Protecting privacy in the aftermath of the Facebook-Cambridge Analytica scandal

By Steven McGinty

On 4 June, Information Commissioner Elizabeth Denham told MEPs that she was ‘deeply concerned’ about the misuse of social media users’ data.

She was speaking at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) inquiry into the use of 87 million Facebook profiles by Cambridge Analytica and its consequences for data protection and the wider democratic process. The whole affair has shone a light on how Facebook collected, shared, and used data to target people with political and commercial advertising. And, in a warning to social media giants, she announced:

Online platforms can no longer say that they are merely a platform for content; they must take responsibility for the provenance of the information that is provided to users.”

Although this is tough talk from the UK’s guardian of information rights – and many others, including politicians, have used similar language – the initial response from the Information Commissioner was hardly swift.

The Information Commissioners Office (ICO) struggled at the first hurdle, failing to secure a search warrant for Cambridge Analytica’s premises. Four days after the Elizabeth Denham announced her intention to raid the premises, she was eventually granted a warrant following a five-hour hearing at the Royal Courts of Justice. This delay – and concerns over the resources available to the ICO – led commentators to question whether the regulator has sufficient powers to tackle tech giants such as Facebook.

Unsurprisingly, it was not long before the Information Commissioner went into “intense discussion” with the government to increase the powers at her disposal. At a conference in London, she explained:

Of course, we need to respect the rights of companies, but we also need streamlined warrant processes with a lower threshold than we currently have in the law.”

Conservative MP, Damien Collins, Chair of the Digital, Culture, Media and Sport select committee, expressed similar sentiments, calling for new enforcement powers to be included in the Data Protection Bill via Twitter:

Eventually, after a year of debate, the Data Protection Act 2018 was passed on the 23 May. On the ICO blog, Elizabeth Denham welcomed the new law, highlighting that:

The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

By introducing this Act, the UK Government is attempting to address a number of issues. However, the Information Commissioner, will be particularly pleased that she’s received greater enforcement powers, including creating two new criminal offences: the ‘alteration etc of personal data to prevent disclosure‘ and the ‘re-identification of de-identified personal data’.

GDPR

On 25 May, the long awaited General Data Protection Regulation (GDPR) came into force. The Data Protection Act incorporates many of the provisions of GDPR, such as the ability to levy heavy fines on organisations (up to €20,000,000 or 4% of global turnover). The Act also derogates from EU law in areas such as national security and the processing of immigration-related data. The ICO recommend that GDPR and the Data Protection Act 2018 are read side by side.

However, not everyone is happy with GDPR and the new Data Protection Act. Tomaso Falchetta, head of advocacy and policy at Privacy International, has highlighted that although they welcome the additional powers given to the Information Commissioner, there are concerns over the:

wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

In addition, Dominic Hallas, executive director of The Coalition for a Digital Economy (Coadec), has warned that we must avoid a hasty regulatory response to the Facebook-Cambridge Analytica scandal. He argues that although it’s tempting to hold social media companies liable for the content of users, there are risks in taking this action:

Pushing legal responsibility onto firms might look politically appealing, but the law will apply across the board. Facebook and other tech giants have the resources to accept the financial risks of outsized liability – startups don’t. The end result would entrench the positions of those same companies that politicians are aiming for and instead crush competitors with fewer resources.

Final thoughts

The Facebook-Cambridge Analytical scandal has brought privacy to the forefront of the public’s attention. And although the social media platform has experienced minor declining user engagement and the withdrawal of high profile individuals (such as inventor Elon Musk), its global presence and the convenience it offers to users suggests it’s going to be around for some time to come.

Therefore, the ICO and other regulators must work with politicians, tech companies, and citizens to have an honest debate on the limits of privacy in a world of social media. The GDPR and the Data Protection Act provide a good start in laying down the ground rules. However, in the ever-changing world of technology, it will be important that this discussion continues to find solutions to future challenges. Only then will we avoid walking into another global privacy scandal.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 

If you found this article interesting, you may also like to read our other digital articles.

