If you process personal data about employees, customers or indeed anyone, you must take steps (known as organisational and technical measures) to keep it safe, i.e. confidential, protected from loss or damage, and available for use when needed.
However, despite your efforts, there may well come a time when you suffer a personal data breach. It’s important to recognise when a breach has occurred and to know what to do.
GDPR defines a breach as “a breach of [your] security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Some examples are:
Sending an email containing someone’s personal information to the wrong person.
Leaving someone’s personal information on a photocopier where other people can see it.
Leaving a voice mail containing personal information about someone with the wrong person.
Losing an unencrypted computer.
Losing access to personal data following a ransomware attack.
A file of papers going up in flames or being destroyed by flood.
Selling on a computer without properly erasing what personal data is on the hard drive.
Hackers gaining access to the HR part of your computer network.
All breaches should be documented, but not all need reporting to the Information Commissioner’s Office (‘ICO’) or to the individual whose data it is. You need to look at the level of risk of harm to the individual as a result of the breach of security. If you do need to report, you must do so without delay and no later than 72 hours from discovery of the breach.
If you fail to report to the ICO, or to notify the individual, when you ought to, you can be fined by the ICO.
Even if you do report, you may still be fined, although it is more likely that you will be told to improve your security practices and how to do so. If you keep having breaches, the ICO may decide to pay you a visit to conduct a security audit.
Breaches and ICO audits are a pain (although with audits some good can come of them).
If you need help to avoid a breach or you have had one contact me.
Data protection within a business is often seen as somebody’s secondary role, usually the HR department, and a role that hasn’t been taken seriously.
Indeed, historically, many companies have seen it more as a hindrance to a company’s day-to-day running, and compliance has often been lax.
However, it’s a serious issue, and the bringing into law of GDPR brought this home to many as suddenly there was real legal clout behind the regulations – and rightly so.
As more and more people’s data gets harvested and stored by companies small and large, it becomes ever more critical that it’s handled securely and sensitively.
Spreadsheets, files and documents are easily shared within an office and indeed the rest of the company, but does anyone know exactly what’s in that data and who has access?
The ability to store vast amounts of information on extremely cheap devices such as USB memory sticks makes the problem even more significant. These devices are easily left lying around and can, therefore, be picked up and carried away.
I’m sure I’m not the only one to receive a report that an unencrypted USB containing personal information was put in a backpack which was then lost.
Data protection and the hype
Of course, a few high profile data leaks were plastered all over the news which brought the whole data protection situation into focus.
With people’s sensitive data being left on trains, or accessible via websites for all to see, people suddenly started to notice. The downside to this was that everyone had an opinion on what was and was not personal data, and what companies should be doing about it.
Companies of all sizes were being told they needed to register with the Information Commissioner’s Office (ICO) and employ a Data Protection Officer or they could end up being fined – or worse.
However, the ICO has made it clear which companies need to go to the expense of a Data Protection Officer (or “DPO”), and luckily, many small businesses don’t need to employ one.
What companies need to employ a Data Protection Officer?
Now, even though the definitions seem pretty straightforward, they are, of course, open to interpretation and might need a bit of clarification.
First of all, then, let’s look at what the ICO says (also available on our DPO page):
The ICO states that you must appoint a DPO if:
you are a public authority, or,
your core activities consist of processing requiring regular and systematic monitoring [such as CCTV or profiling] of people on a large scale, or,
your core activities consist of processing on a large scale of special category data or criminal offence data.
Special category data is that about people’s race, ethnicity, political opinions, health, sexual orientation etc.
Criminal offence data is that about whether someone has committed a crime right through to the outcome of any prosecution.
The problem here is the language.
What does “large scale” mean?
The ICO doesn’t give any concrete detail on this (for good reason), so it’s up to the organisation to consider its use of data and whether it would consider it to be large scale.
When deciding if a DPO is needed, the type of data, the amount of data being used and what is being done with it should all be considered.
For example, if you have an eBay store selling second-hand goods, it’s likely the data you collect isn’t going to require you to appoint a DPO.
