Windrush immigration papers scandal: What it didn't teach UK.gov about data compliance
Bye Amber Rudd. And hey, maybe it's time to talk about consent
Comment Is there a lesson for politicians around the apparent destruction of disembarkation cards of citizens from Caribbean nations who arrived in the UK after the Second World War? Perhaps.
But it goes something like this: it's a bad idea for the Home Office to make it difficult for legal immigrants to prove their status. It's an even worse idea to do this while apparently under pressure over illegal immigrant targets. And lastly, it's really not a great look for the (as of last night, former) UK Home Secretary overseeing all of this to deny knowledge of the existence of the latter – whether or not that was true.
But is there a data protection message?
As news of Amber Rudd's resignation spreads, CEOs, information officers and their minions might now be watching this play out and sweating over what it means for their own data retention practices. What have we got, should we still hold it, and when and how should we dispose of it?
The UK government has said of the apparent disposal of the documents that to retain them would have breached the 1998 Data Protection Act and the fourth and fifth principles of the Information Commissioner's Office.
The truth is it's a bit of a stretch to claim that this episode contains much of relevance to the rest of the data-processing world, beyond providing a timely reminder that EU's General Data Protection Regulation is almost upon us.
Because, while GDPR says much about how long you may continue to hold data, it says next to nothing – but not quite nothing at all – about disposing of it. In short, if you hold on to data for too long, you could find yourself, come 25 May, on the receiving end of a pretty stiff fine.
However, should you decide to tip your paper records into a shredder, and drill holes through your disk platters, while you may experience all manner of commercial trouble, being unable to service customer contracts, you are probably fine in GDPR terms.
The bottom line is... the bottom line. One well-known media organisation that I worked for – which shall remain nameless – made this very clear a few years back. For on learning that its data protection was seriously wanting, the board asked three key questions:
- Are we compliant? The short and simple answer was no: it was seriously non-compliant when it came to permissions sought – mostly absent – as well as in its ability to construct a meaningful paper trail to cases where some sort of permission document did exist.
- What would it cost if we were discovered to be non-compliant? This was back in the days when even quite major breaches were met with a slap on the wrist and/or a derisory fine. £500 to £1,000 was not unusual: for this organisation, that was just petty cash.
- And finally: what would it cost to make us compliant? That was a bit harder. Still, the answer given by the consultants present, and from whom this story is derived, was: a lot more. Somewhere between £250,000 and £500,000.
The board exchanged glances. The decision, achieved through some sort of psychic osmosis, was unanimous. Unless or until these parameters changed, they saw no reason to do anything. After all, why spend a quarter of a million pounds to avoid a negligible fine which, with a little judicious pleading, might be bargained down to nothing and a commitment to do better in future?
Of course, there still remains the very best reason: to comply with the law. Flouting the law is always going to be a very bad policy. And besides, the parameters have changed and, with GDPR, will change even more, to the detriment of the rogue data processor. The Office of the Information Commissioner (ICO) can already impose fines of up to £500,000.
What'll it cost you?
GDPR means potential fines will ratchet up another order of magnitude, with the ICO empowered to fine organisations up to €20m or 4 per cent of the company's global annual turnover.
On the other hand, as in so much else around data and data collection, common sense, or at least sound commercial sense, is often in short supply.
Let's start with the data collection stage, or even earlier, the specification of data requirements. Down the years I have worked with a procession of marketing managers whose guiding principles when it came to collection seem to have been "just in case" and "nice to have".
Without doubt, such over-ambition lay behind the creation of a massively redundant database by one major European digital brand. What they had specified and built was capable of containing all data relevant to every single territory, even though the legal environment and sales process differed significantly, country to country.
The result was not pretty. A data audit showed most data fields were unused: each country used only that subset that made sense for them. The inflated structure made processing exorbitant. And little over a year after this million-pound white elephant was installed, just six of the 15 national operating companies were still using it. The rest had given up and gone back to using their own local systems.
Get a yes – an unambiguous yes
Recently we learnt that Facebook has been sucking up vast quantities of user data for years without quite explaining what it was up to.
Meanwhile, many Facebook apps have been seeking permission to collect personal data that seems like it cannot be integral to their working. Either they are collecting data they don't need and can't use, or they are asking for data they don't need and scaring their customers into the bargain.
As Baz Luhrmann might have put it: "Get consent. If I could offer you only one tip for the future, consent would be it."
After years of ambiguity, the GDPR finally produced, in Article 4 (11), a single uniform definition of consent. It is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Lawyers can tapdance around that. But the essence of consent is clear, as is the basic qualification: you may keep data as long as the law, the relevant regulator or your contract with the end-user says you may – and even then for a reasonable time only.
Little, in that respect, has changed since the 1990s, when the advice from some very expensive lawyers was that hundreds of thousands of cold leads obtained by a financial organisation might only be held reasonably for a year, at the end of which, without updated permission, they must be binned.
Lack of consent is also an issue for companies merging: that same organisation later discovered, to its cost, it had no right to share acquired data with another company with which it merged. But then, this same awkward facet of data protection also caused difficulties for the Milk Marketing Board when a privatising government ordered it to give up its monopoly and join the market as Milk Marque.
As MMB, it had significant data on every milk-producing farm and farmer in the country – but the day it became Milk Marque, its rights to that data evaporated.
There are clear rules about how long you may hold data and your data compliance officer should be constantly checking permissions relative to use and telling you what data must go.
But what about UK.gov?
The rules for government are a little different. In 2009, the Court of Appeal ruled that the police could continue to hold on to conviction data for as long as they wished: in fact, for up to 100 years.
According to Lord Justice Waller: "The data controller must specify the purpose for which data is retained. There is no statutory constraint on any individual or company as to the purposes for which he or it is entitled to retain data."
Though he did add: "I would accept that the purposes must be lawful."
As for the police holding on to old data that the ICO had previously told them to bin? If the police thought it was OK, then it was.
States already have significant leeway to hold or process data for administrative purposes or where law and order are involved. So – pertinently – had the UK government wished to hold on to Windrush data almost forever, they would have had little difficulty in doing so.
Whether organisations holding archived data can claim similar concessions is a matter for each organisation and its compliance officers. Customers may complain where data is lost or deleted: call recordings, for instance. There is often annoyance when CCTV evidence gets deleted.
However, the legal issue remains: you may be penalised for keeping data when you shouldn't; not where you haven't kept data that some people wish you had held on to.
The exception, which the fine of Humberside police makes clear, is where you have lost data. In this case there were multiple security failings relating to a very vulnerable data subject and the ICO rightly made the police force pay.
Absent such incompetence, when it comes to the law – not considering issues around depriving a person of needful documents that establish their rights – you can almost certainly feel free to delete as you see fit. ®