Joining the digital revolution: social workers’ use of digital media

In January 2018, NHS digital published a report, which highlighted the accessibility and availability of digital platforms to help social workers with their job role. The research, which was compiled from survey data, sought to understand not only how social work could be supported through the use of IT and digital platforms, but also to assess the current level of usage and understanding of digital technologies among the current workforce. While more than half of survey respondents said they had access to a smart phone as part of their role, far fewer were actually able to access case notes and other necessary documents digitally from outside the office.

The survey found there was an appetite for greater and better use of digital media in day-to-day work, which practitioners felt would not only improve their ability to work more flexibly but could also be used to forge better relationships with people who use services. In some instances, respondents to the survey felt improved use of digital media may provide a way to communicate more effectively with those who had previously been unwilling to engage, particularly in relation to social work with young people. The research found that digital technology was used in a range of ways to build and manage positive relationships, particularly with service users, including:

  • communicating with them to gather specific data (as part of assessment);
  • delivering interventions (such as self-guided therapy or telecare); and
  • supporting team work (peer support and online supervision)

Questions around the use of social media

Earlier research around the use of digital media in social care more generally found that it is used in a variety of capacities, such as storing and maintaining records, communications and day-to-day tasks such as booking appointments and scheduling in visits. However, the use of digital technologies by social workers can at times extend beyond simply maintaining records and scheduling visits. Many felt that while digital media in some ways makes their job easier, in other ways it can add to the stress of an already difficult job role.

A lot of the anxiety concerning digital technologies centres around social media. In the most positive of ways, it can be a core platform to allow service users to communicate, and make the social work team appear more accessible to people who may feel uneasy communicating in more formal ways. However, significant challenges around ethics and practice remain. Repeated instances of social workers being reprimanded have made some social workers wary of using social media platforms. In September 2017 HCPC published guidance which encourages practitioners to continue to use social media, but to seek advice and help if they are ever unsure. The guidance suggested that social media, if used responsibly, could support professionals to raise the profile of the profession and network with others nationally and internationally.

Supporting confidentiality and security

For many social workers and social work supervisors many of the challenges around using digital media centre on the necessity for confidentiality and security of information. While much of social work practice within offices is digitised with regard to record and case file keeping and report writing, security issues concerning remote access to files is one of the major challenges. In many cases until digital security can be assured, it will be difficult for social workers to work fully remotely and flexibly without some travel back to the office. GDPR also raises some interesting questions for the profession with regards to storing and accessing data.

An opportunity to improve information sharing and partnership working

It is well recognised that the use of digital media provides an opportunity to improve efficiency and partnership working within social work. If used effectively and supported well, it can allow information to be stored, shared and accessed across a range of different services, which can be particularly useful for increased health and social care integration. However, challenges in practice remain – including the ability of social workers to remotely access notes and information, the need to align working and IT systems, and the ability to access and read data in a number of formats across a number of devices. Research stresses the importance of risk management and appropriate training for staff so that they feel comfortable and confident using media platforms.

A welcome change in the profession?

For many within the profession, the rise of digital platforms as a way to engage with service users and provide increased support and flexibility for social workers themselves has been a positive development. It is a great leveller and can encourage service users who feel comfortable to engage in a much more transparent way with social workers. However, NHS Digital research shows that there are still significant challenges. Overcoming these to successfully integrate digital platforms and interfaces into social work practice has the potential to revolutionise not only how social workers engage with service users, but how they themselves conduct their work. Improved collaboration with other services, increased flexibility, and increased capacity for completing and recording continuing professional development and training to improve practice are just some of the potential fruits of social work’s digital revolution.


Follow us on Twitter to see what developments in public and social policy are interesting our research team.

If you enjoyed this blog, you may also like:

Digital technology in social work practice

World Social Work Day: promoting community and sustainability

How data leaks can bring down governments

Swedish Parliament building

By Steven McGinty

In July 2017, the Swedish Government faced a political crisis after admitting a huge data leak that affected almost all of its citizens.

The leak, which dates back to a 2015 outsourcing contract between the Swedish Transport Agency and IBM Sweden, occurred when IT contractors from Eastern Europe were allowed access to confidential data without proper security clearance. Media reports suggested that the exposed data included information about vehicles used by the armed forces and the police, as well as the identities of some security and military personnel.

