IT practitioners urge councils to review information governance ahead of law changes

A group representing IT practitioners in the public sector has urged councils to review their information governance arrangements ahead of impending changes to data protection and online privacy laws.

Socitm also warned supplier organisations that they should plan for more demanding compliance enquiries from their customers in local public service delivery, and from the citizen/business users of those services too.

In a briefing Socitm suggested that compliance with some aspects of the new legislative framework "could be difficult".

Dr Andy Hopkirk, Head of Research at Socitm, added: “Accommodating the changes will be a matter of amending existing processes rather than inventing new ones. Some of the changes could be onerous and problematic. For example, councils will need to be able to deal correctly and completely with ‘right to be forgotten’ requests - perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world.”

Key features of the changes highlighted by the group are contained in:

  • the draft European Data Protection Regulation that will replace the Data Protection Directive currently in place; and
  • the new EU-US Privacy Shield replacing the Safe Harbor agreement of 2000 that was struck down by the European Court of Justice in 2015.

Socitm noted how the Safe Harbor agreement bridged cultural and political differences between Europe and the US regarding online privacy. “While the EU sees protection of personal data as a human right, America considers it mainly in terms of consumer protection. Safe Harbor allowed firms to transfer data from the EU to America if they self-certified safeguards equivalent to those required under European Data Protection legislation.”

It added: “Legal action in the wake of the Snowden revelations challenged the degree of protection for citizens’ data provided by Safe Harbor. New measures giving foreigners’ data some legal protection have been put in place, but it is not yet known whether the European authorities will consider that US privacy protection is now adequate.”

The briefing said that, operationally, it looked as though the new EU-US Privacy Shield would make it at least as safe as before for UK public services to use US cloud service providers.

Socitm said the new European Data Protection Regulation would meanwhile update the law to accommodate technologies and usage not known when the UK’s own Data Protection Acts were drafted in the mid-1990s. These technologies and usage include pervasive online business transactions, social media and cloud computing.
 
“Key principles set out in the draft are to increase digital security for individuals; make the data protection legislation suitable for the digital age; and reduce bureaucracy,” it said.

“Individuals are to get easier access to their own data and clear, understandable information about how it is processed; it will be easier for them to transfer their personal data between different service providers and, subject to circumstances, they will have the right to have their data deleted.
 
“The new laws apply to companies based outside the EU that store and process the personal data of all those resident within the EU. National supervisory authorities will be empowered to enforce these laws, with the ability to impose significant penalties for non-compliance.”