

The Case for Confidence in Defensive Breach Reporting
When something goes wrong, most of us would rather over-report than under-report. It feels safer, especially in high-risk domains where trust is fragile and the impact can be significant. But the ICO is clear: defensive reporting isn’t good practice, and defensive notification to individuals can cause real harm. This post is about staying inside the legal thresholds, and staying confident in our decisions. A practical lens for assessing harm Before we get into thresholds, it
3h · 4 min read


Duty of Candour vs. Patient Notification for Data Breaches
In healthcare, “being open with patients” can mean more than one legal obligation. Two common ones are the statutory Duty of Candour and patient notification after a personal data breach. They can feel similar because they both involve openness, apology, and clear communication, but they come from different laws and apply in different situations. Sometimes only one applies; occasionally both apply together. Understanding the difference helps practices respond confidently and
5h · 3 min read


Silence isn't Golden with Subject Access Requests
In our role as DPO for a large number of busy GP practices, we are hyper-aware of the importance of how organisations handle subject access requests. This process is about trust, transparency and accountability. Staying on the right side of compliance means (1) monitoring disclosure requests, (2) actively engaging with your Data Protection Officer (DPO), and (3) avoiding the “radio silence” trap. 1. Monitoring Disclosure Requests A subject access request is a request under the right
4d · 4 min read


Tycoon 2FA / MFA-Bypass Threat - Legacy MFA has left the building.
Hello again! I'm writing to brief you on a significant and fast-evolving cyber threat affecting organisations that rely on cloud authentication and multi-factor protection. The Tycoon 2FA phishing kit represents a meaningful shift in how attackers can bypass MFA, and it is important that all organisations understand the risk and strengthen their defences accordingly. What has happened Tycoon 2FA is a commercially available phishing toolkit that takes the old idea of a fake lo
4d · 3 min read


Is AI Consent putting your GP practice at risk?
Don't use the word consent, it's misleading. AI in healthcare is powerful—and different. It’s new to many patients, and care settings come with an inherent power imbalance: people are unwell, worried, time-pressed, and reliant on clinicians. Because we are not permitted to use consent (the Information Commissioner has confirmed this to us), the ethical—and practical—answer is more transparency, earlier, and in layers. Putting it bluntly: it is not acceptable to spring a one-li
Nov 7 · 3 min read


Why Your AI Supplier Won't Explain
Opacity in your supply chain isn’t always about them having something to hide. Opacity has many faces: some calculated, some careless, and some very ordinary. When we buy or inherit algorithmic systems, we may find that AI vendors speak the language of the sales deck and of algorithmic snake oil. Yet when DPOs ask how the model actually works, what models are in the pipeline and where they come from, the conversation often stops at “commercial sensitivity” or, worse, confused silenc
Nov 6 · 3 min read


ISO 27001 Physical Controls - Still Important in a Cyber World?
Let’s be honest - when most people think about information security these days, their minds jump straight to the cyber side of things: firewalls, MFA, phishing, ransomware and so on. The digital world tends to dominate the conversation. But here’s the thing: even the best cyber security in the world won’t help if someone can simply walk into your office and plug a USB stick into something, or reach over the counter and grab some sensitive paperwork. ISO 27001 Physical Controls are
Nov 5 · 4 min read


How do I know if an AI tool is safe to use?
I find that, when small organisations start exploring AI, whether to automate recruitment, triage enquiries, or analyse customer data, the conversation usually begins with excitement. New efficiencies, lower costs, smarter insights are all on the table. But the more important conversation, the one that rarely takes place early enough, is about safety. Not safety in the technical sense of cybersecurity, but in the broader human sense: is this system safe to use on the people y
Oct 24 · 3 min read


Bring Your Own AI - The Risks for Data Protection
It’s becoming common to see employees using their own AI tools at work; like a comms officer who drafts with ChatGPT, a finance manager who automates reconciliation through a plug-in, a policy lead who runs data through an “AI summariser” to save time. Small, pragmatic innovations emerge as people find ways to work within systems that often struggle to keep pace with real-world demands. For Data Protection Officers, this “Bring Your Own AI” trend is both inevitable and risky.
Oct 22 · 3 min read


Locums and 'Bring your own Tech'
Across the NHS and wider health sector, locums and temporary clinicians are often essential to keeping services running. They move between organisations, adapt quickly, and bring a wealth of experience. But increasingly, my customers tell me, they’re also bringing their own technology. That might mean the familiar dictation software they use in their main practice, a personal transcription app, or even an AI-powered scribe that listens, writes, and structures their notes. Whi
Oct 22 · 3 min read


Why Simple Fixes for Missing Data Can Create Big Problems in AI
When building AI systems, missing data is unavoidable. Maybe patients didn’t report their income, maybe students skipped a survey, maybe a sensor failed. To keep things moving, developers often use quick fixes like mean imputation, replacing missing values with the average of what’s there. It sounds harmless. But in practice, it can quietly introduce bias, reduce accuracy, and create unfair outcomes. What is imputation? Imputation is the process of filling in missing values
Oct 14 · 2 min read


The Opportunities, Red Flags and Reality of AI in Primary Care
AI in primary care is no longer optional. It is already being built into the systems GP surgeries are expected to use daily. And when...
Oct 9 · 3 min read


Stop Guessing! The Security Health Check That Saves Your Bacon (and Budget)
You know that feeling when you think you've finally got a handle on your cyber security ? You’ve got the shiny firewall, passwords that...
Oct 7 · 4 min read


The Weight of the Watching
It’s weird how being watched has been so normalised. The cameras in the street, the apps on your phone, all feeding invisible systems...
Oct 5 · 3 min read


Who’s Got the Keys?
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Warren...
Oct 5 · 3 min read


The AI Bubble Burst: What Procurement Needs to Prepare For
AI has been hyped as the solution to almost every challenge, fuelled by a kind of technosolutionism: the belief that technology alone can...
Oct 3 · 3 min read


AI Laundering: Hiding AI in Supplier Pipelines
If AI washing is about suppliers exaggerating their use of artificial intelligence, AI laundering is the opposite problem. It happens...
Sep 30 · 3 min read


AI Washing: How to Spot It in Supplier Claims
If you’ve ever come across “greenwashing” (when companies exaggerate their eco-credentials to appear sustainable) or 'pinkwashing' (when...
Sep 20 · 3 min read


Pilots Need Paperwork Too
When a supplier offers a free pilot or short-term trial, it can feel easier to skip the paperwork. The team wants to test quickly, the...
Sep 19 · 3 min read


Pretexting: what the Wetherspoon case means and what to fix this week
Pretexting (aka “blagging”) is when an attacker invents a believable story and impersonates someone you’d normally trust, police, a...
Sep 13 · 2 min read