The political fallout was huge for Sweden’s minority government. Infrastructure Minister Anna Johansson and Interior Minister Anders Ygeman both lost their positions, whilst the former head of the transport agency, Maria Ågren, was found to have been in breach of the country’s privacy and data protection laws when she waived the security clearance of foreign IT workers. In addition, the far-right Sweden Democrats were calling for an early election and Prime Minister Stefan Löfven faced a vote of no-confidence in parliament (although he easily survived).

However, it’s not just Sweden where data leaks have become political. Last year, the UK saw several high-profile incidents.

Government Digital Service (GDS)

The UK Government’s main data site incorrectly published the email addresses and “hashed passwords” of its users. There was no evidence that data had been misused, but the GDS recommended that users change their password as a precaution. And although users did not suffer any losses, it’s certainly embarrassing for the agency responsible for setting the UK’s digital agenda.

Scottish Government

Official documents revealed that Scottish Government agencies experienced “four significant data security incidents” in 2016-17. Three out of four of these cases breached data protection legislation.

Disclosure Scotland, a body which often deals with highly sensitive information through its work vetting individuals’, was one organisation that suffered a data leak. This involved a member of staff sending a mass email, in which email addresses could be viewed by all the recipients (a breach of the Data Protection Act).

Murdo Fraser, MSP for the Scottish Conservatives, criticised the data breaches, warning:

These mistakes are entirely the fault of the Scottish government and, worryingly, may signal security weaknesses that hackers may find enticing.”

Hacking parliaments

In the summer of 2017, the UK parliament suffered a ‘brute force’ attack, resulting in 90 email accounts with weak passwords being hacked and part of the parliamentary email system being taken offline. A few months later, the Scottish Parliament experienced a similar sustained attack on parliamentary email accounts. MPs have suggested Russia or North Korea could be to be blame for both attacks.

MPs sharing passwords

In December 2017, the Information Commissioner warned MPs over sharing passwords. This came after a number of Conservative MPs admitted they shared passwords with staff. Conservative MP Nadine Dorries explained:

My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes.”

Their remarks were an attempt to defend the former First Secretary of State, Damian Green, over allegations he watched pornography in his parliamentary office.

Final thoughts

The Swedish data leak shows the political consequences of failing to protect data. The UK’s data leaks have not led to the same level of political scrutiny, but it’s important that UK politicians stay vigilant and ensure data protection is a key priority. Failure to protect citizen data may not only have financial consequences for citizens, but could also erode confidence in public institutions and threaten national security.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 

General Data Protection Regulation (GDPR): what the public sector needs to consider

Graphic design image: three padlocks in front of a futuristic city.

By Steven McGinty

In March, the Information Commissioner’s Office (ICO) published the results of a survey into local government information governance as part of their preparations for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

Although the ICO notes that many local authorities have good data protection policies, there are still councils where work needs to be done. The survey findings include:

  • A third of councils do not undertake Privacy Impact Assessments (PIAs)
  • 26% of councils do not have a data protection officer
  • 50% do not require data protection training before accessing systems

Under the new GDPR the above findings could constitute a breach, and result in the ICO taking action against the offending council. Recently, the ICO fined Norfolk County Council £60,000 (under the Data Protection Act) for failing to dispose of social work case files appropriately.

What impact will Brexit have on the GDPR?

The UK Government has finally triggered article 50 of the Lisbon Treaty, starting the process for leaving the European Union (EU). However, this does not mean that the UK will escape the European Commission’s GDPR. Digital minister, Matt Hancock, has confirmed that it is in the UK’s best interests to ensure the ‘uninterrupted and unhindered flow of data’, stating that the GDPR would be fully implemented into UK law, even after we leave the EU.

Is the public sector exempt from the GDPR?

There have been reports that some public sector bodies believe that they are exempt from the GDPR. This assumption is based on the regulation’s special conditions and derogations, which allow member states to restrict the GDPR’s scope to safeguard the public interest (some countries, such as Denmark, already have exemptions for public sector bodies). Additionally, fining a public sector body has also been viewed as making little sense – taking from one public sector budget and placing it in another.

