Tag Archive for Data Protection

Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, not realising that they would ever need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, they would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

GDPR – the phoney war is over

FOIMan launches a new resource to help practitioners and others get to grips with the General Data Protection Regulation (GDPR).

Those interested in privacy had been waiting for years for the European Union to agree its new rules on data protection. Finally, in May of this year, the General Data Protection Regulation (GDPR) became law. Cue party poppers all round.

The party was well and truly pooped though a month later. Instead of starting a long campaign to educate colleagues and businesses about their new obligations (which take effect from May 2018), practitioners have been forced to spend the summer and early Autumn speculating about what BREXIT means for GDPR. Even if they wisely chose to continue their preparations, their words fell on stony ground as those in charge looked to government for a decisive message more informative than “BREXIT means BREXIT”.

Thankfully we now have more clarity. During a committee hearing last week, the Secretary of State for Culture, Media and Sport, Karen Bradley, stated that:

“An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (Oral evidence to the Culture, Media and Sport Select Committee, HC 764, 24 October 2016, answer to Q.72)

So whilst there’s still a possibility that the rules will change again in a few years, at least we now know that GDPR is coming to stay and will be with us for a while. Long enough for us to give it a bedroom and clear some drawer and wardrobe space. Maybe even to cut it a set of keys.

In the meantime, the hands of the clock have been moving apace. There are now just over 18 months to get your house in order, which is not long given how much you need to do to make sure that you meet GDPR’s exacting requirements.

Thankfully there are lots of places to look for help. And now I’m adding to the list. I’ve added a new section to the FOIMan site dealing specifically with data protection reform and GDPR. There are free resources to help you understand your obligations, and suggestions as to where to start your preparations. There’s also a link to the GDPR itself in case you need it. I’ll be updating this page from time to time and adding new links, resources and suggestions so keep popping back for more as your preparations continue.

Valuable information

FOIMan on literally giving your information value.

We often hear people talk about information or data being valuable. But in the last 24 hours I’ve heard two separate speakers, ostensibly on two separate topics, discuss attributing actual monetary cost to information. So perhaps there’s something in it.

First, yesterday evening David Ryan, who was hired several years ago to establish the National Archives’ digital preservation department (and a declaration of interest, he also gave me my first information management job 20+ years ago – don’t hold it against him), was talking about the future of records management at the Information and Records Management Society’s London Group meeting. Amongst other things, David noted the move of many organisations to cloud storage, meaning that there is a noticeable increase in cost if more data is stored each month. He gave the example of Amazon’s cloud storage service, AWS, which now offers customers a retention scheduling tool to help them manage the cost by ensuring that stored data is automatically deleted or archived. He asked if anyone included a monetary cost for record series identified in their records retention schedules. Nobody did, but he speculated that that might become a feature of retention schedules and information asset registers in the future. An invoice might have an intrinsic value to a business in much the same way as a chair.
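As an added illustration of the two ideas in David’s talk (automated archiving or deletion driven by a retention schedule, and a monetary cost attached to each record series), the following Python is an example written for this page; it is not code from David Ryan, the National Archives or AWS. It turns a small, constructed retention schedule into a lifecycle configuration in the shape S3 accepts (Rules with a Prefix filter, Transitions and Expiration), adds a cost column per series, and deliberately refuses to emit an Expiration action for any series still flagged as in use, reflecting the point made above that “no longer than necessary” is a judgement the organisation has to make rather than an automatic deletion. The series names, key prefixes, volumes and per-GiB prices are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RecordSeries:
    """One line of a records retention schedule, plus the storage facts needed to cost it."""
    name: str                           # record series as named in the retention schedule
    prefix: str                         # object-key prefix under which the series is stored
    gib_stored: float                   # current volume in GiB
    archive_after_days: Optional[int]   # move to cold storage after N days; None = never
    delete_after_days: Optional[int]    # expire after N days; None = retain indefinitely
    in_use: bool = False                # still answering enquiries / under scrutiny: never expire


# Constructed per-GiB-month prices for illustration only; not a real price list.
PRICE_PER_GIB_MONTH: Dict[str, float] = {"STANDARD": 0.023, "GLACIER": 0.004}


def monthly_cost(series: RecordSeries, storage_class: str = "STANDARD") -> float:
    """Estimated monthly storage cost of a series in the given storage class."""
    return round(series.gib_stored * PRICE_PER_GIB_MONTH[storage_class], 2)


def lifecycle_rule(series: RecordSeries) -> dict:
    """Turn one retention-schedule entry into an S3-style lifecycle rule.

    A series flagged in_use gets no Expiration action at all: deciding what is
    "necessary" stays with the organisation, not with the storage service.
    """
    if (series.archive_after_days is not None and series.delete_after_days is not None
            and series.delete_after_days <= series.archive_after_days):
        raise ValueError(f"{series.name}: deletion must come after archiving")
    rule = {
        "ID": f"retention-{series.name}",
        "Filter": {"Prefix": series.prefix},
        "Status": "Enabled",
    }
    if series.archive_after_days is not None:
        rule["Transitions"] = [{"Days": series.archive_after_days, "StorageClass": "GLACIER"}]
    if series.delete_after_days is not None and not series.in_use:
        rule["Expiration"] = {"Days": series.delete_after_days}
    return rule


def build_lifecycle(schedule: List[RecordSeries]) -> dict:
    """Lifecycle configuration document covering the whole schedule."""
    return {"Rules": [lifecycle_rule(s) for s in schedule]}


def cost_report(schedule: List[RecordSeries]) -> Dict[str, Dict[str, float]]:
    """Per-series monthly cost now versus once archived: the 'cost' column of the schedule."""
    report: Dict[str, Dict[str, float]] = {}
    for s in schedule:
        now = monthly_cost(s, "STANDARD")
        later = monthly_cost(s, "GLACIER") if s.archive_after_days is not None else now
        report[s.name] = {"now": now, "after_archive": later, "saving": round(now - later, 2)}
    return report


# Constructed sample schedule: names, prefixes and volumes are made up.
SCHEDULE = [
    RecordSeries("supplier-invoices", "finance/invoices/", 120.0, 365, 7 * 365),
    RecordSeries("visitor-logs", "facilities/visitor-logs/", 8.0, None, 90),
    RecordSeries("landing-cards", "casework/landing-cards/", 40.0, 730, 10 * 365, in_use=True),
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_lifecycle(SCHEDULE), indent=2))
    for name, row in cost_report(SCHEDULE).items():
        print(f"{name:20s} now {row['now']:.2f}/month, after archive {row['after_archive']:.2f}/month")
```

Run as a script it prints the lifecycle document and the cost column. The only rule for the in-use series is a transition to cold storage, never an expiry, so a hold or an ongoing enquiry has to be cleared in the schedule before the storage layer is ever allowed to delete anything.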

Which was fascinating but to some probably seemed a long way off. Then today I attended the Direct Marketing Association’s (DMA) Data Protection update, a conference aimed at informing marketers in particular about the General Data Protection Regulation (GDPR). It was an enjoyable event and I found it useful to hear about GDPR from a different perspective.

One session was delivered by Nicholas Oliver, a youthful entrepreneur who talked about “Unified decentralisation & the future of a consumer-led data economy”.

Yes, I know – I was fully prepared to spend that half-hour catching up on email. But it was very interesting.

Nicholas identified that most of us are rather unnerved by the growing trend towards creating unified profiles of us. The fact that Facebook appears to know what we just bought from Amazon and suchlike. He compared this practice to what Edward Snowden revealed about the US security services and concluded that there was little difference between that and what companies are doing to better target their marketing. Having collected all this data, the companies think they own it, and there have even been suggestions that individuals who try to prevent its use are somehow at fault (John Whittingdale, former Culture Secretary, being a notable proponent of this view in relation to ad-blocking).

Nicholas is a businessman and, having identified the problem, was there of course to provide us with the answer – or at least his answer. His company, people.io, provides an online platform for people to choose what marketing they receive. And interestingly, given what David Ryan had to say, they actually get paid for their personal data. So you sign up, indicate your preferences, and at some point you, or a charity of your choice, receive a payment. Meanwhile, the advertising you receive is more targeted (so in theory less irritating), and more likely to result in you spending money on products, so the companies who sell things to you get more value from their advertising budget. What’s more, Nicholas stressed the fact that consumers have control over their data at all times – once they decide not to receive marketing any more, their data is deleted. We’re used to our data being a valuable commodity to the companies that collect it. We’re maybe not so used to the idea that it might have monetary value to us.

I haven’t looked at Nicholas’ service and I’m not endorsing it (there may well be other products out there that do something similar), but I did think the approach he described was interesting and seemed very much in line with the GDPR’s emphasis on individual control over data. Elizabeth Denham, the new Commissioner, said yesterday that it’s not about privacy OR innovation, it’s about privacy AND innovation, and this sounded a lot like the kind of thinking that she has in mind. Put together with David’s talk yesterday, it has made me think about how literally to take the phrase “valuable information”.

GDPR is coming – BREXIT or not

FOIMan points to a comment from a BREXIT campaigner which reinforces the message that a vote to leave the EU would have little effect on the adoption of the new General Data Protection Regulation in the UK.

On my data protection courses I’ve come to expect the obvious question whenever I mention that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will apply across the European Union (EU). Which is, of course:

What happens if we vote to leave the EU on 23 June?

I’m no constitutional expert, but I’ve been reassured by the fact that my usual answer has been in line with what many other commentators have said on this question. GDPR is coming whether we leave the EU or not. The latest comments from the BREXIT camp if anything seem to me to reinforce this view.

Firstly, one of the most likely flavours of BREXIT is that the UK would join the wider European Economic Area (EEA) – the group that Norway is a member of. Nations in this group still have to comply with many EU laws, and this would include GDPR. Result of this option: GDPR would apply.

Secondly, if the UK goes for another flavour of BREXIT, then it wouldn’t have to adopt GDPR itself, but following the European Court’s decision on Safe Harbor last October, if UK businesses were to continue to do business with European companies and public bodies then it would almost certainly have to adopt an “equivalent” level of data protection. Result of this option: a new Data Protection Act that is to all intents and purposes the GDPR by another name.

One complicating factor is that it has previously been assumed that post-BREXIT negotiations would take two years to complete. This would mean that however we vote, the GDPR would apply for a matter of months after 25 May 2018. If businesses and public bodies have to do enough to comply with the regulation for a few months, what would be the point of lowering standards that they have already worked to meet?

Now comments by one of the leading BREXIT campaigners seem to me to make it even more important for businesses to assume that GDPR is on the way – and will be here to stay. Michael Gove recently suggested that negotiations post-BREXIT would be unlikely to be complete by the time of the General Election in 2020. If BREXIT happens more than 2 years after GDPR has been brought into force, it seems less likely than ever that BREXIT would affect GDPR.

The bottom line is: whatever the outcome on 23 June, the GDPR is on the way and organisations need to prepare for it now.