The world of information is shrinking. Here’s a heart warming story about a very large organisation and an individual who pays a funny game called petanque.
In our efforts to broaden our appeal and get ourself on the map (the only map that matters – Google maps) – we dropped a pin at our ground in a park in Huddersfield and asked Google for a business listing. They were happy to list us. All we had to do was fit into their strict model. We had to choose what business we were involved in. Petanque club wasn’t a valid answer, we had to select sports complex which sounds very grand for a 30m by 12m pitch composed mostly of gravel but no matter.
Next step was to verify the location and the business. This is where it went wrong again. There were 2 options verify by phone or verify by postcard. Strangely phone verification wasn’t available so we had to opt for postcard. Trouble is, our patch of gravel doesn’t have a regular post delivery. It doesn’t have a building let alone a door or a letterbox. So Google couldn’t contact us by mail. They had driven past us and photographed the hedge alongside our pitch but maybe they were on automatic pilot at the time.
A quick trawl through the support pages provided a solution. Give another address for the postcard – any address will do a long as you receive post at it. Once you have received the postcard, verified that the club is at an address where it isn’t then change the address to what you really want. Strange that a multi zillion dollar international company would allow this simple ruse but that’s what their customer support recommended so I did it. Google said it would have to check my change of address before re-verifying it.
Today Google rang me.
I knew it was them as my phone said +1(650) 253-2000 and helpfully suggested the call was coming from Mountain View, CA, United States. Someone over there asked if I was Huddersfield Petanque Club and did I live at xxxx Road to which I replied yes and no. They asked me to explain and I told them the story.
They asked 2 tough security questions. What’s Greenhead Park? Is it a neighborhood or an estate? (It’s a park). They repeated the question not understanding my reply so I added it’s a green space in the middle of a town. That did the trick. Next question was what is Marsh Gates. Is it a Neighborhood or an estate? (it’s a set of gates at the entrance to the park). They understood this.
So they verified the club and we should now be on Google Maps. Next step is changing our picture from a street view image of my front door to a picture of our playing area.
Risk Management is one of the things that many people claim to know about. Often though, their lack of knowledge is exposed when they end up either focusing on the wrong risks or creating some complicated process that educates no one and leads everyone on a merry dance. And truth be told it can be quite difficult to understand; which may explain why people switch off it or create complex processes to support the basic principles of managing risk.
However, the future is here and managing risks to information is about to go from a reasonably unknown practice into a full blown framework and way to help manage your GDPR compliance. (And selfishly as someone that has done Information Risk Management for a few years now I can finally say, “Yippeeee!”).
The General Data Protection Regulation (GDPR) is going to be implemented in May 2018. Throughout the GDPR there are references to the capturing and management of data protection risks. Combine that with the need under GDPR to demonstrate compliance, and therefore demonstrate the management of risks to that compliance, we are likely to see a quick rise in Information Risk as a discipline / practice / skill.
‘Information risk’ up until today has been a varied discipline. If you were to Google the term, or speak to any recruitment agency they would say that Information Risk was the domain of ‘Cyber Security’. Currently, outside of the NHS toolkit, the only other country wide frameworks that make reference to information risk management is ISO27000 and 27001. But not everyone goes for these, or indeed has a need to, so what we are left with, is an information risk management practice that varies greatly in approach and usefulness.
The GDPR doesn’t give you chapter and verse on how to implement it. However, it does in several areas, reference the need to do it and indeed as it starts to become embedded we will start to see further standards on what it should look like.
Firstly, and in the most obvious place, is Article 25 ‘Data Protection by Design and Default’. This article outlines the requirements for embedding Data Protection principles into the very core of new designs and ideas for products and services. Article 25(1) outlines that Data Controllers should implement appropriate technical and organisational measures to mitigate the risks posed against the rights and freedoms of the natural person by the processing proposed. Now, in order to determine what is ‘appropriate’ as a control you need to have first determined the likelihood and impact of that particular threat materialising.
