Centre of Excellence for Information Sharing
Recently I took part in a live-streamed panel debate organised by UK Authority (in partnership with Civica Digital). The event was designed to explore how we’re responding to three new pieces of ‘data legislation’:
- General Data Protection Regulation (GDPR);
- Digital Economy Act (DEA); and
- new Data Protection Bill.
It was great to be invited to take part (if a little daunting being ‘on camera’), and particularly nice to be part of such an interesting and varied panel – with representatives from the Information Commissioner’s Office (ICO), Civica Digital, and the London Chief Information Officers (CIO) council.
As a non-information governance expert, I thought I might be the only one highlighting the cultural and organisational change impacts of this swathe of new legislation. However, it was heart-warming to hear others agree on the importance of cultural factors. This gave us the opportunity to talk about GDPR implementation as an opportunity for whole organisation change (which can’t be delivered by information specialists alone), and to ensure that we don’t lose the confidence and trusting relationships we’ve built up under the previous legislation.
Following the panel debate, I’ve continued to reflect on the GDPR, DEA and new Data Protection Bill. There are lots of things to think about within the many pages of these regulations, but three things which have particularly struck me are:
- We need to focus on the common ‘enabling’ elements – yes, there are noticeable differences between the legislation, not least the focus on individual rights within the GDPR whilst the DEA looks more at enabling government / the delivery of public services. However, there are a lot of common elements where we might better place our attention. Transparency and communication are two of these shared elements, but for me the common point we mustn’t lose sight of is that, despite the use of the term ‘data protection’, this legislation is intended to support appropriate sharing of information, not prevent it.
- Building in privacy from the start is ‘investing to save’ – Whether through the use of the Privacy by Design approach developed by the ICO, or through the business cases advocated by the DEA, we need to make sure that privacy is taken into consideration in service design / programme management right from the start. This is more than just a case of spending the time required to comply; it’s about investing the time right at the start of your project to think about the data sharing and privacy issues which, if left till the last minute, could create problems and concerns which seriously delay the implementation of your ambitions. And, if you’re worried that your information governance (IG) leads won’t want to be involved this early, don’t be: we’ve heard a clear message, time and time again, from our work with local places, that IG leads want to be in from the beginning, not just a last-minute addition to the project team.
- Who decides if data sharing is in the public interest? – Within both the GDPR and DEA there’s a recognition that data sharing should be in the public’s interest (GDPR) or result in benefit for the individual or household whose data is shared (DEA). But in the absence of clear definitions, how will bodies delivering public services decide what constitutes public interest or individual benefit? This is a question I don’t have the answer to, but I do think it reinforces the need for the public to be involved in designing the services and data sharing processes intended to support them.
So, these are a few of my thoughts, but what do you think? With 25 May 2018 fast approaching, the Centre is looking for ways to support the public sector to prepare for GDPR, and the introduction of the DEA. So, what is happening in your organisation, and how can we help? Please share your comments below or by emailing [email protected] to tell us what your GDPR and DEA cultural challenges are, and what support you’d like.