The Information Commissioner's Office (the UK data protection supervisory authority) last week published its Regulatory Action Policy. The policy has been created to provide direction and focus for those they regulate, specifically the action that will be taken against organisations and individuals who have breached the GDPR. The policy also addresses the upcoming Data Protection Act 2018 and the other data protection and related law they regulate.
This article explores and summarises the implications.
For more information on how we can support your organisation see our DPO Essentials Service here.
priorities for regulatory action
The ICO has defined a number of themes where specific risks and threats have been identified. These themes set the tone for regulatory action in 2018 / 19. The priorities for regulatory action are:
- Large scale data and cyber breaches involving financial or sensitive information
- AI, big data and automated decision making
- Web and cross device tracking for marketing (including political purposes)
- Privacy impacts for children (including Internet of Things connected toys and social media / marketing apps aimed at children)
- Facial recognition technology applications
- Credit reference agencies and data broking
- Use and sharing of law enforcement data, including intelligence systems
- Right to be forgotten/erasure applications
The regulatory action policy states the ICO will take a selective approach to enforcement action, using their discretion when looking at the features and context of each case, whilst applying their resources to the areas of greatest risk. Importantly, they will take account of the GDPR’s requirements for greater consistency across Europe when determining the appropriate type and level of regulatory response to their data protection remit.
Usefully, the regulatory action policy provides guidance for when enforcement action will be considered, which includes for:
- The nature and seriousness of the breach or potential breach
- Where relevant, the categories of personal data affected and specifically special categories
- The number of individuals affected, the extent of any exposure to physical financial, psychological harm, and, where it is an issue, the degree of intrusion to their privacy
- Whether the issues raises new or repeated issues, or concerns that technological security measures are not protecting the personal data
- The gravity and duration of a breach or potential breach
- Whether the organisation or individual involved is representative of a sector or group, raising the possibility of similar issues arising again across that group or sector if not addressed
- The cost of measures to mitigate any risk, issue or harm
- The public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue or dispute)
- Whether another regulator, law enforcement body or competent authority is already taking (or has already taken) action in respect of the same matter
- In relevant cases, the expressed opinions of the European Data Protection Board
What does this mean for schools?
There’s a few important points here that will help prioritise your efforts in managing compliance.
If you haven’t done so already make sure you have undertaken a comprehensive technological assessment of your IT systems and services against the NCSC 10-Steps to Cyber Security. why?
The first theme in the ICO’s priorities is cyber security and specifically security of sensitive information. Schools process significant amounts of sensitive data and need to evidence appropriate protection. When reporting a data protection breach, this guidance infers your school will be asked about the technological and cyber security protections you had in place to mitigate such risks. If you haven’t any, don’t know or just can’t answer the question, then there is greater probability of being investigated further.
The Data Protection Bill 2018 reinforces the IT systems management cyber security expectations through the following requirement:
- Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.
- In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to:
- Prevent unauthorised processing or unauthorised interference with the systems used in connection with it
- Ensure that it is possible to establish the precise details of any processing that takes place
- Ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored
- Ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions
We've developed and are delivering an efficient IT systems technical and vulnerability assessment against the NCSC 10-Steps to cyber security. Every organisation is required by law to undertake one. It's not optional. Working with 9ine gives you the opportunity to baseline your IT systems compliance against similar sized and funded schools.
Ensure you have assessed and documented the costs for mitigating actions required to reduce the likelihood of a breach from the processing activity you undertake. Why?
The regulatory action policy makes clear that organisations who self-report and engage with the supervisory authority to resolve issues, as well as those who demonstrate strong information rights accountability arrangements, can expect the ICO to take these into consideration when deciding on enforcement action. It is those organisations who understand their risks and know the costs to remediate them, even if they cannot afford the remediation action, who will be encouraged and rewarded. Organisations who do not assess their risks, can afford to mitigate their risks, but do not, are more likely to be deemed intentionally or wilfully negligent. The takeaway being: assess the costs required to mitigate the risks associated with processing even if you know you do not have the immediate funding to mitigate the risks.
Having access to experts such as 9ine's DPO Essentials Team is part of the assessment a school needs to undertake when considering the provisions of 'necessary resources'. Our team of Education experts can advise and guide you.
Ensure you understand the risks to processing in the education sector and take proportionate mitigating action. Why?