Voila! A risk management process is born.
Similarly Article 35, ‘data protection impact assessment’ (DPIA) talks about a very similar process with regards to risks to Data Protection. In a DPIA, a Data Controller would assess the risks to the rights and freedoms of natural persons by the processing in scope and determine, with the DPO where appropriate, what controls should be put in place that are appropriate to the level of risk. This assessment shall contain at least;
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Or, in other words, everything that you would expect to see in a risk assessment under current risk assessment practices (especially if you already engage in information risk as a discipline).
Article 32 ‘Security of Processing’ goes a little further and states the below;
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Here we see the familiar areas of Information Security Risk Management, with some little tweaks to make it relevant for GDPR. But again, the principle of knowing what your threats and vulnerabilities are so that you can assess them and then ensure your technical and organisational measures are appropriate to the level of risk. You can’t effectively know one without the other.
Another key area that risk and risk assessments come into play relates to Breach Notification in Article 33 (the Authority) and 34 (the data subject). In both articles the requirement to notify is necessary unless the breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’.
Please note however that in article 34 wording swaps this around and says the duty to inform the data subject is there if there is a high risk to the rights and freedoms of natural persons.
In other areas that either reference the need to risk manage or instances where as above only become necessary where a risk management process determines it are;
Prior Consultation (article 36)
Tasks of the Data Protection Officer (article 39)
Derogations for specific situations (international data transfers) (article 49)
Tasks of the Supervisory Authority (Article 37)
Tasks of the Data Protection Board (Article 70)
As we all know the GDPR is long and has the potential to become infinitely complicated depending on what processing you are doing, therefore you cannot possibly hope to comply with 100% of it 100% of the time. Find me someone that can and I’ll show you a magician. Therefore you need to ensure that you have a robust and easy to understand risk management process in place to manage your GDPR risks and determine what areas need more focus and what areas are ‘low risk’.
If you’ve not started your GDPR implementation programme yet, one thing that has worked well for me when determining where on earth to begin with this is to complete a data inventory, which includes why information is being processed, and to do a risk assessment on that inventory. What areas show up as massive gaps in current compliance let alone GDPR and what show up as minor tweaks? Once you have a reasonable level of overview you can then start to prioritise and logically see how things fit into place leading up to 2018. You can also see what areas of risk you can carry forward past May 2018 as currently there is no expectation from any of the supervisory authority that you will have / be 100% compliant by day 1.
Scott Sammons CIPP/E, AMIRMS is an experienced Data Protection & Information Risk practitioner and blogs under the name @privacyminion. He is on the Exam Board for the GDPR Practitioner Certificate.
Read more about the General Data Protection Regulation and attend our full day workshop.
The General Data Protection Regulation (GDPR) is going to be implemented in May 2018 despite the Brexit vote. Indeed the Government has confirmed that GDPR is going to be part of UK law even after the UK leaves the EU. So say hello to Breach Notification, the Right To Be Forgotten, the joys of Privacy Impact Assessments and, in some cases, the mandatory Data Protection Officer.
The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector. This is going to be a challenging role. In November, the new Information Commissioner (Elizabeth Denham) said in a speech at the NADPO annual conference:
“I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations.”
This course will teach delegates essential GDPR skills and knowledge. It builds on the success of the Act Now Data Protection Practitioner Certificate (launched in April 2014), which it replaces, by focussing on GDPR. The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.
“GDPR is the biggest change to Data Protection in a generation. I have looked at every aspect of this revised course to equip Data Protection officers with the knowledge they need to tackle GDPR in a practical way.”
Tim will share his vast experience gained through years of helping organisations comply with their DP obligations. This, together with a comprehensive set of course materials and guidance notes, will mean that delegates will not only be in a position to pass the course assessment but to learn valuable DPO skills which they will be able to apply in their workplaces for years to come.
