And why is data protection governance so important?     

We all remember the GDPR rush of 2018, when organisations raced to collect consents for marketing emails and publish updated privacy notices before the new data protection legislation (GDPR) came into effect on 25 May 2018.

But what’s happened since then? Are we all compliant, job done? If only it were that simple. The truth is, though, that many organisations still have a long way to go; even those with well-written privacy notices and data protection policies aren’t necessarily following their own policies.

Take the shocking data breach at Hackney Council, where names and addresses of potentially vulnerable tenants were publicly available on the internet. This article from the BBC explains that the data was freely available because the privacy settings weren’t set properly on the software being used to store the data, which was (the free version of) Trello.

However, that’s only the last broken link in a chain of events that, in my opinion, shouldn’t have happened in the first place.

If we look at Hackney Council’s Privacy Statement, this section about sharing data sounds very reassuring:

“We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example, our ICT system providers. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses.”

That’s exactly what I’d want to hear if Hackney Council were handling my personal data. But unfortunately, I think the data breach shows the policy isn’t necessarily being followed, perhaps due to a lack of oversight and governance.

I’m making assumptions here, but I’m pretty sure that using the free version of Trello to store sensitive data wasn’t appropriately risk-assessed. If it had been, I’d like to think it wouldn’t have been signed off on.

Even if it was signed off, should it have been? Have the risks involved in the use of Trello to store sensitive data been understood, assessed and controlled? As the privacy statement claims, have the right safeguards been put in place?

A quick look at the Privacy Policy of Trello (or rather Atlassian, the owner of Trello) shows it to be a US-based company, still relying on the (now meaningless) Privacy Shield to assure EU and UK customers that their data is secure, which is the first red flag. On top of that, I’m not sure how legally binding the contract would be, even if it did contain appropriate safeguards, considering Hackney appeared to be using just the free version of Trello (I’m not a lawyer though!). And of course, there is much debate in the world of data protection over whether there can be any such thing as appropriate safeguards when using US-based storage anyway.

Putting aside how Hackney came to be using Trello, I’d be interested to know if there were rules for staff members about what types of data should/shouldn’t be stored in Trello, and if there was any training for staff on how to use the privacy settings properly.

So the breach may well be the result of a chain of unfortunate incidents, not just one setting being set incorrectly. Every circumstance that allows each link of a chain like that to be built is an example of a lack of governance in the organisation.

Hackney Council, like so many organisations, has undoubtedly been under a lot of pressure to continue providing services to residents throughout an unprecedented pandemic, and I’m not being cold-hearted about this. I completely understand the pressure and stress so many organisations continue to struggle with, and I am sure most people in councils and in social housing want to do the right thing by their residents, tenants and customers.

For more information

If you’re interested in learning more about how to translate that intention into actions, by building data protection governance into all of your processes, join me for a free webinar for the social housing sector – 'Using your customer data to build trust and fulfil your purpose'.

Wednesday 8 September 2021 at 11 am on Microsoft Teams.

Click here to register for the webinar.