Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.
The apprenticeship, which received final approval in March, will help develop the skills of those working in the increasingly important fields of data protection and information governance.
With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non-compliance.
This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.
Ibrahim Hasan, Director of Act Now, said:
“We are excited to be working with Damar Training to help deliver this much needed apprenticeship. We are committed to developing the IG sector and encouraging a diverse range of entrants to the IG profession. We have looked at every aspect of the IG Apprenticeship standard to ensure the training materials equip budding IG officers with the knowledge and skills they need to implement the full range of IG legislation in a practical way.”
Damar’s managing director, Jonathan Bourne, added:
“We want apprenticeships to create real, long-term value for apprentices and organisations. It is vital therefore that we work with partners who really understand not only the technical detail but also the needs of employers.
Act Now Training are acknowledged as leaders in the field, having recently won the Information and Records Management Society (IRMS) Supplier of the Year award for the second consecutive year. I am delighted therefore that we are able to bring together their 20 years of deep sector expertise with Damar’s 40+ year record of delivering apprenticeships in business and professional services.”
This apprenticeship has already sparked significant interest, particularly among large public and private sector organisations and professional services firms. Damar has also assembled an employer reference group that is feeding into the design process in real time to ensure that the programme works for employers.
The employer reference group met for the first time on May 25. It included industry professionals across a variety of sectors including private and public health care, financial services, local and national government, education, IT and data consultancy, some of whom were part of the apprenticeship trailblazer group.
If your organisation is interested in the apprenticeship please get in touch with us to discuss further.
The Public Records (Scotland) Act 2011 (PRSA 2011) requires public bodies in Scotland to develop a Records Management Plan and submit it for the approval of the Keeper of the Records of Scotland. Many of these plans, usually approved on a five-year basis, are now approaching the time when they will need to be revised and put through the approval process once again. Moreover, the Keeper’s team have been actively revising their “Model Plan” and will be expecting more from authorities on the submission of their new plans over the next couple of years.
The PRSA 2011 received Royal Assent on 20 April 2011, aiming to fill a gap in information governance which had long existed. Although there had been some sector-specific records requirements, there was no overall legislative framework guiding the creation, management or retention of information in the Scottish public sector.
The Act came in on the back of the 2007 Shaw Report which blamed poor record keeping for many of the difficulties faced by former residents of residential schools and children’s homes. The Scottish Government took a broad view of the implications of Shaw; this in turn led to the PRSA covering a broad range of named public authorities including the Scottish Government and Parliament, local authorities, NHS, police and the courts.
Despite concerns, strongly expressed at the time by COSLA among others, that the Act would present yet another onerous burden during a period of particularly harsh austerity, it is probably fair to say that the PRSA has been a success, giving Scotland a solid statutory basis for its record keeping for the first time.
Records Management Plans
The core of the Act is the requirement to develop and maintain a Records Management Plan. This, in theory, can take any form but in practice authorities have tended to closely follow the Keeper’s “Model” comprising (originally) 14 elements:
Senior management responsibility
Records manager responsibility
Records management policy statement
Archiving and transfer arrangements
Business continuity and vital records
Competency framework for records management staff
Assessment and review
One significant change to the way that the Keeper will be assessing authorities’ Records Management Plans is that there is now an “Element 15” in the Model Plan, covering third party records. S2 and S3 of the Public Records (Scotland) Act always defined the scope of the legislation broadly so as to cover the records of external agencies carrying out functions on behalf of the public authority, but that is now going to be more explicitly defined and the Keeper will expect to see evidence of policies and procedures under this “Element 15”.
The Keeper is currently undertaking a review of these requirements so it is as yet unclear exactly what will be required. The issue was covered in some detail at the Stakeholders’ forums which the Keeper hosted last year, and there is some guidance and model contractual clauses available from the National Records of Scotland, and from the Scottish Council on Archives and Quality Scotland.
Another significant change in the Keeper’s approach to what will be required from Records Management Plans is a general refocussing on data protection. This had always featured in the Model Plan with element 9 dedicated to the appropriate management of personal data but now data protection runs through the Keeper’s guidance like the writing through a stick of rock. As well as beefing up element 9, each section of the Keeper’s guidance now includes a data protection theme as an example of good practice.
The scope of the PRSA continues to broaden. The Keeper is currently going through the approval process of the Integrated Joint Boards, and (as with Freedom of Information?) there will be pressure to extend the list of bodies covered by the Act. The position of Trusts and some other arms-length authorities remains unclear but all organisations of a public nature would be well advised to get up to speed with the requirements of the Public Records (Scotland) Act 2011.