This new course builds on Act Now’s reputation for delivering high quality practical training at an affordable price:
This new course widens the choice of qualifications for DP practitioners and advisers. Ibrahim Hasan (Director of Act Now Training) said:
“We are pleased be able to launch this new qualification with less than 18 months to go to GDPR implementation. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future Data Protection Officers.”
Act Now Training is pleased to report that it has completed another successful year of delivering the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002. Now in its fourth year the course is the only certificated FOI course specifically designed for Scottish delegates.
Two courses were delivered in 2016 with 22 very strong candidates from a variety of backgrounds including the local government, education, health, government and regulatory sectors. All the delegates passed the course. Of these 3 achieved a distinction and 14 achieved a merit. The delegate feedback has been extremely positive:
“I really enjoyed the course and thought that Tim Turner really brought the subject to life. He was an excellent tutor and made this subject both interesting and informative with amusing anecdotes throughout. I would certainly go on another course being delivered by Tim Turner and I would recommend him to my peers.” LC, Glasgow Kelvin College
“Tim was an excellent tutor. His knowledge of the subject was vast and impressive. I learned a lot.” JM, Fife Council
“This is the most useful course I have participated in for a long time.” JT, Crofting Commission
Read a previous successful candidate’s observations here.
The course is endorsed by the Centre for FOI based at Dundee University. The Chair of the independent Exam Board , Professor Kevin Dunion (formerly the Scottish Information Commissioner and now the Executive Director of the Centre for FOI).
The most recent course was delivered by Frank Rankin who has many years of experience working in the Scottish public sector. Frank said:
“The Act Now certificate brings together a fantastic cross section of FOISA practitioners from a range of organisations, large and small, across all parts of the public sector. I love sharing ideas and experience with these colleagues, and learning from their campaign stories as well.”
The Act Now Practitioner Certificate in FOISA is now the qualification of choice for FOISA professionals in Scotland. The next course is in February 2017 runs over five weeks and is already filling up. For those who are time poor we also have a one-week intensive option. More details here: http://www.actnow.org.uk/content/113
Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations. Act Now has a full programme of FOISA workshops in Scotland.
I went on a Speed Awareness Course recently. I was not alone as 1,207,570 people did in 2015 and the numbers for 2016 will certainly be higher. There was a wonderful cross section of the population there and two trainers there as well. It was a good course with plenty of information about reading the road, hazards, speed limits quizzes and video.
My first reaction to the Notice of Intended Prosecution was that I’d start accumulating points and points (in car insurance terms) means price hikes so to be offered a course in lieu of points was a fantastic result. The cost of the course (£90) was irrelevant in fact I’d have paid much more to avoid the points. The cost of the Fixed penalty (£100) was also not an issue even though I didn’t pay it. It was the points on my licence that was at the forefront of my mind.
Not everyone is offered a course however
This says in plain English that you may be caught at 35mph but will avoid a prosecution but between 36mph & 42mph you will be offered a course. So just over the limit is OK; medium level speeding means a course but over the top speeding means a prosecution or fixed penalty. That’s why you see lines of executive cars chugging down the motorway with cruise control set at 78mph. This chart effectively raises all speed limits by 10% to 20% and could even be said to be an inducement to ignore posted speed limits but work with the generous grey area speeds the police allow.
The big question that came up halfway through the course was
“Should I tell my insurers that I’ve been on the course?”
The trainer was clear.
“Your details will be held on a database so other police forces who may catch you speeding will not offer you a course. This will last for 3 years. The Police will not pass this information to anyone else”
Searching the web will find plenty of discussion on this subject. Here’s what the AA (which provides Speed Awareness Courses) says
“Your personal details are protected by the Data Protection Act 1998. If you elect to participate, you agree to your details being checked by us against the ACPO national database to establish if you have completed a similar course within the last 3 years of this offence.
