Oli Rear 0:22 Hello, DPO, and welcome to the latest episode of the Data Protection Made Easy podcast, hosted by Data Protection People. My name is Oli Rear, and for the purposes of this introduction I am joined by my colleague Mr. David Holmes, Ms. Carrie James and Mr. Producer Miles. Mr. Producer, Martin rework, but I started with pronouns, so unfortunately I had to follow it through. Good afternoon, everyone. How are you all doing? Yeah, good. Good.
Carrie James 0:49 Yeah, really good. It's been a really good session today.
Oli Rear 0:52 It was a very good session. Producer Miles is with us, but he's a bit poorly, so actually I won't pick on him. I'll leave him alone. He's already told me what I need to blog anyway, so you can sit quietly, it's okay. But yes, a very good session this afternoon, Carrie, I agree. What were we talking about, guys? We spoke about what's in the news, and we did some fun things on that.
Carrie James 1:12 You say a bit about what was in the news; the news is about half of the session. The news does come around to being relevant to the data breaches, so, you know, it kind of fits
Oli Rear 1:23 in? We got there eventually, right? Yeah, sure. For sure. Go on then. What were you going to say?
David Holmes 1:28 I was going to say, I actually found the description as well, going through the definition and really pulling the definition apart, quite interesting and useful in that sense. And it's useful in an area like this, as with most areas, for whoever's listening to this. But yeah, I found the definitions and understanding what a personal data breach is, from a technical point of view, useful.
Oli Rear 1:50 Yeah, you're lucky, as I was about to call you out there, because you were talking about going through the definition before we'd actually introduced the topic. So I was really going to pull you up on that: the definition of what, Dave? But yeah, we were talking about personal data breaches today, one of those favourite areas. But to be fair, you know, Carrie and I also very much enjoy it, don't we? Yeah. It's fascinating. There's loads to talk about. We had some really good contributions this week. I mean, we always say that, we always say that, but actually this week they were particularly good, I thought, some really, really cogent points from some other people on the session. Speaking of which, if you, the listener, would like to come along to the live sessions, you know, maybe get on the mic yourself, or even just pop a question in the chat that I always keep an eye on, let us know. Go to the DPP website; you can sign up and you can come along to our live sessions. You know, it's every week, obviously, different topics, but you can come along to those that take your fancy and ask a question, get involved. We would very much like to see you there. I don't think there's too much else for us to plug. This is part one of two on data breaches. As you will hear in the main session, we're back next week; there's still loads to talk about. I think one of the main things, one of the things that we want to get into more, is we probably want to talk about some of the practicalities around internal reporting and promotion of that. Systems training is one of the things I'd like to lean on a little bit more next week. Dave, is there anything that takes your fancy for next week that we want to talk about?
David Holmes 3:22 Yeah, I think, and we alluded to it a little bit towards the end, around the cultural element of making it positive, or not necessarily fun, but a positive thing to report, and the consequences of getting it wrong in that sense.
Oli Rear 3:39 Yeah, I think it'll be good to get into. Carrie, is there anything that you're looking forward to discussing next week in particular?
Carrie James 3:46 I think you guys have both pinched all the best ones. I agree. I think sort of how to get staff engaged in really reporting it, and sort of things you can do with that.
Oli Rear 3:58 Yeah, I think there's a lot to be said on that. And I wouldn't be surprised if it makes up the main bulk of next week, where we will try and spend, as Carrie alluded to, less time on the news, because we did go a little bit overboard this week. But as you say, it did come around in the end and provided a very able segue into our main conversation. So without further ado, we will let you get into the main session. Listener, if you enjoy it, you know, why not let us know? Head over to Trustpilot. I've not done it, I don't think I did it last week, but head over to Trustpilot, leave a review, name-drop the three of us. Carrie is absolutely trouncing everyone on Trustpilot reviews. So
Carrie James 4:36 Not since Kathy started. Oh,
Oli Rear 4:38 Not since Kathy started. Yeah, actually, that's true. You're still trouncing everyone on delivery. But yeah, if you enjoy it, why not head over there. And you know what, if you don't enjoy it, let us know: how can we improve? You know, all feedback is welcome. We're always looking to improve this channel. We really enjoy doing these podcasts, and if there's any way in which you think we could bolster it, we could improve it, then we would really appreciate it if you'd let us know. But without further ado, I will leave you in the very capable hands of Mr. David Holmes, Ms. Carrie James, and myself. Data breaches. We sometimes like to do a little bit about what's been in the news this week from a data protection, privacy, security, etc. standpoint. There's a couple of bits to talk about, things that I had seen, things that I hadn't, based on the little document that we've got here. I don't know where we want to start, guys. Carrie, Dave, is there anything in particular that you wanted to start with?
David Holmes 5:35 There's something that I was going to cover, and I'm sure everybody's seen it, because I wasn't on the session last week, so I do apologise if you've spoken about it. It's just in relation to the Queen's Speech and the government's slashing, shall we say, of European bureaucracy and some of the laws, and obviously data protection is a part of that. And there's a data reform consultation that went round. Was it September, something, really, for people to give feedback and thoughts about? Did we discuss that? Did you have a look at that and kind of kick that around a little bit on the session last week? Was it?
Oli Rear 6:08 We did a little bit, Dave, but our ultimate conclusion, Carrie and I, was that, well, not a lot was said, actually, in terms of what's to come. You know, there wasn't a huge amount provided, so we didn't have a huge amount to say about it. But I think our feeling generally on these reforms... Apologies about that, voice crack. Our feelings generally: we think it's quite a lot of posturing. You know, there's some sound bites in there that will be good for the press, I suppose. But really, we don't think there's going to be too much substantial other than a lot of rebranding, I think. So we didn't necessarily, I mean, I don't want to speak on your behalf, Carrie, but I think we didn't necessarily subscribe to some of the perhaps panicking or fearmongering either that's come along with this. Is that a fair representation of what we said last week?
Carrie James 7:02 Yeah. Yeah, I agree. I think it's just a lot of sort of wait and see. There's no point in getting ourselves riled up about something when we haven't even seen any real details as such of what's actually going to be in the bill. So I'm not going to particularly worry about it until the actual documents come out about it.
Oli Rear 7:21 But having said that, Dave, you know, if you've got any thoughts... Andrew's actually popped something in the chat about how a substantial weakening of data subject rights will lead to adequacy status being at risk. That is one thing that we did pick out, and we were very much in agreement, Andrew, which is that, overall, I think generally, and we spoke about this at the time when the initial proposal came out, this follows a trend which we are not, you know, in favour of, which is overall a weakening of the rights available to individuals and an erosion perhaps of certain freedoms. And it comes at a time where we've discussed, also over the past couple of weeks, an erosion of certain other key, you know, statutory freedoms and rights; we've been talking about reforms to the Human Rights Act, Dave, and things like that. And I think generally it's a worrying trajectory. And,
David Holmes 8:16 Yeah, anybody, if you've not read the consultation document, it's still there, although the consultation has closed, so you've lost the opportunity to give your feedback. But I think it's worth reading the consultation document, because there are some sensible recommendations in there, and if that's the direction of travel then there are some benefits within it. Some of it's a little rubbish. Some of it is political posturing. Some of it could potentially either highlight a misinterpretation of what's currently there, or it's just rebadging what's there in order just to politically say "we've changed" when in fact all you've done is rebadge the current setup. So there's a few elements in it that have been quite interesting. So, like, things that are so obviously legitimate interests: do we necessarily need to do the balancing test, that kind of thing. But there are elements in there such as, well, we do need to get away with, or remove, the need to have data protection officers, but you'd need somebody in place that is responsible for data protection, because the document goes on about DPOs having particular skills, etc., etc., that kind of thing that might make it hard to recruit for certain sectors, and so on and so forth. But you still need somebody in the position of taking responsibility. But surely, if you're going to appoint somebody with responsibilities, you still want to make sure that they've got relevant knowledge and understanding of the law in order to make sure it's applied properly and adhered to. So in essence you're rebadging a title with the same thing, but just calling it something else. But what confused me slightly in the document was the fact that you've got a responsible person, or that person is the responsible person instead of a DPO. If you want to appoint a DPO you can still appoint a DPO, but you still need a responsible person, which just seems nuts.
