Tag Archive for records management

Data protection doesn’t require important records to be destroyed

FOIMan explains why any organisation which blames the destruction of important records on data protection rules is being either disingenuous or is ignorant of what the law requires.

In recent weeks The Guardian has drawn attention to the plight of those innocent people who have lived in the UK for many years, only to be told recently by the Home Office that they could face deportation. This week the Home Secretary finally apologised, but many people are still in a legal limbo, unable to prove their status, never having realised that they would need to.

Now a former Home Office employee has reported that disembarkation cards which might have helped establish the status of many of these people were deliberately destroyed by the Home Office a few years ago. Responding to the claim, the Home Office has conceded that records were destroyed but claims that this was necessary to comply with the Data Protection Act (DPA). The records were, according to them, destroyed:

to ensure that personal data … should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles.

This argument has a long pedigree. It was cited by a police chief constable at the time of the Soham murders as a reason why records were not retained about Ian Huntley which might have prevented his employment as a caretaker at a school. It was used more recently by the House of Commons to justify the early destruction of MPs’ expenses records.

In both these cases, and in the latest example, this is just plain wrong. If the press officer or whoever drafted this statement had checked with their Data Protection Officer, that officer would have been able to tell them this.

It is true that one of the data protection principles requires that personal data be kept no longer than necessary, and that data controllers – organisations – are required to put in place procedures to ensure this. However, note that word “necessary”. It places the responsibility fairly and squarely at the door of the organisation that has collected the data to decide what is “necessary” and to justify it. If records are still being used to answer enquiries about individuals’ immigration status (as the Home Office whistleblower has maintained), or are at the centre of one of the biggest scandals to hit modern British politics, I would suggest that it is “necessary” to retain them, and to do so can be easily justified. Data protection laws do not say they must be destroyed.

Furthermore, even if there is a view that it is no longer necessary to retain records for their original purpose, both the DPA 1998 and GDPR permit records to be retained for historical research purposes in a record office. The Home Office whistleblower reports that it was suggested that the cards be offered to a record office, but that they were told that no archive wanted them. As public records, the National Archives would have had first option on these and since these records would seem to be of great value to genealogists and those studying the history of migration and minority ethnic communities in the UK, it is hard to imagine them turning such an offer down. Even if they did, are we to believe that other record offices, including for example Brixton’s Black Cultural Archives (based in Windrush Square), a repository specialising in the history of Britain’s African and Caribbean communities, would have said no? It seems unlikely if they were given the opportunity (and the significance of the cards was explained to them). Data protection rules would have allowed the cards to be retained indefinitely in a record office.

Data protection rules simply do not require records with continuing value to be destroyed. Anyone claiming that they do is being disingenuous or is ignorant of what data protection requires. Let’s hope that organisations – particularly those that should know better – stop churning out this misconception every time that they are criticised for the disposal of records.

References:

Home Office destroyed Windrush landing cards, says ex-staffer, The Guardian, 17 April 2018 https://www.theguardian.com/uk-news/2018/apr/17/home-office-destroyed-windrush-landing-cards-says-ex-staffer

MPs to escape expenses investigations after paperwork destroyed by Parliament, Daily Telegraph, 2 November 2014 https://www.telegraph.co.uk/news/newstopics/mps-expenses/11204405/MPs-to-escape-expenses-investigations-after-paperwork-destroyed-by-Parliament.html

The politics of records management, FOIMan blog, 7 November 2014 https://www.foiman.com/archives/1337

Soham police chief ‘ignored advice’, The Guardian, 26 March 2004 https://www.theguardian.com/uk/2004/mar/26/soham.ukcrime

GDPR’s Duty to Document

FOIMan explains how GDPR puts keeping records well at its very centre.

Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.

On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.

The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.

Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.

Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.

Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.

References:

s.46 Code of Practice

GDPR

Delving Deeper into Denham’s Drive for a Duty to Document

FOIMan examines the Information Commissioner’s proposals for a new duty to document.

In December, the Information Commissioner, Elizabeth Denham, gave a speech at an event celebrating 250 years of freedom of information. During the speech Ms. Denham indicated that she wanted the government to legislate for a “duty to document”.

I wrote briefly about this at the time. But in my latest piece for PDP’s Freedom of Information Journal (available here), I’ve looked further into the Information Commissioner’s proposals.

Amongst the issues explored are:

  • what effect FOI has had on public sector records management;
  • how the Information Tribunals have dealt with the issue of records management;
  • what problems the Commissioner is seeking to resolve;
  • what tools are available to the Commissioner now;
  • and finally, are there any existing duties to document along the lines that Elizabeth Denham suggests?

Better information?

FOIMan reviews the government’s response to Sir Alex Allan’s review of government record-keeping and information management.

“Good records management is essential for good government”, said Sir Alex Allan in his report to the Cabinet Secretary on the management of digital records in December 2015 (though dated August 2015 at the bottom of the report itself). It wasn’t particularly surprising that he found that the state of records management was not good:

“almost all departments have a mass of digital data stored on shared drives that is poorly organised and indexed.”

He didn’t comment on what that said about the quality of government.

