We all remember the GDPR rush of 2018, when organisations raced to collect consents for marketing emails and publish updated Privacy Notices before the new data protection legislation – GDPR – came into effect on 25th May 2018. We were all focussed on getting our data protection policies in place. But what’s happened since then? Are we all compliant, job done? If only it were that simple. The truth, though, is that many organisations still have a long way to go; even those with well-written Privacy Notices and Data Protection Policies aren’t necessarily following their own policies. This is where Data Protection Governance comes in. What is Data Protection Governance, and why is it so important?
Take the shocking data breach at Hackney Council, where names and addresses of potentially vulnerable tenants were publicly available on the Internet. This article from the BBC explains the data was freely available because the privacy settings weren’t set properly on the software being used to store the data, which was (the free version of) Trello.
However, that’s only the last broken link in a chain of events that, in my opinion, shouldn’t have happened in the first place.
How did the data breach happen?
If we look at Hackney Council’s Privacy Statement, this section about sharing data sounds very reassuring:
“We ask a number of companies to collect, store or handle your information on our behalf to help us to deliver our services – for example our ICT system providers. We remain responsible for your information and ensure that the right safeguards are in place through measures such as contract clauses.”
That’s exactly what I’d want to hear if Hackney Council were handling my personal data. But unfortunately, I think the data breach shows the policy isn’t necessarily being followed, perhaps due to a lack of oversight and governance.
Using Trello to store data
I’m making assumptions here, but I’m pretty sure that using the free version of Trello to store sensitive data wasn’t appropriately risk assessed. If it had been, I’d like to think it wouldn’t have been signed off on.
Even if it was signed off, should it have been? Have the risks involved in the use of Trello to store sensitive data been understood, assessed and controlled? As the Privacy Statement claims, have the right safeguards been put in place?
Putting aside how Hackney came to be using Trello, I’d be interested to know if there were rules for staff members about what types of data should/shouldn’t be stored in Trello, and if there was any training for staff on how to use the privacy settings properly.
So the breach may well be the result of a chain of unfortunate incidents, not just one setting being configured incorrectly. Every circumstance that allowed a link in a chain like that to be added is an example of a lack of governance, specifically data protection governance, in the organisation.
Hackney Council, like so many organisations, have undoubtedly been under a lot of pressure to continue providing services to residents throughout an unprecedented pandemic, and I’m not being cold-hearted about this. I completely understand the pressure and stress so many organisations continue to struggle with, and I am sure most people in councils and in social housing want to do the right thing by their residents, tenants and customers.
If you’re interested in learning more about how to translate that intention into actions, by building data protection governance into all of your processes, join me for a free webinar especially for the social housing sector – Using Your Customer Data to Build Trust & Fulfil Your Purpose:
Wednesday 8th September 2021 at 11am on Teams.