Oli Rear 9:59 Yeah, I mean, I think you're right. And I think a lot of it is going to be an opportunity to manipulate the optics around, you know, as you mentioned earlier, sort of slashing European or Brussels red tape and Brussels legislation. I think it's an opportunity for the government to win some brownie points in that respect. But, you know, beyond that, I think there are important points around it. From our perspective, I think there are some things which will be valuable, as you mentioned, Dave, but also others that are slightly confusing and confused in and of themselves,
David Holmes 10:34 I think so, for sure, for sure, because we've got things in there as well about the loosening of the accountability framework and drawing on inferences from Canada and the privacy management platform, and that kind of stuff, and kind of loosely around the edges, I think. But you've already got a privacy management platform, in essence, in what the GDPR offers. I'm not saying the GDPR is perfect in that sense, but you've already got a platform and a framework to offer it to. So you kind of do what, loosen this and call it something else, which in essence is kind of the same thing. And I got a feel for it when I was, because I was just going through the document recently, so I thought I'd probably best reread it and kind of go through bits, just because it's useful to keep mindful of the direction and it keeps it front of mind, especially if anything happens in the meantime. And obviously clients keep asking about what the reform means. But kind of rereading back through it, you're kind of thinking, I'm not sure if you're misinterpreting what is actually already there that is actually working. Some of the stuff within the consultation document sometimes just, to me, highlights a misinterpretation about how it's actually applied, because I don't necessarily see it in the light in which the DCMS has set it,
Oli Rear 11:43 You've really come out swinging this week. Took a week off, yeah, I could tell, this pent-up frustration.
David Holmes 11:52 I'll write a blog. I was going to call it something else, but I'd get told off there; I can't repeat it. I mentioned it to Miles, so we might need to water it down somewhat before we actually push it out. There's a blog. But
Oli Rear 12:02 Yeah, I'm sure you can tell us off. Someone has linked a Hawktalk blog, which I'll have to take a look at, which is interesting, because they're always a really, really good resource. We were always very keen on their work over there. So that's one of the things in terms of the news. There's a couple of other bits I want to cover from my side. You know, I don't have too much. One of the things that Phil, our colleague Phil, some of you will know, sent around this week was an article from some property development industry website, which has a very sort of clickbait title: "the GDPR grey area catching out the majority of property professionals". Turns out the GDPR grey area is WhatsApp. And basically what it says is, well, it makes a quite extraordinary claim, which is that most property professionals are, if not entirely compliant with the GDPR, then basically that, which, to me, is ludicrous, because I just don't think that's true at all. I mean, very few businesses can claim to be compliant, full stop. So the idea that an entire sector seems to have cracked it seems ludicrous to me. But that's by the way. What they're saying, you know, the one thing that's catching them out is WhatsApp, the fact that they're increasingly using it, and using it in an unregulated fashion. And I suspect, I'm, you know, I'm only speaking for myself here, but Dave and Carrie, I suspect you will have seen this a huge amount as well. Obviously, we work in social housing a lot, and platforms like WhatsApp, and it's not necessarily just WhatsApp, it could be Signal or Telegram or any of them, are a nightmare from a compliance perspective, because it's such a difficult asset to manage.
David Holmes 13:51 Yeah, and I don't think it's just a sector thing. Wasn't the government using WhatsApp at one point? Yeah,
Oli Rear 13:56 that's true. Yeah. We spoke about it a couple of weeks back, the fact that there was a whole... That's a very good point, Dave. We spoke about this a couple of months ago, maybe? Because there were issues around the fact that government were exchanging important information and important documents via WhatsApp, which is a channel which was difficult from an FOI perspective, I think, in terms of fulfilling freedom of information requests. I don't remember the specifics of it; I think it was all to do with that. And purely from a government transparency and accountability perspective, it throws a bit of a spanner in the works. You know, you're spot on. Yeah.
David Holmes 14:32 So it's an interesting one. How do you feel about the use of WhatsApp? Either you or Carrie. How do you feel about the use of WhatsApp as a device for the organisation to use as part of the official communications between people, or unofficial communication? How do you feel?
Oli Rear 14:48 Well, I mean, Carrie, I'm keen to hear your thoughts, but personally I'm dead against it. Specifically, both internally, if you're sort of using it as an unofficial communication channel between members of staff, but also if you're communicating with customers or tenants, or whatever your customer base is, through members of staff. Either way, I just, to me, it's just an accident waiting to happen, quite frankly. But, you know, Carrie, you may feel otherwise. Yeah,
Carrie James 15:16 no, I'm not a massive fan of WhatsApp for businesses or organisations to use. I can see, when I've worked with it in the public sector, how it can have benefits. So if you've got people in social housing, they may not have the internet connected, and they may not have a laptop or anything else; their phone is their only device. During COVID, when staff weren't able to go into houses to do repairs, or to view anything, or to even check if the repair needed to be done, they were sort of leaning towards using WhatsApp as a method for those tenants to, you know, take a video and send a video to, you know, the council WhatsApp. And so I think that, from that perspective, yes, you can see there's a benefit, because it's easy for tenants to use; a lot of them probably have WhatsApp anyway. And so there's sort of that benefit there. But there's just so much about WhatsApp that makes it difficult and tricky. And also, I've had to deal with a data breach with WhatsApp as well, that was really stupid. So, oh well, I'll tell you. I mean, I'd prefer that people didn't use WhatsApp. And I think that for internal communications within your own organisation there's absolutely no need for it, when you've got things like Teams, you've got email, you've got phones, you could book a meeting. I don't know why you would need to use it for work purposes internally. You may have a little work WhatsApp group outside to be like, "Oh, shall we all, you know, let's plan on going out for tea" or something like that, where it's absolutely not talking about work. And that's fine, because it's just a group chat. But I think it's very difficult. I think it's one where you do the DPIA on it and it's quite hard to,
Oli Rear 16:59 Yeah, massively. And actually, to be fair, that's the card I've played before with customers when they want to use it. So, okay, fine, I'll do the DPIA for you. And it comes back, you know, it's unbiased. I mean, I don't think they should use it, but obviously I'm going to do an unbiased DPIA, and, you know, it comes back with a bunch of risks. And so, you know, if you can find a way to mitigate all these and reduce them to a tolerable level, then off you go, by all means, but I think you're going to struggle, between you and I. Anyway,
David Holmes 17:29 Just quickly on that one, before we move on from WhatsApp. When you did the DPIA then, if you're using WhatsApp for commercial purposes, the other version, because the article that Phil circulated suggested that there's like a business platform for using it, how would you give effect to rights? And how do you get the information out from the subject access request point of view, if you use it?
Carrie James 17:54 The point is, you realise you're relying on staff to consistently upload any relevant messages to your internal systems, which they're not really going to do consistently enough. And it's just a bit of a minefield, I think. When I was looking at it a while ago, the website, I could be wrong, but I think the website for WhatsApp says that once the data is in there they can use it for whatever they want, or something like that. It may not say that anymore. But I'm sure there was something really weird in there that just was not GDPR compliant whatsoever, that they would own the data or something, or that they saw themselves as something rather than a processor. Yeah, the clauses did not fulfil Article 28. Anyway.
