GDPR isn’t done. It's an on-going process, and above all, good business sense. For those working in the Civil Service who have access to large amounts of important personal data (including special category data as defined by the GDPR and the Data Protection Act 2018) this is especially vital to understand particularly within the context of the Government’s accountability and transparency agenda. Specifically, “Open Government” still needs to respect data protection laws and the importance of safeguarding personal data. Moreover, despite all the publicity and understandable concern about hacking, most data protection breaches occur as the result of human error, not malice.
It is therefore essential that all processes and procedures are up to standard across Government, and that every effort has been made to make individuals working in the Civil Service aware of their responsibilities regarding data protection, data privacy and their responsibilities whatever their role.
Some top tips regarding sound management of personal data therefore include:
- Civil Servants should know what personal data is being recorded, on what legal basis and for what specific purpose. This can be done using a Record of Processing Activity (RoPA), which needs to be reviewed and updated regularly. ICO can demand to see this document at any time, so it needs to be kept up to date.
- Even if your team have been trained about GDPR, this should be revisited, in order to keep their awareness high with a specific focus on Subject Access Requests, the difference between Subject Access Requests and Freedom of Information Requests (FOIs) and how to manage a data breach.
- Any contracts with suppliers should be reviewed and a process established to make sure that the contracts are compliant with the legislation.
- Civil servants will be involved in making some data public. Particular thought needs to go into processes to make sure material being placed on a website for example, is reviewed in terms of personal data. This all needs care, particularly in terms of the potential harm that could be caused to the individual should the wrong information get into the public domain.
Recent data breaches, such as the publication of the home addresses of those included in the New Year’s Honour List, have increased the necessity for all those working in Government to be absolutely on the ball regarding their data protection obligations.
Writers: Susan Doe and Naomi Korn of Naomi Korn Associates
The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)