If you complete a “National” course, your details relating to the course will remain on file with the ACPO national database for road safety research purposes for a further 7 years from the date of the offence, after which any personal reference to you will be erased. These details will not be released to any other party apart from other UK Police Forces if they are considering making an offer of a course in the future.”
ACPO has disappeared and NPCC (National Police Chiefs Council) has sprung up but it’s logical to assume that the data is still there but the name of the Data Controller has changed.
Ndors is the national body that oversees the courses. They say
“Once a person has been on the course then no further action will be taken, there is no fine to pay and they will not have any points put onto their licence.”
A generally held point of view is that there is no conviction so no requirement to inform insurance companies. However some insurance companies (largely the Admiral group) have started to ask potential customers if they have been on a Speed Awareness Course as in their view that person although not convicted have shown an inclination to speed and this would affect any insurance premium.
The web has plenty of forums where this issue is discussed and opinions of insurance companies range from infuriated to incensed. A typical comment is
“Insurance companies will use any excuse to weasel out of paying a claim because they are cheating bastards.”
But who is right in this matter? Is there a data protection angle? We think so.
If anyone approached the police database and asked to see if a person was on that database because they had been on a Speed Awareness Course I would expect the answer to be no you’re not getting it – it’s confidential. Even using the Freedom of Information Act would elicit this response and it seems the right response. There are other exemptions that might apply
However the Insurance companies are not going down that route as they know they don’t have a right of access. They are asking people to voluntarily inform them that they have been on such a course so that they can increase their insurance premium. They point to a general catch-all in their small print that customers must inform them of anything that might affect their insurance. Can insurance companies ask this? Can they ask a question that they know the person doesn’t want to answer because it invades their privacy?
Do you have cancer?
Do you smoke?
Do you walk 5,000 steps a day
Have you dropped litter and been fined?
Have you separated from your partner?
They say that if you withhold such information it may invalidate the policy but they can’t collect it lawfully unless they obtain it from the customer as they have no lawful means of obtaining it. If you have a massive claim and they see a £25,000 payout in prospect they might just use a private investigator to look into the claim and see if they can find some fault with it. He may stray outside the law and find evidence of your course…
But if you voluntarily answer the question that they may not be able to ask you haven’t you consented to giving the answer?
Consent hits the first button in Schedule 2 so the Insurance companies are processing fairly and lawfully. Or are they? If you are asked to consent to a disclosure that will have an adverse effect on your life is that a true consent or an enforced consent?
Consent isn’t defined in the Data Protection Act so it has its ordinary meaning. A quick web search says consent is “permission for something to happen or agreement to do something”. Do you think customers are agreeing that Admiral can hold their Course attendance and increase premiums as a result? Or are they reluctantly disclosing for fear of losing their insurance?
Other parts of Schedule 2 don’t seem to apply except for old faithful paragraph 6 – the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Whoever inserted the tiny word prejudice here many years ago may have done the nation an immense service. Of course it will prejudice the rights and freedoms of someone who hasn’t been convicted of a speeding offence yet is in danger of being penalised for doing so.
And if you’re thinking of diving into schedule 3 think again. It’s not sensitive data. It’s a training course not a conviction.
So on balance it’s probably unlawful for Insurance companies to ask the question as it’s not a freely given consent; they have no access to the police database of course attendees and if they do set a data hound on the case he probably can’t access the information lawfully either.
But there’s also a left field solution. All seasoned FOI professionals know that there’s a way of answering a request without actually answering it. Yes you’re remembering it now aren’t you – it’s the Neither Confirm nor Deny option.
Section 1(1)(a) of the FOI Act allows this where confirming would in itself disclose sensitive or potentially damaging information that falls under an exemption.
So when the Insurance company asks the question you Neither Confirm nor Deny that you have been on a course. They can’t make any further decisions on your premium. They can’t say “well it’s obvious that he’s done a course” as they have no evidence of it.
Good luck with that one.
