Thursday, 4 July 2013

What’s the public sector got to worry about next?

A senior local authority executive(not from Hackney, who’s town hall appears in today’s image) has recently realised that data protection is important and, as he was in charge of it, he had asked a friend of mine to develop a presentation on what he ought to be thinking about. So, my friend set about creating a short list of the main data protection issues that face the public sector over the next year. I was asked to review the list. 

It included:

  • preparing for the new EU Data Protection Regulation (assuming it is ratified soon); 
  • data sharing and anonymisation of data;
  • improving proactive disclosure under FoI (given that the ICO is developing the publication schemes);  and
  • addressing data security issues in relation to Bring Your Own Device, home working,  and cyber-crime.

It was a good start. What could I add?

Well, if you’ve just got ten minutes facetime with a senior bod, there’s not a lot of point going into  a great deal of detail. The trick is to use a couple of soundbites as hooks to engage the senior executive to the extent that they actually ask for a paper which develops the issues that are of concern. 

Given the current level of uncertainty about whether there will be an EU Data Protection Regulation (let alone what might be in it), I suggested that he need not spend too much time on this issue. 

In an ideal world, and if our sterling squad of national data protection negotiators  from their offices in Petty France have their way, the UK will be faced with legal requirements that public authorities will actually be able to afford to implement. Hurrah! Our ace team of brilliant officials over at the Ministry of Justice will present the compliance bill to their chums at the Department of Communities and Local Government, who will be so overjoyed at the (low) cost to local authorities that the Chief MoJ Negotiator will be carried shoulder high from Petty France to Westminster Bridge, where he will be tossed into the River Thames to celebrate his success.

In a less than ideal world, where an EU measure is passed and where the a compliance bill is unacceptably high, I predict that a baying mob of the same officials will drag the Chief MoJ Negotiator from Petty France to Westminster Bridge, where he will be tossed into the Thames, anyway.

Returning to the topic in hand, I suggested that my chum add a couple of new points to spice up his presentation.

First, I suggested he mention how hard it will continue to be to design and implement an information governance / compliance programme when the public sector is undergoing so much change. It’s awfully diffcult, for example, to carry out privacy impact assessments when local authorities are so busy working out new models of joint service provision. Who knows who will be doing what and with what safeguards? When new institutions are created to take over the role of established organisations (particularly in the health sector) who will know in advance  what data sharing agreements may need to cease or be re-written? Crucially, if certain members of staff are under notice of possible redundancy, it’s not at all clear how the appropriate data sharing agreements can be drafted before the new institutions have to assume their responsibilities, because the relevant people aren't in place.

Second, I suggested he mention the difficulties of managing these issues effectively when local authority budgets are so tight. Who has the resources to carry out (or commission) decent privacy impact assessments, for example, especially when so few people outside the data protection community have ever heard of them, let alone (inside the community) know how to do one?

Third, and before the senior executive loses concentration completely, I suggested he should end the presentation by asking who should be accountable for the decisions that might need to be taken which result in the public authority being incapable of demonstrating that it has taken appropriate measures to safeguard personal data.  And how should this senior executive liaise with the ICO's enforcement team when reporting data breaches that occurred because they would not sign off the funding that was required to build and maintain the measures and systems that would have better safeguarded personal data.

If that doesn’t prompt the executive to request a more detailed paper on the relevant issues, then I’m not sure what might.