As Head of Information Rights and Information Security (IRIS) and Data Protection Officer in the House of Commons, it's my job to understand why using appropriate technology matters.
One of IRIS' roles is to make sure that Parliament stores information securely and in accordance with legislation. We also need to find and access information quickly to respond to requests for access under the information laws - the Freedom of Information (FOI) Act, the Data Protection Act (DPA), and Environmental Information Regulations (EIR).
I'm going to explain a bit more about the work that I do in this post and what it means for the House of Commons.
How this applies to the House of Commons
I've worked in this type of role for 14 years and I'm proud to say that Parliament is one of the most transparent organisations that I've ever worked in. My team deals with approximately 600 to 700 FOI requests a year, and a request can come from anyone.
If the House of Commons holds the information, we're committed to making that information available to everyone who requires it (subject to a few narrow exemptions).
There are three strands to our work:
- information rights (FOI, EIR) – being transparent about the work of the House of Commons and making sure people have access to the information they require. This is wide ranging and can include anything from a recipe for our jerk chicken to records held in our historic archive or information relating to current news
- information security – protecting parliamentary and personal data by making sure it's handled and shared appropriately. This includes accreditation of new technologies so that we only use secure and trusted equipment and software
- data protection – complying with the Data Protection Act. This requires appropriate handling and security of personal data but also provides certain rights to individuals and gives them some control over their data
One of the biggest challenges at the moment is the introduction of the General Data Protection Regulation (GDPR) which builds on the foundation of the current Data Protection Act. It's the biggest change in privacy law in twenty years.
This new legislation has important elements and enhancements that emphasise accountability and transparency, and organisations will be required to demonstrate that they're compliant. It comes into effect in May 2018 and we're working hard to make sure that the House of Commons and MPs are aware of the new rules.
One of the major changes is the larger fine for personal data breaches, which rises from £500k to approximately £17 million. Here in IRIS, we need to prepare everyone for the changes.
Some other important changes include:
- being accountable and transparent
- making sure systems and solutions are designed with privacy in mind
- carrying out data protection impact assessments
- increased rights for individuals
- a tight timeframe for reporting breaches to the UK regulator
- changes to rules around consent
New levels of information classification
Together with the Lords, PDS, and records management colleagues, we're also updating the current Parliamentary Protective Marking Scheme (PPMS) to introduce new classification levels for information. This will also include Office 365 tools to support the scheme and make it easier to apply.
Working more flexibly
We've seen a lot of improvements over the years, which have meant that the data we store is more secure and people can work more flexibly. We always need to balance the security and access controls of information with what users need to do their jobs - all while complying with information laws.
Technology can make our lives easier and help us to work more efficiently, but the one thing that is difficult to change is human behaviour. It's the reason behind most information security breaches. Typical examples are sending information to the wrong email recipient, not using the blind copy (BCC) field when emailing a large number of recipients, not securing personal data, or having information stolen from a bag or car when off the parliamentary estate or at home.
Educating staff is the most important aspect - the more we can do to help people understand how to manage parliamentary and personal data appropriately, the better.
Parliamentary staff can get in touch with IRIS if they need advice on information rights and security. For help with GDPR, search on the intranet for more information and to access the online training course.
*This blog post was updated for accuracy on 25 April.