GDPR in the Public Sector
The General Data Protection Regulation (GDPR) defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
While an earlier version of the Data Protection Bill had proposed to exempt public bodies from fines, the Data Protection Act 2018 (which transposed the regulation into Irish Law) determined that Public Authorities and public bodies may face fines of up to €1 million for personal data breaches. This is in contrast to the potential fines of €20 million or 4 per cent of annual global turnover for non-public bodies.
However, what is more significant for the public sector is the reputational damage that can occur in the event of a significant data breach. The public sector is the curator of large volumes of data, including sensitive health, education, social security and housing records.
The GDPR also introduced the requirement for organisations to report personal data breaches to the Supervisory Authority (the Data Protection Commissioner in Ireland) within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.
In the DPC Annual Report May 25 – December 31st (1), there were 3,687 reported Data Breach notifications. Of these, 1,258 were in the public sector, with Unauthorised Disclosure accounting for 1,064 (84.5%).
The report cites the following as typical examples:
* inappropriate handling or disclosure of personal data, e.g. improper disposal, third-party access to personal data – either manually or online, unauthorised access by an employee;
* loss of personal data held on smart devices, laptops, computers, USB keys and paper files; and
* malicious or criminal cyber incidents such as brute-force attacks, hacking, malware, phishing and ransomware.
Information Security Challenges for the Public Sector
Challenges which the Public Sector faces in Information Security:
* Outdated Legacy IT Platforms
* Increasing volumes of complex data
* Levels of expectation from the Public Sector in service delivery
While many government organisations have prioritised digital transformation, there remains the problem of outdated pre-existing technologies and outdated legacy IT platforms. This is a significant factor in slowing the adoption of cloud-based computing. Cloud-based IT systems can reduce the security risks to data with strong security safeguards and with end-to-end data encryption.
The large volume and sensitive nature of the data in the Public Sector domain mean that it is high risk in terms of its loss, theft or misuse. This is relevant both in terms of accidental mismanagement and also deliberate and malicious cyber-attacks.
Cyber-attacks can be broadly categorised in three main ways.
* Distributed Denial of Service: whereby an attempt is made to overwhelm an online service with traffic (connection requests) from multiple sources to render it inoperable
* Ransomware: a malicious form of malware/virus that infiltrates network systems (often in the form of unfiltered email attachments and downloads) which can result in the paralysis of the network
* Malicious Data breaches: whereby hackers target networks to purposely steal sensitive data
The public has a certain level of expectation in how transactions are conducted including their interactions with government bodies. This includes seamless service such as online transactions and portal access to their information, negating the need for paper forms, automating data entry and generally providing the customer with a more satisfying experience.
Addressing the Problem
In a BSI Group survey (2), it was indicated that for most of the public sector, adopting the cloud means adopting Microsoft Office 365.
‘This migration is driven by several factors with the top three being business continuity and disaster recovery, mobile and remote working, and security. Capitalizing on this movement of data to the cloud we see a large percentage of public sector users having remote access to email, file data and CRM systems’
Microsoft Dynamics 365 offers a comprehensive set of in-built information security measures, such as:
* Encryption for data both at rest (database) and in transit
* Data retention policies to ensure that data is not retained for any longer than necessary, minimising the risks of data breaches
* Role-based security, whereby access is only granted to the assigned security role as opposed to the individual
For the cloud-deployed version of Dynamics 365, data is ‘co-located’, which means that it will not disappear should something happen to the data centre, ensuring availability and integrity.
With in-built security, such as distributed denial of service (DDoS) attack prevention and regular penetration testing, there is continuous validation of the performance of security controls and processes.
Embracing digital transformation in the Public Sector is a step in the right direction in reducing Information Security risks. Additional benefits to the Public Sector are improved operational efficiency and a better customer experience.
How can OpenSky help?
As Ireland’s Only GovTech digital transformation specialist, OpenSky works with many Public Organisations, delivering future-proofed citizen access and operational efficiency. This includes delivering solutions to customers who are striving to adhere to the requirements of GDPR and who are focused on reducing risks around information security.
Specifically, in the area of Data Retention and Deletion (‘storage limitation’), organisations are seeking to build automated data deletion into systems once their defined retention timelines expire (if the data no longer exists, it cannot be breached!). We work with our customers in translating their retention schedules into system functionality.
OpenSky also assists customers in conducting DPIAs (Data Protection Impact Assessments), identifying risks to personal data and providing mitigations for these risks. DPIAs can be completed for both new systems (in design) and those already existing and operational. For existing systems, these mitigations can include such actions as:
* Preventing the collection of unnecessary personal data by altering systems and deleting such previously collected data from databases
* Enabling organisations to meet the requirements surrounding consent management
* Anonymisation and pseudonymisation of data
The GDPR has put the spotlight firmly back on Data Protection, across all sectors. With the wealth of sensitive personal data in its remit, the Public Sector needs to rise to, and meet, all the challenges surrounding keeping this data safe.
Source of Information/Reference links:
1. Annual Report 25 May – 31 December 2018 – Data Protection Commissioner (DPC)
2. Information and Cyber Challenges in the Public Sector – Survey 2018 (BSI Group)