When someone buys from you, you’ll need their name, email and address. You certainly don’t need their gender, ethnicity or date of birth.
And when the transaction is complete, you send the invoice, and you’re done with them.
This sort of data can’t be classed as special category, and there’s probably not much of it, either.
However, an online store such as Amazon is a different matter.
Companies like this collect a lot of data and actively use it in their marketing. They use profiling software to analyse their customers’ behaviour, which is why you get emails out of the blue just as you realise you have nearly used up that face cream you bought from them.
This would satisfy the “profiling” aspect of the rules.
Types of data
Of course, data isn’t just digital bits and bytes.
As the regulations point out, CCTV data can also contain sensitive information, for obvious reasons.
And, of course, printed documentation is often ignored. If you have customer information, profiles on them and financial data printed out, this also needs to be controlled, and you’ll probably need a DPO.
We’ve left the easiest one till last because you should know whether you’re a public authority or not! If you don’t know, the Data Protection Act will tell you.
However, if you carry out tasks in the public interest, and are paid by the taxpayer, you’re probably a public authority.
If you’re a public authority, you need a DPO.
If you handle large amounts of special category or criminal offence data, then you may need one.
If you are involved in large-scale monitoring of people, you may need one.
If you’re an online store merely fulfilling orders, you probably don’t need one.
If you’re at all in doubt about whether you should hire a DPO, you should, of course, seek advice, and you can contact us or call us on: 07397 943394.
This blog is limited to overt surveillance (that is, surveillance that employees know is happening).
If an employer collects or generates any personal data (‘information’) about an employee, then they have to do so in accordance with data protection law. This means complying with the six (seven if you include accountability) principles of data protection:
Ensure they have a legal ground to collect, store, consider, share, and generally make use of the information
Ensure that what is done with the information is within the reasonable expectation of the employees
Ensure employees know what is happening with their information
Use the information for legitimate purposes
Ensure that they collect the right information and enough of it, but not too much
Ensure that what they collect and deal with is accurate, and kept up to date
Ensure they do not keep it for longer than needed
Ensure that it is kept confidential and that steps are taken to prevent loss or damage and to ensure it is available for use when needed.
I’ll now expand upon the key points.
How can we do it legally?
Employees cannot consent to surveillance, as consent requires a free, take-it-or-leave-it choice. I would imagine that most employees would feel obliged to agree to surveillance, which isn’t consent.
As such, the legal ground is likely to be that the surveillance is necessary to perform the employment contract, or that it is necessary in the legitimate interests of the employer to know what their employees are doing.
Whatever ground is relied upon, it is good practice, and indeed may be a legal requirement, to undertake a Data Protection Impact Assessment before any surveillance takes place. This will oblige an employer to set out what they are trying to achieve by the surveillance, whether the type of surveillance proposed is in fact necessary, and whether it is also what the law refers to as “proportionate”. It will also address risks to the privacy of the employees and inform the employer as to whether the surveillance ought to go ahead and, if so, what should be done to minimise the risk of any privacy harms.
How do we tell employees we are conducting surveillance?
With a Privacy Notice. All of the purposes of processing the personal data (including any potential disciplinary action) should be clear, and the lawful ground for doing what the employer proposes to do should be set out. If information is to be shared with anyone, this should also be set out. This notice should be given before any processing takes place.
What should we collect and how much?
Employers need to think about what they are trying to achieve by surveillance. They need to think about what information they need to achieve the purpose and collect no more than is needed.
How long can an employer keep the information?
It depends on what the information is collected or generated for. As soon as an employer has achieved the purpose and no longer needs it, it should be erased or destroyed.
What about security?
An employer should look at what information they are processing and how they do so. How is it being stored or shared? An employer should look at what threats to confidentiality or integrity there might be (only those who need to see personal data should do so), and at how it might be lost or damaged or its availability affected. They should also consider how likely that is to occur and, if it does, what the consequences for the employee might be. Having weighed this up, appropriate organisational and technical measures to address the risk should be taken.