The Cabinet Office – now responsible for information management across government – has published its response this week in a report entitled Better Information for Better Government. For a start, the fact that it has taken the best part of 18 months to respond to a fairly straightforward analysis of the issues with information management within government gives a clue to the single most important reason why records are in a mess: information management is not a priority – for civil servants or their political masters.

The problems that Sir Alex identified – lack of high-level buy-in, failure to comply with record-keeping procedures, a vast legacy of poorly organised information – persist, and the new report doesn’t really offer much in terms of a way forward. It repeats Sir Alex’s analysis of record-keeping, providing a very useful summary of how the problem developed. It also agrees with Sir Alex’s conclusion that technology is the answer – though adds little to our knowledge of how technology will do this. A table lists the technologies that are most likely to be of assistance, but no conclusions are reached as to what should be done. Data analytics or eDiscovery tools are highlighted as being a potentially useful solution, before the report points out that their expense and the need for specialist users might lead Departments not to employ them.

There’s an emphasis in the report on Departments doing their own thing. It’s not hard to imagine those leading the project being fobbed off by Departments wary of Cabinet Office interference, and perhaps weary of (mostly failed) attempts to address poor records management over the years.

The report does recognise the most significant impediment to improved information management: people. There is talk of “creating the expectation of regular information management”. This is to be done by making it easier to save records by improving the technology used, but also by using “nudge” techniques:

“Departments might also consider deploying behavioural science techniques to encourage civil servants to perform information management tasks more regularly and effectively.”

The overwhelming feeling I had when reading this report was deja vu. We’ve heard many times before that records management is poor in government (and, to be fair, in most organisations outside government). We’ve also heard that technology and culture change are the answers. Reading this report I didn’t get the impression that addressing this problem is a priority, nor that leaders in government would be pressing for that to change. Without prioritisation and leadership, I’m afraid we’ll be reading another report like this in a decade’s time, and the decade after that, and…

Sources:

Government digital records and archives review by Sir Alex Allan, Cabinet Office, December 2015

Better Information for Better Government, Cabinet Office, January 2017

Valuable information

FOIMan on literally giving your information value.

We often hear people talk about information or data being valuable. But in the last 24 hours I’ve heard two separate speakers, ostensibly on two separate topics, discuss attributing actual monetary cost to information. So perhaps there’s something in it.

First, yesterday evening David Ryan, who was hired several years ago to establish the National Archives’ digital preservation department (and a declaration of interest, he also gave me my first information management job 20+ years ago – don’t hold it against him), was talking about the future of records management at the Information and Records Management Society’s London Group meeting. Amongst other things, David noted the move of many organisations to cloud storage, meaning that there is a noticeable increase in cost if more data is stored each month. He gave the example of Amazon’s cloud storage service, AWS, which now offers customers a retention scheduling tool to help them manage the cost by ensuring that stored data is automatically deleted or archived. He asked if anyone included a monetary cost for record series identified in their records retention schedules. Nobody did, but he speculated that that might become a feature of retention schedules and information asset registers in the future. An invoice might have an intrinsic value to a business in much the same way as a chair.

Which was fascinating but to some probably seemed a long way off. Then today I attended the Direct Marketing Association’s (DMA) Data Protection update, a conference aimed at informing marketers in particular about the General Data Protection Regulation (GDPR). It was an enjoyable event and I found it useful to hear about GDPR from a different perspective.

One session was delivered by Nicholas Oliver, a youthful entrepreneur who talked about “Unified decentralisation & the future of a consumer-led data economy”.

Yes, I know – I was fully prepared to spend that half-hour catching up on email. But it was very interesting.

Nicholas identified that most of us are rather unnerved by the growing trend towards creating unified profiles of us. The fact that Facebook appears to know what we just bought from Amazon and suchlike. He compared this practice to what Edward Snowden revealed about the US security services and concluded that there was little difference between that and what companies are doing to better target their marketing. Having collected all this data, the companies think they own it, and there have even been suggestions that individuals who try to prevent its use are somehow at fault (John Whittingdale, former Culture Secretary, being a notable proponent of this view in relation to ad-blocking).

Nicholas is a businessman and having identified the problem, was there of course to provide us with the answer – or at least his answer. His company, people.io, provides an online platform for people to choose what marketing they receive. And interestingly, given what David Ryan had to say, they actually get paid for their personal data. So you sign up, indicate your preferences, and at some point you, or a charity of your choice, receive a payment. Meanwhile, the advertising you receive is more targeted (so in theory less irritating), and more likely to result in you spending money on products so the companies who sell things to you get more value from their advertising budget. What’s more, Nicholas stressed the fact that consumers have control over their data at all times – once they decide not to receive marketing anymore, their data is deleted. We’re used to our data being a valuable commodity to the companies that collect it. We’re maybe not so used to the idea that it might have monetary value to us.

I haven’t looked at Nicholas’ service and I’m not endorsing it (there may well be other products out there that do something similar), but I did think the approach he described was interesting and seemed very much in line with the GDPR’s emphasis on individual control over data. Elizabeth Denham, the new Commissioner, said yesterday that it’s not about privacy OR innovation, it’s about privacy AND innovation, and this sounded a lot like the kind of thinking that she has in mind. Put together with David’s talk yesterday, it has made me think about how literally to take the phrase “valuable information”.