Finally if you do find yourself being asked the question and any of the solutions here are a bit too drastic you can always swap insurers to one that doesn’t ask the question. But as you do remember that all the individuals who were coerced into unfairly disclosing Speed Awareness courses to Admiral may find that Admiral shares the data anyway. Big Brother (or Big Insurer) is not far away.
In the vanguard of forced consent is Admiral. Not content with asking up about speed awareness courses you’ve been on they now want to trawl through your facebook posts to make decisions on what type of person you are so they can adjust premiums of party animals. See http://www.bbc.co.uk/news/business-37847647 Fortunately Facebook has declined to give Admiral access. But questions have to be asked as to how far Admiral or other insurers will go to into your personal affairs to work out a suitable premium especially for you. A word trending in DP circles as GDPR approaches is Profiling. Maybe it’s time you found out what it will mean for your company in the future.
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:
“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”
As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.
This announcement does though put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. Although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.
GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).
The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:
Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.
Reviewing information security polices and procedures in the light of the GDPR’s security obligations particularly breach notification.
Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.
The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elisabeth Denham ends her blog with these wise words:
“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”
Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.
Much has been written about the complexities of the current legal regime relating to public sector data sharing. Over the years this blog has covered many stops and starts by the government when attempting to make the law clearer.
The Digital Economy Bill is currently making its way through Parliament. It contains provisions, which will give public authorities (including councils) more power to share personal data with each other as well as in some cases the private sector.
The Bill will give public authorities a legal power to share personal data for four purposes:
To support the well being of individuals and households.The specific objectives for which information can be disclosed under this power will be set out in Regulations (which can be added to from time to time). The objectives in draft regulations so far include identifying and supporting troubled families, identifying vulnerable people who may need help re tuning their televisions after changes to broadcasting bands and providing direct discounts on energy bills for people living in fuel poverty.
For the purpose of debt collection and fraud prevention. Public authorities will be able to set up regular data sharing arrangements for public sector debt collection and fraud prevention but only after such arrangements have been through a business case and government approval process.
Enabling public authorities to access civil registration data (births, deaths and marriages) (e.g. to prevent the sending of letters to people who have died).
Giving the Office for National Statistics access to detailed administrative government data to improve their statistics.
The new measures are supported by statutory Codes of Practice (currently in draft) which provide detail on auditing and enforcement processes and the limitations on how data may be used, as well as best practice in handling data received or used under the provisions relating to public service delivery, civil registration, debt, fraud, sharing for research purposes and statistics. Security and transparency are key themes in all the codes. Adherence to the 7th Data Protection Principle (under Data Protection Act 1998 (DPA)) and the ICO’s Privacy Notices Code (recently revised) will be essential.
A new criminal offence for unlawful disclosure of personal data is introduced by the Bill. Those found guilty of an offence will face imprisonment for a term up to two years, a fine or both. The prison element will be welcomed by the ICO which has for a while been calling for tougher sentences for people convicted of stealing personal data under the DPA.
The Information Commissioner was consulted over the codes so (hopefully!) there should be no conflict with the ICO Data Sharing Code. The Bill is not without its critics (including Big Brother Watch) , many of whom argue that it is too vague and does not properly safeguard individuals’ privacy.
It is also an oversight on the part of the drafters that it does not mention the new General Data Protection Regulation (GDPR) which will come into force on 25th May 2018. This is much more prescriptive in terms of Data Controllers’ obligations especially on transparency and privacy notices.
These and other Information Sharing developments will be examined in our data protection workshops and forthcoming webinar.
Illustration provided by the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:
The identity of the Data Controller
The purpose, or purposes, for which the information will be processed
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st DP Principle).
The ICO says that organisations need to do more to explain to service users what they are doing with personal personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.
As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.
This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.
The code includes a helpful checklist, covering key points and tips on how to write a notice.
Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!
Want to know more about privacy notices under GDPR? Attend our full day GDPR workshop.
GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.
