Data rich, insight poor - launching Alarm's Blue Light Group
There was a large and enthusiastic turnout at the first Blue Light seminar of the combined police and fire sector groups. Members gathered at law firm sponsor Browne Jacobson's historic Victoria House office in central Birmingham for a data-themed event.
Daniel Milnes, Partner and Data Protection Officer at Forbes, kicked off the day with a fact-packed session on GDPR and privacy regulation in general. As he commented: "we all have to do it. It's not going away. Also, be warned: the ICO may want to make an example of public organisations."
Everyone has 25 May in their diaries as D-Day for data regulation changes. Here are some of the key tips Daniel discussed:
- Old style consent will not cover you, so you have to get new consents by D-Day or find a different lawful basis for processing those data.
- The Public Register of Data Controllers will no longer be available. You have to actively manage (and be seen to manage) consents and privacy notices directly from your organisation; it is the organisation's responsibility to publish for the public record.
- Check the extent of your cyber insurance cover.
- Keep an eye out for potential future class actions – like Morrisons where liability can arise from wrongful actions of an employee.
- Look out for new offences, including:
  - Re-identifying individuals from anonymised data.
  - Withdrawing information: don't make data harder to find, as it can look like a cover-up.
- Even small amounts of data can reveal identity information. Watch out for the small numbers rule, especially in FOI requests.
- There are only 72 consecutive calendar hours to report a breach, so have a good and rapid data breach plan; it also forms part of your data security compliance.
- Don't forget: if no one has read the data, there is no breach. If data is misdirected, all is not lost; it can be redirected. Act fast.
- The accountability principle means you MUST have a compliance plan and not just a data protection policy.
- The more data you hoard, the greater the risk.
- Look at individual data subject rights:
  - The right to erasure only applies in six instances; it doesn't apply to everyone all the time. Don't delete things you shouldn't delete just because the subject asks you to.
  - The right to object to profiling means there is now a right for automated decisions to be looked at by a real person. It is the decision that is reviewed, not the profiling.
  - Data portability is the right to have back, in a portable format, data that the subject has provided. Don't give out more information than you need to: this is not a Subject Access Request.
  - The right to complain. There will be more complaints; the ICO is recruiting more staff to handle them because of the GDPR statutory duty to investigate.
- The GDPR covers all types of information, from notice boards to CCTV. People, not machines, cause breaches, so manage your use of paper as well as online information.
- Training and proof of training is essential – you have to be able to prove your training and your systems.
- Include third parties and supply chains (like your forensics team) in your GDPR measures. Create new contracts that are GDPR compliant and bring existing ones up to standard.
- Part 3 of the Data Protection Bill implements the Law Enforcement Directive and creates a different version of GDPR principles and rights in a law enforcement setting. It also takes effect on 25 May 2018.
- Bodies with an investigatory or prosecuting function (police forces, fire authorities and local authorities) will need to assess which version of the regime applies to dealing with any individual.
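The small-numbers rule mentioned above is a statistical disclosure control: a cell with a count of one or two can identify a person, and hiding that cell alone is not enough when the row and column totals are still published, because the hidden value can be recovered by subtraction. The following is an added illustration, not material from the seminar or from Forbes; the threshold of five, the station names and the incident figures are constructed assumptions, and the table is assumed to have at least two rows and two columns.

```python
"""Small-numbers rule for a frequency table before release (for example in an FOI
response): hide cells below a threshold, then hide enough extra cells that no
hidden value can be recovered by subtraction from a published row or column total.
"""
from copy import deepcopy

# Constructed sample input (hypothetical figures, not from the seminar):
# incidents per station by category.
SAMPLE = {
    "Station A": {"fire": 42, "rescue": 3, "false alarm": 57},
    "Station B": {"fire": 18, "rescue": 12, "false alarm": 40},
    "Station C": {"fire": 2, "rescue": 9, "false alarm": 1},
}

HIDDEN = None  # marker written into the released table in place of a count


def _lines(table):
    """Every row and every column as a list of (row, col) cell coordinates."""
    rows = list(table)
    cols = list(table[rows[0]])
    return [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]


def primary_suppression(table, threshold=5):
    """Hide every non-zero count below the threshold; true zeros stay visible."""
    out = deepcopy(table)
    for row in out.values():
        for col, count in row.items():
            if 0 < count < threshold:
                row[col] = HIDDEN
    return out


def exposed_lines(table):
    """Rows/columns with exactly one hidden cell: that cell equals the line total
    minus the visible cells, so primary suppression alone is defeated."""
    return [line for line in _lines(table)
            if sum(table[r][c] is HIDDEN for r, c in line) == 1]


def secondary_suppression(table, original):
    """For each exposed line, also hide its smallest visible cell; repeat until no
    line has exactly one hidden cell (each pass hides at least one cell, so it ends)."""
    out = deepcopy(table)
    while True:
        exposed = exposed_lines(out)
        if not exposed:
            return out
        for line in exposed:
            if sum(out[r][c] is HIDDEN for r, c in line) != 1:
                continue  # an earlier fix in this pass already covered this line
            visible = [(r, c) for r, c in line if out[r][c] is not HIDDEN]
            r, c = min(visible, key=lambda cell: original[cell[0]][cell[1]])
            out[r][c] = HIDDEN


def release(table, threshold=5):
    """Apply both steps and return the table with its row and column totals,
    which are still published in full."""
    hidden = secondary_suppression(primary_suppression(table, threshold), table)
    row_totals = {r: sum(table[r].values()) for r in table}
    cols = list(next(iter(table.values())))
    col_totals = {c: sum(table[r][c] for r in table) for c in cols}
    return hidden, row_totals, col_totals


if __name__ == "__main__":
    released, row_totals, col_totals = release(SAMPLE)
    for r, cells in released.items():
        shown = {c: ("*" if v is HIDDEN else v) for c, v in cells.items()}
        print(r, shown, "total", row_totals[r])
    print("column totals", col_totals)
```

On the sample, three cells fall below the threshold but seven end up hidden once the totals are taken into account, which is the practical point: a small-numbers check applied cell by cell, without looking at the totals, leaks exactly what it was meant to protect. This basic row-and-column rule does not protect against an attacker who combines several lines as simultaneous equations; for releases where that matters, the remaining hidden cells also need an interval (bounds) check, or the totals of heavily suppressed lines should be withheld as well.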
Alix Bedford, Risk Consultant at Zurich Municipal, presented on cyber business risk. Alix said cyber attacks are increasing in number and sophistication every day, and that there is a greater threat of smartphone attacks and denial of service attacks.
She started by asking pertinent questions: “is your organisation doing enough to understand your cyber risk? Is your organisation doing enough to protect against cyber risks? How does your organisation protect vulnerable data?”
Alix made some key points:
- According to PwC's Global Cyber Risk Survey, former employees are the most likely source of data breaches, so human resources and legal teams need to be involved in data security measures.
- The internet of things (connected devices on the asset register, like MRI scanners in the NHS) creates data security issues. Risks include vulnerable entry points to the network, easy access to home networks and password generalisation.
- How involved are corporate boards in cyber security strategy? You need top level buy in and an understanding of resources.
- A chief information officer is a false mitigation if he/she is the only one with the knowledge across the organisation.
- Mandatory training on cyber security should be at least annual, at best updated as new threats appear.
- A cyber incident response plan should be part of the business continuity plan. It has to cover the whole of your supply chain.
- The number one loss of data is in fact loss of paperwork.
- Cloud security and stability risk checklist:
  - Will data remain in the UK or a GDPR compliant country? Data protection must meet the same level of security.
  - If you cancel or end a contract with an IT provider, what is the guarantee of no information remaining on servers or hard drives?
  - Inspect the cloud provider. What is the physical level of risk in the building?
  - Audit all your activities.
  - How attractive is the rest of the cloud provider's data? Does it mean your data is more at risk?
  - What are the business continuity arrangements?
  - When and how will you be notified if there is an incident?
DCI Richard Evans from West Midlands Police gave a fascinating presentation on the value of big data and data science along with the ethical issues associated with their use. Richard explained what big data is and its advantages: “it is data that simple maths and normal software cannot deal with. The advantage of data science is that you can apply advanced statistical analytical processes over big data sets to provide information and insight that was previously unknown. This insight has validity due to the scientific approach to acquire it, thereby providing an evidence base for decision making.”
West Midlands Police and other forces in the UK and abroad are improving their analytical maturity by using data science and advanced analytics to inform decisions on resource allocation, interventions and assist in workforce management.
For example, in Seattle the police department has utilised a new data platform to improve its understanding of many areas of its business, including complaints about officers, thereby improving the way it can hold itself accountable.
Data science, as Richard commented, is neither easy nor cheap but has positive uses. It is highly accurate in its predictions but also highly contentious, and it can create false positives. There are reputational issues if the public loses trust and faith in policing, so addressing the ethical issues attached to its use is paramount.
He talked through a case study based on the work being done at West Midlands Police and told the story of the development of the ethics board that governs decisions on the use of big data and data science.
Slides from the Blue Light event are available to download from Past event outputs.
Kath Holder from West Midlands Police, Chair of the Blue Light Group, introduced new fire representatives, Charles Thomas from Essex County Fire & Rescue Service and Sue Nugent from Devon & Somerset Fire & Rescue. She emphasised that Members are invited to lead on the location of where future events are hosted and what presentations are created, as well as content for guidance documents and webinars, to best support the Blue Light Group. Please contact Kath with your suggestions.
The Blue Light Group has 58 Police and 50 Fire Members and is recruiting new Members and new Member organisations, as well as Committee representatives. Contact a member of the Committee for more information.