The problem with “voluntary”
Over the last few days there have been a few high profile data breaches in Ireland. One of them (New Beginning’s transfer of data on 1500 individuals to a third party in Malta) is a textbook example of a common type of data protection breach:
- data being processed for a purpose for which it was not originally obtained
- transfer to a third-party processor without a formal contract
- failure to implement appropriate technical and organisational measures to keep the data secure
- an attempt to pass the blame to a contractor
- an opening position, when the breach was discovered (by the media), that this was not a matter for the DPC as no breach had occurred.
The other (UL student finance data being leaked on the university’s website) appears to be an unfortunate accidental disclosure (but time will tell), but the University appeared to be unaware of the requirement under the Data Security Breach Code of Practice to notify the DPC of the breach, given the nature of the data.
Both highlight the problem with “voluntary” schemes in Data Protection compliance (and indeed any form of effective regulatory governance). Basically… if it is voluntary it will be ignored or not considered until the day after it has become a problem. And this is doubly worrying because the EU Council of Ministers has recently diluted the provisions around the role of the Data Protection Officer in the draft EU Data Protection Regulation to what I would describe as “homeopathic” levels.
“Voluntary”, “optional”, and “self-certified” are all phrases that should strike fear into the heart of any sensible Data Governance practitioner working with regulated data. They inevitably lead to poorly framed risk assessments and gluttonous risk appetites, because they cut away any semblance of a mandate for internal Governance and Regulatory operations teams and hobble any statutory Regulator to the point of ineffectiveness.
The law-talking bit…
Ireland is relatively unusual in that we have gone some of the way towards having a sensible Data Breach Notification regime, in the form of the Data Protection Commissioner’s Code of Practice on Data Security Breach Notification. I was involved in the consultation process on this code of practice, and it is reasonably well balanced and reasonably clear as to what the obligations are on any Data Controller (or Data Processor) who becomes aware that data relating to individuals “has been put at risk of unauthorised disclosure, loss, destruction or alteration”. Note: it applies not just to actual incidents of loss, unauthorised access, or unauthorised disclosure or alteration, but also to situations where there is a risk that any of these might happen.
The DPC treats the Code of Practice as if it were binding and leverages it as part of its “soft law” arsenal for enforcement. The problem is that it’s not binding. While it was approved by the DPC in July 2011 and has jumped almost all the hurdles to having full legal effect, the Code of Practice has only been approved under Section 13(2) of the Data Protection Acts, which means it is a voluntary gentlemen’s agreement with no binding effect in a criminal prosecution (and enforcement actions under the Data Protection Acts are criminal prosecutions). For the Code of Practice to have real teeth, it would need to have gone on to the Section 13(3) process, whereby it would be presented to the Oireachtas for approval. The code of practice would then take the form of a Statutory Instrument, in effect extending the Data Protection Acts. More importantly, it would then, under Section 13(6) of the Data Protection Acts, need to be “taken into account” in proceedings in any court or tribunal.
Section 13(2) Codes just don’t have that power. They are guidance, a guideline, and they can be ignored without any direct penalty. So an organisation that realises it has had a data breach might keep quiet about it in the hope that nobody notices, and then might have to come out fighting if, for example, the media were to find out about it.
Within the draft EU Data Protection Regulation there is a provision (Article 35) which, in both the Commission and Parliament texts of the Regulation, mandates that Data Protection Officers be appointed in organisations that either have 250 staff (Commission version) or process data on over 5000 data subjects per annum (Parliament version). I disagreed with the first approach – today a one-man-band business can process a heck of a lot of data. The second threshold I grudgingly agree with, up to a point. My personal view is that you need to have someone in your organisation whose reasonably full-time job is looking after the governance of your data and ensuring compliance.
In fairness to the draft EU Data Protection Regulation, the provisions agreed in the Parliament go a long way to providing a clearly mandated Data Governance function for Data Protection compliance, with some strong provisions about independence, provision of training and resources, and a host of other things that make it clear this is not a brass-plate job for someone who can’t be trusted not to run with scissors.
However, the Council of Ministers last month agreed a version of Article 35 which makes it optional to have a Data Protection Officer unless some other EU law or member state law requires it. This is, frankly, lunacy. It means that a more complex Regulation, with an increased focus on risk management approaches and on ensuring effective governance controls over data, doesn’t require organisations that hold a lot of data to have anyone whose job is to make sure they know the rules of the game and who is empowered to ensure that those rules are being followed in the organisation.
Assume, for a moment, that a social enterprise has gathered the personal and personal financial data of approximately 3000 households, amounting to approximately 6000 individual data subjects (allowing for joint home ownership).
- If they lose that data under current legislation, they are not obliged to tell the DPC (but the DPC would really like it if they would…).
- They will not be required, under the current proposal from the Council of Ministers, to ensure they have someone on staff (or on a retainer) who knows the rules of the game for Data Protection at a detailed level and is independent of the management structures, so that they can advise impartially.
They may be invited to consider doing so by a national Regulator. They may be required to do so by a specific national or EU law in a specific context (which instantly embuggers the “standardisation” of Data Protection compliance across the EU). But there’s no penalty or impact for not doing it.
Just like there is, as it stands, only a stern talking to if you ignore the Data Security Breach code of practice.
In circumstances like that, organisation management will engage in mental discounting, trading off the pain in the neck and/or costs associated with breach notification or Data Protection Officers and governance against the probability of being found out. Many times I’ve heard phrases like “what’s the minimum we need to do to comply?” and “what’s the minimum we’ll get away with?” in the context of regulatory governance. These are dangerous conversations to have in the context of “voluntary” compliance codes or “optional” governance structures.
Concepts of “Voluntary”, “Optional”, and “Self-Certified” have their place. But their place should not be in the definition of the core mandate that exists for Data Governance in an organisation, or in the context of the steps that need to be taken to ensure personal data privacy rights are upheld in the EU (they are fundamental rights, remember!).
It appears I’m not the only one concerned about all of this. One Irish newspaper has carried an editorial today about the weaknesses in the Data Breach code of practice and the powers of the DPC to enforce it. Writing in the Irish Independent, Colette Browne comments on the effect of “voluntary” codes with no teeth:
The result is that companies, instead of dealing with the negative publicity surrounding a breach of this nature, prefer to remain silent and hope the media never gets wind of what transpired.
That is an example of the “mental discounting” at work.
But even more tellingly, the head of the French Data Protection Authority (CNIL) has openly criticised the current “risk based approach” in the Data Protection Regulation, particularly after the proposals from the Council of Ministers.
She has warned that:
- An excessive reliance on a “risk based” approach could weaken protections for fundamental rights.
- The current negotiation process appears to have confused risk mitigation with respect for rights.
- Risk based assessments should not displace the principle of Accountability.
In her remarks she is also reported by Hogan Lovells (a leading international law firm specialising in Data Protection) to have been very clear about the need to have fundamental Data Governance structures in place for Data Protection:
…accountability should apply to all forms of processing, not just to “risky” ones. Obviously the level of resources and safeguards applied will depend on the level of the risk, but the principle of accountability, i.e. having a data protection governance structure in place, should remain constant.
So: regulators are of the view that making the Governance function for Data Protection optional is not advisable in a risk based compliance model.
Words like “voluntary”, “optional”, or “self-certified” should be treated with healthy scepticism when dealing with matters of data and especially where there is an intersection between data and Fundamental Rights.