Oli Rear 18:36 Well, this is a big problem with a lot of these apps: ultimately, the providers position themselves as controllers, and regardless of what your feeling is, there's nothing really, particularly if you're, well, specifically an SME, but even if you're sort of a medium-scale organisation, there's not a huge amount you can do about that, because who's going to go knocking down WhatsApp HQ's doors, you know, saying "I want my data back"? Anyway, we're at risk of spending far too long talking about this and not sufficiently about breaches. Breach on WhatsApp, literally. And there's a lot being said in the chat about pros and cons alike, and also references to our prime minister and his goings-on during the pandemic, which may have been organised on WhatsApp; I don't know that for a fact. Anyway, last few bits of news before we get into it, because, as I say, Carrie, you set up a lovely segue a second ago. It's just a shame that we covered this one, you know, earlier. But there's one I wanted to point out more than anything, because I don't really know a lot about it, which is that one of our colleagues, Joe, I think, sent me this earlier in the week. Particularly as we were talking about PCI DSS a couple of weeks ago, it's semi-relevant, I guess, which is that MasterCard, apparently, one amongst others, is looking to introduce biometrics as a way of making payments. So shops introduce technology which will allow you to sort of pay with a smile or a wave, as opposed to typing in your PIN, I suppose. I've not looked into it in detail. I don't know how it's supposed to work. But just the headline alone fills me with dread, quite frankly, because it's the sort of thing that I really don't like the development of. And I thought I would just raise it as a point. I'm sure there are people in the session here that know way more about that sort of thing than I do.
And if you do, then please feel free to school me on why it may or may not be a good thing. I also wanted to point out, I think someone added this story in. I think, Carrie, you've... So this is interesting, because Carrie, you've put in the notes "you may have talked about this or something similar in the past, so we can skip". But you're right, because we spoke about something near identical, or not near identical but very similar, recently, whereby, so I'll let you give us the details, but effectively someone has taken it upon themselves to meddle in their employer's database, for want of a better term, and has made quite a mess. But in this instance it's backfired on them. Do you want to tell us a little bit about this?
Carrie James 21:06 Yes. From what I can tell, this person started at a job, so they're still in probation. It's not worked out for one reason or another, and they've been let go. But before they've left, because it's a spa, they've deleted all the appointments that were booked. So then this spa has had to close, and it's sort of caused all sorts of business calamity. And eventually, somehow, these couple of days of appointments having been deleted has caused the whole business to collapse. I'm not quite sure how, well, yeah, appointments being deleted gets to the business being closed. And there was a few comments I saw somewhere, I think I might have found this link on Facebook, actually, there was a few comments, I think, where maybe it's not totally just because of these appointments, perhaps, that the business failed. I think there's other elements in there. But it was just, how did this person still have access to that data when they left? So had this person... because they said that she's done it from her own iPhone. So how, well, even
Oli Rear 22:09 It gets worse, Carrie. I saw this a couple of weeks ago, in the news, I think. I read it, and it gets worse, because when they did this, so they logged in, you're right, at the site, access through one of their accounts to the booking system that the business used. But when they did it, before going ahead and deleting all the appointments, they actually changed their profile so that it read as if it was one of their colleagues, or I suppose former colleagues, that was the one doing this. So there was an attempt, albeit a very poor one, at concealment. And yeah, not good. Basically, the outcome of this is being sentenced under the Computer Misuse Act, because that's the sort of thing that happens. I think it's been a suspended sentence, community service, that sort of stuff. But I do believe that, you know, any slip-ups from here on out and it's a prison sentence for the person in question, I believe, reading the news stories. But yeah, just a silly, silly, silly thing to do. I don't know if there was anything specific other than that that you wanted to pick out, Carrie? But
Carrie James 23:17 No, it was just another one of, you know, rogue employees having access to data they shouldn't do, going off and doing their own thing. It's just, I don't know, it's a tricky one for employers to avoid, because she's obviously somehow logged into all of this on her phone. And I doubt they, I mean, they shouldn't have given permission. If that's something they allowed, then their policies needed a rework.
David Holmes 23:41 Precisely. I think there's wider issues with it. She's always going to have to have access to that information, and all she was doing, she wasn't obviously authorised to delete the information when she was disgruntled with the employer. So there's a rogue employee element of it, but to me there's a wider element around security of access to the records. Maybe it's a small spa, maybe they didn't have the technical infrastructure or technical support to look to things like MDM and all that kind of stuff, but she had direct access from a mobile phone into the booking system and was able to book, read and delete appointments, apparently, because you've been deleting in that sense, also from a mobile phone, and that just feels like there's a complete lack of appropriate security in place for the risks that were potentially made available
Oli Rear 24:25 as leavers policy and all
David Holmes 24:27 that kind of thing. You know, I mean, it's
Oli Rear 24:30 Which, yeah, no, sorry. No, I was just going to say, which, you make a very good point. You know, we're talking about a micro business here, I assume, like tiny, like just an individual spa. So it's all well and good us rolling our eyes and going "get your joiners, movers and leavers policy" and all that, but, you know, that would be one small business, and I mean,
Carrie James 24:51 I mean, actually, the owner of this business should know better, because it says they're the director of another business that's actually got quite a few, it's like a pub chain. They should know better than maybe somebody who's a one-man band running a little spa.
Oli Rear 25:09 I mean, I think the key point is to reinforce, you know, sort this sort of stuff out. You know, it can have a real impact on your business if you don't apply role-based access controls properly, if you don't have, you know, a strong leavers policy, if you don't have the controls in place to be able to revoke access on termination of employment and do it quickly. You know, I think one of the articles I read was saying, you know, sometimes it's possibly even worth jumping the gun on this thing: you're better to risk jumping the gun and revoking someone's access when in fact you end up keeping them on, because you can restore that. But if you leave it too late, or, as in this case, all your appointments are deleted, then all of a sudden you're in significantly hotter water. I'm conscious of how much time we are taking. Yeah, it makes a good point: a backup would have resolved it. Always have a backup. Yes, exactly. We're running rapidly out of time in terms of this segment. I don't want to take up too much time, but there's one last item, and I think we can probably squeeze that in, which
Carrie James 26:14 this does go with today's theme, actually, to be fair, this
Oli Rear 26:17 one. Perfect. Off you go then, Carrie.
Carrie James 26:20 So this is one that I found in the news. Central Bedfordshire Council had an FOI, Freedom of Information, request, asking for, I think, special category data about SEND children. And the request used this FOI website called WhatDoTheyKnow. And if you're not familiar with WhatDoTheyKnow, you can ask a local authority a question through WhatDoTheyKnow and everything is made public. So your question is made public, their response is made public, any email contact between the two of you is all public on this website. And so when the council went and sent its FOI request back with its answer, they actually included the full names of dozens of children, along with whether they had a school place for September or not. And not just children, SEND children, so there's a bit of extra sensitivity there. And they published it all on WhatDoTheyKnow. So it's a data breach, not just giving the information they requested, but making it available at large, which is ridiculous. Honestly, as someone that did a lot of FOI, I saw this and was just like, well,
Oli Rear 27:30 Victoria is coming up with a very sharp intake of breath. Yeah, I think that goes... and then a facepalm, and Toby. I think that goes for all of us. Yeah. Terrible, terrible. Thank
Carrie James 27:41 you. It must have been attached to the spreadsheet, and somebody has not checked the columns of the spreadsheet to notice what was included.