Can employees see what an employer collects?
Yes. Unless an exemption applies (for which see the Data Protection Act 2018), an employee is entitled to a copy of any information that relates to them, as well as other information such as why it has been processed, who it has been shared with, etc. This is known as the right of access.
Whenever an organisation (this could be a business, charity, school etc.) shares personal data externally, it is deemed to be ‘processing’ it. This means (let’s stick to ordinary personal data for the purpose of this blog) that there has to be a legal ground to do so.
How do we do that?
There are 6 grounds on which personal data (information that relates to an identified or identifiable living individual) can potentially be processed.
The individual has given their consent. The UK GDPR has a particular definition of what constitutes consent: it has to be freely given, a take-it-or-leave-it choice. A typical example might be marketing. Someone knows what they will be sent by an organisation and they tick a box to say they agree.
Sharing is necessary for the performance of a contract to which the individual is party, or in order to take steps at their request prior to entering into a contract. Think of buying something online. The retailer may pass your name and address on to a delivery company so that the goods can be transported to you.
Sharing is a legal requirement, such as the duty of organisations working in the regulated sector to make ‘Suspicious [money laundering or terrorist financing] Activity Reports’.
There is a need to share to protect an individual’s vital interests, or those of another. This covers life-and-death situations. Think of someone who says they are going to jump from a bridge. A concerned organisation may pass on that information to the Police.
Sharing is necessary as part of a public task or as part of an organisation’s official authority. Many public sector organisations routinely share information, for instance under the National Fraud Initiative.
Sharing is necessary to meet the legitimate interests of an organisation or of a third party. An example would be where the Police, engaged in a criminal investigation, contact an organisation to ask for information about an individual who has relevance to the inquiry. This ground requires the sharing party to consider the impact on the privacy of the individual if the information were to be shared. Documenting this exercise by completing a Legitimate Interests Assessment form is good practice.
Organisations that process personal data should, by now, have a Record of Processing Activities which sets out what personal data they share, about whom, with whom, and what the legal basis (or bases) for doing so is. This is what the UK GDPR refers to as ‘accountability’.
Is that all there is to it?
As well as having a legal ground to share information, an organisation should do so fairly and transparently. An individual shouldn’t be surprised that their information has been shared with a third party (although there are circumstances when personal data can be shared without the knowledge of the individual). Indeed, any recipients of an individual’s personal data should be listed on the Privacy Notice given to the individual.
There are other principles that relate to the sharing (‘processing’) of personal data. The key ones are that you should only share the minimum amount of personal data you need to share in order to achieve the purpose of sharing, and that what is shared is accurate and up to date. Also, the organisation sharing has to take appropriate measures to keep the personal data confidential when sharing and to ensure it is not lost or damaged whilst doing so.
The Information Commissioner’s Office recently [December 2020] issued a Code of Practice in relation to data sharing. That Office will look at what the code says when deciding if the person sharing has complied with their obligations under the law. It focuses on Independent Controller (those who individually determine what is done with data and how it is processed) to Independent Controller sharing, and on Joint Controller (where two or more determine what is to be done and how) situations.
Some sharing is routine. In these situations, it is wise (and in Joint Controller situations a legal requirement) to have a Data Sharing Agreement. This is, as it sounds, an agreement setting out the purposes of the sharing and the respective obligations of the parties in respect of the personal data. It also sets out who will be responsible for dealing with any requests by individuals seeking to exercise their data protection rights, such as to secure access to their data or to have it erased. The code provides more information as to what should be in a Data Sharing Agreement.
In one-off situations it is wise to document the process by requiring organisations who want the personal data to set out what they want and why they want it. The other party can then consider the request and, whatever the decision, record it and the reasoning behind it. This will be useful if the ICO ever investigates a complaint made by an individual about data sharing.
The ICO recommends that if you plan to share information, you undertake a Data Protection Impact Assessment (‘DPIA’). This should be done before any final decision to share. The law sets out when one is legally required: when there is a high risk of harm to an individual (or individuals) from the proposed processing (sharing).
