Check out the show description
In this special episode, Michala Liavaag and Hannah Nacheva, a Data Protection Officer, discuss what you need to know about data protection and privacy.
28th January 2022: Data Privacy Day.
👉 Cited in this episode:
Records of processing ROPA https://ico.org.uk/for-organisations/accountability-framework/records-of-processing-and-lawful-basis/
Human rights equality Act: https://www.equalityhumanrights.com/en/human-rights-act/article-8-respect-your-private-and-family-life
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Read the episode transcript
Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders
Hello, I’m Michala Liavaag, founder of Cybility Consulting and host of the Cybility Savvy podcast and the YouTube channel Cybility TV. Today I’d like to welcome you to data privacy week. The purpose behind having a data privacy week is to impress upon everybody the importance of online privacy, and educate people about how to manage their personal information. Because in this day and age of technology everywhere: in our pockets, in our homes, you know, how can we actually keep it private? But that's not what I’m actually going to really talk to you about today, because you're here as leaders in your organizations, wondering what you can do to help your organization respect the privacy of people that you serve, and also being transparent about how you collect and use people's data.
There's a bit of confusion around the terms, which in one way you know, kind of doesn't matter, because the key thing is you're thinking about data anyway. But for those of you who do want to know the difference, data protection really means different things depending on which perspective you're looking at. From a legal perspective it's all about the sort of protection of people, their data, and their right around how their data is used. Whereas data protection in a security sense, is actually around things like the controls to protect those people's rights. So, for example encryption would be part of data protection, but anything that can help prevent data from being corrupted or destroyed that sort of thing. So different things in different perspectives depending on who you are. But ultimately the privacy side and the security side both go in data protection. And these in turn, are part of the information governance function.
Privacy is probably one of the things that most people think of in relation to data protection, because you're thinking very much about people's rights, and how organizations can use their data lawfully. And that is part of data protection absolutely, people's rights and having a representative representing those rights in an organization, and having that viewpoint is quite important. Then you've got the security aspect of it, where we're really thinking about confidentiality, making sure that there are controls around protecting all information that needs to be protected, not all information is as valuable as others, in terms of the controls that we put around them. And then we've got the sort of thinking around integrity of information, and making sure it's accurate and not corrupted, and then also the information is available to all that need it at the time that they need it. So those are the sort of security concerns.
Now the thing that kind of joins them together is the aspect of confidentiality. From a legal perspective, you've got the commonality of confidence, where if there's certain information that somebody would expect to be treated as confidential, like my health record for example, then people with access to that are expected not to share that with people without my consent. So you've got the privacy side looking at people's rights, you've got the confidentiality nature of some of that information, and security protecting that.
One thing that kind of wraps around all of this is ethics around how data it is used. When we think about how data is used, we think about the information life cycle. So this is really one of those core building blocks for everything around what we do with data, from how we actually either create it in the first place or collect it from others, how we use it and where we store it, who we share it with, and particularly with partnerships in not-for-profits, there's an awful lot of sharing that does happen. The bit that people tend to sort of sometimes forget, is the archiving safely of that data if it needs to be kept for a certain period of time, and if it doesn't need to be kept, then the secure destruction of that data.
When you think about, you know, privacy teams, data protection officers, and security teams, we all care about data as it moves through that life cycle, but we look at it in slightly different ways. A data protection professional would look at it from a kind of: is it actually legal to do this from a data protection law perspective? Also a consideration to: is it ethical? Because just because it is legal doesn't mean we should. In healthcare actually, they also have Caldicott Guardians whose role it is to specifically look at: is it ethical to do that with healthcare data?
When you've got a data protection person saying it's legal, and in healthcare the Caldicott Guardian saying it's ethical, then when it comes to security, we don't need to worry about that, because that's already been answered. We look at then: how do we secure it and actually achieve those objectives and make sure it can all be used in a safe way? So, we've already spoken about the elements around information governance, data protection, privacy, and security, but what does that actually mean for you as people that need to seek assurance and hold the responsibilities for the organization?
