Business Consultant Information Governance Operations,
Essex County Council
As we move ever nearer to ‘D-day’ for implementing the General Data Protection Regulation, or GDPR as it's known (25th May 2018, in case you need a reminder!), I have been reflecting on the positives in the new legislation in regard to information sharing (yes there are some, honest!).
I, like others, have experienced concern at the sheer volume of preparatory work to get into a fully (or even a ‘mostly’) compliant state. In an organisation the size of Essex County Council, this is particularly challenging. However, despite the continual scaremongering and creeping panic, I took the opportunity to step back and look at what the GDPR and the revised Data Protection Act can deliver in terms of supporting better information sharing.
In Essex we have the Whole Essex Information Sharing Framework (WEISF) which is open to all organisations, irrespective of sector, to support lawful and ethical information sharing. With ever shrinking budgets, information sharing is critical to achieving service transformation, bringing better outcomes and better use of funds. The Centre of Excellence have been a great source of support as we develop and grow the framework, acting as critical friends and giving great insight into similar work in other areas. More detail can be found in their case study on the WEISF.
So, why do I think GDPR will help, you might ask? Well, one of the biggest barriers to information sharing is the varying level of information management maturity across your partners. It is incredibly difficult to get best value from data if you don’t know what data you have, how you are currently using it, and what the gaps are that could be filled via information sharing. The requirements of the GDPR should help to deliver some of these outcomes by:
- Article 30 – Records of Processing Activity. This combines your information asset register with information mapping to document what data you have and how you are using it and safeguarding it. Once this has been created you will have visibility of how you use your data, and any potential gaps that could be filled by sharing data.
- The refreshed privacy notices required by the GDPR afford the opportunity to explain all of the purposes for which you wish to use data (where you have an appropriate legal basis), and potentially expand these, e.g. to include service improvement/evaluation/research/prevention and detection of crime and fraud. This then enables more data sharing in the future which is fair and fully compliant.
- Existing data sharing protocols should be discovered as you carry out your data audit to compile your Records of Processing Activity, enabling better management and a central repository.
- The GDPR requires a deeper understanding of the conditions for processing, and this again will support better information sharing.
- Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs), being a legal requirement for high-risk processing will help to embed their use into an organisation – I would recommend a PIA for any processing of personal data as it really helps to identify risks.
- The greater focus on accountability underpins clearer responsibilities for Data Controllers and Data Processors and contract management.
I could go on (and run the risk of sending you to sleep!) but it’s quite an impressive list as it is! I understand that it looks like a mountain of work, and that is quite probably because it IS a mountain of work, but there is a clear pay-off down the line as it better supports us to more easily share information and protect personal information, and that has to be a good thing, right?