standard. The application of the techniques described in the standard is judged on a case-by-case basis (by NHSBSA Information Governance) in respect of what techniques should be applied. The ICO typically rules on a case-by-case basis too so each case or challenge or appeal is judged on its own merits. FOI rules apply to data that we hold as part of our normal course of business.

The main project aims were to examine the human rights implications of rapidly developing technologies. As noted above, in an increasingly digitised world, technological developments and the collection, storage and use of 'big data' pose unprecedented challenges for the protection of human rights. The aim of the project was to examine the intersection of such technological developments and the ideals of human rights protection. The work focused on both positive and negative aspects of this relationship. As noted above, the core research aims were organised on these issues that cut across the threats and opportunities:1) How is the use of ICT and big data shaping the content and scope of rights? (2) How does the use of ICT and big data shape operational practices across state and non-state activities? What new theoretical questions and implications for human rights are generated? (3) What methodologies are needed to identify and document the misuse of modern technologies and the failure to comply with rights-based obligations? (4) How can the use of ICT and big data best support evidence-based approaches to human rights protection and advocacy? (5) What possibilities and limitations exist for regulating the collection, storage and use of ICT and big data by states and non-state actors? The deposited data largely focuses on interviews with law enforcement and security agency representatives about uses of digital technology. We found that an enthusiastic embrace of technnology often existed yet this was not always accompanied by the development of codes of practice, regulatory frameworks and operational guidence on how they should be used. In addition to a potential regulatory vacuum, such disconnects also placed additional burdens on law enforcement themselves as they sought to apply existing rules and regulations. This is something we have described in publications as 'surveillance arbitration'. We also include interviews with civil society actors and lawyers that interrogate these issues and associated digital rights campaigning matters in more detail.

Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering). De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR. Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering).

De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR.

A survey of UK young adults between 18 and 34 years in October 2023 found that ethnic minorities tend to exercise their data protection rights. Around 33 percent of respondents representing ethnic minorities said they had refused to provide their biometric data, compared to 22 percent of white respondents. Similarly, young people of color were more likely to ask an organization to stop using their personal information.

Coastal Legislative Layer [Polyline]. The Coastal Overview data layers identifies the lead authority for the management of discrete stretches of the English coast as defined by the Seaward of the Schedule 4 boundary of the Coastal Protection Act 1949. The data are intended as a reference for GIS users and Coastal Engineers with GIS capability to identify the responsible authority or whether the coast is privately owned. The information has been assigned from the following sources, listed in by preference: Shoreline Management Plans 1. Environment Agency’s RACE database. Consultation with Coastal Business User Group and Local Authority Maritime records where possible. A confidence rating is attributed based on where the data has been attributed from and the entry derived from the source data. The following data is intended as a reference document for GIS users and Coastal Engineers with GIS capability to identify the responsible authority and the assigned EA Coastal Engineer so as to effectively manage the coast for erosion and flooding. The product comprises 3 GIS layers that are based on the OS MasterMap Mean High Watermark, this layers is: Coastal Legislative Layer Polyline represents the predominant risk; flooding or erosion, which are assigned to each section of the coastline.

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40

In September 2024, the Irish Data Protection Commission fined Meta Ireland 91 million euros after passwords of social media users were stored in 'plaintext' on Meta's internal systems rather than with cryptographic protection or encryption. In May 2023, the EU fined Meta 1.2 billion euros for violating laws on digital privacy and putting the data of EU citizens at risk through Facebook's EU-U.S. data transfers. European privacy legislation is seen as being far stricter than American privacy law, and the sending of EU citizens’ data to the United States resulted in the record breaking penalty being issued to the tech giant. In January 2023, after it was discovered that Meta Platforms had improperly required that users of Facebook, Instagram, and WhatsApp accept personalized adverts to use the platforms, the company was issued a 390 million euro fine by the European Commission. EU regulators claim that the social media giant broke the General Data Protection Regulation (GDPR) by including the demand in its terms of service. In addition, Meta was fined 405 million euros by the Irish Data Protection Commission (DPC) in September 2022 for violating Instagram's children's privacy settings. In November 2022, the DPC fined Meta a further 265 million euros for failing to protect their users from data scraping. GDPR violations in 2022 Social media sites and companies are not the only types of online services upon which users' data can potentially be compromised. In 2022, the online service with the biggest fine for violating GDPR was e-commerce and digital powerhouse Amazon, which was issued a 746 million euro fine. Furthermore, in December 2021, Google was penalized 90 million euros for GDPR violations. What are the most common GDPR violations? Since GDPR went into effect in May 2018, fines have been imposed for a variety of reasons. As of June 2022, companies' non-compliance with general data processing principles accounted for the largest share of fines, resulting in over 845 million euros worth of penalties. Insufficient legal basis for data processing was the second most common violation, amounting to 447 million euros in fines.

Dataset on commits (and repositories) on GitHub making reference to data privacy legislation (covering laws: GDPR, CCPA, CPRA, UK DPA).

The dataset contains:
+ all_commits_info_merged-v2-SHA.csv : commits information as collected from various GitHub REST API calls (all data merged together).
+ repos_info_merged_USED-v2_with_loc.csv: repository information with some calculated data.
+ top-70-repos-commits-for-manual-check_commits-2coders.xlsx: results of the manual coding of the commits of the 70 most popular repositories in dataset.
+ user-rights-ω3.csv: different terms for user rights teriminology in legislation.
+ github_commits_analysis_replication.r: main analysis pipeline covering all RQs in the R programming language.

In order to perform also the initial data collection, the GitHub REST API can be used, collecting data using time intervals, for instance:
https://api.github.com/search/commits?q=%22GDPR%22+committer-date:2018-05-25..2018-05-30&sort=committer-date&order=asc&per_page=100&page=1

This dataset accompanies the following publication, so please cite it accordingly:

Georgia M. Kapitsaki, Maria Papoutsoglou, Evolution of repositories and privacy laws: commit activities in the GDPR and CCPA era, accepted for publication at Elsevier Journal of Systems & Software, 2025.