Whilst I’ve worked in information governance for a long time and I specialized in information security, I thought I’d invite somebody along to talk a little bit more about it. So, I’d like to welcome Hannah Nacheva along to the channel today. Hi Hannah.
Hannah Nacheva: Hi Michala, thanks very much for having me on board.
Michala Liavaag: Oh you're welcome thank you so much for coming along today appreciate it.
Hannah: No problem at all.
Michala: What was your take around the way I kind of broke out the privacy, data protection, security and information governance?
H: It fits with the way that I understand it. Information governance being the governance of your information, whether that's personal data or whatever data it is, you know: personal, confidential data, whatever you manage, that's information governance. Then we've got cyber security or IT security, which is the technical measures that you have to protect digital data or electronic data. I mean we could all go into data management, data hygiene. It's fairly simple, keep it simple, stick to the kiss principles.
M: There's a lot of confusion around some of these terms and what it really means for people. Could you perhaps just give us a very simple overview in terms of what it means in terms of the obligations around data protection for particularly the boards?
H: Okay, with the introduction of GDPR in 2018, that moved data protection responsibility up the ladder a little bit. So now it is very very firmly in the hands of the board in terms of directing privacy, and the responsibility for privacy. The intention of things like fines, for example, was definitely to actually make it very very clear that the responsibility for privacy and data protection rests with the board. One of the most important things around board level responsibilities is the idea of having a data protection officer. If your processing involves a large amount of sensitive data processing, so things to do with people's demographics, their religion, perhaps their health, their gender, that means that you will need to appoint somebody who is specifically overseeing your data protection responsibilities, and advising you on those. As a data protection officer, I will often be reporting back to the board on their responsibilities, giving them almost like a state of the nation report on their responsibilities in terms of data protection, and how the organization is meeting those obligations, and keeping people safe, which is what data protection is about. It's important to bear in mind that the legislation's intention was to try and balance out the rights of a data subject and to give them more control over their data, and more of a say in what large organizations do. There's a power imbalance between an organization, which tends to hold more power over people, particularly in the employment space. When you're talking about processing employment data, or for the purposes of employment, where you have that duty of confidentiality over the information that you use. The responsibility of the board is to make sure that they are being responsible and ethical with that processing, not over processing, not using too much data that you don't need. So one of the first principles as well is: if you don't need to process personal data, don't do it.
I think that the data minimization principle is probably the biggest one. Only use it when you have an absolute essential business use for it.
M: What would you say to those on the board who've perhaps read something about the fact that the UK after Brexit is no longer part of the EU, so what about if they've sort of heard or been advised that: oh no, don't worry, GDPR doesn't apply to us anymore?
H: Absolutely not the case. So what happened when we Brexited was that we, essentially, had already incorporated GDPR into our laws. So GDPR sits alongside the Data Protection Act 2018 in UK law. So basically GDPR has now become UK GDPR for the purposes of the law, all of our laws. So the Data Protection Act is actually the law that clarifies the application of UK GDPR. So what happened when Brexit occurred was that a few things were changed in terms of the scope and who is responsible. So, for example, in EU GDPR the person who is responsible and makes decisions around things like adequacy would be the European Data Protection Board, but in the UK that would be the Secretary of State now. It has undergone a few tweaks to make it applicable to UK law, but all of the articles were still very much copied wholesale over from one law to another, so GDPR is still very much relevant and valid.
M: Brilliant thank you for clearing that one up. The GDPR then still applies to us. We've got the data protection that still applies to us. You talked about those obligations as a board, and how everything was sort of lifted up slightly. What would you say that I should be asking the exec team about that data processing? What questions would you advise that we ask to seek their assurance?
H: Right, so I would ask them: how do they build privacy by design into your innovation? So as a board, you will be presented with strategic change programs, with programs of innovation, to sign off on new suppliers, to sign off on tenders, and what I would say is to always bear in mind the use of data within those. So let's speak about the idea of a data controller. Most boards will be classed as a data controller. So they are the people who collect the data, who use the data, and who make decisions about it. And often the third-party suppliers who you are employing to do projects with, or to do new strategic innovation projects, they will be your data processor, so they're almost doing it on your behalf. You are still responsible as the data controller for whatever the data processor does, so therefore it's very very important that you scrutinize those tenders, you scrutinize the use of the data, you scrutinize the data transfer, and the data security arrangements within the contracts, and that it's very very clear as to who's the data controller, where the responsibility lies, and what their obligations are to you, as a data processor, for the security and safety of that data. And also to make sure that there's something, a get out of jail free card, when that contract ends. Another key idea or a key principle is that the data doesn't belong to us.
