Scottish Privacy Forum

The inaugural meeting of the Scottish Privacy Forum took place on 23 October 2008 at the Carlton Barcelo Hotel in Edinburgh.

In attendance:

Peter Ashe / Information Consultant / NHS Services Scotland
Gillian Black / Lecturer in Law / Edinburgh University
Kerr Donaldson / Head of eCare Design Authority / Scottish Government
Maureen H Falconer / Sr Guidance & Promotions Manager / ICO
Kim Kingan / Health Information Governance Lead / Scottish Government
Kenny Meechan / Legal Manager / Glasgow City Council
Ken Macdonald / Assistant Commissioner (Scotland) / ICO
Peter Mackenzie / Information Governance Officer / NHS Tayside
Eddie McConnell / Director of Corporate Development / SCRA
Pat McKay / Head of Information Strategy Unit / GCU
Carol Peters / Information Security Officer / East Renfrewshire Council
Charles Raab / Professor Emeritus / Edinburgh University
Frauke Sinclair / Head of Identity & Privacy Policy / Scottish Government
John Taylor / Prof of Government & Information Mgt / GCU
Donald Thomson / Scottish Police FoI Co-ordinator / ACPOS
John Wilson / Independent Consultant / Atos Origin

Apologies:

Jason Ditton / Professor / Scottish Centre for Crime & Justice Research
Kirsten Gooday / Community Care Providers Scotland
Annie Gunner-Logan / Director / Community Care Providers Scotland
Deborah Henderson / Sr Solicitor / Glasgow City Council
Les Kingston / Group Data Protection Manager / Aegon UK
William Malcolm / Sr Associate / Pinsent Mason
Ros Micklem / National Director / EHRC
Alan Miller / Chair / SHRC
Janet Murray / Caldicott Guardian / NHS ISD
Mike Nellis / Professor / University of Strathclyde
Ben Plouviez / Head of Information Services / Scottish Government
Alan Reid / Lecturer in Law / Edinburgh Napier University
Mary Sinclair / Project Co-ordinator / SCVO
William Webster / Sr Lecturer in Public Management / Stirling University
Karen Williams / Director of Corporate Services / Grampian Police

