How Good is the Public Sector at Recording its Data Processing Activities?
Right now, in Ireland, national attention has been given to the Mother and Baby Homes Commission and what is to happen with their findings.
This led us at Castlebridge to ask about how good Public Sector bodies are in general at keeping and protecting personal data. The first check would usually be whether they have kept proper records of the data processed. Under the Accountability principle of GDPR, organisations are required to actively prove their compliance with Data Protection Law. For many organisations this will take the form of documented processing activities, achieved by completing a Record of Processing Activities (ROPA).
The value of ROPAs is heightened in the public sector, where transparency on the use of public power to process the data of individuals is an area of necessary scrutiny.
We, at Castlebridge, have reviewed 30 ROPAs from public sector organisations in a report which is to be released next week. This review has revealed a series of recurring problems within the documentation kept which are highlighted below. Full scoring of the performance of individual Public Sector organisations will also be released next week.
The ROPAs reviewed in this report were obtained under Freedom of Information Requests by Digital Rights Ireland.
What is the Legal Requirement under GDPR?
Article 30 of GDPR mandates the conditions under which processing activities must be documented. Specifically, organisations must complete a Record of Processing Activities if:
- They have 250 or more employees (although this is contained in a Recital and not an Article, and Regulators have advised that compliance with other obligations is difficult to demonstrate without a ROPA being done)..
- b. The type of processing involved poses a risk to the rights and freedoms of individuals.
- c. The processing involves Special Category Data as identified under article 9 of GDPR.
- d. The processing involves criminal convictions or offences.
- e. The processing is carried out regularly and cannot be considered “occasional”.
The record kept must include the contact details of the Data Controller/Joint Controller/Data Processors. Furthermore, the organisations must:
- Identify the legal basis for the processing operation, including transfers.
- Identify the purposes of processing.
- Describe categories of personal data and the categories of data subjects.
- Identify the categories of recipients to whom personal data have, or will be, disclosed (including recipients in 3rd countries or International Organisations).
- Provide a general description of the technical and organisational security measures applied.
Common Issues Found
What are Processing activities?
Lack of understanding as to what actually constitutes “processing activities” appears to be a common issue among the organisations surveyed. For the record, this is pretty much anything that an organisation can do with personal data.
Lack of Detail
A further concern is a lack of regard for detail. For instance, the Competition and Consumer Protection Board states a processing activity as “Customer Charter” or “Health and Safety”. This definition is too vague and undermines the data subject’s ability to understand or question what processing is happening to his/her/their data. It also does not help the organisation to understand the rationale behind their processing activity, thereby limiting any chance for process improvement or quality control.
Purpose of Processing
There is a common misinterpretation of the meaning of “purpose of processing.” Organisations often record different types of documents instead of processing activities. For example, stating that “Contracts of Senior Management” or “administration” does not identify the reason why this data is being processed.
Another common area of concern is that of retention schedules. 20% of organisations surveyed did not mention a retention policy at all (potentially due to redaction). Among the other organisations reviewed, some included very specific retention schedules while others included very general policies such as “indefinite”, as was found to be the case with Health Insurance Authority and CORU. Some have retention schedules for all areas while others (see Commission for Public Service Appointments) do not. DIT states that it retains personal information “as long as is necessary to fulfil the purposes” leaving its policy less useful for the organisation itself and open to misconduct.
We will reveal the full report along with the scoring of organisations next week. But in the meantime, we can reveal that a very small portion of Public Sector bodies are doing an exemplary job of recording their data processing activities. This is a heightened concern when we think of the governmental power given to these organisations and the even more pressing need for transparency in their operations when it comes to our data. If the trust between government bodies and the public is to be improved, getting ROPAs right is a prerequisite.
How Can We Help
Castlebridge helps organisations think about their data as a critical asset that has to be governed well to mitigate and manage data-related risks. This goes beyond just putting in the frameworks, tickbox templates, or shiny software, and includes education and training of staff at all levels in fundamentals of data and data management.
We have upcoming public courses on
- Data Governance (4th Nov)
- Register of Processing Activities (11th & 18th November)
- Data Quality (9th December)
If you aren’t sure about your needs, you can book an Advisory Clinic call with our team for a 1 hour quick consultation and diagnosis. Alternatively, if you are unsure of your immediate needs but have budget unspent this year, you can buy a Budget Manager Voucher to pre-pay for advisory or other services any time in the next 12 months.