David Holmes 27:50 I've seen that in other breaches, where there were those spreadsheets. Even if the detail on the spreadsheet was capable of being shared with whoever you're sharing it with, it's still the hidden columns and that kind of element within spreadsheets, where, if we're looking at documents, looking at email attachments, looking at email chains, we need to be absolutely sure there's nothing in there. You know what I mean? And we'll be talking about those as we move through. But I've certainly seen that occur more times than is necessary.
Carrie James 28:15 Yeah, I've caught it in responses before they've gone out. And I've checked the spreadsheet, because my role was kind of like the last stop before it gets disclosed. And I've caught it and said to the service area, "this has personal data in it, you need to change your answer". So, because I was there to check it properly, I caught it. If it had been sent straight out without me checking it, there would have been a data breach caused by it.
Oli Rear 28:37 Yeah, so there's a few things that have been picked up. Actually, one thing that I'm investigating now is whether they were able to retract it. I don't know if either of you know this, whether they were able to get it back off the website. I don't know off the top of my head. I can look it up. But just out of interest, because I'm kind of curious. I mean, people have pointed out the vulnerability of spreadsheets, as we've said; I mean, they're the bane of any sort of disclosure officer's life, I suspect, or whatever your role might be. But, you know, that last stop, as you were saying, Carrie, you know, spreadsheets. And as you said, Dave, you know, you've seen, well, I know, obviously I can't say too much, but I know that you've been involved in or have seen really quite serious breaches that involve spreadsheets, I believe. Obviously we can't say too much, but yeah, there's a couple of bits I wanted to pick up here. I mean, I was asking the question: would you be allowed to say you weren't sending the responses through the website? Which, I have to say, is slightly a blind spot for me. I know you can do that for SARs, so if a SAR comes through like a portal you're allowed to say "no, I'm not going to send it through the portal, I'll send it to you directly" or whatever. I don't know if that's the case for FOI. I see you opposite me shaking your head.
Carrie James 29:44 Yeah, no, I don't think you could, because the thing with FOI, like FOI is disclosure to the public at large anyway, so it shouldn't matter whether it goes on WhatDoTheyKnow or not. Like, it shouldn't matter, because even though most times you're only replying to one person in the email, oh no, they could put it out at large, because that's the idea of the information. You're not replying to one person, you're replying to the world at large with that data. And so it shouldn't matter whether you use WhatDoTheyKnow or not. I mean, I find it a really good resource, WhatDoTheyKnow, when I've sort of wondered about FOIs and how to work different things, and to see what other councils are up to. It's a good resource to see what kind of questions are out there and what answers are being given. So it's not just for the requester, it's useful. I found it useful as somebody, you know, on the other side of things.
Oli Rear 30:31 No, sure, sure. There's an interesting question which Alan's asking. So I guess, as a result of that, what about, nice acronym, WhatDoTheyKnow's role as a controller in this? Because I suppose, yeah, you would become involved involuntarily, or... I don't want to put words in anyone's mouth. But I suppose you are becoming a data controller at that point, because you have this information. Is it the sort of situation where you could claim section 170 of the Data Protection Act, maybe? I don't know. Dave, what do you reckon?
David Holmes 31:07 I'd have to see how WhatDoTheyKnow have set themselves up, in that sense. I'd have to definitely see what the documentation was on there. I don't think you could kind of respond to WhatDoTheyKnow and say, well, they should have reviewed and determined whether there's a breach or not, possibly if it wasn't, and so on and so forth. I think it's just their platform. What I was going to ask about the platform, I've never used it myself, I was going to ask: is it a free platform? Is it something they have as something people can just do? Or is there a charge to it, to bring in money, and marketing, or how is the platform funded?
Carrie James 31:42 I'm on it now. It says your donations keep the site and others like it running, so I think it's free. To answer a request through it, you'd have to... you'd have to sign up with it already. Thank you, because on that signup, as a requester, they give you an email address that's a bunch of numbers, I think, a bunch of numbers or your name, and then it says WhatDoTheyKnow, I think. So you're given a WhatDoTheyKnow email address from that, so it can link you to the request. Yeah.
David Holmes 32:07 And that's useful, because sometimes you've certainly seen that with paid versions for sales and that kind of thing. And I just wondered whether this was the same for you.
Oli Rear 32:16 Yeah, I mean, to be fair, listen, it's a platform I've not heard of before. But it sounds right up my street, because I'm big on sort of transparency and public accountability, that sort of thing. You will lose
Carrie James 32:25 an afternoon on it. Right rabbit hole, once you start going.
Oli Rear 32:30 Yeah, it sounds right up my street. Oh, apparently there's a premium option for researchers or journalists.
David Holmes 32:36 I also guess there'll be something in the T's and C's saying you're liable for whatever you post, that kind of... maybe not liable, but do you know what I mean, you're responsible. They'll have better wording for
Oli Rear 32:44 you. But does that work in practice? Like, if you say, say they're now deemed to be a data controller because they've got that information, right? Does that work in practice, to just say that as a contractual term? I guess if you had really strong indemnities or liabilities bolted into that, you could maybe blanket that. But it seems weak to me. I feel like if
David Holmes 33:06 Well, I guess, I mean, I'm only guessing, I've never really used it or been involved in it. But I'm guessing if the platform's for FOI, and FOI is not really personal data, in that sense, there may well be terms and conditions for using the platform that you don't put anything up that's got personal data in it, and you're expected to read it before you then start responding through it. And if you're not happy responding through it, respond directly to the requester.
Oli Rear 33:27 Well, this is kind of... I don't know if you're about to pick up on this, Carrie. But Ben's question, which I think is a very interesting one: so would they be a controller or processor? They provide the platform, but you decide what to post and how you use the site. Ah, that's very tricky, is
David Holmes 33:44 technically. Technically, if it's a platform for consumers, then would the processor relationship really work with the consumer?
Oli Rear 33:52 No, it wouldn't. No. I'm not sure which way round Ben intended it, but to my mind, I don't think they could be a processor, because of the nature of it and the public. I think there could feasibly be an arrangement where that type of platform could serve as a processor. So if they approached local authorities and said, we can provide you with a portal to do your FOIs through, I think that probably works. But, as you say, in the consumer, the member-of-the-public relationship like that, I'm not sure they could be a processor. I think they probably would be a controller. Anyway, we intended to talk about breaches here. So, as I said before, nice segue, Carrie, for us to talk a little bit more about breaches. It's a very broad topic, of course. I don't know if either of you had any way you wanted to start specifically. From my perspective, what I would like to start from, because we often do this, because I think it's useful for us all to make sure we're all in alignment, is just to go back to: what do we mean by a data breach? What are we looking at? And, more importantly, what is the textbook definition? So that sounds like a good place to start.
Carrie James 35:12 Yeah, Miles, Miles, we'll start at the beginning.
Oli Rear 35:15 May as well start at the beginning. I like to check, because sometimes Dave has a different view on how
David Holmes 35:20 to see it, normally.
Oli Rear 35:22 This is nothing if not a democracy. I mean, basically, when we're talking about personal data breaches, which I think is our bag, really, because there's a whole host of terminology out there. The most recent one to me, which I wasn't aware of, which I think is a niche term, is a data spill. Maybe?
David Holmes 35:41 I've not, you know, that.
Oli Rear 35:42 I think it's very specific. I think so. Yeah. And I might be wrong, someone can correct me on that, but I think a data spill is technically a next term.
David Holmes 35:51 But it's not a defined term in the GDPR.