Item / Discussion & Outcome / Action
1 / An introduction to the day was given, followed by some background regarding the context and purpose of the Forum and the day’s proceedings. / KM
2 / A presentation was given on the SG’s Data Handling Review and the key recommendations, which formed three broad themes: Leadership & Governance; Process & Compliance; Communication & Culture. / MF
3 / There followed a series of group discussions on the three broad themes with rapporteurs appointed for each of the themes. Discussion on each theme centred around three questions with the rapporteur summarising the separate discussions at the end:
1. Leadership & Governance:
1.1. What do you and your sector expect from SG/ICO in terms of leadership and guidance?
The groups felt that SG should take more of a lead in drawing relevant individuals together to share knowledge and to learn from ‘near miss’ situations. It was also felt that SG could facilitate engaging with individuals at executive level within the various sectors and that good data handling was not just about information security.
As the regulator, the ICO provides governance and oversight but clearer messages were needed in respect of the interpretation of data protection. In addition, it was felt that a lot of guidance has been given by the ICO but there is a need for simplification.
1.2.Are you aware of your organisation’s governance mechanisms and how they are implemented? Is there a SIRO in your organisation and, if so, what is their status?
Overall, it was felt that there was a lack of understanding/ engagement, especially at executive levels. The SIRO is not always recognised across sectors, especially in the NHS. However, it was felt that the establishment of SIROs within organisations may have the effect of placing responsibility on one individual when, in fact, a number of individuals are accountable for good data handling.
1.3.What is happening with annual assessment of information risk management?
There is high awareness in respect of audit, especially concerning Audit Scotland. Annual improvement plans should be introduced. There is also high awareness of the need for risk assessment and establishing a risk register. Some sectors, such as the NHS, have a self-assessment process and are seeking common training programmes.
2. Process & Compliance:
2.1. What is the good practice in your organisation in relation to the minimum standards?
There was some concern that ‘the minimum standards’ were not widely known, but some examples of good practice included: the higher education website which shares good practice across the sector, providing consistency in induction and follow-up; NHS Scotland, where there is a good structure of information management and governance; and the local authority Scottish Information Security Group, although there is an issue with having one contact point rather than 32 for all authorities, and the practical challenge of dealing with 32 local authority chief executives. There is a need to influence the content of FE/HE courses to include more about Information Governance.
2.2.What is your organisation’s view of PIAs, to what extent are they becoming embedded and what examples are there?
Promoting PIAs is challenging as, unfortunately, they are often viewed as cumbersome and a huge undertaking, requiring significant resources to make them meaningful. It was felt that they should be embedded into the current risk assessment regime and be more ‘business as usual’ rather than only project-led, as well as the need to add a citizen-centred focus to existing risk assessment. The question of whether a PIA should be conducted in-house or contracted out was discussed with focus on the problems of getting the wording correct in any contract. Concern over who should be responsible for approving it was also noted.
2.3.What actions have been taken to improve security, such as encryption, and what examples are there of good and bad practice?
Examples of good practice include good education, positive workable alternatives to processing personal data and anonymising and minimising data handled. It was felt that bad practice often happens through complacency, particularly by professionals. However, it was also felt that the prohibition on portable media imposed in some sectors may have a detrimental impact on an organisation’s ability to function efficiently although the need to use the latest technology in the first place was questioned. Encryption is obviously necessary but there is a danger that it replaces asking whether personal data needs to be processed in the first place. It is also just as important to share bad practice as it is good practice.
3. Communication & Culture:
(Due to time constraints, only one question was discussed)
3.1.What privacy/data protection policies exist in your organisation and how are they communicated?
Most organisations have data protection policies in place, including information sharing protocols, although it was acknowledged that gaps can exist in some sectors. A mix of communication methods was identified across sectors, including: single point of contact for enquiries; on-line guidance; system-based messaging reminders; national information sharing and competency frameworks and standard operating procedures to follow.
The efficacy of Data Sharing Protocols was questioned in terms of sharing with others outside their own groups. It was felt that there was a need to summarise documentation for accessibility in respect of sharing and to develop microsite/intranet links to support networks within and outside the organisation. In addition, an annual review would assist in ensuring relevant and necessary data sharing. / KK, EMcC, CR
4 / Review of the day’s discussions
It was clear that there was great diversity of interests in respect of privacy, security and delivery of good practice. Indeed, this often creates dichotomies and trade-offs as organisations seek to operationalise the various concepts. There is no doubt that the HMRC loss in 2007 was a cataclysmic event in data protection terms as it moved privacy matters higher up the agenda across all sectors. However, it also created a climate of fear, exposing the internal procedures of organisations and whether they were meeting expectations.
New roles have been created, such as the SIRO, but how they integrate in organisations is still being worked through. Moreover, there is a need to distinguish between approaches to security and wider data protection issues in respect of privacy – secure systems may nevertheless be privacy unfriendly. There are examples of good structures such as in the NHS and police where there is a clear emphasis on good data protection but whether this can be shared across organisational boundaries remains to be seen.
Tensions are perceived to exist in a number of areas, not least in the ICO’s role as mediator and the new powers and penalties being proposed. Tensions are also seen in the ICO’s promulgation of PIAs while there are few examples of any completed, and this is a huge challenge to organisations. While current guidance is helpful, organisations are not clear how PIAs fit into their existing regimes.
Staff training was seen as fundamental to good data handling but there is a need for this to be better embedded within organisations. While examples do exist of good practice, a question was raised as to whether this could be integrated into national protocols, perhaps through working with Audit Scotland. Community partnerships and outcome agreements seemed a good place to encompass good practice examples. The Forum could also be seen as a good avenue for such sharing. / KD
5 / The Future of the Forum:
The event has been very useful, particularly in providing a platform for sharing cross-sector experiences. It is clear that the Forum is fulfilling a need given the energy and enthusiasm of the participants to share and grasp the various issues raised. While there have been conferences staging data protection specific events, they do not provide the opportunity to broaden out data protection issues in the same way as the Forum. However, the Forum must focus on real issues from the practitioners’ perspective and provide an avenue to take forward issues that arise between sectors.
It is proposed that the next meeting focus on the implementation of the Privacy Principles, which will be published by then. There is an issue about how they are given the status required to make them of any significance within organisations, and also as to how ‘portable’ they might be across sectors. In this regard, it will be important to try to attract more representation from the private and voluntary sectors. However, it is equally important to keep the Forum of a size which allows open discussion. Thought must therefore be given as to how the private sector can be involved and the benefits to be had. For example, while data sharing is most widely practised within the public sector, aspects of this are relevant across sectors, such as authentication of identity, and, in all of this, it is important not to forget the citizen’s perspective.
A final point was raised regarding the Freedom of Information Centre set up by Dundee University and whether the potential for a data protection equivalent could be pursued. / KM
6 / The next meeting:
A possible date and time will be circulated in the spring. / KM

23 October 2009