A note on Data Protection Officers

The Data Protection Officer (DPO) role was revised by the GDPR and the member state implementations. Here is a reminder for those that need it.

Article 37 states that a controller or processor requires a DPO if it is a public authority or body, if its core activities require regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of large-scale processing of special categories of data (or of data relating to criminal convictions and offences).

A DPO may serve more than one organisation (Article 37 allows a group of undertakings to appoint a single DPO), but Article 38 requires the DPO to be adequately resourced and supported.

The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in Article 39 of the GDPR.

Article 38 states that the DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed or penalised for doing their job, and report to the highest level of management.

The tasks of the role are defined in Article 39. The job is to inform and advise the highest level of management (and the staff who process personal data) on their obligations; to monitor compliance, including the assignment of responsibilities, awareness-raising and training of staff, and the related audits; to advise on and monitor data protection impact assessments (DPIAs); and to cooperate with, and act as the contact point for, the supervisory authority, which in the UK is the ICO.

I have used the EU text as the source of my summary; it is reproduced overleaf/below ...

This post was originally posted on LinkedIn.

Electing the GS? Not such a good idea!

So Momentum have decided that, unlike in their own internal affairs, the best answer to the crisis in democracy in the Labour Party is to elect its General Secretary. I think this is wrong; critically, without a recall mechanism this would be worse, because the individual elected would have a mandate to do what they wanted. It would be poor even with a realistic recall mechanism. This article summarises my proposals and republishes the idea of a members' ombudsperson.

In my article, Labour Leak – Closing the Stable Door, I look at a series of reforms that I think would make things better. I argue that the Party needs better "controls", segregation of duties and better record keeping. I also argue for a new disciplinary system that segregates the duties of investigators, prosecutors and judges, provides a right of appeal, and conforms to the principles of natural justice: guaranteeing the right to a fair trial, innocence until proven guilty and the proportionality of any sanctions, and ensuring that our rules respect the rights to privacy and free speech. The powers and inclination of the NEC to hold the GS accountable to policy, rules and law need to be examined; there may be some changes that can be made, but this is a cultural change, and without a change of culture most of the rest of the reforms will fail. I also argue for more professional management of money and financial controls, greater transparency on staff management, recognition of Chakrabarti's comments on staff recruitment and management, and accreditation by "Investors in People" and "A great place to work".

There are a number of roles that should be examined to ensure they are sufficiently independent of the GS and the NEC and accountable to the law or their professional ethics. In this part of the article, I note that proposals for an Ombudsperson were made to the Democracy Review but didn't make it into the final report. I have, with help, retrieved the Ombudsman proposal, as I think it is worth reviewing and should be part of a reconfiguring of the compliance function in which the Head of Compliance is made independent of the NEC and GS and accountable to the rules and the law. Compliance should tell organisations what they can't do, while they retain the right to legal advice.

What's needed is a renewal of a culture of decency, so that the bureaucracy and the elected NEC members behave properly and fulfil their duties of trust. I have argued for changing Labour's rules to incorporate the Nolan principles as a duty on all role holders, but especially the NEC members; unless recent wrongdoing is punished, however, it will become just another policy to be ignored and circumvented. …

Can’t make it up

A note on LinkedIn on why management needs IT usage policies, both to prove its compliance and to act legally and fairly towards its employees. I suggest that ISO 27001 is useful as a technical standard and COBIT as an organisational one.

This was written in the light of a couple of cases I had to deal with as an accompanying rep. or as an advisor.

You can’t claim that users are not performing if you can’t prove the IT systems work as documented. You can’t pursue a conduct disciplinary against people operating a policy. You can’t fulfil FOI or SAR requests if the data retention policy is suspect. You can’t be sure that corruption has not occurred if there is inadequate segregation of duties.

Having a policy will help the organisation answer the following questions. Is our software supported? Why and how was that data deleted? What should be logged? Who has permission to read, amend and run these programs and/or this data? Are our vendors signed up to our IT security goals? And, if the answer is unknown, why do you not know this?