The ICO will take greater interest in breaches of information rights that could be representative of a sector or group. There are three areas of concern which we have identified as representative of the school sector. These are:
- Cyber security awareness and adherence to the NCSC 10-Steps to Cyber Security. This is a topic regularly reported on in the national and international press. There is gap in experience and expertise and is one of the areas where schools are asking for support in, including advice on when an IT system fails or cyber security breach has occured
- Management and security of internet filtering data given the obligations of Keeping Children Safe in Education 2016. Common themes are that the wrong people are managing filtering in schools and that data subjects may not necessarily be aware of how the systems are profiling and reporting on their online behaviour. In many cases the systems are not configured properly, which means they are not working properly and identifying risks - this is both a breach of Keeping Children Safe in Education and the GDPR, under Article 32 1(b) availability.
- Physical access and management of paper and hard copy documents. Common themes are lockable storage not being provided, or being underutilised or even when provided, and clean desk policies not being in place or enforced.
You should take these three examples, document them as risks for your school and assess you level of compliance given the issues we have described. You should also be aware of ongoing and developing risks in the sector.
It is no conincidence that as a consultancy practice, we've developed an in-house team of experts with a core of technical, cyber security and data protection expert consultants. This expertise is required by law and is available to all our schools on DPO Essentials.
When is a school likely to face a penalty notice?
The ICO’s decision to impose a penalty notice gives consideration to the following:
- The nature, gravity and duration of the failure
- The intentional or negligent character of the failure
- Any action taken by the data controller or data processor to mitigate the damage or distress suffered by the data subjects
- The degree of responsibility of the data controller or data processor, taking into account technical and organisational measures implemented by the controller or processor
- Any relevant previous failures by the data controller or data processor
- The degree of cooperation with the Information Commissioner, in order to remedy the failure and mitigate the possible adverse risks of the failure
- The categories of personal data affected by the failure
- The manner in which the infringement became known to the Commissioner, including whether, and if so to what extent, the data controller or data processor notified the Commissioner of the failure
- The extent to which the data controller or data processor has complied with previous enforcement notices or penalty notices
- Adherence to approved codes of practice or certification mechanisms
- Any other aggravating or mitigating factor applicable to the case, including financial benefits gained or losses avoided, as a result of the failure (whether or indirectly)
- Whether the penalty would be effective, proportionate and dissuasive
The aggregation of the ICO’s strategic themes, the principles for choosing enforcement action and the type of penalty to impose gives us a good indication of the level of accountability required by schools to demonstrate and manage compliance.
Whilst it is unlikely state funded schools will be fined significant sums due to the disproportionate impact on finances and lack of benefit in doing so to the wider public, the receipt of enforcement action through other means is highly likely. This may lead to a greater organisational impact on those schools than that of a financial fine. It is our interpretation that fee paying schools can expect a lower degree of leniency when it comes to enforcement action through financial penalties.
Our expert Data Protection team have 25 years of experience working with the ICO on personal data breach management. Having access to Education experts in data protection will support, reduce risk and enable breaches and information rights requests to be dealt with efficiently.
The expertise required to prepare for and manage compliance is not to be underestimated
We have a extensive team of experts to support school leaders with expertise, knowledge, policies, processes and procedures to prepare for and manage compliance. Schools joining our DPO Essentials service are able to implement and demonstrate the organisational and technical measures they have put in place given their obligations. Some of the benefits:
- A service desk resourced by qualified data protection officers to answer questions, queries on data protection, providing management support in the event of a breach and when receiving information rights requests
- Data Protection Safe Information Handling documentation that explains to staff how to handle physical and digital data
- Information Rights policies and procedures, with 9ine handling all information rights requests (including subject access), identity validation, execution of the request, logging and auditing
- Breach Management policies and procedures, with 9ine managing a seven stage approach that includes the following:
- Log, evaluate, acknowledge - identifying the type and extent of the breach
- Evaluate and act - based on the data protection Serious Incident Requiring Investigation (SIRI) protocol, putting in place proportionate measures to minimise the breach
- Containment and recovery - putting in place the actions to minimise the impact of the breach
- The right to be informed, including how to develop privacy notices, where they are required, and example privacy notices to use at points of collection
- Guidance on the completion of DPIAs as prescribed by the ICO
Organisationally we have the greatest depth of expertise within the education consultancy sector, with in-house data protection consultants, data protection officers, cyber security, and IT operations management expertise. For more information on how we can help your school.