Cause and Effect: Lessons for us all and what we can take from the recent, massive data loss.
The recent, highly-publicised loss of confidential personal data by a loyalty card service provider has provided a learning opportunity for Data Controllers and Data Processors alike.
The scenario is a very typical one — an organisation (the Data Controller) engages a third party (the Data Processor) to provide a specialist service, using the Data Controller’s client data to do so.
So what can we learn?
Under the Irish Data Protection legislation, the Data Controller must ensure that there is a formal contract in place, before any personal data is shared with the third-party service provider.
Responsibility: The Controller is effectively handing off customer data to another organisation, in order to receive a specialist service. However, they remain the Data Controller, with primary responsibility for the safety, security, accuracy and processing of that data throughout the duration of the engagement.
It has been interesting to observe the impact on the Data Controller’s brand during this case. While we now know that the data was stolen from the service provider’s system, the media nonetheless persisted for a number of days in referring to the actual Data Controller brands that were affected by the breach.
Regardless of where the personal data was stored at the time when it was stolen, it remains the responsibility of the Data Controller, and the legislation places liability on the Controller to ensure that the data will be held and processed in compliance with the Data Protection legislation. The Controller should use the Data Processor contract to protect their data from any such risk.
Obligation: As soon as the Data Controller becomes aware of any loss of, or threat to, the organisation’s sensitive personal data, either from their own systems and devices or from the systems of others, the Data Controller is obliged to notify the Office of the Irish Data Protection Commissioner within no more than two days. The notification should include any information relating to the data loss, as well as information on anything that is being done to recover the data, and to prevent a recurrence.
The Data Processor
At one level, we should be impressed by the calibre and range of the clients which this week’s central player has on its books.
When things go bad, however, as appears to have happened in Co. Clare, the high profile of one’s clientele only adds to the impact of the incident and the depth of the recovery challenge.
The Data Processor must hold and process the Data Controller’s data in an appropriate manner, complying at all times with the terms of the contract agreed between the two parties.
The Data Processor is often a specialist in a particular sector or service, and should be aware of the standards and regulations which govern their area of expertise. For example, any organisation holding credit card information electronically must comply with the Payment Card Industry Data Security Standard (PCI DSS).
The standard requires that credit card data is encrypted while in transit, held securely and, naturally, protected from unlawful access and disclosure.
Professionally, the Processor should maintain a clear and regular line of communication with the Data Controller, so that any deviation from the terms of the contract, or incident occurring with the Controller’s data, can be reported as soon as possible.
It goes without saying that the Data Processor has its own reputation and brand to care for. A problem happening with the data of one client is a warning to other clients to beware of the same thing happening to their data. The implications are obvious, and unfortunate.
Every organisation is in business to make a profit, to fulfil their objectives and to meet their commitments to their customers, partners and stakeholders. For both the Data Controller and the Data Processor, their focus should also be on their duty of care towards the personal data they process.
Lessons to be learned
The Data Controller should conduct due diligence on the capability of their third-party service provider to meet the terms of their engagement:
• The Controller and Processor must enter into a formal contract, before personal data changes hands
• The Controller should include a ‘right of audit’ clause in their Processor contract
• The Controller should closely monitor the activities and data management practices of its third-party service providers on a regular basis, and should penalise breaches of the terms of the contract
• The staff of both the Controller and Processor should be aware of their obligations under the appropriate standards and regulations for their industry
• All staff should be familiar with the Data Protection legislation, and their responsibilities towards the personal data they hold
• Both the Controller and the Processor should have processes in place to detect a loss of data, or a breach of data management practices
• Both the Controller and Processor should consider having a Data Protection Officer within their organisations as a knowledgeable point of reference for compliance with the Acts
• Organisations must have a formal process in place to notify the Office of the Data Protection Commissioner as soon as possible once a significant breach is detected
• Controllers and Processors must work constructively with the Office of the Commissioner to investigate a breach, to minimise the impact on Data Subjects, and to prevent a recurrence of the circumstances which led to the breach in the first place
• Organisations should continuously evaluate their data processing capability to ensure that they are meeting regulatory guidelines and best industry practice
Sytorus is an independent Data Protection Consultancy, based in Dublin, and offers training, consultancy and privacy impact assessment services.