This throws up some interesting issues. A qualified, experienced data protection officer is a valuable commodity. They do exist but command salaries approaching £50,000 in large organisations (stop laughing at the back) and if you’re a small organisation they’re not going to work for you for peanuts. So where do you find a qualified, experienced DPO?
Secondly will there be a requirement upon you to have one? It looks like there will be three clear cases.
processing is carried out by a public authority,
the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring
of data subjects on a large scale
the core activities consist of processing on a large scale of special categories of data.
But to go back to the DPO what does qualified mean? Yes there are qualifications out there. The accepted gold standard in the UK is the BCS certificate which has 40 hours of training plus a testing 3 hour exam. There are other firms in the sector who offer their own versions and most of them involve significant study (30 or 40 hours) plus exam. Other qualifications exist, like our GDPR Practitioner Certificateand CIPP certification from the International Association of Privacy Professionals – some for US and some for UK professionals – but the question everyone wants answering is which qualifications will satisfy the GDPR?
Do training providers have to apply for acceptance or endorsement from the EU or their national regulator? Will the content of these courses be examined or will a standard be set and the training providers tailor their material to a certain level or will it be a free for all with no standard to work to? Do you want a DPO who knows how to conduct a Privacy Impact Assessment or who knows about International Data Transfers or one with an understanding of the history of Data Protection? Or will there be a requirement to study a certain (large) number of hours to demonstrate competence? At the moment it looks like all the DPO will need is “sufficient expert knowledge” which doesn’t in itself mean a qualification.
Other skills required by a good DPO are those of Diplomat, Trainer; Advisor, Confidante; Interpreter; Persuader; Listener; Friend to requestors; Policy & procedures writer. They have the ability to talk to the top level of the organisation yet explain complex law in Plain English. Not your run of the mill person.
It looks like the route map will require the DPO to be an employee but one with a different type of outlook. Privacy is becoming a big vote winner; organisations who don’t respect customers privacy will feel the backlash of disgruntled consumers. It really needs someone who is part of the organisation who is present at all times and understand the data processing systems of their employer but is detached enough to be able to criticize his own organisation.
There is a way out for small organisations who think they need a DPO to ensure their organisation is fully compliant with the new regulation. Don’t give the job to an existing member of staff and expect them to learn it on the job; Don’t appoint a knowledgeable, qualified, experienced but expensive DPO – bring in an external one you can use as and when you need them.
Externals have significant benefits. They don’t work full time so the on costs disappear; You can bring them in as required for short term task and finish assignments; You can save the costs of training and continuing education for an internal data protection officer; your staff will react better to an external who appears to have the status of a “consultant”.
Externals also won’t have any political or organisational baggage and can act in an unbiased manner without fear for their job. An external data protection officer also has no worries about favouring certain departments or individuals in the company. Many organisations appoint their Head of Legal as their DPO which brings with it the ethical/legal/best course of action conflict. An external won’t need to bother with this.
You can concentrate on your core business and the external can take care of your data protection.
Once you have appointed an external DPO they will compile a detailed data protection audit on your data protection compliance. They will then identify possible data protection issues and legal risks and explain what is required to remedy them. Then you can start making the necessary changes. Your business will soon be in full compliance with current data protection laws.
But it doesn’t stop there. The external DPO will be on call and can discuss day-to-day DP issues by phone or email for a small fee. If more detailed work is required further fees and timescales can be agreed.
Working with an external data protection officer is based on a consulting agreement. There may be a retainer fee plus an hourly or daily rate to follow. If your Data Protection needs are low you may not have to consult your EDPO too often.
Not surprisingly EDPOs are starting to appear on the web. They’re quite common in Germany and it’s likely they will become a staple in the UK. Various UK law firms advertise such a service but unsurprisingly the rates they charge are not on view. It might end up costing more than you think especially if you opt for a ’big’ name.
