Event report: public sector data protection
Holyrood Public Sector Data Protection conference - Image credit: Holyrood
There has been a cultural shift in data protection in the wake of the implementation of GDPR, but has it been a shift to a culture of fear?
Holyrood’s Public Sector Data Protection conference took place just a day after Morrisons lost a challenge to a ruling that the supermarket chain was liable for a data breach that saw thousands of employee details leaked online.
In the first data leak class action in the UK, Morrisons will now appeal to the Supreme Court to prevent a situation where up to 100,000 employees could seek compensation.
The security breach took place in 2014, years before the introduction of GDPR, when an employee posted all payroll data online and sent it to newspapers.
Information compliance officers everywhere may have reassured staff that GDPR has not led to heavy-handed enforcement from the regulator, the Information Commissioner’s Office (ICO), but might this ruling redirect that fear towards litigation instead?
In other words, are data subjects more empowered to take matters into their own hands after a data breach?
Solicitor Paul Motion said: “I thought one of the most surprising parts of the Morrisons appeal judgement was the final paragraph, where the Court of Appeal said, ‘Well, you can insure against these things anyway’. I thought, ‘wow’.”
He said he had been advising clients to think about cyber insurance “for months”.
GDPR has led to much more awareness that people can report breaches and seek damages.
Maureen Falconer of the ICO said reports of data protection breaches had increased by 400 per cent since the new regulations came into force.
However, the sharp rise in reports and data requests didn’t necessarily mean there were more breaches actually happening, she added, and this was echoed by various speakers and delegates.
Awareness has also grown sharply, even among those with the responsibility for ensuring data security.
Motion’s firm, BTO Solicitors LLP, wasn’t the only organisation to emerge from GDPR with a new understanding of the sheer volume of data and data processes it handles.
Helen Findlay, head of information assurance and risk at the Scottish Government, said civil servants had been on a similar journey.
Government departments, she said, found that the number of information assets they had identified doubled, from 1,000 to 2,000, after GDPR implementation.
Findlay’s department had had to “spend a lot of time myth-busting” after discovering key areas of GDPR “were not widely understood”.
The cultural shift to “privacy by design”, where approaches to data protection are embedded into systems from an early stage, has come a long way in the public sector, she said.
“Moving forward, what I think we’re seeing is a revisiting of historical risks,” said Glasgow City Council’s head of information governance, Dr Kenneth Meechan.
“The big bang is in one sense over, and now we’re getting on with the business as usual.
“We’re looking at things we’ve always done one way and asking, with a GDPR hat on, ‘do we want to keep on doing it this way?’”
Findlay agreed. “We’re still doing what we’re doing, but we’re doing much greater volumes of it,” she said.
Alex Cash, global privacy engineer at OneTrust, said there had been “panic, chaos and misunderstanding” as GDPR approached, leading to a “mad dash or scramble” to increase knowledge on privacy.
This has led to a “prioritisation approach”, he said, which has shifted from concentrating on what needs to be documented under Article 30 of GDPR (the records of processing activities) to “data subject rights and consent management”.
One of the cultural changes experienced by the public sector is a shift from asking for consent to use data towards explaining how data will be used.
Ultimately, when it comes to public services, people often do not have a choice about whether their data will be used.
Asma Ali, data protection officer and solicitor at Police Scotland, said it had been “a difficult one” for the force.
“We are seeing an increase in the number of members of the public who want to withdraw consent compared with previously,” she said.
Meechan said: “I’ve spent most of the last 18 years telling people in the organisation to ‘make sure you’ve got consent’… after a major legal reverse ferret my position is now ‘for goodness’ sake, don’t ask for consent.’
“It has been a big shift, because the whole shift of GDPR and the messages coming out from the centre is that it is about giving people back control, and our response to that at an organisational level has been to stop asking for consent.”
So has GDPR done its job in furthering the rights of people over their own data?
People might feel more informed and empowered to challenge breaches, but when it comes to using public services, their data will be needed.
“In the end, it’s all about the human right to privacy,” said Findlay.