ProPublica’s Post

Data Protection and Freedom of Information may not be easy bedfellows but they can, and do, co-exist. And in a week when the Police Service of Northern Ireland announced a major data breach resulting in uncontrolled access to officers’ and staff names, grades and locations, which came about through a Freedom of Information request, it’s worth remembering that the Freedom of Information legislation has a range of exemptions for a good reason. FOI can be a powerful tool for journalists, campaigners and others who seek to ensure public transparency. In the PSNI case, a member of the public asked simply for a breakdown of staffing numbers by rank and grade. In error, the PSNI provided a spreadsheet containing the surnames of every officer and staff member, their initials and other data, and for several hours it remained online. At Shepherd and Wedderburn we often see that public bodies are snowed under with FOI requests. Tempting though it is to release information at speed and move on, every FOI request should be carefully considered before responding. Exemptions for personal data and personal safety allow information to be withheld, however the PSNI staff made errors by failing to understand the technology they were using. Human error is the leading cause of personal data breaches so, when releasing information under FOI, you should ensure not only that you know the FOI exemptions but also that you understand whether there may be data hidden on a document which is not visible to the reader on screen. The PSNI case is an extreme example that clearly demonstrates the need for vigilance when responding to FOI requests. Let's hope that lessons are learned to avoid repetition by the PSNI or any other public body.  

BakerHostetler's Eric Manski and Elana Weinblatt write: Consistent with recent trends in broadening the scope of state data breach notification statutes, Connecticut and Florida have expanded the definitions of personal information under their respective data breach notification statutes to include geolocation data. This change became effective in Connecticut as of Oct. 1 and will become effective in Florida on July 1, 2024. #statelaws #databreaches #personalinformation #geolocationdata #breachnotifications

A mix of people read the FOI Daily, but this one goes out more to the FOI and DP practitioners than the applicants (although the latter might choose to do some public spirited checking). Police Professional reports that Police Scotland has just completed a review of its FOI disclosure log. The force publishes all of its disclosure. In the light of the disastrous PSNI breach where so much personal data was published on What Do They Know, they took the log down to check every entry to see whether any data had been published inadvertently. There were 2054 requests and 195 contained an attachment: none of them had any personal data that wasn’t supposed to be there. This exercise has the advantage of being contained and coherent; I imagine a trawl back on your own page on WDTK would be a nightmare. Nevertheless, I think the exercise might be worth conducting. Even now, spreadsheets with errant pages and data are out there in the wild, and though you can’t go back in time, it’s possible that accidental disclosures haven’t been noticed by recipients. I’ve dealt with a few awkward, angry applicants who refused to delete data they shouldn’t have been sent; I’ve encountered many more who were keen to help. Even if they wanted to complain about the organisation’s mistake, they wanted to make sure the data was deleted or returned. When considering past accidents, the horse may have bolted, but you don’t know how far it got. I think Police Scotland’s actions are commendable, and worth copying. https://lnkd.in/eifcTPSX

I know a few people who like a spreadsheet! This ⬇️ is a useful reminder about data protection hygiene and risks. #DataProtection #Spreadsheets

DATA PROTECTION FEEDBACK FROM THE JOIC Excellent and engaging seminar from the Jersey Office of the Information Commissioner this morning with Paul Vane “Talking Data Protection Enforcement”. My key takeaways: 1. The trends in 2023 (poor data security, human error, unauthorised disclosures and delayed/incomplete responses to subject access requests) suggest that businesses’ personnel may need more data protection training and that a business’ compliance can be impacted by staff turnover as they lose experienced and trained personnel; 2. The JOIC’s aims continue to be to ensure that the public are well-served and to support businesses and help them to do the right thing; 3. However, six years into the regulatory regime, the JOIC will start to ramp up their oversight, in particular through more data protection audits, with onsite as well as desk-based audits being introduced; 4. Audits will be proactive and potentially thematic as well as reactive in response to issues identified at specific firms; 5. The fundamental elements of an audit are to check that the business is appropriately registered, that personnel have received appropriate training and that there are adequate checks and controls over systems and access. Terms of reference for an audit are agreed with the business in advance. #dataprotection #JerseyCI

One of the key considerations in most jurisdictions in notifying data subjects when their personal data is involved in an incident is whether or not the incident results to a high risk to the rights and freedoms to the data subjects involved. Since whether or not an incident results to high risk is a factual issue dependent on the nature, circumstances, volume, and categories of personal data involved as well as existing measures and actions taken to mitigate the risk of harm, it is important that the there's proper oversight and governance on the incident process, taking into account the obligation of accountability in every step of the process.

Navigating the aftermath of a data incident involves anticipating encounters with various regulators, each with distinct procedures and criteria. Following the containment of the incident, a swift and thorough assessment is crucial to identify relevant regulators. Depending on the incident's nature, organizations may face a large multistate investigation, individual ones, or a combination. Federal agencies like the FTC, HHS, and FCC may also intervene based on their jurisdiction. Time sensitivity is paramount, as notification deadlines vary, and a prompt response helps meet stricter timelines. Tailoring an approach for state AGs, administrative agencies, and federal regulators, along with meticulous preparation and communication, is vital for a smooth exit from the regulatory maze. #DataIncident #RegulatoryCompliance #IncidentResponse #DataProtection

What are five key harmful OCA practices and how are online operators able to make effective and informed choices about the processing of their personal data? Find out more here: https://ow.ly/kJP450PCSr9 #BristowsCookieJar

When organizations experience a data incident, they will need to chart a course by which they resolve the incident while limiting their legal exposure. Here are the regulators they will likely need to deal with.

When organizations experience a data incident, they will need to chart a course by which they resolve the incident while limiting their legal exposure. Here are the regulators they will likely need to deal with.