However, both of these assumptions are flawed. As the GDPR has been designed to enhance the rights of EU citizens, it would be against the spirit of the regulation to introduce blanket exemptions for the public sector. And it is certainly not unheard of for regulators to fine public bodies, such as the recent Norfolk County Council case, or the Hampshire County Council case in August 2016, where the council was fined £100,000 by the ICO for leaving social care case files in a disused building.

How does the GDPR differ from the Data Protection Act?

The GDPR has been described ‘as the most important change in data privacy regulation in 20 years’, providing greater rights to citizens and harmonising data privacy laws across Europe. However, to achieve this, new requirements have been placed on organisations. These include:

  • Personal dataArticle 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.
  • Privacy by designThe concept of ‘privacy by design’ is not new, but Article 23 of the GDPR makes this a legal requirement. In essence, it means that public sector bodies will have to consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer identify a particular person.
  • Data Protection Impact Assessments (DPIAs) – As the ICO’s research highlights, a third of councils do not undertake any form of privacy impact assessment. From May 2018, public sector organisations will have to carry out DPIA’s for certain activities such as introducing new technologies and when processing presents a high risk to the rights and freedoms of individuals. In the latter case, organisations will need to consult the ICO to confirm they comply with the GDPR.
  • Appointment of a Data Protection Officer (DPO)Article 35 of the GDPR states that public bodies must have a designated Data Protection Officer. This can be an existing employee, as long as there is no conflict of interest, or a single DPO can represent a group of public sector bodies. As the ICO research suggests (26% of councils do not have a DPO), this is one of the main areas where councils need to improve.
  • Data portability– Public sector organisations must ensure that personal data is stored in a ‘structured, commonly used and machine readable form’, so that individuals can transfer data easily to other organisations. For instance, suitable formats would include CSV files.
  • Strengthening subject access rights– Individuals can now request access to their data for no cost and must be responded to within 30 days (this is a change from the Data Protection Act which requires a £10 fee and there is 40 days to respond). For complex cases, this can be extended by two months. However, individuals must be notified within one month and be provided with an explanation. These requests could prove time consuming and costly for public sector bodies, and as such, supports the case for introducing digital services that allow individuals access to their data.
  • Right to be forgotten – The right to erasure (its official name) allows individuals to ask an organisation to delete all the information held on them – although this would not apply if there was a valid reason to hold that data. This principle was established in the high profile case involving technology giant Google.
  • Failing to comply and breaching the GDPR – When there is a breach, public sector bodies will have an obligation to inform their national regulator (the ICO in England) “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” These requirements could present challenges for public sector bodies, who are often engaged in providing vital public services with limited resources. However, policies will have to be introduced to ensure breaches can be reported promptly, particularly as the new penalties for data breaches are significant, with public sector bodies liable for fines of up to €10,000,000. In addition, individuals also have the right of redress and may seek compensation if they feel their rights have been breached.

What should public sector bodies be focusing on?

Although May 2018 may seem a long time away, the ICO research suggests some local councils (and the wider public sector) need to make several changes to ensure compliance with the GDPR.

Most importantly, organisations need to start reviewing the new regulation and considering how it applies to them. Evidence of a clear strategy – including the appointment of a Data Protection Officer, the use of privacy impact assessments, and staff training – will go a long way towards demonstrating an organisation’s intent to comply with the GDPR.


Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you enjoyed this article, you may also be interested in: 

General Data Protection Regulation (GDPR): 10 things business needs to know

 

European Union flag with a padlock in the centre.

By Steven McGinty

On 25 May 2018, the data protection landscape will experience its biggest change in over 20 years.  This is because the European Union’s (EU) General Data Protection Regulation (GDPR) will come into effect for all member states. The regulation, which has been described as ‘ambitious’ and ‘wide-ranging’, introduces a number of new concepts, including the high profile ‘right to be forgotten’ – a principle established in a case involving technology giant Google.

Below we’ve highlighted ten of the most important points for business.

Directly effective

The GDPR is ‘directly effective’, which means that the regulation becomes law without the need for additional domestic legislation (replacing the Data Protection Act 1998). However, member states have also been given scope to introduce their own legislation on matters such as the processing of personal data. This may result in some EU states having more stringent rules than others.

Sharing data and monitoring

It also seeks to increase the reach of EU data protection law. Not only will EU-based data controllers and processors fall under the scope of the GDPR, but its authority will also extend to any business which either processes personal data or monitors the behaviour of individuals within the EU.

