Briefing says that arrangements could need updating to comply with new EU Data Protection Regulation and Privacy Shield
Public sector IT association Socitm has urged local authorities to ensure their information governance arrangements will be up to scratch for the new European Data Protection Regulation and the EU-US Privacy Shield, both expected to be in place from 2018.
It makes the recommendation in a new briefing, Data protection: <Control><All><Delete>?, which warns that compliance with some aspects of the frameworks could be difficult – and that councils should get on with reviewing and, if necessary, updating their information strategies.
“Accommodating the changes will be a matter of amending existing processes rather than inventing new ones,” said Dr Andy Hopkirk, head of research at Socitm. “Some of the changes could be onerous and problematic.
“For example, councils will need to be able to deal correctly and completely with ‘right to be forgotten’ requests – perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world.”
The European Data Protection Regulation, a draft of which has been approved by the European Parliament, will update the law to accommodate technologies and usage not known when the UK’s own Data Protection Acts were drafted in the mid-1990s.
Its key features include giving people easier access to their own data, clear information on how it is processed and the right to have it deleted. It should also make it easier for them to transfer personal data between service providers.
The EU-US Privacy Shield is replacing the Safe Harbor agreement, which was effectively nullified by a ruling of the European Court of Justice last year. This has given new momentum to organisations' efforts to ensure data is held in the EU, often preferably the UK, rather than in US data centres where it has less legal protection.
The briefing says that operationally the new arrangements will be at least as safe as the old ones for UK public authorities that use US cloud service providers.
In both cases, national supervisory authorities will have the power to impose significant penalties on organisations that fail to comply.