Technical and Organisational Measures (TOMs) for the handling of data are key to Data Governance and Data Protection. On 20 Aug 2021[1], the DPC issued a decision (DPC Case Ref: IN-20-7-1) against the charity MOVE Ireland, imposing a reprimand and a fine of €1,500, and demanding various corrective actions, after detailing numerous failings on the part of the charity concerning Articles 5(1)(f) and 32(1) GDPR as they pertain to ensuring the integrity and confidentiality of data and to having adequate technical and organisational measures in place.

The case against MOVE Ireland is an interesting, but sadly common, one that interrogates how far a controller should go to meet its obligations for ensuring confidentiality, integrity, availability and resilience under Article 5(1)(f), including the proper application of ‘technical and organisational’ measures. As such, it’s a good case for any entity — large or small — that processes personal data.

Policies, Procedures and Training … And Then a Breach

MOVE (Men Overcoming Violence) Ireland is a registered charity. They focus on working with male domestic abusers via weekly group counselling sessions, and encouraging the men to take responsibility for and ultimately change their attitudes and behaviours. In those sessions, men speak openly about issues they face, their views about their partners and family, and in some cases, criminal activity.

MOVE employs a number of coordinators and 35 facilitators who lead the weekly sessions across Ireland. The facilitators were required to make video recordings of these sessions, which they stored on unencrypted SD cards, and later uploaded to OneDrive folders[2]. The sessions were recorded for the purpose of assessing the facilitators’ skills and method of delivering sessions. Data was not shared with others outside of the organisation.

On February 3, 2020, MOVE notified the DPC of a personal data breach after it discovered that 18 SD cards had been lost. MOVE Ireland was unable to determine whether the cards had been accessed, or whether personal data was included on them. The SD cards were first discovered to be missing in December 2019, and the loss potentially affected between 80 and 120 men.

On 12 Aug. 2020, the DPC issued an Inquiry Commencement Letter to MOVE “notifying the organisation that the DPC had commenced an Inquiry under and in accordance with section 110(1) of the 2018 Act.” [para. 3.7] The letter contained details of the personal data breach, and explained that the scope of the inquiry was limited to MOVE’s compliance with the principle of integrity and confidentiality pursuant to Article 5(1)(f) of the GDPR and the technical and organisational measures (TOMs) used by MOVE to ensure security of processing pursuant to Article 32(1) of the GDPR.

In its correspondence with the DPC, MOVE cited as a mitigating factor the fact that the charity had notified the DPC of the data breach in the first place, as it did not feel that the breach was a serious one, on the grounds that the SD cards were only unaccounted for and there was no evidence that they had been stolen or that others had accessed them without authorisation. A rather bold approach, if you ask me, particularly since their notification was well outside the 72-hour window of Article 33 GDPR. They also asserted that they had adequate policies, procedures and training in place around how to handle personal data.

(Claiming that the SD cards were simply unaccounted for was also a bold approach, as the DPC had taken action against O2 back in 2012 because it had lost a backup tape that may or may not have had personal data on it, so there was some precedent here, even if it wasn’t referenced in this decision.)

It Don’t Mean a Thing … If It Isn’t Regularly Improved

In her ruling, the Data Protection Commissioner identified the following key considerations:

  1. Whether MOVE adequately assessed the likelihood and severity of the risk to the rights and freedoms of data subjects affected by the breach;
  2. Whether the TOMs in place were sufficient to ensure confidentiality and integrity on the SD cards (and, to a lesser extent, the availability and resilience of the data)[3];
  3. Whether the measures implemented by MOVE were regularly tested, assessed, and evaluated for effectiveness in respect of the security of the SD cards.

To all three, the Data Protection Commission found MOVE Ireland was lacking.

Risk Assessment and maintenance of controls

The Commissioner stressed that, at the outset, MOVE failed to adequately assess risk. While MOVE had conducted an audit in May 2018, it had not considered risks related to the processing of recordings and the local upload of group recordings, particularly the sensitive nature of the content of those recordings, which may have included information on participants’ sex lives and criminal histories.

The DPC also dinged the charity for conducting a single point-in-time assessment of risk, rather than an ongoing, continuous review and assessment of the technical and organisational processes, procedures and measures relating to its data processing activities. The Commissioner repeatedly emphasised that, when it comes to security measures, controllers and processors must “continually evaluate the effectiveness” of their measures and controls (para. 8.12). In business-process speak, this is referred to as the ‘continuous improvement’ cycle — Plan → Do → Check → Act.

Plan Do Check Act Cycle (aka Deming Cycle or Shewhart Cycle) is a fundamental quality systems concept for the continuous improvement of processes, policies, controls, and governance.

And it was ultimately due to this lack of regular checking, assessment and evaluation that MOVE failed to implement appropriate TOMs, such as encrypting the SD cards (or better still, not recording sessions at all), conducting ongoing audits and oversight by coordinators to ensure compliance with organisational processes, providing regular training and awareness for staff members, and maintaining a proper records management system. As part of the corrective action component of the decision, the DPC gave MOVE until September 30, 2021 to bring its processing operations into compliance. Presumably, this occurred.

Setting a Fine Balance

The DPC also found that MOVE’s failures around Articles 5(1)(f) and 32(1) were sufficiently severe to warrant an administrative fine. While the fine amount of €1,500 was small (just 0.22% of MOVE’s annual turnover), it was necessary in order to dissuade the charity, and others, from similar behaviour. The low level of the fine illustrates the balanced approach that the DPC needs to take in such cases. As Clíona Saidléar of Rape Crisis Networks Ireland points out in the Irish Examiner report on this decision, “there isn’t any point in penalising the charity out of existence”, but action needs to promote better practices.

The Bare Minimum Isn’t Good Enough for Governance

The MOVE Ireland case is a good example of ‘meat and potatoes’ data protection decision making. The controller is a small, well-meaning organisation. The breach was relatively limited, and appears from the record to have had minimal actual impact to the data subjects. The fine was impactful to the controller, but certainly not headline-grabbing. There’s nothing flashy about this decision at all — and that’s why it’s so important.

The concerns raised by the Commissioner are points that each and every data controller and processor should be considering as part of their BAU (business as usual) processes. No one is immune from the obligation to implement effective TOMs (technical and organisational measures), or to regularly check and re-assess their risks and practices. Training and awareness need to be ongoing — not just one-off events. And the same goes for all those policies and procedures… Fortunately, we at Castlebridge have gotten awfully good at all this sort of thing and can help with reviews, audits, and training.

In other words, the bare minimum — just having something on paper — isn’t good enough in Ireland.

Footnotes

[1] While the judgment was made final in August, the DPC only posted the decision in November 2021.

[2] The DPC regularly spells this out as ‘One Drive’ but I have reverted to how it is spelled by Microsoft.

[3] As an aside, availability of data was not really addressed by the DPC. Coming from a security background, I find this interesting. Although MOVE noted that session data was retained only for four months, and was not shared with participants, there is a reasonable argument that if a data subject had filed a SAR seeking personal data held by MOVE, information contained on those SD cards relating to or about them would not be available.

Carey Lening

Carey Lening, CIPP-E, CIPP-US works with Castlebridge as an outside information security and risk consultant. She has over 20 years of progressive experience assessing risks and enabling top-tier data security and data protection for industry leaders like Facebook, Palantir and numerous Fortune 500 companies. Her cross-functional and cross-domain knowledge makes her equally comfortable discussing the legal nuances of data protection with lawyers, hashing out technical and operational security controls with engineers and information security professionals, doing a risk audit, and providing a high-level overview to the C-Suite.