M: Could you just perhaps explain a little bit about whose data is it anyway? The idea of a data subject, some people won't be familiar with that term.
H: So, a data subject in law, in the regulations, is a living breathing individual. They call it a natural person in law, which sometimes confuses people because they go: well, what is an unnatural person? Actually, in law, an unnatural person exists. So, an unnatural person would be an organization, in legal terms, who you would sue. You wouldn't sue the individual, you would sue the organization. So, you would sue the unnatural person. Whereas GDPR only applies to natural persons in law, and these are living individuals who have rights. And remembering the origins of data protection come from article 8 of the European human rights act, where that comes from, and living people have rights and they have rights over their own data and the data belongs to them. If it identifies them, then it is their data. You are borrowing it, and using it with their permission.
M: That's a really key point right there. Companies think they own data that they've collected, when actually it's more like the organizations are custodians of that data and have responsibilities to those. I just want to go back a little bit. You mentioned the importance of obviously looking at it throughout the whole life cycle. Talk just very quickly a little about the sorts of things we might be thinking as we move through that life cycle.
H: Say for example we have employed a new web design company to come up with a new data collection site. So we've got an event running, where we will want people to sign up to run in a marathon for us. That will involve collecting people's data, so that you will have a sign up form and the event hosting company who is creating this new website for this event is creating a new data collection portal for you, so people can sign up for this event. What you've got to think about is what is your legal basis of processing. What is the reason that you are collecting that data? Because you cannot cross purposes. So you can't collect the data and then use it for another purpose. You've also got to make sure that it's kept safe and secure, so you've got to make sure that that web portal has the necessary security arrangements that you will require to keep it up to your standards of security. So you've got to make sure that's screened to make sure that it's secure. You've also got to make sure that you have a data sharing agreement in place with that new supplier, which sets out their obligations to you as a processor, what they're supposed to be doing with your data or data they're collecting and what they could use it for and what they can't use it for. You might also want to scrutinize their obligations under article 28 of GDPR, which is looking at liability. So what sort of data are they collecting? For example, maybe this event is quite strenuous, you want to make sure the people are over 18 and they're of good health. If you're starting to collect health data around them, you know do you have any pre-existing conditions which may mean that you can't participate in this event? You've always got to make sure that you have explicit consent from the person to collect that data, and you explain to them why that data is needed. All of these things must be set out in the contract. 
If they are processing particularly risky data or sensitive data, which would come under article 9, which is the demographic data about people's health, religion, gender, that sort of thing, that there is extra liability in that contract to cover you for the potential fallout of a data breach. The greater the risk of the data, the greater the fallout of the data loss or a breach of security, which will lead to the loss of that data. So you have got to make sure that, not only have you got the security to cover that data, but you've also got the fallback so if that security does fail, that you have got the confidence that they will be able to compensate you for the fallout of that breach. So, the greater the liability, the greater the amount that they will compensate you in that contract for the loss of that data. So when that arrangement ends, when that data processing ends, you have something in that contract that says: when you've done that, you will delete all of the data or return it to us.
M: Well what I’m hearing then, is we expect certainly large organizations, people that are sort of working on these events and sorts of things, they know all this stuff and they're doing it all. But we still need to be challenging and asking these questions around that. You mentioned earlier, if we just pop back to the life cycle for a moment, about using it, storing it securely, how we share that information. Particularly I’m interested to say a little bit about the archiving and destroying. You talked about how after whatever this event is in their contract and that relationship with the party ends, about giving that sort of data back but what about the challenges around understanding whether you should be archiving or destroying it?