There’s also the scope however for sharing a DPO. This has already happened in various parts of the country as cash strapped rural councils pay for a percentage of a DPO and have them on site part of a week.
At a recent educational conference a group of 30 schools in the same region kicked around the idea of each contributing to buy a DPO for all of them who would fulfill their information law obligations. Sounds quite a good idea until you realise there’s only about 240 working days in a year so each school would have 8 of those days to themselves and the shared DPO would have a significant petrol expenses tab. A few rural councils with a shared DPO would have a much better deal.
Sadly GDPR is not well understood and there are those who think Brexit will derail it (though not true) but a wise organisation should be thinking now if and when they will need a DPO, what qualification they will have and how do they find one.
An external who is called on infrequently might appear be the cheapest option but might have further hidden costs and a part share of a DPO might be a good short term solution but would they be as good as the expert knowledge and day to day hands on work of a full timer.
Good news for Data Protection Officers…
We are running a series of GDPR webinars and workshops and our team of experts are available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. Our GDPR Practitioner Certificate (GDPR.Cert), with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring for such positions.
540 appeals were made to the Commissioner in 2015/16. This is a 14% increase on last year, but is down from 578 appeals two years ago.
The number of “failure to respond” appeals fell significantly in 2015/16. The Commissioner accepted 61 “failure to respond” cases for investigation. This was 16% of her investigation caseload – a significant reduction on the 25% three years ago.
Appeals volumes fell for some sectors. Most notably for the Scottish Government and its agencies, where appeals fell from 23% of the Commissioner’s caseload in 2014/15 to 15% this year (from 111 appeals to 84).
Appeal volumes increased for others. Appeals in relation to non-departmental public bodies increased, from 6% of the Commissioner’s caseload in 2014/15 to 10% this year. This was largely due to an increase in Scottish Fire and Rescue Service appeals, from 1 in 2014/15 to 12 this year.There was also a significant increase in appeals about requests made to Police Scotland. They rose from 9% of appeals last year to 15% in 2015/16 (from 45 to 81 appeals). 3% of Police Scotland’s information requests resulted in an appeal, compared to a national average of 0.8%.
61% of appeals came from members of the public. The media accounted for 20% of appeals, and prisoners 7%.
60% of the Commissioner’s decisions found wholly or partially in the requester’s favour. If an authority has incorrectly withheld information, the Commissioner’s decision will require it to be released.
73% of cases were resolved by the Commissioner within 4 months.
Public authorities reported receiving 68,156 information requests in 2015/16. This is a 2% increase on 2014/15. Figures are reported in a publicly available database set up by the Commissioner. The portal data also shows that 75% of requests resulted in some or all of the requested information being provided, and that public authorities themselves are reporting 35% fewer ‘failures to respond’ to information requests since 2014/15.
Public awareness of FOI is at its highest ever level, at 85%. This is up from 84% last year, and 78% in September 2013.
FOI awareness is lower amongst 16-24 year olds. Ipsos MORI polling also revealed lower awareness amongst young people. The Commissioner is working in partnership with Young Scot to address this lower awareness.
Speaking at the launch of the report Rosemary Agnew said:
“These signs of improvement in FOI performance are welcome. As my report demonstrates, the majority of information requests result in some or all of the information being disclosed. It is encouraging that only a very small proportion of requests are appealed. I’m also pleased that the number of appeals made about a failure to respond has fallen significantly following our work to tackle this issue.”
“Unfortunately, our experience is that these improvements are not universal. There is still a clear gap between the best performing authorities and those who lag behind. As you will see from my report, my focus still lies in promoting good practice and intervening when I find poor practice.”
In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.
Following a consultation last year, 1st September 2016 saw FOISA being extended to cover more organisations.
Act Now has a full programme of FOISA workshops in Scotland. If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate is ideal. The four day course is endorsed by the Centre for FOI, based at Dundee University.
The next FOISA Practitioner Certificate course in Edinburgh is starting in February 2017.