The ICO recommends that a DPIA be carried out even if not legally required. A DPIA is a way of identifying what might go wrong, privacy-wise, when data is shared, the likelihood of it occurring, the harm that might result and, if it did, how severe it would be. Knowing the risks, the parties involved in the sharing can then work to put in measures to do away with the risk or to reduce it to an acceptable level.
The code provides a handy checklist to go through when considering sharing personal data.
Think carefully before you share personal data. Get it wrong and you could face an ICO investigation, claims by harmed individuals for compensation, and damage to reputation.
As of 1 January this year, UK law that is concerned with the security of personal data (and what happens when things go wrong) is contained within the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. The law is concerned with personal data: any information that relates to an identified or identifiable living individual.
If a Data Controller (someone who determines what is done with personal data and how it is dealt with) or Data Processor (someone who processes personal data on behalf of a Controller) fails to comply with the law (and there are lots of compliance obligations), then the Information Commissioner’s Office (‘ICO’) may take enforcement action against them. In the most serious cases this can result in a fine.
Affected individuals, known as ‘data subjects’, can also seek compensation for any harm that they suffer. There will also likely be reputational damage if a failure to comply with the law becomes public knowledge, as well as a loss of organisational time spent dealing with issues and putting matters right.
However, information is a wider term than mere personal data. It includes personal data but will also include things such as intellectual property, corporate financial information, business plans or research.
Information security seeks to ensure that all information (that actually needs securing) whether that be in electronic or in hard copy form is secured.
On the other hand, data protection is about how to handle personal data in accordance with the data protection laws i.e., how to lawfully process personal data, how to secure valid consent, the data protection rights of individuals, the need for contracts, when to undertake a Data Protection Impact Assessment, how to transfer personal data overseas etc.
The disciplines do overlap as the UK GDPR places an obligation on a Data Controller (anyone who employs staff or has individuals as customers or schools or membership organisations and so on) to process personal data in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. A Data Controller must protect using appropriate technical or organisational measures.
The UK GDPR does not tell a Data Controller what technical (or organisational) measures are appropriate. This is because security is not a ‘one size fits all’ exercise. Every organisation that processes personal data is different, and it is for the organisation to assess risk and to decide what is appropriate.
What is appropriate requires an assessment of what types of personal data are processed by the organisation and their sensitivity and criticality to the organisation. Regard should be had to how the personal data is processed and what could ‘go wrong’. Any vulnerabilities in existence and threats to the personal data should be identified, as well as the likelihood of any threat materialising and, if it did, the impact upon the individuals concerned. Cost of implementation also plays a part.
Having weighed all of the above up, what is appropriate to protect the personal data (and to restore availability and access to it in the event of an incident) can be determined.
For technical measures, a cyber security specialist can assist. Organisational measures include staff training and policies, procedures, and guidance as to what to do/ not do.
A failure to have appropriate information security impacts upon data protection as the law is concerned with the privacy of individuals. If there is unauthorised access to or disclosure of personal data or it is lost or damaged in some way then this impacts upon privacy and may cause harm to individuals.
The following specific UK GDPR obligations also have a bearing on information (personal data) security:
1) only collecting (and thus securing) what personal data is needed, collecting the right data, ensuring it is not kept for longer than needed and, of course, maintaining Confidentiality, Integrity and Availability;
3) the need for Privacy by Design, i.e. considering security and how it ensures privacy at the design stage, before any processing gets underway;
4) the need to undertake Data Protection Impact Assessments in certain circumstances; these can be used to identify risks to personal data and to identify appropriate control measures;
5) the need for documented agreements when two or more controllers work together, to focus the minds of the parties on their obligations and on security;
6) the need to undertake security due diligence on data processors, the right to inspect them, and the need for contracts;
8) when things go wrong: assessing the risk of harm to individuals, potentially notifying the ICO, communicating with affected individuals and dealing with any investigation by the ICO.