This will impact businesses who transfer data outside the European Economic Area (EEA). It will be their responsibility to ensure that the country the data is being transferred to has adequate levels of data protection. The most prominent example of this issue was the US Safe Harbour scheme, which was intended to protect European individuals whose personal data is transferred between the EEA and the USA. In 2015, the European Court of Justice ruled that this scheme had ceased to provide a valid legal basis for EEA-US transfers of all types of personal data. It has now been replaced by the Privacy Shield.

Transparency and consent

Greater obligations have been placed on business with regard both to seeking consent for use of personal data and providing detailed information to individuals on how their personal data is being used. The GDPR requires that consent notices are ‘unambiguous’ – not assumed from a person’s failure to respond – and that consent is sought for different processing activities. Law firm, Allen and Overy recommends that businesses review their notices to ensure they are fit for purpose.

Personal data/ sensitive data

Article 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.

Enhanced rights

New rights and the enhancement of existing rights will require some businesses to improve the way their data is stored and managed. These rights include:

  • Data portability – Business must ensure that individuals can have easy access to their personal data in case they want to transfer their data to other systems.
  • Strengthening subject access rights – Individuals can now request access to their data for no cost and it must be responded to within 30 days (this is a change from the current legislation which requires a £10 fee and there is 40 days to respond).
  • Right to be forgotten – Individuals can request that an organisation delete all the information they hold on them (although this would not apply if there was a valid reason to hold that data).
  • Right to object to processing – Individuals have the right to object to the way an organisation is processing their data.
  • Right to restrict processing – Individuals have the right to request that the processing of personal data is temporarily stopped. This may be invoked whilst a right to object request is being investigated.

Personal data breach

Businesses have an obligation to report breaches to their national regulator, such as the Information Commissioners Office (ICO) in England.  The GDPR requires that notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” This may be challenging for some businesses, particularly if the incident is discovered at the end of the working week.

Failure to comply with GDPR

The regulation introduces two levels of fines. Less serious offences under the regulation will be liable for a fine of up to €10,000,000 or 2% of global turnover – depending on which is highest. However, for more serious breaches, such as a breach of an individual’s rights or a breach during international transfers, a business may be held liable for up to €20,000,000 or 4% of global turnover.

In addition, individuals are also given the right of redress, and those who have had their rights violated may seek to receive compensation. This has led digital marketers to suggest that GDPR could be the next PPI – a practice where insurance was mis-sold to customers, which resulted in a large number of successful claims against financial institutions.

Privacy by design

Technology businesses should also consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer identify a particular person. Additional measures, such as policies and programmes, would also show a national regulator’s commitment to compliance with the GDPR.

European Data Protection Board (EDPB)

A new body has been created to issue opinions and to arbitrate between disputes that arise with national regulators.  The board will be made up of heads of national regulatory bodies (or their representatives) and the European Data Protection Supervisor (EDPS), who govern the data processing activities of EU institutions. The opinions expressed by this board may have important implications for data protection legislation.

Impact of Brexit

Evidence suggests some businesses may be delaying taking action until they see the results of the Brexit negotiations. This possibly explains the research by cloud security firm, Netskope, which found that 63% of UK workers have never heard of the GDPR. Similarly, research by Veritas Technologies, a leading information management firm, has found that 54% of organisations have not ensured they will comply with the new GDPR.

However, it would be very surprising if the UK did not ‘mirror’ the protections offered by the regulation, particularly considering the UK’s significant input to the new legislation. Digital minister Matt Hancock has also confirmed that the UK government intends to fully implement the GDPR.

Final thoughts

If businesses already have policy and procedures in place to meet the requirements of the Data Protection Act, then they should have a solid foundation to comply with the GDPR. In many ways, the new regulation simply provides a clear framework for delivering good practice in data protection.

However, all businesses will need to take action to ensure compliance with the GDPR. Otherwise, the financial penalties (as well as reputational damage) of a breach could have serious consequences for their business. And this is not just an IT issue. The whole organisation, starting from board level, must show a willingness to understand the legislation and implement procedures that protect the fundamental rights of individuals.


Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other data-related articles