Sunday, 30 October 2016

Post Brexit, what options are available for a GDPR-light Data Protection Act?

Let’s think the unthinkable.

Lets assume that, post Brexit, the British Government has an opportunity to decide how its data protection legislation should reflect the requirements of an aspiring British economy. And let’s assume that the Minister with responsibility for Data Protection asks for options about trimming back those elements of the General Data Protection Regulation that are unduly burdensome and, in practice, actually do very little to safeguard fundamental human rights.

Why might a Minister make such a request?

Just think of the pressures that are likely to face the public purse. Data controllers in the public sector will continue to have significant budgetary pressures over the next decade. So, all statutory obligations that have cost implications will need to be reviewed and justified. Difficult choices will need to be made. Costs that cannot be justified shouldn’t be permitted to continue to be imposed. And if the costs can’t be justified for public sector data controllers, then the same arguments ought to be able to be made with regard to (most) other data controllers.

What options might feature on the Minister’s list?

Hopefully, the following issues will be included:

  • Allow data controllers to levy a (relatively small) Subject Access Fee. In 27 years as a data protection practitioner, I’ve encountered too many situations where the individual had raised a complaint with the data controller, and had invoke the SAR process as a way not of resolving their complaint, but to “get their own back” and unnecessarily tie-up scarce resources. Its been my experience that a small SAR fees deter a good many unmeritorious requests.
  • Examine whether the GDPR right to require a data controller to pass an individual’s personal data directly to another data controller really ought to be a “fundamental” right, and thus within the ambit of the GDPR. Surely it should be up to the discretion of the data controller as to whether they should offer such a service to their customers.
  • Query whether it is necessary for there to be an obligation on certain (or any) organisations to appoint a DPO with the responsibilities that are specified in the GDPR. Why should a DPO, for example, be treated so differently to any other senior employee?
  • Query why fines for non-compliance need be set so high, or the higher rate (4% of global turnover) applicable for breaches of so many Articles of the GDPR , when the lower rate (2%) is arguably just as dissuasive.
  • Examine the mess that the rules on transborder data flows will impose (particularly) on cloud providers, and embark on a more pragmatic, less dogmatic, approach.
  • Query whether Data Protection Impact Assessments are required in so many cases, and whether the DPIA needs to address all the issues set out in the GDPR. Why can’t data controllers take a more pragmatic, risk-based approach be taken?
  • Clarify just what processes data controllers should document in order to demonstrate accountability, so that they aren't led to believing that a huge range of, for example, information flows, must be documented in considerable detail, on pain of a whopping fine from the regulator if they don’t.
  • Query whether individual’s rights really need to be as complicated as they are set out in the GDPR – which provides that their rights will depend, to some extent, on the legal grounds that data controllers rely on for processing personal data. Individuals may rightly feel aggrieved if their “rights” are oversold by people keen to sell the virtues of the GDPR. Individuals have to accept that data controllers have rights too.
  • Query the requirements & logistics for obtaining consent when data relating to children are being processed. Ignore the EU’s lower age limit of 13 and continue to accept that, in Scotland at least, young people can be treated differently to other minors when they reach the age of 12.
  • Query whether it is necessary to explain what an organisation’s “legitimate interests” are, when the legitimate interests condition is being used to process data.

These are all issues that don't really affect an individual's “fundamental” human rights. So, there is the possibility that some – or most- of them could be incorporated into a new Data Protection Act without the UK being accused of denying UK citizens rights that are equivalent to the fundamental human rights that are enjoyed by EU citizens.

“Equivalent” rights should not be taken to mean that a post-Brexit Data Protection Act should offer UK citizens rights that are “identical” to their EU chums. After all, countries like the Faroe Islands, Israel & Canada were awarded “adequacy” status by the European Commission a few years ago – not because their laws were identical to the requirements in the Data Protection Directive, but because it was, on balance, expedient for those countries to be so recognised.


Saturday, 29 October 2016

My 7 top security publications from the ICO

Given what can only be described as an omnishambles of security breaches, is there much more that the ICO can do to warn data controllers of the risks they should take account of?

Probably not.

What might be helpful though, is data controllers refreshing their memories about the guidance which has emerged from the ICO over the past few years.

In terms of the top 7 ICO publications, (virtual) copies of the following guides really ought to be at every DPO’s fingertips: 

7. Guidance on data security breach management (Dec 2012). This very high level, 8-page guide, builds on earlier advice that breaches of non-sensitive personal data relating to more than 1,000 victims should be notified to the ICO, while breaches of sensitive personal data relating to far fewer victims should also be notified.

6. Bring your own device (May 2013). This 13-page document contains advice on what a BYOD policy should contain, what security issues to consider with regard to data storage & transfers, and guidance on monitoring at work.

5. Guidance on the use of cloud computing (Oct 2012) This 23-page guide, evidently about to be revised by the ICO, contains a useful PIA-type check list which covering the issues (in terms of risks, confidentiality, integrity, availability & legal factors) to consider when using a cloud provider.

4. Privacy in mobile apps – guidance for app developers (Dec 2013). This 23-page guide contains some basic security advice, together with useful examples of good and bad practice for app developers.

3. Encryption (Mar 2016) This 35-page guide highlights, through a range of practical scenarios, when different encryption strategies can help provide a greater level of protection.

2. A practical guide to IT security (Jan 2016).  This natty 18-page guide reports on 10 practical ways to secure IT systems. Sections offer high level guidance on the importance of:
  • Assessing the threats
  • Getting in line with Cyber Essentials
  • Securing data on the move & in the office
  • Securing data in the cloud
  • Backing-up data
  • Staff training
  • Monitoring alerts
  • Documenting controls
  • Minimising data
  • Monitoring contractors

However, and by a country mile, top of my list of "must read" ICO security publications is:

1. Protecting personal data in online services: learning from the mistakes of others (May 2014). This 46-page guide focusses on the most common 8 computer security vulnerabilities:
  • Software updates
  • SQL injection
  • Unnecessary services
  • Decommissioning
  • Password storage
  • SSL/TLS configuration
  • Inappropriate locations
  • Default credentials

So there you have it. Security breaches may well occur despite data controllers having taken account of the ICO’s advice – but woe betide a data controller that suffers a security breach because they’ve wilfully disregarded the published advice.

An inability to follow these basic guides will continue to be an aggravating factor that will be taken into account when the Information Commissioner decides what level of Civil Monetary Penalty to impose on a recalcitrant data controller.