Over 1,000 of our staff have completed our mandatory Data Awareness training so far, and we are aiming to reach 100% compliance by the end of the roll-out. One of our aims for the project was to share our work, so here are our reflections and the content itself.
In preparation for GDPR, we asked:
How might we:
- …equip our staff to fulfil their responsibilities to keep our resident and staff data safe, and to handle it lawfully.
- …equip our decision makers to make decisions about data with an understanding of the law.
- …support people working on behalf of Hackney who don’t have access to training budgets, e.g. foster carers.
- …support people in our communities with data protection responsibilities who don’t have access to training, e.g. scout leaders.
- …give other organisations the chance to use our content instead of spending their own time and effort on creating something similar.
We talked to several specialist agencies about how they could help, and selected Helpful Digital to work with us on development of the content. We decided to use their Digital Action Plan – their personalised digital skills programme to help groups develop the confidence and skills to use digital tools at work.
How did we develop the content?
We kicked off with a workshop with Helpful Digital and staff from our Information Management and Information Security teams. We decided to develop one plan for people handling data, and one plan for people making decisions about data. We started by producing Hackney-specific content that referenced our policies and procedures.
The content took some time to refine – we wanted to make sure that it contained useful practical advice rather than regurgitating the law. The Council deliver such a vast range of services that it was a challenge to find examples that would be applicable to everyone. After our first draft we were lucky enough to have willing volunteers from across the Council to test out the content. Getting some extra eyes and perspectives on it helped us to identify the changes needed in the next iteration.
- We will remove the references to Hackney Council policies and procedures, to produce equivalent plans for non-Hackney users.
- We will adapt the decision-maker’s plan to include scenarios specific to our Councillors.
- We will plan for our annual refresher, thinking ahead about how we adapt content to support this.
How can you use this content?
You are free to use this content however you will find it useful. You might keep it in document form, but could also choose to move the content into your own Learning Management System. Another option is to use Helpful Digital’s Digital Action Plan platform with our content at a small cost – you can read more about this option here.
We have published the content on GitHub here.
- Content for people handling data is called ‘Beginner’ and marked 1-5.
- Content for people making decisions about data is called ‘Intermediate’ and is marked 1-5.
- There is a final quiz for all levels of plan.
Some of our post-it note ideas in the early stages of creating the content:
The closer we get to 25 May, the more emails I receive reminding me that the General Data Protection Regulation (GDPR) is coming soon. Some of these give the sense that the changes to our data protection laws will be apocalyptic and many of them don’t actually seem to have understood the new regulations at all! This is made slightly more dramatic by the uncertainty about when the UK’s new Data Protection Bill will actually be passed into law (so we can’t be 100% certain what the requirements will be – although we do have a good idea).
At Hackney we have been reminding ourselves that the fundamental principles of data protection remain the same – we need to look after the data and privacy of our citizens and employees and we need to make sure that we are using data in ways that are consistent with our legal obligations for delivering services to the borough’s residents and businesses.
Part of the change in the law is to increase transparency – making sure you know what we are doing with your data and what your rights are. And in line with the principle of transparency we are working in the open, so that others can benefit from the investment we’re making in complying with the new law if it would be useful to them.
If you’re a business then you’re likely to find that the exact details of the work you need to do to comply with the GDPR will vary depending on the type of organisation you are and the types of data you hold, but this summary might provide some useful pointers for your own compliance planning.
In summary, the work we’re doing covers the following areas:
- Our training is designed for anyone – we have reviewed & refreshed our data protection and information security training. We are working with a local agency, Helpful Digital, to develop an online ‘Data Awareness Training’ tool. There is a basic level for those handling data, and an intermediate level for those making decisions about data. We’ll be sharing this, so that any other organisation can use it (a community volunteer that maintains a list of other volunteers, for example).
- Information Asset Register – we’re building a register of what information we have, where it is, what controls are around it, who is accountable for it, where we got it from, who we share it with and what our lawful basis for processing it is. That will make it easier to respond to requests and ensure we’re complying with the law. We have been fortunate that the Local Government Association has made a ‘Record of Processing Activity’ tool available through their LG Inform Plus subscription service which we are using to help us build our register. This details all local government activities with the recommended lawful basis for processing and the underpinning legislation that relates to the power or duty (where it’s indicated that data is processed due to a legal obligation or public task).
- Policies – we have refreshed our policies that relate to information management and security. Just as we are sharing products we are creating, we are also using good work of other organisations where permitted. In this case we based our new policies on those of other councils, saving Hackney time and money. These updated policies are clear and concise, and will have supporting technical standards and guidance.
- Retention & disposal – existing data protection law already requires that we only keep data for the time that we need it for the purpose it was collected for. This doesn’t change with the new law, but we do need to tell individuals how long it will be kept for when we collect it from them. We have also been hard at work reviewing our older data archives and have made some policy decisions about email, have been reviewing the paper records that we store and plan to dispose of historic data that is no longer needed over the coming year. As part of this review work, we’ve been working with our colleagues in the Hackney Archives to make sure that any important archive records are retained for future use.
- Privacy notices – the new law extends individuals’ right to be informed, and we are now required to provide a large amount of additional information when we ask for data, explaining why we need it and how it will be used and stored. We are following the guidance from the Information Commissioner’s Office to take a ‘layered’ approach. This means that we will provide a short summary paragraph in Plain English at the time that we ask for the data (e.g. when someone completes a form) and this will point to a more detailed notice on the Hackney Council website, with additional detail for each service. We will be sharing these in an online document, licensed under Open Government Licence, so that they can be reused by others, free of charge.
- Identity Management – we have been exploring how we can minimise the number of times that we ask for ID documents from residents across multiple services through using technology that can simplify managing identity. This would not only save us money by avoiding the need to repeat steps across different services but would also make it easier for citizens to access services without having to prove who they are every time that they use a new service. We’re working together with the Government Digital Service and Tower Hamlets to see if there is potential to use the GOV.UK Verify service to achieve this.
Different organisations will need to take different steps, depending on what data they have and how they have managed it previously. We hope that by sharing details of the work we’re doing, by working in partnership with others and making our work open it will help you understand what the GDPR involves and help other organisations with their own preparations.
If you run a business or other organisation / group that processes personal data then we’d recommend you take a look at the information that the Information Commissioner’s Office have provided online https://ico.org.uk/for-organisations/business/. You can also contact their helpline which is able to offer advice if needed: https://ico.org.uk/global/contact-us/helpline/. You may also find this cyber security guidance from the National Cyber Security Centre useful https://www.ncsc.gov.uk/smallbusiness.