The cost of non-compliance
The General Data Protection Regulation, in the form of the Data Protection Act 2018 (DPA2018), has now been with us for a little over a year. Now seems a good time to step back, take stock of its impact, and re-examine the challenges and uncertainties that have affected the fostering providers we have worked with so far.
Before the GDPR became effective, we predicted that the first year would not see any large fines meted out by the Information Commissioner's Office. Indeed, the ICO themselves stated it was not their intent to do this, whilst making it clear that larger fines were certainly on the horizon. We hope that the guidance and support we have provided to the independent fostering providers (IFPs) with whom we work have gone some way to ensuring a more proactive stance toward data protection than the sector has seen before.
Outside the sector, we have seen a stark and sobering uplift in fine notices. Prior to GDPR, Facebook were fined the then maximum of £500,000 in relation to the Cambridge Analytica incident. Contrast this with the £183,000,000 fine notice given to British Airways in July 2019. Whilst this represents 1.5% of BA’s global turnover, it is still considerably less than the maximum of 4% which could have been levied. That would have amounted to a fine of around £488,000,000 – almost 1,000 times the pre-GDPR maximum. The ICO clearly means business.
Although it is not possible to predict the fines that fostering providers who fail to protect personal information might face, there are measures that can be taken to reduce both the likelihood and the impact of breaches, the two key constituents of risk.
To control or not control – that is the question
A common issue that has arisen over the last year is how local authorities have approached the challenge. Some LAs see providers as data processors whilst others class them as joint controllers. Clearly, this is unhelpful when designing processes that seek to treat information in the same robust manner. This lack of a common approach presents a challenge in managing data protection processes that adequately serve the GDPR, Data Protection Act and the contractual obligations that providers have to operate under. Taking a simplistic Controller/Processor view complicates matters because information is managed in different ways during the lifecycle of referral, carer onboarding, placement and termination. An objective reading of the GDPR necessitates a review of data protection principles that will provide a clear distinction of the roles and responsibilities in terms of which party performs which function.
Another clear area of contention lies in satisfying the rights of care leavers as data subjects. In an ideal scenario we would see a formal handover of data to the relevant LA upon termination of the placement; this is mandated in some contracts, but not all. A complication is that most of our provider partners meet resistance from LAs when trying to deliver care leaver information and are specifically instructed not to do so. This in itself creates a further issue, as retaining personal information beyond the need to do so is not compliant with GDPR. Providers who recognise the critical importance of a care leaver’s story are stuck in the middle of a data retention conundrum. This issue matters; a common and legally compliant process for safeguarding this vital information must be established.
Subject Access Requests
The providers we work with experienced an average of five requests over the last year. This represents an increase on previous years. Some providers had never had one before and some had only seen a couple over the preceding few years. It is clear that data subjects have become more aware of their rights and expect such requests to be managed efficiently and effectively. The majority of requests we have seen over the last year are from carers who have left the agency, compared to one request from a care leaver and none whatsoever from staff members.
Questions about redaction abound. Our advice is to ensure that the rights of third parties are respected. This does not mean that the information provided to the data subject needs to look like a 1970s UFO disclosure from Area 51 redacted in black marker pen; it means that information impacting the rights of a third party should be risk assessed prior to redaction. Redaction techniques are also of varying quality. Using PDF editing tools can be ineffective, as some simply draw a box over the information rather than removing the underlying text. A simple copy and paste into a Word document can then reveal the "redacted" information – our advice is to test the tools you have selected thoroughly.
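One practical way to carry out that test, as an added example rather than anything from the original article: a short Python script that pulls every string passed to a text-showing operator out of a PDF's content streams and reports any sensitive terms that survive. The two sample PDFs are constructed inline, and the parser is deliberately minimal (plain and Flate-compressed content streams only, no handling of string escapes or fonts), so treat it as a sanity check rather than a substitute for a full PDF library.

```python
import re
import zlib

def _mini_pdf(content: bytes, compress: bool = True) -> bytes:
    """Wrap one page content stream in a minimal PDF skeleton (constructed sample)."""
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R/Contents 4 0 R>>endobj\n"
            b"4 0 obj<<" + filt + b"/Length " + str(len(data)).encode()
            + b">>stream\n" + data + b"\nendstream endobj\n%%EOF\n")

# Constructed samples. Both draw a black box (re f) where the name was, but
# only the second actually removed the underlying text-showing operator (Tj).
OVERLAY_REDACTED = _mini_pdf(
    b"BT /F1 12 Tf 72 700 Td (Carer: John Smith, 12 Elm Road) Tj ET\n"
    b"0 g 110 696 200 14 re f\n")
TRUE_REDACTED = _mini_pdf(
    b"BT /F1 12 Tf 72 700 Td (Carer: ) Tj ET\n"
    b"0 g 110 696 200 14 re f\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj|\[(.*?)\]\s*TJ", re.S)

def extract_text(pdf: bytes) -> str:
    """Collect every string fed to a Tj/TJ operator in any content stream."""
    found = []
    for obj in pdf.split(b"endobj"):            # one PDF object per chunk
        m = STREAM_RE.search(obj)
        if not m:
            continue
        data = m.group(1)
        if b"/FlateDecode" in obj[:m.start()]:  # stream dictionary precedes data
            data = zlib.decompress(data)
        for literal, array in TEXT_RE.findall(data):
            # TJ takes an array mixing strings and kerning numbers
            found.append(literal or b"".join(re.findall(rb"\((.*?)\)", array)))
    return b"".join(found).decode("latin-1")

def residual_terms(pdf: bytes, terms) -> list:
    """Sensitive terms still present in the text layer of a 'redacted' PDF."""
    text = extract_text(pdf)
    return [t for t in terms if t in text]

if __name__ == "__main__":
    terms = ["John Smith", "Elm Road"]
    print("overlay:", residual_terms(OVERLAY_REDACTED, terms))  # both terms leak
    print("true   :", residual_terms(TRUE_REDACTED, terms))     # []
```

An empty result means the tool removed the text rather than merely covering it; anything listed is exactly what a copy and paste would recover.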
Reported data breaches have also increased, with an average of three per provider over the year. Not all breaches are reportable to the regulator; however, increased awareness has driven the rise in internal reporting. Paper records continue to be a source of breaches, which reinforces the need for well controlled technical solutions to help manage data protection strategies. Guardian Saints maintains that recognised certifications such as Cyber Essentials help to manage and reduce data protection risks by improving data security. An added benefit of certification is that customers and suppliers will have greater confidence in providers’ cyber security practices.
Why use an external DPO service or consultancy?
Employing a dedicated Data Protection Officer (DPO) is an obvious choice for larger providers who have the financial resources to accommodate the position. However, smaller providers still have the same requirements in terms of data protection as their larger counterparts. A data breach can be a challenging event. Determining how it occurred, what actions need to be taken, conducting a risk assessment, deciding whether it is reportable – such decisions can only be made if you have a working understanding of the GDPR together with the appropriate level of expertise in information risk management.
There are many elements to GDPR compliance that seem quite daunting to those without the right level of expertise – for example conducting a Data Privacy Impact Assessment (DPIA) on your key services or ensuring one has been performed by the local authority on their systems to protect your carers’ personal information.
A DPO’s first responsibility is to Data Subjects, so be prepared for constructive criticism on data management, protection and the procedures you have in place to manage data subject rights. DPOs will also monitor an organisation’s compliance position with GDPR. A DPO cannot be an extension of your IT or administration departments. This would be a clear conflict of interest.
Providers who have identified a requirement for a Data Protection Officer function take different approaches. The role is either taken by an internal employee or provided through a DPO service such as the one Guardian Saints offers. Some agencies are still on the fence in this area, but whatever decision is made, robust processes and clear policies will be required to ensure that data protection issues and events can be managed successfully with minimum impact on the data subjects. DPOs are necessarily independent but will work with providers to signpost deficiencies and a ‘path to green’ to reduce risk and drive efficiencies. Where cost is an issue, or where you are unsure of the need for a DPO, consultancy should be sought on issues that may result in impacts for your agency and, of course, the data subjects you serve.
Having seen first-hand how providers and local authorities have managed GDPR over the last year, we have observed that the focus has been on compliance and keeping organisations within the law by managing people and internal processes. The key point missed by so many of the organisations we deal with is that the GDPR and DPA 2018 are there to protect the personal information of data subjects. We all need to remember that data protection is the key, and we can only achieve it by working together to a common framework that enables the fostering community to control, process and manage information securely on behalf of all our data subjects.