Oli Rear 35:56 This, what I'm saying is that there's a lot of terminology around it. But what we mean, specifically, as a defined term, is personal data breach, right, which is ultimately a breach of security leading to unauthorised access, processing, etc., of personal data. That's like the core element, right? And I think the way to think about this, I don't know how you two go about your breach assessments with customers, but from my perspective, the way I often look at it, when I get the panicked call of "oh, this has happened, is it a personal data breach?", is to say, well, you know, let's go through it, and let's go through it almost as a two-part test. Right. So the first part is: has there been a breach of a security measure, whether it's a technical one or an organisational one? Has there been a compromise to the integrity, availability, confidentiality, you know, resilience of that information asset, of that personal data? And secondly, has that specific breach led to, and perhaps I'm placing too much emphasis on that, but has that specific breach of a security measure led to one of the listed consequences? And what you find is that a lot of the time you are able to weed out certain incidents as a result of doing that, because either there's not been a breach of a security measure, or that breach hasn't inherently led to one of the listed consequences. I don't know if that's the way that you two work through it, but that's certainly the way that I do.
David Holmes 37:18 Yes, I do. It's a two-part test: you look at, has there been a breach of security, and ultimately, to kind of paraphrase, has it had a consequence, some kind of negative consequence, on personal data? If you want to really strip it back a little bit, in that sense, you're looking for there being a breach of security, which may lead you to think, well, what is a breach of security? What do we mean by security? And you've got Article 32 for security of processing, you know. So you look at, potentially, okay, well, has anything been breached in the sense of technical and organisational measures? But then again, without turning it into a really kind of moot point, what do we mean by breached, ultimately? Because for it to be a personal data breach, it's got to fit within the definition within the GDPR, hasn't it, ultimately? Which is always a confusing point, and I know we've discussed this, and I know I went off on one a little in the session about it, when you get these: "well, it's a near miss." Well, the letter of the law doesn't define any of this. I think it's a hangover, possibly, from health and safety, or a comfort blanket for those who like to report them. But it's either a breach or it isn't a breach, right? Yes, actually,
Carrie James 38:18 I do, I do like a near miss. I do like it when near misses are reported. Because sometimes you can identify, in a couple of near misses, that maybe there's a trend, and you can prevent it becoming a full breach in the future. So I think near misses do have a useful place within data as a whole.
Oli Rear 38:37 I think that's a fair point, Carrie, because it does build a picture, right?
David Holmes 38:42 Well, again, just kind of a bit of a moot point. If it's not been a breach of security that's impacted personal data in that way, that means it potentially is not a personal data breach. It does not necessarily mean it's not an information security breach; it doesn't mean it's not a security breach, a breach of security leading to something else. So you could still have it reported as a security incident. It's just not a personal data breach.
Oli Rear 39:05 You've just beaten me to the punch. That's what I was going to say: okay, well, if we're not going to accept near misses, or, you know, while those are contentious, how do we feel about the term information security incident? But you've beaten me to the punch now. But you're right. I mean, ultimately, just because it's not a personal data breach doesn't necessarily mean that it's not, you know, an incident that we should (a) record and (b) remedy, or at the very least monitor, you know, specifically. And I guess, Carrie, to your point, part of the value of recording an incident which falls short, even an incident which falls short, if you wanted to introduce that level of hierarchy, if there is such a thing, but if you were to say that, you know, a personal data breach is the real deal, maybe an information security incident is something where there's still a breach of a security measure, but it falls short of a personal data breach because it doesn't affect personal data. And then below that even, you have maybe a near miss, in that it could have spiralled, but it's been caught or whatever. Yeah, you know, if you did introduce that level of hierarchy. But part of the value in that, and I think that's what Andrew's saying, I've not finished reading his comment, is in trend analysis, right, and actually monitoring these things. Ultimately, even if you don't go to the level of, I don't want to say the word KPI, because they will go mad, but ultimately that's kind of what it is, right, as a KPI is something which you can monitor: where are these coming from? Why are they occurring? Is it something that we can nip in the bud now? Because ultimately, nothing is going to make you look more daft than something that keeps occurring and you're not dealing with it, either because you're failing to record it or because you don't think it's significant enough.
And as a result, then you do have an incident and you look all the worse, right? Andrew, you've got your hand up. Would you like to comment on this point?
Unknown Speaker 40:54 Yeah, I started to try, and it's easier probably to put a quick sentence in. What I was getting at in my comment was, sometimes we find ourselves in the position of trying to defend the organisation rather than defend the data subject's rights. And we do live in a sort of bipolar world as DPOs. I had a complaint today, I work for a local authority, somebody was saying there's been a breach of my data, because you sent me information with my personal data in it, unencrypted, by ordinary email. But clearly, for that to be a breach, there would have to be a negative consequence. And if it doesn't fit the definition, you can save a lot of resource being mopped up by playing the straight bat and saying it doesn't comply with the definition of a breach, because there wasn't a negative consequence. And therefore, whilst it might not have been best practice, there hasn't been a consequence, so there's no breach.
Oli Rear 41:54 I think that's, yeah, I think that's,
Carrie James 41:57 that's not a data breach. But depending on what information was sent in that email, it could be a breach of internal policy. So if you'd sent 1000 pages of a request
Unknown Speaker 42:08 It was an overseas resident being asked to confirm his electoral details were still current and that he wanted to continue on the electoral roll for overseas residents. So it had his name and his current address, his old UK address that made him qualify, and that was it. So even if that had been broadcast on WhatDoTheyKnow, the negative consequence would have been infinitely small. But there was no evidence it's gone anywhere outside of the email to him. So.
David Holmes 42:37 Yeah, and I just kept coming back to that as well. I think it's a really interesting point. It just made me think a little bit further around it, when you're looking at a personal data breach being a breach of security. Well, if we look at Article 32, security is security that's appropriate to the risk. So if you look at the incident that you've had there, Andrew, and kind of go, well, is the security around the data appropriate to the risk? Then it's neither been a security incident nor a personal data breach, if it's within what's deemed to be appropriate. Surely? Maybe a moot point, but
Oli Rear 43:05 No, I think Ash has a very good point, though, because I've had a couple of incidents recently where actually the breach just about meets the definition, because technically there has been a level, albeit a very minute level, of unauthorised access, or at least extremely low risk associated with that unauthorised access, and there has been a breach of a security measure. But actually, kind of what we're getting at here, and one of the things which is interesting, is that the only reason that in those instances it was technically a breach of a security measure is because the organisational policy on that was actually almost disproportionate to the level of inherent risk, right? So they'd gone above and beyond. So say, for instance, because I know some businesses do encrypt all external traffic, I've seen every single email that goes out of a business being encrypted, where you'd say that arguably that might not be proportionate. In fact, it almost certainly isn't. Or even password-protect absolutely everything. But if you sort of fell short of that, it's an interesting question, isn't it? Because then, I mean, technically you have breached your organisational security measure, or even your technical measure, depending on the scenario. But if it was above and beyond, it's an interesting conflict I hadn't really thought about until you just vocalised it.
David Holmes 44:33 And there's another element to it as well, kind of thinking back, in addition to what I've just said: if your security measures are appropriate to the risk, and there was a breach, does that mean your security wasn't appropriate? Or can you have a breach even if the security is appropriate?
Oli Rear 44:50 I certainly don't want to massage your ego, but wasn't that the subject of your dissertation for your master's?
David Holmes 44:56 Well, unfortunately, I try not to mention that, but yeah, that's kind of the area I was looking at, which is why I think it's a really fascinating area. Because obviously you've got a definition of a breach that involves security. So, looking at the security and that kind of stuff, you're looking at what is a breach in that sense, if you want to go down the line of something either failed, was missing or was ignored, that kind of thing. But then you're looking at, is the security appropriate to the risk, and so on and so forth. But even if it had been appropriate, and there was a breach, does that mean the security wasn't appropriate? Well, not necessarily, because security is not an absolute requirement, is it? It's not "it's got to be no risk", in that sense. It's not "it's got to be absolute security". It didn't say that. It says it's got to be appropriate to the risk.