Throughout the process of the passage of the Bill, the Keeper always made a commitment to use the carrot rather than the stick. This has worked well, with the very helpful team at the NRS providing support and guidance on a range of records issues. As the records environment matures, however, and as more is expected of authorities, might we see a more robust approach from the regulator? In retrospect, some of the early schemes which the Keeper approved now look somewhat thin; it may be unlikely that these would have passed had they been submitted today.
Act Now has arranged a series of webinars and full day workshops on the themes raised by the developments within the PRSA. Among other issues, we will be looking at:
Records Management Policies. Some authorities conflate “policy” and “Plan”. I’d suggest a clear separation, with the Policy simply summarising the case for records management, allocating responsibilities, defining terms and setting out key principles. This element of the plan can also be used to include area-specific policies and procedures which perhaps don’t fit neatly elsewhere.
We’ll consider the standards and resources available. What are the standards that you need to know about? In developing or amending your plan, how far can you rely on off-the-shelf resources such as business classification schemes and retention schedules? What do you have to do to make these really work for you?
The Keeper has a self-review mechanism for already established Records Management Plans. The “Progress Update Review” mechanism is available and the Keeper has suggested that completing this process will delay the requirement for a full resubmission of your Plan. But what factors should be considered in deciding when to use the PUR and when to complete a full resubmission?
Links to other relevant legislation. In particular, the GDPR, the Data Protection Act 2018 and the Freedom of Information (Scotland) Act 2004. As noted above, the start of the review of the model scheme was at the same time as the implementation of the GDPR and this seems to have very much focussed the Keeper’s attention on data protection. What will authorities need to do to ensure that their RMPs are up to speed with the new DP requirements?
Electronic Records Management. In theory, records principles are blind to the media by which the information is created, stored and managed. In practice, however, the Records Management Plan can be an excellent focus to develop and promote policies and practical guidance which relates specifically to information in alternative media.
Getting “buy in”. We will consider the best ways to get support for the Records Management Plan within your organisation. It is important that you are able to show the benefits of good records management, and not just in terms of statutory compliance or improved efficiency. By developing a culture of regarding information as a corporate asset you will be able to demonstrate that records management is vital in evidencing the rights and responsibilities of the organisation and in maintaining a high quality corporate memory through the development of a proper archive service.
Making it real. The RMP should not just be a paper exercise but should be a functioning set of tools which ensure that the organisation derives maximum value from its information resources. To be of real value, the Plan needs to be embedded throughout the organisation, rather than just a neat stack of policies on a corner of the Chief Executive’s desk.
Craig Geddes is a qualified archivist and records manager, with 28 years’ experience working across the range of information governance activities. He has recently joined the Act Now team to deliver freedom of information and records management courses in Scotland.
On 20th September the Information Commissioner issued Equifax Ltd with a £500,000 monetary penalty, the biggest fine it has issued to date, and the maximum allowed under the Data Protection Act 1998. Although half a million pounds might sound a significant amount of money, it represents a relatively modest amount compared to the fine the company might have received had the breach occurred 12 months later, under the GDPR regime.
In this blog we consider the incident, the actions of the parties and we speculate on what type of sanctions the company could have faced under the GDPR.
Equifax Ltd is a major credit reference agency based in the UK. Since 2011 it has offered a product called the Equifax Identity Verifier (EIV) which enables clients to verify the identity of their customers online, over the telephone or in person. To verify an individual’s identity, the client enters that individual’s personal information on the Equifax system, which is then checked against other sources held by Equifax Ltd. Initially the EIV was processed by its US parent, Equifax Inc. Equifax Ltd in the UK was the data controller and Equifax Inc in the USA was the data processor. In 2016, Equifax Ltd transferred the data processing for the EIV product to the UK. This required the migration of the personal data to the UK. However, the US company did not then delete all the UK personal data from its system, which it should have done as it had no lawful reason for continuing to store this data.
The cyber-attack incidents
Equifax Inc was subject to a number of cyber-attacks between 13 May and 30 July 2017. During this period the attackers exploited a vulnerability in the US company’s online consumer-facing disputes portal. This enabled the attackers to access personal data of about 146 million individuals in the USA. Additionally, they were able to access the name and date of birth of up to 15 million UK individuals, contained in the EIV dataset. In addition, in respect of some 637,430 UK data subjects, their telephone numbers and driving licence numbers were also compromised.
An additional data set (the GCS dataset) was also attacked and this allowed the hackers to access the email addresses of over 12,000 UK individuals. More significantly, for another 14,961 UK residents the compromised data was account information for Equifax’s credit services and included data subjects’ name, address, date of birth, user name, password (in plain text), secret question and answer (also in plain text), credit card number (obscured) and some payment amounts. This personal data was held in a plain text file, as opposed to the actual database. The storage of password data in plain text was contrary to the company’s Cryptography Standard, which specifically required that passwords were to be stored in encrypted, hashed, masked, tokenised or other form. The file was held in a file share which was accessible to multiple users.
