I'm the Head of Information Rights and Information Security (IRIS) and Data Protection Officer in the House of Commons. This means that I'm more aware than most of the importance of using appropriate technology.
One of our roles is to make sure that Parliament stores information securely and in accordance with legislation. We also need to find and access information quickly to respond to requests for access under the information laws - the Freedom of Information (FOI) Act, the Data Protection Act (DPA), and Environmental Information Regulations (EIR).
I'm going to explain a bit more about the work that I do in this post and what it means for Parliament.
I've worked in this type of role for 14 years and I'm proud to say that Parliament is one of the most transparent organisations that I've ever worked in. My team deal with approximately 600 to 700 requests for information a year, which can come from anyone, anywhere in the world.
If the House of Commons holds the information, we're committed to making that information available to everyone who requires it (subject to a few narrow exemptions).
There's three strands to our work:
- information rights (FOI, EIR) – being transparent about Parliament's work and making sure people have access to the information they need. Things like parliamentary information and personal data
- information security – protecting parliamentary and personal data by making sure it's handled and shared appropriately. This includes accreditation of new technologies so that we only use secure and trusted equipment and software
- data protection – complying with the Data Protection Act. This requires appropriate handling and security of personal data but also provides certain rights to individuals and gives them some control over their data
One of the biggest challenges at the moment is the introduction of the General Data Protection Regulation (GDPR) which builds on the Data Protection Act.
This new legislation has important elements and enhancements that emphasise accountability and organisations showing that they're compliant. It comes into effect in May 2018 and we're working hard to make sure that the House of Commons and MPs are compliant with the new rules.
GDPR also raises the responsibility of the Data Protection Officer for an organisation, and part of that responsibility is to make sure the role is publicised. As the Data Protection Officer for the House of Commons, one of the ways I'm doing that is by writing this blog post.
One of the major changes is the fine for personal data breaches, which will increase from £500k to roughly £17 million. Here in IRIS, we need to prepare everyone for the changes.
Some other important changes include:
- organisations have to become more transparent
- making sure systems and solutions are designed with privacy in mind
- carrying out data protection impact assessments
- increased rights for individuals
- a tight timeframe for reporting breaches to the UK regulator
- changes to rules around consent
New levels of information classification
Together with the Lords, PDS, and records management colleagues, we're also updating the current Parliamentary Protective Marking Scheme (PPMS) to introduce new levels of classifications for information. This will also include Office 365 tools to support the scheme and make it easier to apply.
Working more flexibly
We've seen a lot of improvements over the years which has meant that the data we store is more secure and people can work more flexibly. We always need to balance the security and access controls of information with what users need to do their jobs. All while complying with information laws.
Technology can make our lives easier and help us to work more efficiently, but the one thing that is difficult to change is human behaviour. It's usually the reason behind most information security breaches.
In the House of Commons, human behaviour accounts for 92% of incidents. For example, sending information to the wrong email recipient, not securing personal data, or having information stolen from a bag, car, or in a burglary when off the parliamentary estate.
The more we can do to help people understand how to manage parliamentary and personal data appropriately, the better.
Parliamentary staff can get in touch with IRIS if they need advice on information rights and security. For help with GDPR, search on the intranet for more information and to access the online training course.