Oli Rear 45:35 Slight bit of feedback. No, I think you're bang on. You know, that's a very valid point. The next... I don't know, Carrie, if you had anything that you wanted to highlight in relation to that. I do try and make sure to give you an opportunity after Dave.
Carrie James 45:52 I do think it's really interesting that, you know, you say security appropriate to the risk. So in that case, like an address, you know, might be overkill, sending that by Mimecast or Egress, whereas sending a full SAR response, you would, you know, I would expect more security there. So I'm not sure, you know, sort of where the organisation's risk appetite sits as well, because some people might think that sending more personal data is fine, others might think less. But this is why it's really important to have policies that sort of separate these things out, so people know what they do, so people can know if they've breached policy or not breached policy, and that they've got that backup behind them if somebody does complain like this.
David Holmes 46:33 Absolutely. These are elements under the GDPR. The variable, and some people like me saying it, some people don't want me saying it: risk is subjective. That's the issue with risk. So when you're saying, is the security appropriate to the risk, we need to be able to identify the risk and then make sure we've got appropriate security. But it's the risk element itself, and identifying risk itself is subjective. What one person might think is high risk, maybe somebody else thinks is medium or low risk.
Carrie James 46:59 Oh, yeah. Because you might be happy to cross the road in front of traffic, whereas I might go to the green man and wait. We all judge risk every day and stuff like that. For sure, for sure, it's
David Holmes 47:09 all relevant, isn't it? That's why I love this topic. There's loads of elements in it.
Oli Rear 47:12 And actually, I think Andrew made a very good point in relation to, you know, how you quantify that as an organisation, which can really help you respond to it and mop it up. And I've done exactly the same thing, when there's been a complaint come in saying, oh, you've breached my data, etc. And actually, I think you'll find this isn't a personal data breach. I mean, obviously, you play it with a greater degree of apology and sympathy. But effectively you say, yeah, it's not actually a breach. I mean, we'll sort it out, and don't worry, but, you know, it's not actually a breach, and therefore we don't need to do anything with it. So I think it's a very, very valid point. The other one I want to come to, if that's all right, and we are nearing the end of our time, despite the fact that we've barely scratched the surface. And we really have barely scratched the surface this week, because we spent too long talking about the news, and that's my fault. But the next one I wanted to talk about, purely because we're talking about thresholds here, effectively, aren't we, of what is considered a personal data breach, is the reporting thresholds, right? Because that's the next question that we all get asked as the DPO, as the support, whoever it is: is this a breach? Do we have to report it? And there's often still a huge amount of confusion around what constitutes a reportable incident, just so we're clear. And this is where I maybe make a fool of myself if I don't get it right. But all breaches have to be reported, unless they are unlikely to pose a risk to the rights and freedoms of individuals, correct?
David Holmes 48:50 Yes, unless it's unlikely. That's a bit of a tongue twister, isn't it, "unless it's unlikely".
Oli Rear 48:55 Which is not, to be clear, the same thing as "it has to be reported if it's likely". It's actually a much higher, sorry, a much lower bar. Because "unless it's unlikely" puts the burden on us, the organisation, to demonstrate that it's unlikely. Right? Yeah. Which makes it more difficult.
David Holmes 49:16 Yeah, my starting point is they all need to be reported internally and logged. They all need to be reported regardless. You're then determining whether the notification principle, or the notification requirements, have been met, and if the notification requirements have been met, then in that case you're going to have to inform the ICO. That's how I look at it: it's the fact that they're all reportable, just to whoever's managing that within the organisation. You're right, looking technically, but "unless it's unlikely" is quite a low threshold, isn't it? It's interesting you raised that, though, because it comes back to the bit I started ranting on about at the beginning of this, for the DCMS paper.
Oli Rear 49:57 It's almost like I set this up on purpose.
David Holmes 50:00 You're very good, all your buddies.
Oli Rear 50:02 Go on, sound off about the DCMS paper.
David Holmes 50:04 They'll be looking at trying to change the threshold. The paper is well worth reading, the paper you'd like to set early without recovering yourself. But within those, at round about page 60, I think, they do talk about the threshold for reporting, and it goes through the exact bit under the law and what the law currently states, and that kind of thing. But the DCMS paper indicates that the exemption could only be relied upon where there is likely to be no risk to the individual's rights and freedoms. I'm not quite sure if that's a correct interpretation. I'd like to see what other people's thoughts are, because the law doesn't say "no risk", it says "unless it's unlikely to be a risk". And my interpretation of that, "unless it's unlikely to be a risk", is actually whether the risk is going to materialise: you might have the risk, but the risk isn't going to materialise. Am I making that kind of sense?
Oli Rear 50:56 Yeah, so this is the thing I often talk about. And Andrew makes a good point, pointing out that, you know, there's also a second tier of reporting, which is whether you have to notify the individuals affected as well, which is a higher tier. Because effectively, you have to, as we've said, report all incidents unless they're unlikely to pose a risk. But you have to notify individuals if there is likely to be a high risk. And this is often, when I'm talking through with our support guys and taking them through the process of, you know, learning about breaches, I say there's two axes that you're considering here. You're considering likelihood of risk, and you're considering level of risk, right, or the level of harm. So you're looking at how likely it is to materialise: is it remote? Is it virtually certain? And you're also looking at what's the impact if it does materialise: is it going to be really substantial? Is it going to do some real damage to someone? Or is it actually, you know, relatively minute? And I guess that's one of the things, you'll get an update, right, that one of the key things is how remote is the likelihood of this harm materialising? Well, for
David Holmes 52:03 sure, it's also looking at the fact that if the incident or the breach has been reported sufficiently quickly, and you can take sufficiently quick mitigating actions to limit the fallout, in that kind of sense, you may actually reduce the requirement of it being a high risk to the individual, so the individual doesn't need to be notified, or even reduce it from potentially being a reportable incident to the ICO, if you can demonstrate that the risk is unlikely, "unless it's unlikely" to materialise, kind of trying to use the language within the law in that sense. So it's looking at the fact that something's happened and being able to act on it quickly, to limit the damage and contain the incident.
Carrie James 52:47 Yes, like getting the information back as well. So when I've worked with councils, you might have what looks to be a bad incident to start with. But once you've gotten it, you know, if it's a letter gone to the wrong house, you can go to the house, get the letter back, and then the data is back within your control. And there's a lot less that can then happen with it once it's taken back from that person. So there are, you know, like you said, mitigations you can do, and making sure that staff report these things fast enough. I think we had this as a question, didn't we? So it'd be good to answer it as well, because they asked for this session.
Oli Rear 53:21 That's true, that's true. Carrie makes a very good point. I agree. I do find it weird that the threshold for notifying individuals is lower than the threshold for notifying the regulator. I've always found that odd. Someone probably understands the rationale behind that, but I don't. Yeah, that was one of the questions posed. I've noticed someone just put their hand up. I'm afraid I've lost the name, but if you want to come on. And the stranger I was
David Holmes 53:50 Sorry, I just took it in there. We were just looking at the differences in the notification to the ICO and to the data subject. Sorry for really cutting over the top of you there as well. I think some of the differences, because it's such a low bar to notify the ICO, are that if the ICO has got issues with it, technically, if they're going to be on top of everything, they'll be able to advise, guide and monitor, and go, we feel you need to be telling the data subjects, if your assessment is wrong. The higher one is the individual. And if the impact on the individual is so high risk, the quickest way, if I can speak, to mitigate it is to tell somebody: you're going to have to tell your bank, we've just lost your card details, that kind of thing. And the quickest way is to go directly to the individuals. And I think the difference is to try and get the ICO's involvement, at some levels, prior to the point where you just go running straight to the data subject, in that kind of case. But that's kind of
Oli Rear 54:44 No, I understand that. I now want to yield the floor to the person who wants to speak, which I believe is Elise.