In March 2017 Equifax Inc. received warning of the vulnerability of its Apache Struts 2 web application framework (which it used in its consumer-facing online disputes portal). The warning came from the US Department of Homeland Security Computer Emergency Readiness Team, which identified a critical level of vulnerability. The US company disseminated this warning to key personnel, but the consumer-facing portal was neither identified nor patched.
Equifax Inc. became aware of the cyber attack on 29 July 2017, and then further aware that the data of UK individuals had been compromised by late August 2017. However, Equifax Inc failed to warn Equifax Ltd until 7th September 2017, at least a week after it became aware that the UK personal data had been compromised.
Equifax Ltd notified the ICO on 8th September. In this respect, its behaviour would have met the strict breach notification requirements of the GDPR, which require a data controller to notify the Commissioner within 72 hours of becoming aware of the breach. Initially they reported that about 1.49 million individuals’ data had been lost. This was later revised upwards to 15 million data subjects. They also indicated, incorrectly, that the data accessed did not include residential addresses or financial information.
The Information Commissioner’s Findings
On the facts, the Information Commissioner decided that although the information systems in the USA were compromised, Equifax Ltd was the data controller responsible for the personal data of its UK customers. The Commissioner found that Equifax had failed to take appropriate steps to ensure its US parent, and data processor, was protecting the information. The Monetary Penalty Notice lists the various contraventions of the DPA 1998:
Principles 5, 2 and 1
Following the migration of the EIV dataset from the US to the UK, it was no longer necessary for the US company to keep any of the data. The data set had not been deleted in full and was kept longer than necessary.
In relation to the GCS dataset stored on the US system, Equifax Ltd was not sufficiently aware of the purpose for which it was being processed until after the breach. In the absence of any lawful purpose the retention was unnecessary.
The UK company failed to follow up or check that the data had been removed from the US systems, or to have an adequate process in place to check this was done.
Equifax had not undertaken an adequate risk assessment(s) of the security arrangements put in place by its data processor before transferring the data to it or following the transfer.
The Data Processing Agreement between Equifax Ltd and Equifax Inc was inadequate and failed to provide appropriate security safeguards or the standard clauses.
Equifax Ltd had failed to ensure adequate security measures were in place. The Commissioner identified numerous examples of the inadequacy of the safeguards that were in place, including the lack of encryption; the use of plain text data; allowing multiple users to have access to plain text files; failing to address IT vulnerabilities; having out of date software; and failing to undertake sufficient and regular system scans.
Poor communications between the UK and US companies, particularly in relation to the US company’s delay in making the data controller aware of the breach.
The Data Processing Agreement between Equifax UK and Equifax Inc was inadequate in that it failed to incorporate the standard contractual clause as a separate agreement and/or to provide appropriate safeguards for data transfers outside the EEA.
There was therefore a lack of a legal basis for the international transfer of this data.
Overall the Information Commissioner found multiple failures at Equifax Ltd, which led to personal information being kept longer than necessary and vulnerable to unauthorised access. Given the nature of the breaches, individuals were exposed to the risk of financial and identity fraud. The Commissioner concluded that the maximum financial penalty it could levy was proportionate in all the circumstances.
What difference would it make if this happened under the GDPR?
If the same breaches had occurred post May 25th then both Equifax Ltd and Equifax Inc., might find themselves in a substantially different situation.
The level of fine: The most obvious difference would be in relation to the level of fine that the ICO could impose. Under Article 83 GDPR the ICO can impose a fine of up to £17 million (20m Euro) or 4% of global turnover. Equifax Ltd is part of a global group that operates or has investments in over 24 countries. According to its 2016 Annual Report the Equifax Group’s global annual revenue for 2016 was $3.1449 billion. 4% of this is about $125 million. In 2016 the UK company, Equifax Ltd, recorded revenue of £114.6 million. This alone could lead to a fine of over £4.5 million.
Data Subjects’ rights to sue for damages: Although this is not a new right under the GDPR, the GDPR now expressly permits individuals to sue for both material (financial) and non-material damage, such as distress. In many respects this represents a bigger risk for companies such as Equifax who are processing data whose loss could cause significant harm to data subjects. Given the heightened awareness amongst the public of the GDPR, it is not difficult to anticipate that these types of high-volume breaches could result in class actions for compensation.
Breach Notification: Article 33 imposes a condition that data processors must notify data controllers ‘without undue delay’ if they become aware of a data breach. The delay on the part of the US company in informing the UK company would constitute a breach of Article 33.
