A senior local authority executive (not from Hackney, whose town hall appears in today’s image) has recently realised that data protection is important and, as he was in charge of it, he had asked a friend of mine to develop a presentation on what he ought to be thinking about. So, my friend set about creating a short list of the main data protection issues that face the public sector over the next year. I was asked to review the list.
It included:
- preparing for the new EU Data Protection Regulation (assuming it is ratified soon);
- data sharing and anonymisation of data;
- improving proactive disclosure under FoI (given that the ICO is developing the publication schemes); and
- addressing data security issues in relation to Bring Your Own Device, home working, and cyber-crime.
It was a good start. What could I add?
Well, if you’ve just got ten minutes facetime with a senior bod, there’s not a lot of point going into a great deal of detail. The trick is to use a couple of soundbites as hooks to engage the senior executive to the extent that they actually ask for a paper which develops the issues that are of concern.
Given the current level of uncertainty about whether there will be an EU Data Protection Regulation (let alone what might be in it), I suggested that he need not spend too much time on this issue.
In an ideal world, and if our sterling squad of national data protection negotiators from their offices in Petty France have their way, the UK will be faced with legal requirements that public authorities will actually be able to afford to implement. Hurrah! Our ace team of brilliant officials over at the Ministry of Justice will present the compliance bill to their chums at the Department of Communities and Local Government, who will be so overjoyed at the (low) cost to local authorities that the Chief MoJ Negotiator will be carried shoulder high from Petty France to Westminster Bridge, where he will be tossed into the River Thames to celebrate his success.
In a less than ideal world, where an EU measure is passed and where the compliance bill is unacceptably high, I predict that a baying mob of the same officials will drag the Chief MoJ Negotiator from Petty France to Westminster Bridge, where he will be tossed into the Thames anyway.
Returning to the topic in hand, I suggested that my chum add a couple of new points to spice up his presentation.
First, I suggested he mention how hard it will continue to be to design and implement an information governance / compliance programme when the public sector is undergoing so much change. It’s awfully difficult, for example, to carry out privacy impact assessments when local authorities are so busy working out new models of joint service provision. Who knows who will be doing what and with what safeguards? When new institutions are created to take over the role of established organisations (particularly in the health sector), who will know in advance what data sharing agreements may need to cease or be re-written? Crucially, if certain members of staff are under notice of possible redundancy, it’s not at all clear how the appropriate data sharing agreements can be drafted before the new institutions have to assume their responsibilities, because the relevant people aren’t in place.
Second, I suggested he mention the difficulties of managing these issues effectively when local authority budgets are so tight. Who has the resources to carry out (or commission) decent privacy impact assessments, for example, especially when so few people outside the data protection community have ever heard of them, let alone (inside the community) know how to do one?
Third, and before the senior executive loses concentration completely, I suggested he should end the presentation by asking who should be accountable for the decisions that might need to be taken which result in the public authority being incapable of demonstrating that it has taken appropriate measures to safeguard personal data. And how should this senior executive liaise with the ICO’s enforcement team when reporting data breaches that occurred because they would not sign off the funding that was required to build and maintain the measures and systems that would have better safeguarded personal data?
If that doesn’t prompt the executive to request a more detailed paper on the relevant issues, then I’m not sure what might.