Unknown Speaker 54:52 Yeah, I was just going to say, I think that risk piece is really quite interesting, because on the social care side of things, we have certain scenarios, and I've come across them, where when we're analysing the risk of that breach to the data subject, the risk of them not engaging with us then as an authority, particularly around sort of safeguarding, can often, in some circumstances, be higher than the risk of telling them about the data breach. So there's often a really challenging balancing act, and that can be really difficult. We've had a number of conversations with the ICO about it.
Carrie James 55:25 Fully agree with that, Elise. I've had that with councils, depending on if the council's already had difficulty engaging a family, where the thought of having to tell them that you've breached their data could actually, you know, you could be putting children at harm if the family then completely withdraw from the council. So sometimes, whilst in another case, with a really good relationship with a data subject, you might tell them, if you actually risk completely shattering that relationship and putting children at harm and putting people at risk, because they won't get your services, then yeah, it's difficult. But yeah, you can see there's the argument there for not telling them, because telling them is possibly going to upset them and harm them more. That's where the business knowledge is really important. And as DPO, I'm not making that decision separately from understanding that risk within the business. I would always get the service area in: you need a service manager, you need to know from the social worker that's involved with the family, anybody who's got direct involvement and can really say, this is how we think this is going to swing if you do this, or if you do that. You know, sort of having that in-depth knowledge is really key for these kinds of tricky, reportable situations.
Unknown Speaker 56:36 Yeah. Just wanted to raise that. So
Oli Rear 56:38 No, I see your point. Yeah, really good point. And we see it a lot in social housing, where there's sort of... it's funny, I was talking to a friend of the podcast about this just the other day, talking about, particularly, sectors like social housing effectively being like a first line of care now, with these individuals who often have complex needs, both from a physical and mental health standpoint. And we see loads of it, and you might have a breach that actually, you know, might just about be sufficiently serious to notify the individual, or even if it's not, sometimes you might just wake up and say, well, we're going to notify them from a transparency perspective. But actually, that person has very complex mental health needs, and it can be far more damaging to them to notify them of that and say, oh, by the way, you know, your information's not safe. And whether it's, as Elise very rightly points out, whether it's from the perspective of damaging the relationship with the individual, maybe compromising engagement, or even purely just from sending them spiralling, you know, it can happen. And yeah, no, absolutely, excellent point. I think the question that we did want to cover, because someone asked about it in anticipation of this episode, and we have just hit the hour mark, but we'll keep going for a little bit, is: how do you ensure that reporting happens internally? Because that's kind of one of the key points, right, which is, yeah, if you're the DPO, you can't have eyes everywhere, even though we do try our best. Yeah. How do you really promote good internal reporting? I mean, the number one thing, and I suspect this is what Dave certainly will jump to, but Carrie also will jump to, is training, right? Yes. Training, recognition, awareness
Carrie James 58:22 policies, I think, a good thing as well as when you do have a data breach, you know, you don't have to name and shame anybody around your organisation. But you could give a summary, this is what's happened, reminder. You know, if you think anything like this has happened already with you, and you've not reported it, or if this happens to you, then you need to report it. Because it can be, that can also be the difference between a higher risk or a lower risk is whether the person who's done the breach internally, you know, if they recognise it, then you know, good, but if they recognise it, and then sit on it, or try to fix it themselves, that can actually sometimes make a breach worse, than just notifying the DPO, you know, straight away for that subpart of what to do with x, it could be that it was reportable. But you don't find out about it as a DPO for another week, when they think oh, yeah, well, we did this thing. And then we did that. And then we thought we'd do this, and then this happened. And so we did that. And it's you come into it at the very back end. Like why did you do any of that? Why don't you just tell me and it's, it's difficult getting to that sort of, it's just come back to training and really just hammering it home to get staff to report it. And this is why I don't mind near misses being reported, because at least I know, people are thinking about it, if they're applying in the MS. You know, they're aware of this might be a breach. And that's why it's always really good. But I always said, you know, thank you. That's really good practice for reporting this.
Oli Rear 59:41 And you make an extremely good point, though, which is that whenever I deal with an organisation, whether from a due diligence perspective, or even just if I start working with a new customer, say, oh, have you had any breaches in the last 12 months or any breaches at all recently? And they say, No. You just think, we've said this before, it's a red flag, because it either tells me that you are beyond compliant, which seems, I mean, it's not even a question of compliance, actually, because you can be as compliant as you want to start breaches. It's an issue of reporting. So something's not going right.
David Holmes 1:00:12 Well, yeah, the starting point for me is a couple of points as well. And I agree with everything that was said, in essence, but it's, it's about getting a culture within the organisation, right? Because you need people to feel comfortable at bringing issues because kind of saying that I've cropped up, some people may find that kind of a negative, not necessarily want to kind of self report if they've done it or self report on others that they're working with. So it needs to be a positive environment for bringing them forward, and not necessarily a fearful thing, because otherwise, all you're gonna do is hide issues and people, there's not going to report on something's happened, and it'll just go missing anyway. So it needs to be a supportive environment and supportive culture for bringing it forward. And for reporting, and it should be a positive thing. And I absolutely get the fact that I've seen the break. And this unfortunately, where there's very little that I can see when breaches are brought forward is there a feedback loop to the individual or the team, in that sense, in order to let them know to be a lot of the trends is it's really, really important that you, you tell us if things happen, and so on and so forth, or something along those kind of lines to report it. And then nothing ever happens and they never get any feedback saying, Thanks. There's never this is what's happened. As a consequence, you said we did kind of approach, there's none of that. And I often find that it's a breakdown when you're talking to individuals and teams within organisations about how we found the reporting process, etc, etc. And a lot of them would like that kind of feedback, not necessarily to say you've saved the world. But they'd like that kind of feedback, because we say it's important, we'll just give them a little bit of work and give them a little bit of respect back in that kind of positive environment.
Oli Rear 1:01:35 Yeah, I think that's a brilliant point. And I see, Andrew, your hand's up, I'll come to you in just a second, if that's okay. I think that's an excellent point, though. Because all too often. So we, we often see instances where organisations will look to potentially penalise staff for reporting breaches, because they'll say, you know, it's a disciplinary issue, which I'm not a fan of at all, because I think it can put people off reporting, but also you get instances where even if that's not the case, the only outcome for the member of staff that reports is, right, well, that's it, you're going on training. And even though we try and make our training as engaging as possible, I think most staff hear more data protection training and roll their eyes. So I think you're right, giving that sort of feedback and saying, you know, this is actually, there's been a positive here, you know, this lesson learned, I think, is, is excellent. And Andrew, I want to continue, but just before I do I, for the listener, I have to bring this up, which is Alan's post in the chat. I'm not gonna say where Alan's coming from, because I don't want to expose them like that. Alan says they had a breach reported last week that was originally discovered in 2016. Luckily, pre GDPR, as they've overrun their 70 to 50,000 hours or so. Yeah, very funny. Andrew, you want to say?
Unknown Speaker 1:02:51 Just stop laughing at that one? Myself? It's brilliant. Yeah, I think, can we come from a county council, we have a team that pick up initial breach reports, incidents, be they security further process or actually involving personal data. And they triage that so quite a lot of them can be dealt with at a very low level. And all reports get some feedback and advice. And I don't think there's any, or very few staff in any of our organisations that actually deliberately breach, apart from the rogue members of staff, or don't actually know that I shouldn't have done that, if I'd done my job properly, that wouldn't have happened. So it's normally mistakes and failing to follow a process. So most of our targeting is reminding people of the processes that are already there, putting an arm around them and saying, look, at the end of the world, this was a low level, low risk, no damage done. But thank you for reporting it. And we do the patting on the back for coming out into the open and saying, I've sent this to the wrong person. But they have assured me they've deleted it. And they're in the police. And it should have gone to somebody else in the council, for example, trusted professional, they deleted it, but I'm telling you that I made a mistake. And this is how I think it happened. And so you can monitor the causes, such as, and we've had loads and loads of debates, who still has autocomplete on their emails? Yes, I can. I can hear colleagues also on this listening. I can hear them laughing from here. So even the ICO don't have autocomplete on. You have to physically choose the address you're sending your email to, so there's a human involvement and you can't blame the machine for getting it wrong. So I think that's one thing.
David Holmes 1:04:36 I think that's a really valid point to pick up on as well as the fact that because we only employ humans, that robot human error will be an element of things going wrong and therefore levels, yeah, those lower levels will be, you can't expect people to disengage themselves from their home life and everything that's going on with them at work and vice versa and that kind of thing. So you're always carrying a bit of baggage. You might have not slept properly, might have had, could have had, probably kids, you might be seen Make the battle gotta go shopping, other got something else, you've got life going on in the background. So therefore human beings, humans will always have an element of human error. And we need to be able to support people, very similar to what you're saying there, Andrew, which I think is a very good point, that we need to acknowledge the fact that things will go wrong to a greater or lesser degree, because we're employing humans. And then human error recruiting we got
Unknown Speaker 1:05:20 Emma Young is a very good post, about going back and reviewing to make sure that the improvements you suggest have actually been done.
Oli Rear 1:05:29 Yeah, no, absolutely. Because that's the thing. I think we'll have to come to this in the second episode, because we're rapidly running out of time, but it is definitely worth revisiting this and the idea that you have a breach, you do a breach report, or you log it, whatever, you remedy it, it doesn't stop there, you know, go back afterwards, as Emma says, conduct that review, make sure that it's not going to happen again. I also very much like Lisa's comment, who says they have a data protection working group, and we always tell people who do something wrong that their punishment, in inverted commas, is that they have to join the group. I bet they love that. I just wanted to finish,
David Holmes 1:06:05 how do you keep control of sexuality, but
Oli Rear 1:06:09 I just wanted to finish on, and I think this is more, maybe a teaser for next time, actually, if anything else, a point which Andrew makes there, Dave, you touched on also, and I think it loops back around to all the things we spoke about right at the start. I think one of the things that is key in all of this is not just training, but systems training. Because all too often, Oh, David, I, you and Dave, you and I have spoken about this a lot, is all too often you start a new job, and then someone goes, here's your password, as you log in, off you go. So it's our farm. And that is going to be one of the number one causes of breaches, right, as the people are finding workarounds or, you know, working with systems that they don't necessarily fully understand. And that as a result, those, you know, whether it's cutting corners intentionally, or whether it's just, you know, specific ways of working that you develop, because we all develop specific ways of working with the systems that we use, right. But as a result of that, I think that is going to be one of the number one causes of breaches. And I hate to bring this up now, because you know, we've not got the time to talk about it. But I think that is a clear issue. And I think it's the thing that I, I will provide as my final thought, with a view to picking that up next week. But for some other final thoughts from yourselves, Dave, Carrie, what, what can we leave the listeners with on this?
David Holmes 1:07:33 Yeah, my final thought really is just to really cover off the DCMS, because I mentioned about the looking at lowering the threshold, where the government are considering whether to change the threshold, so that organisations must report a breach unless the risk to individuals is not material. Again, it's only part of the consultation process. What's come out the other end after the discussion altogether, and pushed out is weird to say, we don't know at the moment. This is only the consultation. They're asking for thoughts and feedback on it. But that's kind of the direction of the travel that we're looking at. Because as mentioned, we're looking at changing the threshold. So it's only fair that we gave an indication of where the government's thoughts were on that.
Oli Rear 1:08:10 Excellent. Carrie, any closing thoughts from you on this before we we come back next week?
Carrie James 1:08:16 Yeah, I mean, it's all been really interesting discussion. Actually, there's been a lot going on in this one. But I found it really interesting what Andrew was saying, I'm very curious, actually, which council Andrew works with, because it sounds a lot like the one that I used to work with, in the way that they sort of process the breaches and stuff. But it is as well, you know, part of engaging staff with reporting breaches is to make them feel like they're not being punished, if they do, and say, you know, thank you for reporting it and making them feel sort of better about it. I had so many people, like, I've had people on the phone in tears before because they've done a very minor breach. And half of the time it's been, okay, well tell me what happened. And it's gonna be okay, you know, maybe go get a cup of tea and a biscuit. And it's with breaches, I always think it's a matter of when you're going to do one, not if you're going to do one. Sure. Which sort of, I think, does make people like, I've done a breach before. It was only a low level, I'll add, it's very low level. But I've done, I think I've done two actually. No, no, no. It's very low, very low level. But me, I do this as a job. And I've done a data breach because it's just so easy sometimes when you're working quickly. And they were both ones that have been internal in the council, but sent to the wrong email address. And it's just so easy to do when you're sort of trying to work quickly, that if you had to do a disciplinary for everybody that had a breach in a council, HR would keel over and collapse. Like they wouldn't like the amount of breaches. I don't know how many Andrew gets per week, but I could sometimes be dealing with like four or five in a day on a bad day. God, send all those people to HR, like, happen.
Oli Rear 1:09:53 They wouldn't want you very much is he sent some coughing emojis, so I think I think he agrees with you. Yeah, it's good. So if you've been if you've been doing breaches all over the place since you joined us, we probably
Carrie James 1:10:05 Yeah, no, I will tell you if I do it, but I haven't done, but I don't deal with personal data in the same way that I did with the council either. So it's a lot, it's very different here than when I worked in the council, what I do, so touch wood, I'll be I
Oli Rear 1:10:19 would touch wood. On that note, I think we can bring this to a close, we've run over by a little bit. This is why I said right at the start, for those who were with us, you know, it would be, it would be good to sort of get some feedback on whether we start these early going forwards, just to be able to, you know, fit it all in. But yeah, let us know what you, what you feel about that, for the live sessions. Paul's joining just closing, unfortunately. But yeah, no, I think this is a really good conversation. There's still loads to talk about. Obviously, we've teased a couple of bits that we can talk about next week. As I say, we'll be back next week with part two of this episode on data breaches. We're very much looking forward to that. Carrie will certainly be joining us, Dave, I assume you will also be joining us for that.
David Holmes 1:11:06 Yeah, should be around. Yeah.
Oli Rear 1:11:07 You got now so one of you.
David Holmes 1:11:11 I'll make a special effort for you.
Oli Rear 1:11:14 Thank you so much. So we look forward to that. We look forward to seeing all of you, hopefully next week as well. We hope you enjoyed that, I certainly did. Back, as I say, next week, part two of data breaches. In the meantime, if you're listening to this back on the podcast, please do get in touch with us. If you want an invite to the live events, they're always a lot of fun. They're basically just exactly the same. You don't, you don't miss too much other than the opportunity to get involved directly as some people have done today, which we thank them for because it's very, very good to get their contributions and really helps with the sessions. On that note, I shall wish you all a very lovely weekend and we will catch up with you next week, I think.
David Holmes 1:12:00 Absolutely. Thank
Oli Rear 1:12:00 you everybody.
David Holmes 1:12:01 It's been a great session to all those who took part and interacted, it's useful to hear your thoughts as well. All the best. Have a great weekend and I'll speak to you soon.