Notifying Data Subjects: Under Article 34 GDPR the Data Controller has a duty to notify data subjects that their personal data has been breached, where the breach is likely to result in a high risk to their rights and freedoms. Equifax Ltd issued a press release on 7th October 2017 saying that it would “now begin writing to all impacted customers with immediate effect”. This again does not meet the requirement of notification ‘without undue delay’.
We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New dates added for London!
In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However, the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. And the list goes on…
Launched at the 2016 IRMS conference in Brighton, the IRMS Foundation Certificate in Information Governance is a fully online yet interactive course. There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web-based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition, they will be able to tailor their learning by doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate, endorsed by the excellent reputation of the IRMS.
Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:
“I am really pleased to have been involved with the development of this ground breaking new online qualification. I have used my experience in delivering Information Governance training for many years to help create a product which will hopefully meet a previously unmet demand amongst Information Management professionals.”
Meic Pierce Owen, the Chair of the IRMS said:
“I am genuinely proud to have overseen the development of this important qualification that offers all information professionals the opportunity to gain a solid grounding in contemporary Information Governance (IG). This qualification has relevance across all sectors and is equally valid for those looking to master the basics of contemporary IG as it is for those looking to progress to practitioner level study.
As a generalist practitioner who qualified from University just ahead of Data Protection, Freedom of Information and Information Security being covered in any detail on the courses, I am also delighted to put my money where my mouth is and be the first to sign up to study for this qualification, which I believe to be relevant to my CPD as well as being excellent value for money. I shall let you know how I get on…”
If you would like to know more about this exciting new course please visit us at the IRMS stand at the Brighton conference. See also our dedicated IRMS Certificate webpages or get in touch.
Be an Information Superhero and gain a Superhero Qualification!
On first sight, that’s a pretty startling statistic. The IRMS is the main industry body for records managers. If anyone could be expected to have articulated a vision for electronic records management, it was the people in that room.
But the truth is, I’m not that surprised by Julie’s experience.
Firstly, I think it’s partly to do with what Julie asked. If she’d asked whether those present had a records management policy, I suspect a much bigger proportion would have put their hands up. And many records management policies probably include a statement saying how the organisation aspires to manage electronic records. That’s a vision – but those present probably didn’t think of it as such.
But what about those who just don’t have any statement? I suspect a lot of people in that room didn’t have anything – no policy, no strategy, no vision. And I think I know why.
The people responsible for records management in a lot of organisations are nervous of getting it wrong. And all the talk of visions, strategies and programmes isn’t helping. All the competing theories and evolving attitudes are hard to keep up with. 10 years ago, public bodies were being encouraged to adopt electronic document and records management systems. Now it’s rare to hear a success story about such systems, and hardly anyone thinks they’re a good idea. How do you come up with a vision for the future operation of your organisation when the future keeps changing?
What’s more, in most organisations, the person responsible for records management may be relatively junior. Often they will be someone who was drafted into the role; it might only be part of their job.
But it is important that records management is addressed. Any business needs to manage its information. Back at the start of my career I worked for a pharmaceutical company. Our records management unit ensured that they were able to prove that they discovered their marketed drugs first – some of those records were worth billions to the business.
And it is necessary for compliance with legislation. For example, if you look at many civil monetary penalties issued by the Information Commissioner’s Office, you will find that poor records management played a part.
And public authorities of course are subject to the Freedom of Information Act. Section 46 of the Act requires the Lord Chancellor to issue a Code of Practice on the management of records. The Code of Practice was written by the National Archives and sets out the features that they expect to see in public authorities’ records management. Whilst not a statutory requirement, the Information Commissioner is unlikely to look kindly on a public authority that fails to meet its FOI obligations due to records management failings. Indeed he has been known to issue a practice recommendation to an authority insisting that they improve their records management.
So organisations – especially public sector ones – need to do something about records management. But what?
We can start by using the Code of Practice as a guide. What do the experts at the National Archives think should be in place?
And we can stop letting “the best be the enemy of the good”. Julie McLeod’s straw poll, as well as the more detailed research she was reporting on at the conference, showed that many organisations had done very little. What actually needs to happen is that something gets done. We should improve records management one step at a time. We must be pragmatic.
That’s what I’m going to attempt to do in my new course for Act Now Training on Records Management and the Section 46 Code of Practice. I’ll explain the different requirements of the Code and practical things you can do to meet them. That’s obvious. But I’ll also tell you not to panic. Don’t try to do it all at once. What are the key things you can do that will improve your records management almost overnight? You will leave with an action plan for your organisation – so you’ll instantly be ahead of 90% of those conference delegates I mentioned. The key words are “Just Do It.”