And why is data protection governance so important?
We all remember the GDPR rush of 2018, when organisations raced to collect consents for marketing emails and publish updated privacy notices before the new data protection legislation (GDPR) came into effect on 25 May 2018.
But what’s happened since then? Are we all compliant, job done? If only it were that simple. The truth, though, is that many organisations still have a long way to go; even those with well-written privacy notices and data protection policies aren’t necessarily following their own policies.
Take the shocking data breach at Hackney Council, where names and addresses of potentially vulnerable tenants were publicly available on the internet. This article from the BBC explains the data was freely available because the privacy settings weren’t set properly on the software being used to store the data, which was (the free version of) Trello.
However, that’s only the last broken link in a chain of events that, in my opinion, shouldn’t have happened in the first place.
If we look at Hackney Council’s Privacy Statement, this section about sharing data sounds very reassuring:
“We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example, our ICT system providers. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses.”
That’s exactly what I’d want to hear if Hackney Council were handling my personal data. But unfortunately, I think the data breach shows the policy isn’t necessarily being followed, perhaps due to a lack of oversight and governance.
I’m making assumptions here, but I’m pretty sure that using the free version of Trello to store sensitive data wasn’t appropriately risk assessed. If it had been, I’d like to think it wouldn’t have been signed off on.
Even if it was signed off, should it have been? Have the risks involved in the use of Trello to store sensitive data been understood, assessed and controlled? As the privacy statement claims, have the right safeguards been put in place?
Putting aside how Hackney came to be using Trello, I’d be interested to know if there were rules for staff members about what types of data should/shouldn’t be stored in Trello, and if there was any training for staff on how to use the privacy settings properly.
So the breach may well be the result of a chain of unfortunate incidents, not just one setting being set incorrectly. Every circumstance that allows each link of a chain like that to be built is an example of a lack of governance in the organisation.
Hackney Council, like so many organisations, have undoubtedly been under a lot of pressure to continue providing services to residents throughout an unprecedented pandemic, and I’m not being cold-hearted about this. I completely understand the pressure and stress so many organisations continue to struggle with, and I am sure most people in councils and in social housing want to do the right thing by their residents, tenants and customers.
For more information
If you’re interested in learning more about how to translate that intention into actions, by building data protection governance into all of your processes, join me for a free webinar for the social housing sector – ‘Using your customer data to build trust and fulfil your purpose’.
Wednesday 8 September 2021 at 11 am on Microsoft Teams.