Showing posts with label Document Management System.

Tuesday, 3 July 2012

Government Data Sharing


Cabinet Minister Francis Maude has recently unveiled his initiative to increase the ability for Government departments to share public data.
The plans, if passed, will make it easier for government and public sector organisations to share confidential public information. The plans will also make it possible to license the sharing of data where it is currently prohibited, subject to privacy safeguards.
According to the ICO, data sharing is currently seen as the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of a single organisation, which can take many forms.
The initiative proposes to put in place fixed guidelines which look set to aid good practice – enabling organisations to collect and share personal data in a way that is fair, transparent and in line with the expectations of those whose information they are sharing.
Data sharing has been discussed in detail since 2007, with Tony Blair proposing amendments to the Data Protection Act to allow greater data sharing between departments within the government – but this was met by opposition from those who stated that this would affect data privacy.
Government departments, if they choose to share data, need to have a secure and reliable system in place with which to store sensitive information. By removing manual files and replacing the process with a secure electronic system, data protection is adhered to, and only those who are privy to reviewing certain information have access to it. This reduces the likelihood of sensitive information being lost, stolen or falling into the hands of those who should not have access to it.
We would be naive to believe that data sharing currently does not exist – what should be concerning is the way in which this sharing may occur. With many files being paper, surely the manual processes associated with sharing the information should be cause for alarm?

Tuesday, 29 May 2012

NHS Trust fined £90,000 for serious data breach


A recent news story has highlighted how Central London Community Healthcare (CLCH) NHS Trust has been fined £90,000 after a serious breach of the Data Protection Act.

The breach occurred in March 2011, after patient lists were faxed to the wrong recipient, around 45 faxes over a three-month period. The lists had contained sensitive personal data relating to 59 individuals.

An investigation from the ICO into the data breach found that neither member of staff involved with the breach had received data protection training and that the organisation did not have adequate checks in place when sending information.

The handling of public data has been a popular news topic recently with various government officials being penalised for not providing the necessary care in handling such information. But surely all organisations handling such data should be putting vigorous processes and robust systems in place to manage all corporate information, especially that of a sensitive nature, if not because of the media furore that ensues after a breach is found then certainly for operational reasons?

Through the use – and regular review – of such processes and systems, fines such as those imposed by the ICO can be avoided.

This case has highlighted that organisations are not only failing to protect their clients’ or patients’ data, but are also failing to protect themselves when it comes to the data which they handle and the systems which support them.

By not having a reliable system in place – both in terms of IT infrastructure and internal practices – organisations are letting down their clients, customers and indeed anyone whose information they hold, and ultimately undermining their own long-term stability.

Thursday, 19 April 2012

The impact of the proposed EU data reforms


The Confederation of British Industry (CBI), a UK business lobbying organisation, has shared its concerns over the proposed changes to the EU data protection regulations; specifically, the potential financial impact on businesses as well as the risk of data compliance restrictions stifling innovation.

The CBI argues that many innovative business models, citing advertising and the music industry as examples, rely on data-sharing to generate revenue and ensure they are providing a tailored user experience, and suggests that the proposed reforms would restrict businesses’ ability to do this.

In addition to implementing data-sharing restrictions, the CBI highlights the financial consequence of complying with the reforms. The European Commission claims that its proposals will save businesses €2.3 billion a year, across all EU countries, by creating a coherent and streamlined approval process for organisations working across EU states. However, the CBI believes that this is an overestimation of the business benefits and overlooks compliance costs such as changing IT systems, re-training staff, implementing call centres to handle data compliance issues and, in some cases, appointing a Data Protection Officer. While costs are likely to be incurred in order to comply, businesses need to carefully consider the potential cost should they suffer a data breach.

Businesses could potentially face fines of up to two percent of their revenues should they fail to report a breach within the 24-hour time period, and the cost to brand reputation should not be overlooked either, as recently demonstrated in the news reports surrounding Global Payments’ data breach.

Those that choose to implement a document management system mitigate the risk of suffering a data breach and incurring huge fines, as their documents containing sensitive data are stored in a central, secure system. Other cost burdens that the CBI highlights, such as re-training and IT refresh, would also be significantly reduced, if not eliminated, as the document system is integrated with existing IT infrastructure, improving ease of use.


Monday, 19 March 2012

Pritchard's - A Lesson in Compliance


The recent case of Pritchard Stockbrokers using client money for its own expenses highlights the severity with which the FSA is now dealing with organisations that are breaching regulations.

The FSA issued a first supervisory notice to Pritchard, preventing it from taking part in further regulated activities, after the firm was found guilty of using client money for its own expenses. In addition to breaching the golden rule of ring-fencing client monies, this also put client monies at risk – the firm’s assets were also frozen and clients were informed that Pritchard was no longer working for them.

The regulator said that it had come to the decision as it had ‘serious concerns’ – specifically that Pritchard had failed to arrange ‘adequate protection’ for clients’ assets when it was responsible for them.

The impact for Pritchard’s is severe – all retail clients’ stock assets were transferred to W. H. Ireland and cash assets to Reyker Securities plc, whilst Pritchard’s itself has now entered administration. W. H. Ireland’s £500,000 investment secures 8,000 new clients with non-cash assets of £400 million. This increases its private-client stockbroking client numbers by c.50% and total assets under management by c.25%. The cost of compliance cannot be underestimated, nor, perhaps, the potential benefits.

Pritchard’s actions raise several questions – not least how the stockbroker could go unnoticed using client money for internal expenses. This highlights the necessity for internal systems and processes which would record or flag abnormal activities regarding the movement of funds and fraudulent activity.

It also highlights how businesses subject to legislation and compliance requirements need to remain ‘on their toes’. Legislation doesn't generally go away; if anything, the trend is for increased regulation, and firms must ensure they have sufficient processes in place to establish and maintain compliance. Failure to do so will inevitably result in warnings, as highlighted in the case of Pritchard’s, that have the potential to evolve into fatal penalties.

Wednesday, 8 February 2012

Could Churchill & Direct Line’s £2.17m FSA fine have been avoided with better systems? Oh yes…

‘FSA imposes £2.17 million fine for failure by Direct Line and Churchill to conduct their businesses with due skill, care and diligence’
http://www.fsa.gov.uk/pages/Library/Communication/PR/2012/003.shtml
The Financial Services Authority (FSA) has imposed a fine of £2.17 million for failings by Direct Line Insurance Plc and Churchill Insurance Company to prevent files that the FSA had requested from being improperly altered.
In collecting the 50 complaint files for review, the FSA found 27 of the files were altered before submission, due to the firms failing to act with due skill, care and diligence. 
The failing for which these insurance firms are being penalised is clearly that staff were inappropriately able to alter files. This kind of alteration can largely only occur when files are stored without sufficient version control. In itself, this is a huge downfall, more so when an audit trail is required. For legal admissibility purposes, document and content management applications make this impossible.
Manually archived documents are not afforded the same security as those which are electronically available. For a long time, we have been professing that a document management system provides an indisputable record for files. A key element, and typical requirement, of such a system is immutability – once an item is entered into the system it cannot be altered under any circumstance – and it seems that those within Direct Line and Churchill would have done well to have implemented such a system.
Working with previous clients in the Financial Services arena has given us a full appreciation of the variety of needs that such organisations have. The main requirement is usually the ability to provide a clear audit trail of every single document – essential in order to comply with FSA requirements. A document management system enables all of the business content to be rigorously controlled and yet also easily shared, with the ability to administer security controls of varying strength determined by the document itself.
The main point is that once in the system, documents simply cannot be altered. This in itself would have saved these two insurers a lot of trouble, and cash.
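
The version control and audit trail described above can be sketched as follows. This is an added example, not part of the original post and not any product's code: edits are stored as new versions, every write is recorded in a hash-chained audit log, and a verification pass flags any file changed in place. The `DocumentStore` class, its method names and the sample complaint file are hypothetical; an in-memory store like this only detects alteration, whereas preventing it needs write-once storage underneath.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first audit entry

def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys) so an entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DocumentStore:
    """Hypothetical append-only store: an edit adds a version, never overwrites."""

    def __init__(self):
        self.blobs = {}  # (doc_id, version) -> bytes
        self.audit = []  # audit entries, each chained to the one before it

    def put(self, doc_id: str, content: bytes, user: str, when: str) -> int:
        version = 1 + sum(1 for d, _ in self.blobs if d == doc_id)
        self.blobs[(doc_id, version)] = content
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        body = {"doc": doc_id, "version": version, "user": user, "when": when,
                "sha256": hashlib.sha256(content).hexdigest(), "prev": prev}
        self.audit.append({**body, "hash": _entry_hash(body)})
        return version

    def verify(self) -> list:
        """Return findings; an empty list means files and audit trail agree."""
        findings, prev = [], GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _entry_hash(body) != e["hash"]:
                findings.append(("audit-chain-broken", e["doc"], e["version"]))
            blob = self.blobs.get((e["doc"], e["version"]))
            if blob is None or hashlib.sha256(blob).hexdigest() != e["sha256"]:
                findings.append(("content-altered", e["doc"], e["version"]))
            prev = e["hash"]
        return findings

    def history(self, doc_id: str) -> list:
        # Who wrote which version, and when: the per-document audit trail.
        return [(e["version"], e["user"], e["when"])
                for e in self.audit if e["doc"] == doc_id]

def demo():
    # Constructed sample data: one complaint file, legitimately revised once.
    store = DocumentStore()
    store.put("complaint-0017", b"Original complaint text", "handler_a", "T1")
    store.put("complaint-0017", b"Complaint text with reply", "handler_b", "T2")
    clean = store.verify()
    store.blobs[("complaint-0017", 1)] = b"Rewritten before review"  # in-place edit
    return clean, store.verify(), store.history("complaint-0017")

if __name__ == "__main__": print(demo())
```
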