H: Remember: archiving is still a processing operation in law. The longer you keep data, the more you are at risk from that data. So you must have a really good reason that you'll need to archive and keep that data. And usually that is because of a retention obligation that you have, which is actually set by other pieces of legislation. If you have a will, so you're processing data because there is an estate, then any data that is to do with the wrapping up of that estate will need to be kept for 13 years after the death of the individual. You won't need to have that actively sitting in a database where you can access it. You will want to archive that data and keep it secure somewhere, where it is put out of reach of normal use. So you'll want to have a data warehouse somewhere, which keeps that securely and locked away, but you will want to maintain strict access control over that data. So you won't want people touching that data, or using it in any way. You also may want to think about having some sort of archival routine, based on when you have archived that data, so that it can be securely deleted once that retention limit has been reached.
M: I’m just thinking that a lot of people out there, they're not all going to be running large organizations with teams of people who can sort of go away and do all this stuff. What if I’m perhaps a trustee of a smaller charity? Do I still have the same obligations even though I don't have those resources?
H: Absolutely! You still have the same obligations, but I don't think it needs to be a bells and whistles approach. You don't have to have complicated data warehouses, you just need to have an awareness of where your data is, what you're using it for, and how long you need to keep it. And I think that's just generally, you know, having a record of processing activity is really key for this. And a record of processing activity doesn't need to be really complicated to have. All it does is it says okay this is the type of data we hold, this is the reason why we're using it, this is where it is, this is how long we have to keep it. And that's basically all you need to know around your data. And as long as you've got a list of that kept somewhere, you can keep it on a spreadsheet, I wouldn't recommend writing it down on a piece of paper or a set of post-it notes, but having it somewhere where you can access it, and you can look at it, you know where your data is, knowing where your data is means that you can keep control over it.
M: Thank you, that sounds a lot more doable.
H: Absolutely. Being aware of your data processing is a real key thing to have when you're a trustee because, obviously, you're responsible for this. You're responsible for making sure that your executive knows where their data is, knows what they're doing with it, and knows who they're sending it to. Because, you know, that is a key element of trust. Trust is very paramount to data protection and data privacy.
M: And security.
M: I think that's really really key point Hannah, thanks for stressing that. Just because something's legal doesn't mean you should do it.
H: If you tell people what you're doing with it and particularly if you're relying on consent to collect data. Incentivizing that consent is not illegal. You can put that in, that's fine. For example, Sainsbury’s saying if you sign up to our rewards program, we'll collect your data, but here you can have some money off vouchers every month, that's perfectly legal, and it's called the data value exchange, they're more inclined to give you their data, and they're more likely to want you to keep it if you're keeping it safe and secure and they know what you're doing with it.
M: Just thinking then about sort of key takeaways then for this week. Let's pretend you know, I’ve got a board meeting next week, that project's there. What are your top three takeaways that I need to be thinking about and challenging for their insurance?
H: Data protection is all about privacy and security. Privacy by design means that you're always thinking about the person whose data it is, and your responsibilities and obligations to them when you're collecting it. So, always bear in mind: would I feel comfortable with this? Do I understand it as a party when I’m collecting data? Is it understandable, is it clear? People can't consent to things that they don't understand or are not clear to them. So, is it transparent? If I’m getting somebody else to collect that data, are they being transparent? Do we understand what they're doing with the data? Do we know where our data is? Do we know that it's secure? Do we know that we're deleting it when we no longer need it? All of these things are things that you need to think about, and that builds privacy and it bakes it into everything that you do. Always bear in mind: would I be happy with this as a data subject?
M: That's perfect, thank you. It's actually one of those questions as well that I use in training: would you be happy thinking about your data, you know, being looked after by our own organization? And that can be an interesting answer depending on where you are. So, no, thank you so much, I really appreciate you coming and joining us for data protection day this year.
H: My pleasure.
M: Okay, see you again then.
H: See you, bye bye.
Adequacy: when the EU recognises that a country or entity provides an equivalent level of protection for personal data as the EU does
Legal basis for processing data:
Performance of a Contract
The retention period can be derived from 1) legislation, 2) contract, 3) business requirements, in that order.