Having been tasked to write again this week, I thought it would be nice to take a break from highlighting high profile news in the data protection landscape as we usually do. Instead, I am bringing a festive spin to data protection by writing about… Santa Claus! Is Mr Claus applying appropriate technical and organisational measures to protect your data? Does his truly have access to criminal data when compiling his naughty list and is he compliant with Article 10? What are his arrangements with the elves – are they employees or third party service providers and therefore amount to data processors?
As much as I would love to talk about how Mr Claus remains out of compliance with UKGDPR/GDPR (and we have spent more time than we care to admit discussing this in the office recently), I would like to get a couple of other things off my chest.
Information Governance (“IG”) and Data Protection compliance is much like any other form of legal compliance in that it is an ongoing process which you need to keep on top of. It may sometimes feel like a long road, but it’s certainly not a road leading to nowhere, and whilst the destination may change from time to time (due to new legislative changes or your organisation’s aims for instance), we must never forget that ensuring data protection compliance will always benefit your organisation, especially in an ever data-driven world. This week, I want to focus on a growing trend (or perhaps I have too many IG folk in my feed) of data protection professionals highlighting all the negative aspects of a company’s data protection compliance without simultaneously giving due recognition to the positives.
If you are setting out to critique an organisation, then let’s make sure it is a balanced assessment. As we all know, compliance is an ongoing and frankly difficult process. Perhaps that’s the reason why they have enlisted the help of professionals such as yourself, but much like any other form of feedback, being unnecessarily harsh adds nothing to the process. I am sure we would all like to work in an industry where data protection and IG professionals are viewed as enablers and people should look forward to their encounters with us. This approach does not mean that you should avoid having difficult conversations that sometimes need to be had in order to wrest a client back into compliance. I believe an IG manager at any organisation will always have the best of intentions but whilst this may be true, he/she may be overstretched in his/her duties and does not get round to addressing everything that one would have hoped to in a perfect world. Therefore, instead of giving that person a hard time, help the organisation to get back into compliance and leave Twitter for what it is intended for – laughing at Trump supporters for still thinking the world is flat.
The second item on my agenda is to touch on the fact that whilst the pandemic has been disruptive and horrible for almost everybody (unless you are party to one of those tasty Covid contracts or are one of fortunate the consultancies who were given a blank cheque to work on test and trace), it has really shown how wonderful our National Health Service (“NHS”) is and that our scientific community really are the crème de la creme. It may not mean much, but we are so proud of our clients and the outstanding work they have done. They really have been working around the clock, and this is evidenced by emails I have received that were sent during very unsociable hours. From dropping everything to support front line staff involved in treating Covid-19 patients and in setting up the appropriate infrastructure to enable vital Covid-19 research and to validate vaccine efficacy, to creating the National Immunisation Management System and designing a platform for clinicians to have virtual consultations in virtually no time, these folks have been absolute Trojans. Although we have rightly clapped for our front line heroes many Thursdays ago, perhaps when you are hopefully gathered round your loved ones this Christmas, it’s worth raising a glass to the those who have so selflessly made it happen from behind the scenes.
I am sure a time will come when we have to dissect both the decisions that were and were not made and I certainly hope the envisaged enquiry will be a thorough one that looks at all aspects of the Covid-19 response including how organisations have used and shared data. When that unfolds, let us learn all the lessons that we must but at the same time, due acknowledgment has to be given to things that have gone right rather than unjustly nit-picking and highlighting everything that the public sector’s IG departments have got wrong.
I often hear a Caldicott Guardian and Chief Clinical Information Officer (“CCIO”) of one of our NHS clients say to his team “don’t let perfection be the enemy of the good”. Similarly, we may find that not everyone gets their IG and data protection compliance ‘perfect’ but as long as no laws have been broken then let’s also recognise that ‘good’ is not a terrible bar to set given the horrible situation the NHS found itself in during the pandemic. When conducting such reviews, I will say it the way I see it based on my interpretation of the law but you can expect me to factor in the difficult circumstances you may have found yourself in, because let’s face it, without pragmatism we might as well step aside and let artificial intelligence do the work.