This is all defined in these standards, and the GDPR (Articles 24 and 32) allows adherence to approved codes of conduct or certification mechanisms to be used as evidence that the controller is meeting its obligations. ISO 27001 and COBIT are the big boys in town for proving technical and organisational protection.

You can’t make it up anymore. …

Google, the GDPR and Brexit

Google are going to move their UK users' data from Ireland to the USA. I wrote a little note on my LinkedIn blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and compliance with the GDPR and the world's data protection laws?

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet, and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends, and that the Investigatory Powers Act 2016 and the immigration exemption in the DPA 2018 may cause the Commission some problems with respect to "adequacy".

I note that model clauses and binding corporate rules will remain in place, and I wonder if this is a business opportunity for a European-based phone operating system author as people choose to withdraw from Android. Nokia? Canonical? …

What is to be done, with Lewisham Council?

Finally, I have submitted my thoughts on Lewisham's Democracy Review: Lewisham Democracy Review by Dave Levy V1_1. My initial thoughts were published in this article on this blog. Three things:

  1. I am shocked at the true legal position: we elect a dictator, with no recall and no term limits. Executive Mayors are not just first-amongst-equals "Leaders" with a different mandate; it's an alien form of government, lifted from the US and France and designed to reduce the accountability of decisions to voters and their political parties. I am equally shocked at the extent to which the Mayor's powers are delegated to full-time staff.
  2. I have recommended that they abolish the Mayoral system, and in the expectation that this will be rejected,
  3. I recommend a series of reforms to improve the accountability and transparency of the Mayor, Council and senior officials including a recall mechanism, term limits and much improved monitoring of personnel, decisions and programmes.

The deadline is Sunday.

A URL for the document is http://bit.ly/2DA5aho, a SURL for this article is https://wp.me/p9J8FV-1IN …

Five steps to Compliance

As we entered the ground rush zone for the GDPR a number of organisations issued numbered guidance documents in preparation. I joined in and published a blog article on my linkedin blog called “Beyond Adequate Protection”. This had my five point list of tasks to be GDPR compliant. I summarise them here,

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development life cycle (SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail, but I finish by saying that it's only this easy if your organisation already meets the need to provide adequate technical and organisational protection. …

Managing Compliance Software

I have just published on my LinkedIn blog a little essay on managing software used for the purpose of compliance. One key insight is that these programs are being used because you have to, not because you want to. Also, society does not want businesses innovating in compliance software; we need to know it does what society requires, not what the business wants. This makes the governing super-strategy for these applications one of "operational efficiency", or in Dan Remenyi's model, a "support" system. For compliance systems it is advantageous to buy or adopt a package and to adopt the package's optimum process; society has confidence that companies are complying with the law, and the companies share the maintenance costs and get a superior product and support. In some cases, the requirement that society has confidence that compliance is correct leads to the regulators giving companies the software or running it themselves. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party's conference app suffers from a major security flaw and that the personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary's details are available, it's of equal concern that all the journalists are also exposed. The maximum fine under the GDPR is €20m or 4% of worldwide annual turnover, whichever is higher.

A further problem is that, under the new laws, people who suffer a breach of their rights no longer have to prove harm. This would seem to be a breach of rights, and so will be treated at the serious end of the spectrum, and there's a low burden of proof.

Additionally, I would add that this app should have had a data protection impact assessment (DPIA) and, if that showed a high risk that could not be mitigated, the ICO should have been consulted before it was deployed (Article 36).

The cyber-security controls should have been defined before the DPIA and tested both before and after it.

The Tories have 72 hours from becoming aware of the breach to notify the ICO (Article 33), and will need to consider remediation for each and every user impacted.

I am sure the ICO would not want the Tories to be their first case, as they would like to have established a precedent-based tariff; they wouldn't want the governing party to be the precedent. Expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …