Could recent backlash crash the not-so-smart city?

In May 2020, Google-affiliated Sidewalk Labs abruptly cancelled its smart city vision for Toronto’s waterfront, citing that “unprecedented economic uncertainty” created by the pandemic had made the project unachievable.

Named ‘Quayside’, the venture proposed a 12-acre development of sleek apartments and neighbourhood amenities that heavily incorporated data and technology into urban design and residents’ daily living.

Including an underground delivery system and ice-melting heated roads, the futuristic plan aimed to turn Toronto into the world’s first truly ‘smart city’.

Yet, the Quayside development faced fierce criticism before it could even get underway.

Planned for the heart of the development was the harvesting of an extensive flow of data, amassed by studying millions of residents’ daily movements through sensor-laden streets and buildings.

However, critics saw a darker side to Sidewalk Labs, fearing that residents’ data would be stored and used by Google. Such fears only intensified after a series of publicised data breaches at Big Tech companies.

US businessman Roger McNamee described the project as “the most highly evolved version to date of surveillance capitalism”, warning that Google would use “algorithms to nudge human behaviour” for corporate interests.

Despite Sidewalk’s assurances that the data collected wouldn’t be shared with third parties, Toronto city council members began to voice official concerns. A National Research Council report stated that Canada was in danger of becoming a “data cow” for foreign tech companies.

After years of a controversial public debacle that played out in court rooms and street protests, the proposals were eventually abandoned altogether.

An industry slowing down

The story of Quayside’s defeat perhaps has greater implications for the future of smart city culture. The Toronto cancellation has coincided with numerous high-profile examples of downscaling in grand smart city projects across the world, such as Songdo in South Korea and the ill-famed Masdar City in Abu Dhabi.

In fact, the overall trend of the smart city sector is declining, as the regions with the most smart-city deployments have seen large drop-offs in new developments. For instance, the number of new projects in Europe increased year-on-year to a peak of 43 in 2016, yet fell to just 17 in 2020.

Likewise, data suggests that the major suppliers to government smart city projects have considerably weakened their influence on the sector. Since 2016, companies such as Cisco Systems, Vodafone and Telensa have greatly reduced the number of new developments that they are undertaking, whilst there are numerous examples of backtracking throughout the industry.

In late 2020, Cisco Systems announced that the company was scrapping its flagship smart-city software altogether. Such instances suggest at least a slowing down in production ventures or perhaps even a full-on shift in company priorities.

So, why is the smart city bandwagon beginning to falter?

Not ‘smart’ enough post-pandemic?

Whilst the privacy backlash movement that finished off Quayside is exemplary of existing privacy concerns before Covid-19, the pandemic may have further compounded the barriers faced by the smart city.

The hard-hitting financial implications and uncertainties created by the pandemic have presumably put ambitious smart city projects on the back burner, as city governments re-align their priorities towards economic recovery.

“They’ve [smart city technology providers] all seen the challenges and the opportunities in this pandemic moment,” says Nigel Jacob, co-chair of the Mayor’s Office of New Urban Mechanics, a civic-innovation research lab in Boston. “I think they are still struggling and looking at their product portfolio and looking to see what value they can add. I do think the field has shifted.”

Jacob suggests that the pre-Covid landscape of smart city promotion has ultimately shifted, a viewpoint that is echoed throughout the industry. Many believe that the pandemic has forced city governments and citizens to re-evaluate their priorities of what needs to be achieved through urban areas.

David Bicknell, principal thematic analyst for GlobalData, argues: “Smart cities had their time. They are no longer about glossy, sensor-driven metropolises.” He adds, “The impact of the pandemic and climate change now means smart cities cannot just be ‘smart’ – they must be resilient and sustainable, too.”

It could be argued that there is now a greater focus for citizens in creating tangible outcomes in their communities on the key issues of climate change, health and social equity.

Whilst the potential for technology to contribute to driving change in these areas is undoubted, the idea that a smart city business model should just be about the city getting smarter is difficult to uphold in the landscape of post-pandemic finances.

With the exception of climate change issues, the traditional smart city does not look to tackle the big issues that have really been reinforced by the pandemic, Jacob argues.

Privacy concerns here to stay

The pandemic also introduced a new array of concerns surrounding data collection. Contact tracing apps, biometric vaccine passports and temperature scanning as a condition to entering premises have added fuel to the fire of privacy issues that people are now encountering.

Added to this, some academics worry that whilst these technologies have been accepted into day-to-day life under unprecedented measures, it leaves open the possibility of such platforms being manipulated for more sinister purposes in the future.

And, with the numerous high-profile legal cases surrounding Facebook, Amazon and Google’s privacy policies now regular features in the media, the public has certainly become more aware of privacy issues since the Quayside story.

Final Thoughts

Despite how strongly opposed many residents were to the Toronto Quayside development, it is clear that the integration of sensors, scanners and cameras into city living is here to stay. And there are undoubted benefits of smart technologies that are already evident in cities throughout the world, from intelligent LED street lighting to data-driven traffic control systems.

However, for the potential of smart technologies to be truly realised and accepted by the public, the smart city must be re-aligned to fit the privacy conscious post-pandemic world.



Are smart cities at risk from hackers?

From traffic lights to bins, across the world, internet-connected technology is being integrated across all manner of everyday city infrastructure. Smart city technology can provide cities with real-time information which can be analysed to offer insights into how people interact with the city. These insights can be used to make cities operate more efficiently and ensure that cities are responding to the changing needs of their citizens. 

However, like any internet-connected device, smart city infrastructure runs the risk of being targeted by bad actors who wish to disrupt the operation of city life. 

This blog post explores the extent to which smart cities are vulnerable to attack by hackers and considers the steps that can be taken to prevent them from being compromised by nefarious actors. 

Connected and vulnerable

It’s an unfortunate fact of our increasingly connected lives that as we connect more devices to the internet, we provide hackers with more opportunities to access our devices, compromise our networks, and gain access to personal information. In recent years, as we have added more Internet of Things (IoT) devices to our home networks, such as smart lightbulbs and thermostats, there is a chance we may be weakening the overall security of our networks. Experts have warned that these small IoT devices may not have the necessary level of sophisticated defences required to protect them from attack.

Naturally, as these devices normally perform relatively inconsequential tasks (such as turning on a lamp) and don’t tend to host a great deal of personal data, many consumers do not consider the danger they could pose if compromised. Research has found that hackers may be able to gain access to entire home networks through hacking a single IoT device. This can enable hackers to access other connected devices, such as a phone, which holds a large amount of personal data. This can allow hackers to steal personal data, covertly spy on unknowing users, and gain access to email/social media/bank accounts. 

Therefore, as more small-scale infrastructure is connected to the internet, hackers will have more opportunities to take advantage of devices with lax security. In the context of smart cities, these vulnerabilities may allow hackers to gain access to systems that operate critical city infrastructure.

Smart city vulnerabilities

A key component of the development of smart cities is the fostering of a network of interconnected devices which cover a wide variety of city activities and functions. Through collecting and analysing this data, cities will be able to improve the way they operate in real-time and better respond to the needs of citizens. As such, smart city technology will have to be integrated into systems as simple as a streetlight and as complex as the public transit system. 

As previously discussed, IoT devices have varying levels of protection against hackers, and this is no different in the context of the smart city. Research conducted by UC Berkeley found that small smart city infrastructure, such as CCTV systems and traffic lights, was more vulnerable to attack than more significant infrastructure, such as smart waste and water management systems. Vulnerabilities at any point of a network can allow hackers to gain access and potentially to compromise a more critical part of city infrastructure.

Recently published guidance from the National Cyber Security Centre (NCSC) indicated that smart cities are a target for hackers, and warned that if systems are compromised there may be “destructive impacts”. For example, if a hacker can gain access to a smart traffic management system, they may be able to take the system offline and create traffic gridlock across a city. This would cause mass disruption and prevent people from moving around, which could result in threats to public safety. As a result, ensuring smart cities are protected from bad actors will be crucial as more city infrastructure is integrated into smart internet-connected systems. 

Protecting the smart city

Although smart cities will undoubtedly be a target for hackers, several actions can be taken to protect them from attack, and mitigations can be put in place to protect the wider smart city network if a single device is compromised. Ensuring that smart cities are designed with security at their core is vital. Adding on security at a later date will be ineffective and experts believe a “bolt-on” approach may pose more of a security risk. 

Guidance from the NCSC sets out the importance of understanding who is supplying the infrastructure and being aware that some companies may have links to foreign governments who may wish to gain access to UK systems for nefarious purposes. 

Key steps that the NCSC advises should be taken to protect the smart city include:

  • Understanding the goal of the smart city and potential unforeseen impacts.
  • Examining the threats posed to the smart city.
  • Setting out the governance of smart city cybersecurity and ensuring staff have the correct skills.
  • Understanding the role of suppliers in the delivery of smart city infrastructure and cybersecurity.
  • Being aware of relevant legal and regulatory requirements (particularly surrounding data protection).

Final thoughts

The development of smart cities may provide opportunities to create cities that are more efficient and responsive to the needs of citizens. Unfortunately, as more infrastructure is connected to the internet, hackers are provided with more opportunities to disrupt systems and harvest personal data. The levels of disruption and data will undoubtedly make smart cities an attractive target for bad actors.

Therefore, to reap the benefits of the smart city, it will be vital that security is at the core of the development of the smart city, and that local authorities ensure they have a clear understanding of who is responsible for cybersecurity. 



Protecting privacy in the aftermath of the Facebook-Cambridge Analytica scandal

By Steven McGinty

On 4 June, Information Commissioner Elizabeth Denham told MEPs that she was ‘deeply concerned’ about the misuse of social media users’ data.

She was speaking at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) inquiry into the use of 87 million Facebook profiles by Cambridge Analytica and its consequences for data protection and the wider democratic process. The whole affair has shone a light on how Facebook collected, shared, and used data to target people with political and commercial advertising. And, in a warning to social media giants, she announced:

“Online platforms can no longer say that they are merely a platform for content; they must take responsibility for the provenance of the information that is provided to users.”

Although this is tough talk from the UK’s guardian of information rights – and many others, including politicians, have used similar language – the initial response from the Information Commissioner was hardly swift.

The Information Commissioner’s Office (ICO) struggled at the first hurdle, failing to secure a search warrant for Cambridge Analytica’s premises. Four days after Elizabeth Denham announced her intention to raid the premises, she was eventually granted a warrant following a five-hour hearing at the Royal Courts of Justice. This delay – and concerns over the resources available to the ICO – led commentators to question whether the regulator has sufficient powers to tackle tech giants such as Facebook.

Unsurprisingly, it was not long before the Information Commissioner went into “intense discussion” with the government to increase the powers at her disposal. At a conference in London, she explained:

“Of course, we need to respect the rights of companies, but we also need streamlined warrant processes with a lower threshold than we currently have in the law.”

Conservative MP Damian Collins, Chair of the Digital, Culture, Media and Sport select committee, expressed similar sentiments on Twitter, calling for new enforcement powers to be included in the Data Protection Bill.

Eventually, after a year of debate, the Data Protection Act 2018 was passed on the 23 May. On the ICO blog, Elizabeth Denham welcomed the new law, highlighting that:

“The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

By introducing this Act, the UK Government is attempting to address a number of issues. However, the Information Commissioner will be particularly pleased that she’s received greater enforcement powers, including the creation of two new criminal offences: the ‘alteration etc of personal data to prevent disclosure’ and the ‘re-identification of de-identified personal data’.

GDPR

On 25 May, the long-awaited General Data Protection Regulation (GDPR) came into force. The Data Protection Act incorporates many of the provisions of GDPR, such as the ability to levy heavy fines on organisations (up to €20,000,000 or 4% of global turnover). The Act also derogates from EU law in areas such as national security and the processing of immigration-related data. The ICO recommends that GDPR and the Data Protection Act 2018 are read side by side.

However, not everyone is happy with GDPR and the new Data Protection Act. Tomaso Falchetta, head of advocacy and policy at Privacy International, has highlighted that although they welcome the additional powers given to the Information Commissioner, there are concerns over the:

“wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

In addition, Dominic Hallas, executive director of The Coalition for a Digital Economy (Coadec), has warned that we must avoid a hasty regulatory response to the Facebook-Cambridge Analytica scandal. He argues that although it’s tempting to hold social media companies liable for the content of users, there are risks in taking this action:

“Pushing legal responsibility onto firms might look politically appealing, but the law will apply across the board. Facebook and other tech giants have the resources to accept the financial risks of outsized liability – startups don’t. The end result would entrench the positions of those same companies that politicians are aiming for and instead crush competitors with fewer resources.”

Final thoughts

The Facebook-Cambridge Analytica scandal has brought privacy to the forefront of the public’s attention. And although the social media platform has experienced a minor decline in user engagement and the withdrawal of high-profile individuals (such as inventor Elon Musk), its global presence and the convenience it offers to users suggest it’s going to be around for some time to come.

Therefore, the ICO and other regulators must work with politicians, tech companies, and citizens to have an honest debate on the limits of privacy in a world of social media. The GDPR and the Data Protection Act provide a good start in laying down the ground rules. However, in the ever-changing world of technology, it will be important that this discussion continues to find solutions to future challenges. Only then will we avoid walking into another global privacy scandal.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 


How data leaks can bring down governments


By Steven McGinty

In July 2017, the Swedish Government faced a political crisis after admitting a huge data leak that affected almost all of its citizens.

The leak, which dates back to a 2015 outsourcing contract between the Swedish Transport Agency and IBM Sweden, occurred when IT contractors from Eastern Europe were allowed access to confidential data without proper security clearance. Media reports suggested that the exposed data included information about vehicles used by the armed forces and the police, as well as the identities of some security and military personnel.

The political fallout was huge for Sweden’s minority government. Infrastructure Minister Anna Johansson and Interior Minister Anders Ygeman both lost their positions, whilst the former head of the transport agency, Maria Ågren, was found to have been in breach of the country’s privacy and data protection laws when she waived the security clearance of foreign IT workers. In addition, the far-right Sweden Democrats were calling for an early election and Prime Minister Stefan Löfven faced a vote of no-confidence in parliament (although he easily survived).

However, it’s not just Sweden where data leaks have become political. Last year, the UK saw several high-profile incidents.

Government Digital Service (GDS)

The UK Government’s main data site incorrectly published the email addresses and “hashed passwords” of its users. There was no evidence that data had been misused, but the GDS recommended that users change their password as a precaution. And although users did not suffer any losses, it’s certainly embarrassing for the agency responsible for setting the UK’s digital agenda.

Scottish Government

Official documents revealed that Scottish Government agencies experienced “four significant data security incidents” in 2016-17. Three out of four of these cases breached data protection legislation.

Disclosure Scotland, a body which often deals with highly sensitive information through its work vetting individuals, was one organisation that suffered a data leak. This involved a member of staff sending a mass email, in which email addresses could be viewed by all the recipients (a breach of the Data Protection Act).

Murdo Fraser, MSP for the Scottish Conservatives, criticised the data breaches, warning:

“These mistakes are entirely the fault of the Scottish government and, worryingly, may signal security weaknesses that hackers may find enticing.”

Hacking parliaments

In the summer of 2017, the UK parliament suffered a ‘brute force’ attack, resulting in 90 email accounts with weak passwords being hacked and part of the parliamentary email system being taken offline. A few months later, the Scottish Parliament experienced a similar sustained attack on parliamentary email accounts. MPs have suggested Russia or North Korea could be to blame for both attacks.

MPs sharing passwords

In December 2017, the Information Commissioner warned MPs over sharing passwords. This came after a number of Conservative MPs admitted they shared passwords with staff. Conservative MP Nadine Dorries explained:

“My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes.”

Their remarks were an attempt to defend the former First Secretary of State, Damian Green, over allegations he watched pornography in his parliamentary office.

Final thoughts

The Swedish data leak shows the political consequences of failing to protect data. The UK’s data leaks have not led to the same level of political scrutiny, but it’s important that UK politicians stay vigilant and ensure data protection is a key priority. Failure to protect citizen data may not only have financial consequences for citizens, but could also erode confidence in public institutions and threaten national security.



Drones in the city: should we ban drone hobbyists?


By Steven McGinty

Drones are becoming an increasingly observable feature of modern cities, from tech enthusiasts flying drones in local parks to engineers using them to monitor air pollution. And there have also been some high profile commercial trials such as Amazon Prime Air, an ambitious 30-minute delivery service.

However, introducing drones into the public realm has been something of a bumpy ride. Although the Civil Aviation Authority (CAA) produces guidance to ensure drones are flown safely and legally, there have been a number of hazardous incidents.

For example, in April, the first near-miss involving a passenger jet and more than one drone was recorded. The incident at Gatwick Airport saw two drones flying within 500m of an Airbus A320, with one pilot reporting a “significant risk of collision” had they been on a different approach path. In addition – and just 30 minutes later – one of these drones flew within 50m of another passenger jet, a Boeing 777.

Videos have also been uploaded to websites such as YouTube, which have clearly been taken from drones – a clear breach of the CAA’s rules prohibiting the flying of drones over or within 150m of built-up areas. This includes events such as the Cambridge Folk Festival, a match at Liverpool FC’s Anfield Stadium, and Nottingham’s Goose Fair. Jordan Brooks, who works for Upper Cut Productions – a company which specialises in using drones for aerial photography and filming – explains that:

“They look like toys. For anyone buying one you feel like you’re flying a toy ‘copter when actually you’ve got a hazardous helicopter that can come down and injure somebody.”

Privacy concerns have also started to emerge. Sally Annereau, data protection analyst at law firm Taylor Wessing, highlights a recent European case which held that a suspect’s rights had been infringed by a homeowner’s CCTV recording him whilst he was in a public place. Although not specifically about drones, Sally Annereau suggests this decision will have far reaching consequences, with potential implications for drone users recording in public and sharing their footage on social media sites. The Information Commissioner’s Office (ICO) has already issued guidance for drones.

The CAA report that there were more than 3,456 incidents involving drones in 2016. This is a significant increase on the 1,237 incidents in 2015.

The response

Cities have often taken contradictory approaches to drones. Bristol City Council has banned their use in the majority of its parks and open spaces. Similarly, several London boroughs have introduced ‘no drone zones’, although the London Borough of Richmond upon Thames has a relatively open policy, only banning drones over Richmond Park. Further, Lambeth Council requires hobbyists to complete an application form “to ensure suitability”, a standard similar to commercial drone pilots.

There have also been several accusations of double standards, as large commercial operators such as Amazon receive exemptions to CAA rules ahead of photographers recording events, hospitals delivering blood, and researchers collecting data.

Although cities have a responsibility to protect the public, they also have to ensure citizens are able to exercise their rights. The air is a common space, and as such cities must ensure that hobbyists – as well as multinational firms – can enjoy the airspace. Thus, it might be interesting to see cities take a more positive approach and designate ‘drone zones’, where hobbyists can get together and fly their drones away from potential hazards.



General Data Protection Regulation (GDPR): 10 things business needs to know

 


By Steven McGinty

On 25 May 2018, the data protection landscape will experience its biggest change in over 20 years.  This is because the European Union’s (EU) General Data Protection Regulation (GDPR) will come into effect for all member states. The regulation, which has been described as ‘ambitious’ and ‘wide-ranging’, introduces a number of new concepts, including the high profile ‘right to be forgotten’ – a principle established in a case involving technology giant Google.

Below we’ve highlighted ten of the most important points for business.

Directly effective

The GDPR is ‘directly effective’, which means that the regulation becomes law without the need for additional domestic legislation (replacing the Data Protection Act 1998). However, member states have also been given scope to introduce their own legislation on matters such as the processing of personal data. This may result in some EU states having more stringent rules than others.

Sharing data and monitoring

It also seeks to increase the reach of EU data protection law. Not only will EU-based data controllers and processors fall under the scope of the GDPR, but its authority will also extend to any business which either processes personal data or monitors the behaviour of individuals within the EU.

This will impact businesses who transfer data outside the European Economic Area (EEA). It will be their responsibility to ensure that the country the data is being transferred to has adequate levels of data protection. The most prominent example of this issue was the US Safe Harbour scheme, which was intended to protect European individuals whose personal data is transferred between the EEA and the USA. In 2015, the European Court of Justice ruled that this scheme had ceased to provide a valid legal basis for EEA-US transfers of all types of personal data. It has now been replaced by the Privacy Shield.

Transparency and consent

Greater obligations have been placed on business with regard both to seeking consent for use of personal data and providing detailed information to individuals on how their personal data is being used. The GDPR requires that consent notices are ‘unambiguous’ – not assumed from a person’s failure to respond – and that consent is sought for different processing activities. Law firm Allen and Overy recommends that businesses review their notices to ensure they are fit for purpose.

Personal data/ sensitive data

Article 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.

Enhanced rights

New rights and the enhancement of existing rights will require some businesses to improve the way their data is stored and managed. These rights include:

  • Data portability – Business must ensure that individuals can have easy access to their personal data in case they want to transfer their data to other systems.
  • Strengthening subject access rights – Individuals can now request access to their data for no cost and it must be responded to within 30 days (this is a change from the current legislation which requires a £10 fee and there is 40 days to respond).
  • Right to be forgotten – Individuals can request that an organisation delete all the information they hold on them (although this would not apply if there was a valid reason to hold that data).
  • Right to object to processing – Individuals have the right to object to the way an organisation is processing their data.
  • Right to restrict processing – Individuals have the right to request that the processing of personal data is temporarily stopped. This may be invoked whilst a right to object request is being investigated.

Personal data breach

Businesses have an obligation to report breaches to their national regulator, such as the Information Commissioner’s Office (ICO) in England. The GDPR requires that notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” This may be challenging for some businesses, particularly if the incident is discovered at the end of the working week.

Failure to comply with GDPR

The regulation introduces two levels of fines. Less serious offences under the regulation will be liable for a fine of up to €10,000,000 or 2% of global turnover, whichever is higher. However, for more serious breaches, such as a breach of an individual’s rights or a breach during international transfers, a business may be held liable for up to €20,000,000 or 4% of global turnover.

In addition, individuals are also given the right of redress, and those who have had their rights violated may seek to receive compensation. This has led digital marketers to suggest that GDPR could be the next PPI – a practice where insurance was mis-sold to customers, which resulted in a large number of successful claims against financial institutions.

Privacy by design

Technology businesses should also consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer be attributed to a particular person without additional information. Additional measures, such as policies and programmes, would also show a national regulator the business’s commitment to compliance with the GDPR.

European Data Protection Board (EDPB)

A new body has been created to issue opinions and to arbitrate disputes that arise with national regulators. The board will be made up of heads of national regulatory bodies (or their representatives) and the European Data Protection Supervisor (EDPS), who governs the data processing activities of EU institutions. The opinions expressed by this board may have important implications for data protection legislation.

Impact of Brexit

Evidence suggests some businesses may be delaying taking action until they see the results of the Brexit negotiations. This possibly explains the research by cloud security firm, Netskope, which found that 63% of UK workers have never heard of the GDPR. Similarly, research by Veritas Technologies, a leading information management firm, has found that 54% of organisations have not ensured they will comply with the new GDPR.

However, it would be very surprising if the UK did not ‘mirror’ the protections offered by the regulation, particularly considering the UK’s significant input to the new legislation. Digital minister Matt Hancock has also confirmed that the UK government intends to fully implement the GDPR.

Final thoughts

If businesses already have policy and procedures in place to meet the requirements of the Data Protection Act, then they should have a solid foundation to comply with the GDPR. In many ways, the new regulation simply provides a clear framework for delivering good practice in data protection.

However, all businesses will need to take action to ensure compliance with the GDPR. Otherwise, the financial penalties (as well as reputational damage) of a breach could have serious consequences for their business. And this is not just an IT issue. The whole organisation, starting from board level, must show a willingness to understand the legislation and implement procedures that protect the fundamental rights of individuals.


Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other data-related articles

Counting the cost of data protection failures in local government


By Steven McGinty

In August, Hampshire County Council was fined £100,000 by the Information Commissioner’s Office (ICO) after social care files and 45 bags of confidential waste were found in a building previously occupied by the council’s adults’ and children’s services team.

Steve Eckersley, the ICO’s head of enforcement, explained that this data protection breach affected over 100 people, with much of the information “highly sensitive” and about adults and children in vulnerable circumstances. In his view:

“The council’s failure to look after this information was irresponsible. It not only broke the law, but put vulnerable people at risk.”

A widespread problem

In 2015, Big Brother Watch, an organisation which encourages more control over personal data, published a report highlighting that local authorities commit four data breaches every day. It found that between April 2011 and April 2014 there were at least 4,236 data breaches. This included, at least:

  • 401 instances of data loss or theft
  • 159 examples of data being shared with a third party
  • 99 cases of unauthorised people accessing or disclosing data
  • 658 instances of children’s personal data being breached

In the past year, local authorities have reported 14% more security breaches to the ICO than in the previous year. The figures show that 64% of all reported breaches involved accidentally disclosing data. This supports research which suggests that human error is a major cause of data protection breaches.

These statistics are both positive and negative for the ICO. Peter Woollacott, CEO of Huntsman Security, suggests that it could show that local government is becoming better at identifying security breaches. However, he also acknowledges that most organisations are subject to multiple attacks, with only some being detected.

Areas for improvement

In 2014, the ICO conducted nine advisory visits and four audits of social housing organisations. It found that improvements could be made in ten areas, including:

  • Data sharing – organisations regularly share personal data but few have formal policies and procedures to govern this sharing.
  • Data retention – few organisations have data retention schedules for personal data, which provide details on when records should be disposed of, although most only extend to physical records. Data protection legislation sets out that data must not be stored for ‘longer than necessary’.
  • Monitoring – there is little evidence that organisations monitor their compliance with data protection policies.
  • Homeworking – where organisations allow staff to work flexibly, it often wasn’t formalised.
  • Training – there are varying levels of data protection training found in organisations.

Public confidence

Unsurprisingly, high-profile data breaches, such as the loss of 25,000,000 child benefit claimants’ details in the post by HM Revenue and Customs (HMRC), have left the public concerned about their data.

In October, a YouGov poll showed that 57% of people believed that government departments could not share personal data securely. And 78% of people didn’t believe or didn’t know whether the government had the resources and technology to stop cyber-attacks.

A poll by Ipsos Mori has also shown that 60% of the public are more concerned about online privacy than a year ago. The three main reasons given were: private companies sharing data; private companies tracking data; and the reporting of government surveillance programmes.

The cost of data protection failures

The implications of failing to protect the public’s data are serious. Not only could local government be heavily fined by the ICO, but it could also have an emotional or economic impact on individuals if their data enters the wrong hands and is used maliciously (e.g. to commit an act of fraud). However, there are wider issues for government.

At the moment, both local and central government are undergoing digital transformation programmes, digitising their own operations and moving public services online. Examples include social workers using electronic social care records and the public paying council tax or booking appointments through their local council’s website.

If the public buy into ‘digital by default’ (the policy of ensuring online is the most convenient way of interacting with government), then services could be delivered a lot more efficiently, resulting in significant savings. However, if the public are concerned over the security of their personal data, they may be less willing to consent to its use by government.

We’ve already seen this in some areas. In 2014, the Scottish Government announced plans to expand an NHS register to cover all residents and share access with more than 100 public bodies, including HMRC. This year, the Scottish Government attempted to bring into effect the ‘Named Person Scheme’, where every child in Scotland would be assigned a state guardian, such as a teacher or health visitor.

With both of these schemes, concerns have been raised over privacy, including from the ICO in Scotland. The Supreme Court has also ruled against the Named Person Scheme, over the data sharing proposals.

Final thoughts

Local government needs to be robust in ensuring compliance with data protection legislation. The financial costs could be great for local government, but the bigger concern should be public trust. If councils fail to meet their legal obligations, they may find it challenging to implement policies that use public data, even if they bring the public benefits.



Idox: enabling transformation, collaboration and improvement


If you follow this blog regularly then you’ll know that we write on all areas of public and social policy. What you might not realise though is that our Knowledge Exchange team is just one part of a much wider business – Idox – providing specialist information and data solutions and services.

I’ve been working with Idox for about four years, but I’m still topping-up my knowledge about the organisation. Last week, at the company’s end-of-year get-together, my brain was like an overworked sponge as it tried to absorb a multitude of facts, figures and achievements during two days of workshops and presentations (to say nothing of the informal chats in between the working sessions).

From this wealth of information, I’ve compiled a selection that I think conveys a flavour of the depth and diversity of Idox today.

Ten things you might not know about Idox…

  1. The Reading Room, which is the newest addition to the Idox family of companies, has developed digital solutions for a wide range of customers, including Porsche and Clarence House, and this year developed a virtual reality test drive app for Skoda.
  2. Idox’s recently-launched iApply service enables planning applications and building control consent to be applied for via a single source, streamlining the application process.
  3. The Idox GRANTFinder policy and grants database contains details of over 8000 funding opportunities.
  4. Real-time information delivered by Idox’s Cloud Amber keeps the travelling public up-to-date about transport services and helps manage traffic congestion.
  5. The Idox group currently employs almost 600 people in over 10 countries, including the UK, the Netherlands, Germany, the United States, India and Australia.
  6. The Idox Elections service not only ensured the smooth management of postal voting for the 2015 UK general election, but has also supported delivery of local authority and community council elections in the UK, as well as this year’s local elections in Norway.
  7. Idox has a strong presence in the compliance sector, raising awareness among managers and employees of the importance of complying with regulations, from corruption prevention and data privacy to occupational safety and cybersecurity.
  8. Idox Engineering Information Management provides critical engineering document management and control applications to the oil and gas, mining, pharmaceutical and transport industries in 50 countries.
  9. CAFM Explorer, Idox’s computer aided facilities management software, supports building maintenance and property management for organisations in 45 countries, and recently partnered with the Hippodrome to help maintain one of London’s most popular attractions.
  10. From food safety monitoring to licensing taxis, Idox’s regulatory services help local authorities enforce the rules that keep us safe.

One more thing…

Finally, the meeting reminded me of one thing I already knew, and it’s to do with the part of Idox where I work – the Knowledge Exchange.

Over breakfast on the second morning, a colleague from McLaren talked about the difficulties in finding the right information on the web. Search engines only go so far, he said, providing too little or too much. This is where skilled intermediaries, such as Idox’s team of Research Officers, can make a difference, identifying, sorting and presenting information that people can use to make decisions, support arguments and advance their businesses.

The Idox event was an enjoyable, if exhausting, couple of days, and it demonstrated the many ways in which the company is supporting public, private and third sector work.

Clearly, there’s much more to learn about Idox.


Our popular Ask-a-Researcher enquiry service is one aspect of the Idox Information Service, which we provide to members in organisations across the UK to keep them informed on the latest research and evidence on public and social policy issues. To find out more on how to become a member, get in touch.
