At the beginning of the year it was reported that the Australian Border Agency had made the personal details of almost 10,000 asylum seekers held in detention publicly accessible; names, dates of birth and other personally identifiable information were exposed, which could have serious consequences for people seeking asylum. In the UK it was also reported that hundreds of police staff had been disciplined for misusing confidential police information: snooping on ex-wives and members of the public without authority, publishing sensitive data on social media, and spreading rumours in the communities they were policing.
Stories like these hit the headlines every day, yet the legal consequences of these kinds of personal information breaches are often overlooked. At the top level, Data Protection legislation exists to protect the rights of individuals. Because it is the law, participation is not optional: you must ensure that the correct policies are in place, that the organisational culture values sensitive information and respects privacy, and that everyone who handles sensitive information is trained and knows how to handle it.
The existing legislation, the Data Protection Act 1998, is long overdue an overhaul given the pace of technological and business change over the past 16 years. The European Union is currently reviewing the Data Protection framework so that updated legislation reflects how data is actually used today. As the heated debate over how to reform the legislation continues, it is worth noting some of the pros and cons of the proposed changes. Initially, EU Member States pushed for a single set of controls for all organisations, no matter how big or small. They have since settled on ‘proportionate’ controls, which will spare smaller organisations from having to create mandatory data protection roles and responsibilities where these are not necessary. However, debate continues over whether a compliance-based approach (prescribing the process organisations must follow to abide by the law, rather than focusing on the outcome they must achieve) is the right way forward. A prescriptive approach may stifle creativity and innovation, as organisations would no longer be free to adopt their own, equally adequate, methods of protecting the personal data they hold.
While the future Data Protection landscape remains uncertain, we can only wait to see how the dust settles, both in Brussels and in the UK. Until then, there is still a great deal organisations can do now so that, when the new legislation arrives, they are not faced with a mountain of new work. Here are some common pitfalls to help you and your organisation prepare:
- Protection must extend to opinions. An opinion about an individual, whether expressed in an email, face-to-face or in a personal development review, is the personal data of the person it concerns, not merely of the person who expressed it;
- Adequate training is essential and can be a manager’s “get out of jail free card.” In the UK, the Information Commissioner’s Office will look at what training and procedures are in place in the event of a breach and if they adequately demonstrate the best endeavours of your organisation;
- The impact of multiple Subject Access Requests. Individuals have the right to request all the personal information an organisation holds about them, in the form of a Subject Access Request, and under the current Act the organisation must respond within 40 days. REMEMBER that this includes expressions of opinion about the requester, so emails and review notes are in scope.
Prepare in advance and save time and money, and possibly avoid a jail sentence if you get it wrong! (One of the EU proposals is to make data breaches a criminal offence.)