Will the ICO change its approach to the public sector following more high profile data breaches in some of the UK’s Police Forces?
Yesterday Simon Byrne, Chief Constable of the Police Service of Northern Ireland (PSNI), resigned. Amongst a number of issues leading up to the resignation was the accidental publication of the details of around 10,000 PSNI officers and staff, and the loss of an officer’s laptop and notebook.
Meanwhile, the Met Police has experienced a data breach following unauthorised hacking of the IT company that produces warrant cards.
Not to be left out, Norfolk and Suffolk Police have shared details of crime victims, witnesses and suspects, following an earlier breach back in November 2022.
Notwithstanding the fact that all three were breaches of data protection legislation, each of these incidents has placed individuals at risk.
The ICO are investigating these cases, but it remains to be seen whether there will be any change in approach by the ICO, and whether any fines will be issued. It certainly seems at first sight that the organisations in question have not read ‘Lessons Learned from Reprimands’ (although the ICO would probably be better naming the document ‘Lessons IDENTIFIED from Reprimands’).
Any investigation is likely to include consideration of the root causes of the incident. A full root cause analysis of most data breaches will tend to come back to one of a small number of issues:
- Authority: the ability to process data in ways that should not be permitted, e.g. because of weak access management or a lack of oversight/checking, possibly due to a lack of resources for maintaining access management systems or for double-checking;
- Staff error, normally due to lack of training, often due to lack of time and courses, and therefore a lack of resources;
- IT user error (see staff error above); and
- Problems in IT systems (own or third party), whether within the system itself or caused by user error. System errors can often be traced to a lack of testing (again due to lack of resources and time constraints), failure to apply patches, etc. (see user error).
Thus most investigations will ultimately be down to a lack of resources. As an example, in the case of the PSNI breach, it appears that a junior member of staff posted the information as part of a response to a Freedom of Information request, raising questions about training, authority and oversight and, therefore, the resources that have been made available to enable the member of staff to do their job correctly.
Back office ‘stuff’ is never going to be as ‘sexy’ or as visible as the frontline jobs. However, if resources (time and budgets) are not made available by every level of management, organisational data protection processes are doomed to failure.
For those readers wondering why the Chief Constable of the PSNI was responsible for the data breach and felt the need to resign, the ICO gives clear guidance for compliance with GDPR:
“Accountability is not a box-ticking exercise. Being responsible for compliance with the UK GDPR means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.”
Indeed, the first bullet point in the ICO accountability checklist states: “We take responsibility for complying with the UK GDPR, at the highest management level and throughout our organisation.”
Think that the data breach experienced by the Met was not their fault? Again, the ICO gives clear guidance:
“Whenever a controller uses a processor to handle personal data on their behalf, it needs to put in place a written contract that sets out each party’s responsibilities and liabilities. Contracts must include certain specific terms as a minimum, such as requiring the processor to take appropriate measures to ensure the security of processing and obliging it to assist the controller in allowing individuals to exercise their rights under the UK GDPR.
Using clear and comprehensive contracts with your processors helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.”
Remember, outsourcing the operation does not outsource the accountability.
Back in April, I reported on the ICO approach to the public sector, listing a number of specific examples of a soft approach to public sector management of data, and highlighting the sensitivity of the data at risk.
It will be interesting to see whether the ICO does now revise its approach, or whether fines will still just be the reserve of the private sector.