Cabinet Office data breach fine – 6 key takeaways

December 2021

A data breach could be blamed on human error, when the real culprits are a lack of controls, checks and balances

The ICO has fined HM Government’s Cabinet Office £500,000 for a data breach, following the disclosure of people’s home addresses published in the New Year’s Honours List.

What went wrong and what lessons can we learn?

How did the data breach happen?

Here’s a summary – yes it’s quite dry but worth looking at. It illustrates how the devil really is in the detail when it comes to systems and end-user requirements from a data protection perspective.

  • In 2019, a new IT system was introduced in the Cabinet Office to handle public nominations for the New Year Honours.
  • The ICO investigation found the system was set up incorrectly; it was mistakenly configured to generate a CSV file which included people’s postal addresses. This should not have happened and was not a feature requested in the original build requirements.
  • Testing took place on the reports the system generated, but the postal address column went unnoticed. It’s believed this was partly due to the large number of fields in the spreadsheet and the focus being on making sure the list of successful Honours recipients was accurate.
  • Instructions were provided to staff to explain the process for running the reports. However, these were based on how the system should have been set up (i.e. the original build requirements) and didn’t include checks to make sure extraneous personal data was removed.
  • The error was identified at a later stage, but due to tight timescales to get the Honours list published, it was decided the file should be amended rather than making modifications to the IT system itself. A decision was taken to hide the postal address column rather than delete it, so the data was still contained within the file.
  • When the list was published on the Cabinet Office website on Friday 27 December at 10.30pm, this data became visible, and people’s postal addresses were accessible.
  • Some of the data affected was already in the public domain. However, numerous postal addresses which were not in the public domain were made public.
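The failure above has two technical parts worth separating: the report contained a column the specification never asked for, and "hiding" that column did not remove it, because a CSV file has no notion of a hidden column; whatever a spreadsheet hides is still written out in full. The following Python is an added example, not code from the enforcement notice or from the Cabinet Office system: a pre-publication gate that rejects any export whose columns are not on the agreed allow-list, scans every cell for postcode-like strings in case address data has crept into an innocuously named column, and rewrites the file to the specification by deleting columns rather than hiding them. The column names, the approved list and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export (hypothetical names and addresses). The last column
# was never in the agreed report specification.
SAMPLE_CSV = (
    "Honour,Surname,Forename,Citation,Postal address\n"
    "CBE,Example,Alice,For services to engineering,"
    '"1 Hypothetical Road, Sampletown, AB1 2CD"\n'
    "MBE,Sample,Bob,For services to charity,"
    '"22 Made-up Street, Testville, ZZ9 9ZZ"\n'
)

# The columns the build requirements asked for (an assumed specification).
APPROVED_COLUMNS = ["Honour", "Surname", "Forename", "Citation"]

# Heuristic for UK postcodes, used to catch address data that has ended up in a
# column whose name gives nothing away. It is a backstop, not the main control.
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")


def check_export(csv_text, approved_columns):
    """Return a list of findings. An empty list means the file matches the
    specification and no cell looks like an address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    findings = []

    # Schema check: every column must be on the allow-list, regardless of content.
    for col in header:
        if col not in approved_columns:
            findings.append(f"unexpected column: {col!r}")
    missing = [c for c in approved_columns if c not in header]
    if missing:
        findings.append(f"missing columns: {missing}")

    # Content check: scan every cell, approved columns included.
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, value in row.items():
            if value and POSTCODE_RE.search(value):
                findings.append(f"row {row_no}, column {col!r}: looks like an address")
    return findings


def strip_to_spec(csv_text, approved_columns):
    """Rewrite the export keeping only the approved columns. The extra column is
    deleted from the data, not hidden in a spreadsheet view."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=approved_columns, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for finding in check_export(SAMPLE_CSV, APPROVED_COLUMNS):
        print("BLOCK:", finding)
    print(strip_to_spec(SAMPLE_CSV, APPROVED_COLUMNS))
```

Run the check in the publishing pipeline, not by eye in a spreadsheet: if check_export returns any finding, the file does not go out. The content scan is only a heuristic backstop (a postcode regex will miss a free-text address with no postcode); the allow-list is the real control, and it should be derived from the build requirements that the testing in the case above was never compared against.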

Steve Eckersley, ICO Director of Investigations, said: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.”

Action taken following the data breach

Within thirty minutes of the list being published, a member of the Government Communications Team alerted the Cabinet Office to the breach.

The list was quickly republished with the link to the offending CSV file removed. Removing the link did not remove the file itself, however, and because of automatic caching on the gov.uk website the file continued to be accessible (seriously, caching is the bane of my life too!).

A developer finally managed to permanently delete the CSV file shortly before 1am on the Saturday morning.

I’m sure this was an, er, interesting Friday night for those involved.

Individuals affected by the breach were contacted within 48 hours via email or telephone, and a few were contacted by post.

The Cabinet Office notified the ICO within 72 hours of becoming aware of the breach in accordance with GDPR.

In its enforcement notice the ICO acknowledges that the Cabinet Office acted promptly and undertook a full incident review.

Since the breach, it is reported a number of ‘operation and technical’ measures have been implemented to improve the system security and an independent review focusing on the handling of data was completed in 2020.

You can read more detail in the full enforcement notice.

6 key takeaways

The ICO investigation and an independent review examined the Cabinet Office’s data handling practices in light of this breach. The findings provide useful tips on measures we should be considering and steps we should be taking. All of these speak to the need to take a Privacy by Design approach.

1. New systems

The review report said: “Interviewees raised a number of concerns around the procurement of new software to run their data handling processes. Some said that financial considerations meant that off-the-shelf solutions were chosen to run processes that, given their complexity, warranted bespoke solutions”.

A stark lesson: appropriate due diligence is needed both at the procurement stage and when scoping the requirements for a technical solution, and what is delivered must then be checked against that agreed scope. We need thorough UAT (user acceptance testing), and it needs to test for what the system should not produce as well as for what it should; in this case testing confirmed the list of recipients was accurate but never asked whether the report contained anything beyond the specification. We mustn’t roll out new systems/software too quickly. Cutting corners leads to mistakes.

Conducting a Data Protection Impact Assessment can often be a really useful way of identifying and mitigating risks from the outset.

2. Procedures and processes

Staff need to be aware of, and have access to, clear data handling procedures and processes. In this case it was found procedures were insufficient or incorrect. There was also a lack of instructions for what to do in a crisis (i.e. how to reverse publication once the breach had occurred).

Are you confident your staff know how to handle data appropriately? Are your processes regularly reviewed and updated? Have you practised or ‘war-gamed’ worst-case scenarios?

3. Out of hours incidents

It’s a bit of a cliché, but data breaches inevitably occur at the worst possible time – at the weekend or on a Bank Holiday. Sod’s law says they will happen when key people are on holiday or unavailable.

The Cabinet Office suffered a breach at 10.30pm, on a Friday, in between Christmas and New Year. They aren’t the first, and certainly won’t be the last to have this happen at the worst possible time.

Does your data incident plan cover such eventualities? A common gap can be not having mobile numbers for key people and not having contact details for ‘a second in command’ if the key person isn’t available.

Credit where credit’s due – in the circumstances I think it’s impressive they managed to get in touch with affected individuals within 48 hours and got their notification into the ICO within 72 hours.

4. Time pressures

Many businesses are high-tempo, with new systems and projects putting pressure on employees to meet deadlines and deliver on time.

The review of the Cabinet Office found there was regular pressure to deliver on urgent political priorities; “The pace required to deliver on these priorities was cited by some business units and stakeholders as potentially compromising the disciplines of good personal data handling”.

Is your organisation at risk of pushing too hard to the detriment of data protection? Are people aware of the potential risks?

5. Training and awareness

The Cabinet Office had seven modules in their “Responsible for Data” e-Learning. However they were unable to provide the ICO with a clear percentage of who’d completed the training.

The regulator found employees in the Press Office and Digital Team, who were also involved in the process of the data being published, hadn’t received data protection training in the past two years.

This demonstrates the importance not only of making sure staff receive adequate, regular and appropriate training, but also of keeping records to prove it.

6. Accountability

Do you have clear lines of accountability and responsibility? It’s a potential recipe for disaster to leave less experienced or junior members of staff to handle important jobs (especially late on a Friday night). Are senior members of staff available to sign off and check things when required?

In summary…

When I first heard of this breach back in December 2019, my heart sank for those involved in pushing the button. Would the finger inevitably be pointed at them for making such a big and very public mistake?

But I also thought, how could it have got to this stage? How could there not have been checks and balances in place throughout the process to make sure people’s private postal addresses could never be published?

In the independent review commissioned by the Cabinet Office, the following important observation is made: “Breaches, such as the one that impacted New Year’s Honours recipients in December 2019, are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically”

We all have feet of clay, and this is not an issue which will be limited to the Cabinet Office.

 

Personal Data Breaches: Can ‘over-reporting’ be curtailed?

November 2021

The Information Commissioner’s Office has said organisations are over-reporting data breaches. One proposal discussed in the UK Government’s consultation on data reform aims to tackle this issue by raising the threshold for when organisations need to report a personal data breach.

Is this a good idea or not?

The number of reported breaches jumped dramatically after GDPR came into effect back in 2018, quadrupling the figures. Pre-GDPR, the ICO would receive around 3,000 notifications a year. Post-GDPR, it rose to more than 3,000 a quarter (2018/19).

You might argue this wasn’t surprising and no bad thing.

GDPR tightened rules around breach reporting, with increased potential penalties for non-compliance. The rise in reporting might suggest companies were taking heed of the legislation and holding their hands up to their mistakes.

Since then the figures have come down to around 2,300 a quarter (July – September 2021).

This is still a sizeable figure. The ICO is clearly overwhelmed and has specifically highlighted that some organisations are reporting breaches when they don’t need to.

It’s worth noting most reported breaches aren’t investigated (one would hope because they aren’t serious enough); just 20% result in an investigation. Even then, not all investigations lead to enforcement action.

The UK is not alone: the European Data Protection Board (EDPB) says many supervisory authorities across Europe have experienced over-reporting too.

With this in mind, does the law need changing… or does the problem lie with our reporting habits?

Current data breach reporting obligations

At present, organisations must report a personal data breach unless it is ‘unlikely’ to result in a ‘risk’ to the rights and freedoms of natural persons.

The key to assessing whether to report to the ICO or not is in the supplementary guidance published by the UK Regulator and at a European level from the European Data Protection Board (previously Article 29 Working Party).

In broad terms, the ICO tells us we need to assess the potential adverse consequences of a breach for individuals, basing this on how serious these are and how likely they are to happen.

There is also helpful guidance specifically aimed at small businesses, which includes examples of incidents that would need to be reported and ones which wouldn’t.

The ICO points us towards EDPB guidance, which expands on how to assess the risks and the consequences we should consider, such as discrimination, identity theft or fraud, financial loss or reputational damage.

Proposal to revise the data breach reporting threshold

A reading of the UK data reform consultation reveals the Government considers the current threshold too low, and proposes raising it.

It also suggests current over-reporting is likely to be driven by organisations fearing the financial and/or reputation repercussions should they be found to have failed to comply with the obligation to report breaches.

This ‘better safe than sorry’ approach, the Government believes, is partly responsible for the significant spike in reporting since GDPR was introduced.

The idea, then, is to change the law so organisations must report a breach ‘unless the risk to individuals is not material’ – so organisations would need to consider materiality when deciding whether to report or not.

The ICO would be encouraged to provide new guidance on what would constitute ‘non-material’ risk, along with examples of what kinds of incident would be reportable and which wouldn’t.

Will this make a difference?

Many organisations are likely to welcome the threshold for reporting being higher. In our recent survey it was one of the most popular reform proposals.

Such a move could potentially both save organisations time, energy and costs, as well as easing the burden on the ICO.

However, in practice, organisations will still be required to assess what might be ‘non-material’ and will still be under the time pressure of having to notify a reportable breach within 72 hours of becoming aware of it.

Is there a danger one type of assessment will just be replaced with another, and businesses will still ‘err on the side of caution’, reporting anyway because they’re under the clock?

Whatever form the assessment takes, organisations will still need to be able to justify any decision not to report.

This also doesn’t necessarily address the issue of organisations reporting because they fear the consequences of failing to comply with the obligation to report breaches. There will still be an obligation to report, and within the same timescale.

I wonder if part of the problem is one of culture and perception. Does there need to be more assurance given to organisations? If they’ve acted in good faith, but are still deemed to have got it wrong, how will that impact on penalties for non-reporting?

There’s a difference between honest mistakes by organisations trying their best, and those who ignore the rules to save time and money.

How the courts are handling data breach claims…

A recent case provides some useful insights into how UK courts deal with claims relating to data breaches. Especially ones where, on the face of it, any risk to individuals seems negligible.

In the High Court case of Rolfe & Ors v Veal Wasbrough Vizards, the defendants were lawyers representing a private school. The case centres on an email regarding outstanding fees incorrectly sent to the wrong recipient. The person who received it immediately highlighted the error and confirmed they’d deleted it.

Nonetheless, the people who should’ve received the email brought a claim for damages for the misuse of confidential information, breach of confidence, negligence and damages under data protection law.

In a clear case of common sense jurisprudence, the Court found no credible case that distress or damage could be proved. It found the claim to be ‘plainly exaggerated’ and the suggestion that the Claimants could have suffered distress or worry was ‘frankly an implausible suggestion’ in the case of a single breach which was quickly remedied.

This case should offer a level of comfort to organisations, should they face low-level data breach claims (possibly facilitated by legal companies chasing post-GDPR data breach claims).

It also reinforces the fact that the ICO doesn’t need to be troubled with minor incidents, which may fall under the definition of a personal data breach, but are highly unlikely to have adverse consequences.

As the saying goes, de minimis non curat lex – ‘the law does not concern itself with trifles’.

Record of Processing Activities: Pros and Cons

October 2021

How important is it to keep robust records of your data?

Should it be mandatory for organisations to maintain a Record of Processing Activities (RoPA)?

One of the areas attracting interest under the UK Government’s proposals to reform UK data laws is a relaxation of the requirements for record keeping.

Under the UK GDPR, organisations are required to document their data processing activities. For businesses of 250 employees or more these records must meet a number of specified requirements. Smaller organisations which carry out special category or ‘high risk’ processing are also required to document these activities.

That’s regardless of whether you’re acting as controller or processor.

The Government is proposing to remove mandatory record keeping requirements.

Yes, you heard that right… the idea is to replace these with a more flexible requirement to maintain records as part of a Privacy Management Programme (PMP). So in effect, records will still be needed, but there may be more flexibility about how you go about it.

Organisations would be able to decide on the right level of detail they need in their own records, taking into account the volume and sensitivity of the personal information they handle.

Therefore, organisations handling simple or fairly routine processing activities could, in theory, keep simpler, less onerous, records of those activities.

Sound like a welcome easing of ‘box ticking’?

Why is record keeping important?

Record keeping is often regarded amongst privacy professionals as one of the most fundamental and necessary requirements of the GDPR.

It requires organisations to map and record the personal data they hold across the organisation, including what personal data assets are used, where it is stored, what it’s used for, who it’s shared with and what measures & controls are in place to protect it.

The problem many organisations face is that creating and maintaining these records (in line with GDPR Article 30 requirements) can be onerous and time consuming.

As data is typically used by many different business functions, the process requires the support of stakeholders across all the business functions that process data.

But once in place, your Record of Processing Activities (or RoPA) can really give you a solid advantage to help you meet some of the most important data protection standards.

Six benefits of robust record keeping

1. Transparency – Getting to grips with your processing activities enables you to create a clear and accurate privacy notice(s). With good records in place, you can be confident you’ve identified all the types of processing which need to be covered in your privacy notices.

2. Individual rights – When you receive a Subject Access Request, your records can really help to locate and access the specific data required to fulfil the request.

3. Risk awareness and management – Knowing and recording your processing activities allows you to properly understand the full breadth and sensitivity of your processing. That’s vital to identify where your privacy and security risks lie, so you can establish your priorities.

4. Fair and lawful processing – Confirming and recording which lawful basis (or bases) you’re using for each processing task enables you to make sure you’re meeting the relevant conditions.

5. Keep track of your data processors – Logging all your processors helps you keep on top of contractual requirements and international data transfers.

6. Data breach – Your records could be very useful if and when you suffer a data breach. They can help you to identify what personal data may have been exposed and how sensitive that data is, helping you quickly conduct a risk assessment and decide how best to act.

OK so there’s many positives, but what are the challenges organisations face trying to comply with the current rules?

Six downsides of the GDPR-based approach to record keeping

1. Complexity – The level of detail required makes the records time consuming to create.

2. Resources – Maintaining records which meet GDPR requirements requires resources and is an on-going challenge.

3. Ownership – The data protection team can’t do this on their own. You are likely to need to appoint people across different business functions to take ownership of maintaining records within their function.

4. One size doesn’t fit all – Organisations all operate differently and are engaged in widely differing processing activities. Some smaller businesses may carry out highly-sensitive activities. Bigger organisations that fall under the mandatory requirement may not. The current ‘standard template’ approach lacks flexibility.

5. Cost – Due to the current level of complexity, some businesses have felt the need to invest in a privacy technology solution to help them create and manage their processing records. So for those businesses there’s a cost consideration.

6. Staying up to date – Left unmanaged your records quickly become outdated and useless.

In Summary…

More flexibility around record keeping would be a practical move, allowing for organisations to adopt a more tailored and proportionate approach.

However, there’s the risk removing mandatory requirements could lead to record keeping ‘falling off the radar’ and data protection teams could get less traction within the business.

We should not ignore the very valuable role which our records can play. If this proposal goes ahead, we should take care not to over-simplify our records too much.

Perhaps a mid-way solution could work – keeping mandatory requirements to maintain records, but removing the prescribed list of what should be in them?

I think the RoPA may well be an area where there is a 50 / 50 split between those who see the benefit of keeping mandatory requirements and those who would appreciate more flexibility.

Privacy Management Programme – what does one look like?

October 2021

The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws.

In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.

It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.

The idea is that a new ‘risk-based accountability framework’ will be introduced, requiring organisations to implement a PMP but allowing flexibility to tailor the programme internally to suit the organisation’s specific processing activities.

What is a Privacy Management Programme?

A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth.

Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.

Core components of a Privacy Management Programme

There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like.

This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.

  • Governance

Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.

  • Assessments

Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).

  • Record-keeping

Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.

  • Policies

Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.

  • Training and awareness

Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.

  • Privacy rights

Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.

  • Protecting personal information

Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.

  • Data incident planning

Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.

  • Monitoring and auditing

Last, but by no means least, no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.

What might change?

To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.

So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme.

On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how to implement their privacy programmes to achieve desired outcomes.

On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).

UK data reform: Data Protection Officers

September 2021

One of the more surprising and thought-provoking proposals in the UK Government’s plans for data regime reform is removing the mandatory requirements surrounding appointing a DPO.

The idea is to replace the DPO with a requirement to designate a suitable individual (or individuals), who would be responsible for a privacy management programme and for overseeing data protection compliance.

Is this a good or risky move?

The Government consultation accepts there may be potential risks in removing mandatory DPO requirements, if this was seen to significantly weaken internal scrutiny. It points out organisations which undertake high risk processing may still choose to appoint someone who performs a similar role.

Who currently falls under the mandatory requirement?

At present, organisations need to appoint a DPO if they are a public authority or body or if their core activities require large scale, regular and systematic monitoring of individuals or consist of large-scale processing of special categories of data, or data relating to criminal convictions and offences. These requirements apply to both controllers and processors.

Most small businesses not involved in high-risk processing have always been out of scope. However some medium sized organisations have been unsure whether they should appoint a DPO or not. The advice given in the past was ‘if in doubt appoint a DPO’.

What key tasks must a DPO currently perform?

The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR. Let’s look at how these could be affected under the new proposal.

  1. Duty to inform and advise the organisation and its employees about their obligations under UK GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations. It’s questionable if a ‘designated individual’ without the obligations to stay close to these laws and guidance would remain so well informed about significant developments which may affect processing and if they would feel empowered to speak up when changes are needed.
  2. Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews and audits, and raising awareness of data protection issues and concerns so they can be tackled effectively. It appears the Government doesn’t want to formalise these responsibilities. Some feel this could lead to a reduction in awareness and understanding of data protection across businesses, and potentially a slipping back in data protection standards across the wider business.
  3. Duty to advise on data protection impact assessments (DPIAs). The proposals also include scrapping the mandatory requirement to conduct DPIAs. Risk assessments for data will continue to be important, but they would not need to be formalised in the way a DPIA is now. Instead, organisations will enjoy greater flexibility around their approach to assessments.
  4. Reporting directly to the highest level of management. So who will the designated individual report to? Could they become siloed within a specialist function (such as IT or Marketing), leading to a change of focus? Current law and guidance highlight the potential conflict of interest between operating within a specialist function and the impartiality required to perform DPO tasks (Article 38). Is there a risk the level of oversight of data protection matters by the Board could be diminished?
  5. Autonomy. Under the GDPR, a DPO must not receive any instructions regarding the exercise of his/her duties: therefore they currently need a high degree of autonomy. The GDPR also states a DPO cannot be dismissed or penalised for performing his or her duties. It looks likely autonomy will reduce under these proposals.
  6. Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO. It seems logical the designated individual would continue to fulfil these roles, but would it be mandatory?

What do people think?

We’ve gathered the views of some key people on whether the DPO role should be scrapped or not:

“The role of the DPO is an essential part of ensuring compliance and the UK GDPR is clear that a DPO is only a mandatory requirement in certain circumstances, particularly where the processing of personal data involves large scale processing of sensitive data. To remove this requirement weakens accountability. It creates even more uncertainty than there is now. To suggest that the need for a DPO is a burden on SMEs is a red herring as most SMEs do not have to have a DPO.”
Robert Bond – Senior Counsel, Bristows Law Firm

“The proposals are not a massive change on the substance and practice of the DPO role. Changes might come to the employment protections the DPO currently enjoys, but in managing the privacy programme, many of the activities that the DPO completes in Art. 39 (Tasks of the DPO) will be broadly the same. Where things might differ is the requirements in Art. 37 (Designation of the DPO) and 38 (Position of the DPO), particularly when it comes to resources, instructions and independence. I am not convinced these were all implemented to the letter of the law already, but they might not be explicit requirements.

I think the biggest impact will be DPO as a service. But for the in-house DPO, they will take on the management of the privacy programme and the world will keep turning.”
Stephen McCartney – Data Protection Officer, Simply Business

“We welcome the consultation to ensure legislation surrounding data protection continues to be appropriate. An area being considered is no longer requiring a mandatory Data Protection Officer to be in role. For us having a dedicated individual at a suitable level helps with overall ownership and accountability. Although we are not at the size to have a dedicated DPO in place, having someone who as part of their role can lead the development and oversight is important and I worry there could be a lack of consistency applied across firms with how they apply the ‘suitable individual’ and would they be at the required seniority in the business or have the ability to influence required changes to systems and controls.”
David Mollison – Chief Risk Officer, Monmouthshire Building Society

“I’m highly sceptical about the government’s proposals. Simplification is a laudable ambition, but removing the mandatory requirement to appoint a DPO risks removing the clear accountability that the role is intended to provide – and which is an essential foundation for data protection. The government says some organisations, particularly smaller ones, “may struggle to appoint an individual with the requisite skills who is sufficiently independent.” It’s unclear how the proposal to designate “a suitable individual” helps solve this problem and avoids weakening internal scrutiny, which the government itself highlights as a risk.”
Martin Turner, Managing Director, Full Frame Technology

It’s going to be fascinating to see how matters progress. It all makes me think of another quote – ‘May you live in interesting times!’.

Data Retention: Tips and Techniques

We know we should only keep personal data for as long as we need it, then destroy it. It sounds simple, so why do so many organisations struggle with it?

GDPR may have come into force three years ago, but organisations have actually now had five years since the GDPR text was finalised in 2016 to get their house in order. Yet data retention still remains a challenge.

It’s not surprising. The list of personal data we hold can be extensive including the data of employees, customers, clients, website visitors and also perhaps supporters, enquirers and so on. This breadth of personal data may be used in many different ways for a wide variety of purposes.

Data retention is nuanced and complex. We can’t just apply a blanket retention period for everything. It requires a granular, considered and flexible approach. How long we should keep data depends on the purposes we need it for.

Some data may only be necessary for a very short period, for example, cookie session data. This should be deleted as soon as the browsing session ends. But other data is needed for far longer, such as employment records.

Organisations need sound policies and practices in place to govern data retention, to make sure they comply with legal requirements.

It also makes sense from a business perspective; robust data retention means less data to disclose (and explain) in response to a Subject Access Request and less data to worry about (and explain) in the event of a data breach.

So how should you tackle this in practice?

Let us help!

In brief, here are some key steps you can take.

1. Understand the risks
Keeping personal data too long, or indeed not keeping it long enough, could present risks. So first understand what your risks look like – such as legal, security, commercial and reputational risks.

2. Make a positive start
It’s vital to understand the personal data you process and the varied purposes it’s used for. Do you have all this information documented? Many organisations will refer to their Records of Processing Activities (RoPA). But if you don’t currently have accurate and up-to-date records, then it’s wise to map your data flows and create a central log of your processing activities.

3. Deciding on retention periods
When deciding how long to keep certain types of data, bear in mind that there are statutory retention requirements for certain types of record which you need to be aware of. Perhaps the most obvious example is the retention of employment data.

Where laws don’t define how long you should keep data, you need to make balanced, justifiable decisions on how long you genuinely need the data and therefore what the retention period should be.

4. Controllers, processors and sub-processors
Most businesses outsource some of their data processing to suppliers (processors). As a controller, you need to tell your processors how long they must keep the personal data you share with them, and what they must do with it at the end of that period (return it or delete it), and make sure this is covered in your contracts with suppliers.

5. Creating a data retention policy and schedule
A data retention policy should say what you need to do to comply and the schedule confirms the specific retention periods.
The best tip here is to try to keep it simple. Get your colleagues involved so they can help make decisions regarding the data they process in their teams. Tell people why this is important and make sure they know the role they play.

6. Actions when the retention period is reached
What will you do when you reach the retention period? Firstly you should check to make sure there’s no genuine reason you still need to retain the data for longer, such as under legal hold. If not, then in most cases you may choose to destroy the data.

However in some situations you might wish to anonymise it. For example, you may choose to keep aggregated (non-personal) data for management information purposes.

7. Implementation of data retention periods
Think about the best way to gain support from your senior leadership team, to make sure you get traction across the organisation. There’s no point updating your retention policy and schedule if everyone ignores it!

Make sure you have agreed who makes the final retention decisions. It’s also important to build in some flexibility, as circumstances may change.
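To show how steps 3 to 6 fit together once they leave the policy document, here is an added example (not from the original article) of a small retention run: a schedule maps each category of record to a retention period and an end-of-life action, records on legal hold are skipped regardless of age, records past their period are deleted or stripped of identifying fields, and a record with no documented rule is refused rather than guessed at. The categories, periods, field names and sample records are constructed for the illustration and are not a legal schedule.

```python
"""Apply a data retention schedule to a set of records.

Illustrative example, not code from the original article. The categories,
retention periods and record fields below are assumptions for the demo,
not legal advice on how long anything must be kept.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    category: str
    keep_for: timedelta
    action: str  # "delete" or "anonymise" once the period is reached


# Hypothetical schedule (step 5): one rule per category of personal data.
SCHEDULE = {
    "web_enquiry": RetentionRule("web_enquiry", timedelta(days=180), "delete"),
    "customer_order": RetentionRule("customer_order", timedelta(days=6 * 365), "anonymise"),
    "employee_record": RetentionRule("employee_record", timedelta(days=6 * 365), "delete"),
}

# Fields that identify a person. When anonymising, these and the record id
# are dropped; whatever remains must be reviewed for re-identification risk.
PERSONAL_FIELDS = {"name", "email", "postal_address", "phone", "payroll_no"}


def apply_retention(records, schedule, legal_holds, today):
    """Return (kept, anonymised, deleted_ids) for one retention run."""
    kept, anonymised, deleted = [], [], []
    for rec in records:
        rule = schedule.get(rec["category"])
        if rule is None:
            # Steps 2 and 3: every category needs a documented rule.
            # Surface the gap instead of silently keeping or deleting.
            raise ValueError(f"no retention rule for category {rec['category']!r}")
        expiry = rec["created"] + rule.keep_for
        if today < expiry or rec["id"] in legal_holds:
            # Step 6: not yet due, or a legal hold overrides the schedule.
            kept.append(rec)
        elif rule.action == "anonymise":
            # Keep only non-identifying fields for management information.
            anon = {k: v for k, v in rec.items()
                    if k not in PERSONAL_FIELDS and k != "id"}
            anon["anonymised"] = True
            anonymised.append(anon)
        else:
            deleted.append(rec["id"])
    return kept, anonymised, deleted


# Constructed sample records for the demo.
CONSTRUCTED_RECORDS = [
    {"id": "enq-1", "category": "web_enquiry", "created": date(2020, 1, 10),
     "name": "A Person", "email": "a@example.com", "topic": "pricing"},
    {"id": "enq-2", "category": "web_enquiry", "created": date(2021, 5, 1),
     "name": "B Person", "email": "b@example.com", "topic": "support"},
    {"id": "ord-1", "category": "customer_order", "created": date(2014, 3, 3),
     "name": "C Person", "postal_address": "1 High St", "order_total": 120.0},
    {"id": "emp-1", "category": "employee_record", "created": date(2010, 6, 1),
     "name": "D Person", "email": "d@example.com", "payroll_no": "P-77"},
]


def run_example(today=date(2021, 6, 1)):
    """Run the schedule against the sample records with one legal hold."""
    legal_holds = {"emp-1"}  # e.g. an employment tribunal claim in progress
    return apply_retention(CONSTRUCTED_RECORDS, SCHEDULE, legal_holds, today)


if __name__ == "__main__":
    kept, anonymised, deleted = run_example()
    print("kept:", [r["id"] for r in kept])
    print("anonymised:", anonymised)
    print("deleted:", deleted)
```

Run as-is and the expired enquiry is deleted, the old order survives only as an anonymised total, the employee record is retained because of the hold, and the recent enquiry is untouched. The point of the ValueError is step 2: a category that is missing from the schedule is a gap in your RoPA, and the safest response is to stop and fix the schedule, not to let unknown data fall through.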

Are we sharing more data than ever before?

May 2021

During lockdown and the subsequent gradual re-opening, there’s been a significant increase in the number of online forms we have to fill in.

Going out for dinner, entering a pub, getting your Covid vaccination, health forms for osteopaths, forms for dentists, hairdresser appointments forms – the list goes on.

The fact is everywhere we go right now seems to involve filling in an online form. And sometimes this includes collecting sensitive health-related information.

Inevitably all these forms are online, to save us catching the lurgy from pencils, pens or pieces of paper!

As collectors and consumers of these forms what should we be concerned about?

1. What data is being collected? It should be limited to what is needed to do the job and no more!

2. Why’s it needed? It should be clearly explained to the customer, event attendee, patient (and so on) why this information is required.

3. How long will it be kept? If visiting the pub, it will only be needed for NHS Test and Trace purposes, so should be securely deleted after 21 days (under the guidelines for England). If it’s a trip to the dentist, is it clear whether or not this information is being added to your health file?

4. What will it be used for? In certain obvious instances data will be collected for health screening purposes. The key question is to establish whether there’s any reason to retain the information after the check-in moment.

5. What other purposes is data collected for? Often pubs or restaurants may ask people to register with their app for table service. As part of this service there may be a request to create an account. Any marketing permissions should be separate and should not be a condition of registering.

6. What privacy notices are displayed? It should be easy to access further privacy information.

7. Is the form secure? Many organisations, especially smaller ones such as beauticians and hairdressers, are likely to be using a third party’s software to create the form. Such providers should be subject to a level of scrutiny. Remember the Typeform data breach in 2018? In that case an attacker gained access to a partial backup of survey response data, so the personal data collected by many of Typeform’s clients from their own customers was exposed.

In addition to the above, there’s also the scanning of the Government app QR codes. After a couple of false starts, the NHS app is starting to look like a useful resource. It will store Covid test results, a record of vaccinations, as well as other test and trace information. Is it clear how long this is kept for and under what lawful basis?

What about data sharing? The government has been free with public interest as their lawful basis for collecting and sharing data. We have no idea how much has been shared and also no real idea as to how useful this sharing has been.

In conclusion, the pandemic has been extremely good cover for an explosion in data capture and, given the public health card has been played so many times, no-one really knows how much data is being retained.


Data protection team over-stretched? Get in touch to find out more about how we can help with no-nonsense, practical privacy advice and support. Contact us

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how we use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).
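The “list-based” tools discussed above work by uploading a hashed version of data you already hold. This is worth seeing concretely, because hashing is pseudonymisation, not anonymisation: anyone who holds the same email address can recompute the hash and tell whether that person is on your list. The example below (added here, not from the original article or any platform’s SDK) builds such a list and applies the two suppressions the ICO text requires: people who have objected to direct marketing are always excluded, and, if you decide consent is your lawful basis, anyone without a recorded consent is excluded too. Facebook’s Custom Audiences documentation specifies SHA-256 over a trimmed, lower-cased email; this example assumes the same convention for any platform, and the contact records and consent flag are constructed for the demo.

```python
"""Build a hashed 'list-based' audience upload with suppressions applied.

Illustrative example, not from the original article or a platform SDK.
Assumes the platform matches SHA-256 of the normalised (trimmed, lower-case)
email address, as Facebook Custom Audiences documents. Contacts and the
'marketing_consent' flag are constructed sample data.
"""
import hashlib


def normalise_email(email: str) -> str:
    """Normalise so that 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Pseudonymise one address; the same input always gives the same hash."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def build_audience(contacts, objected, consent_required=False):
    """Return (sorted list of hashes to upload, number of contacts suppressed).

    contacts: dicts with 'email' and optionally 'marketing_consent' (bool).
    objected: emails of people who have objected to direct marketing; they are
              never uploaded, whatever lawful basis you rely on.
    consent_required: True if relying on consent rather than legitimate interests.
    """
    objected_norm = {normalise_email(e) for e in objected}
    hashes, suppressed = set(), 0
    for contact in contacts:
        email = normalise_email(contact["email"])
        if email in objected_norm:
            suppressed += 1  # right to object overrides everything
            continue
        if consent_required and not contact.get("marketing_consent", False):
            suppressed += 1  # no recorded consent, so not on a consent-based list
            continue
        hashes.add(hash_email(email))  # set: duplicates collapse after normalisation
    return sorted(hashes), suppressed


def is_in_audience(email: str, uploaded_hashes) -> bool:
    """Shows why this is pseudonymised, not anonymous: anyone holding the
    plaintext email (the platform, or a leaked list's recipient) can recompute
    the hash and test for membership."""
    return hash_email(email) in set(uploaded_hashes)


# Constructed sample data for the demo.
CONSTRUCTED_CONTACTS = [
    {"email": "Alice@Example.com", "marketing_consent": True},
    {"email": "alice@example.com ", "marketing_consent": True},  # same person
    {"email": "bob@example.com", "marketing_consent": False},
    {"email": "carol@example.com", "marketing_consent": True},
]
CONSTRUCTED_OBJECTIONS = {"Carol@example.com"}  # has objected to direct marketing


def run_example():
    """Return the upload lists under legitimate interests and under consent."""
    li_hashes, li_suppressed = build_audience(
        CONSTRUCTED_CONTACTS, CONSTRUCTED_OBJECTIONS, consent_required=False)
    consent_hashes, consent_suppressed = build_audience(
        CONSTRUCTED_CONTACTS, CONSTRUCTED_OBJECTIONS, consent_required=True)
    return {
        "li": (li_hashes, li_suppressed),
        "consent": (consent_hashes, consent_suppressed),
    }


if __name__ == "__main__":
    result = run_example()
    print("legitimate interests upload:", result["li"])
    print("consent-only upload:", result["consent"])
    print("alice matched:", is_in_audience("ALICE@example.com", result["li"][0]))
```

Under legitimate interests the upload contains two hashes (Alice once, Bob) with Carol suppressed for her objection; switching to consent drops Bob as well. Either way, the objection check runs first and independently of the lawful basis, which is the one point the draft Code is unambiguous about.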

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDPB) suggests in its August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain the three conditions that must be met for Legitimate Interests to apply:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that the CJEU has previously specified that, in a situation of joint controllership (as there might be with a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trailblazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA):

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media.  We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued people nowadays expect to see relevant advertising when they browse social media, and that ads which are relevant to their interests have got to be better than untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, inappropriate or unlawful ways, especially where individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit your interests and other categories used by advertisers to reach you
  • find out who’s targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products and services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer or supporter complaints which might arise from social media targeting, since if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information. Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!


If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch – Contact Us