Data Breaches, AI and Data Protection Trends in 2023: Q&A with Lynn Wyeth, Head of Information Governance
Effectively and securely handling and protecting sensitive data is important in any sector, but it’s even more vital for the public sector.
To bring you the latest information and answers on AI in the public sector, data breaches and data protection trends for 2022, we spoke to our expert trainer and Head of Information Governance at Leicester City Council, Lynn Wyeth.
Get to Know Lynn Wyeth
Not only is Lynn Head of Information Governance, she's also Leicester City Council's Data Protection Officer. She manages the function that oversees Data Protection legislation, the Freedom of Information Act, the Environmental Information Regulations and the Regulation of Investigatory Powers Act.
On a day-to-day basis, Lynn is involved with policy writing, assessing data protection impact assessments, investigating data breaches and running a team that answers thousands of information requests every year.
If you're a Data Protection Officer in the public sector, we run a popular training course, taught by Lynn, to help you excel in your role through tools and proven techniques. Secure your place today.
Let's Get into the Questions...
1. We saw from 2020 and 2021 that our data is never 100% safe from breaches, so what are three things that organisations can do in 2022 to protect personal public data more effectively?
"One of the main priorities has got to be awareness raising in staff and embedding a culture that everyone is responsible for looking after personal data. It’s not good enough to have a tick box exercise of an online refresher training every year. Staff need to get into the habit of checking every email they send, every letter they put in an envelope and every record they save electronically. Your employees, often due to human error, can be your largest source of data breaches. We need to change their behaviour, and they learn that by doing things correctly over and over until its second nature.
Thanks to the rise of cyber-attacks and ransomware, it’s really important that organisations invest in appropriate security measures and well-trained IT security staff to try and protect the organisation. Ensuring protections are in place such as firewalls, virus protection, regular patching, pen-testing etc. may not save you from a zero-day attack but could stop many other cyber criminals compromising or stealing your data.
Finally, get it right from the start. View your Data Protection Impact Assessment, and the concept of Privacy by Design, as a valuable tool to prevent problems later on and not just a tick box exercise. Invest the time in designing your service, process or sharing arrangement early on and you’ll hopefully face less pain in the future!"
2. What do you think the future of data protection looks like? Or do you think there will be specific trends in the new year?
"The UK Government’s consultation on data reform shows a direction of travel that will re-badge GDPR as a UK privacy framework. The proposals look like they will effectively reduce some of the mandatory requirements GDPR implemented; sometimes renaming it, sometimes potentially weakening data protection.
Those organisations that see GDPR as a burden will take advantage of such reforms and possibly data subjects’ rights will be weakened. I believe those organisations that appreciate the risks associated with data protection, or see that having strong privacy rights for service users is a good business model, will continue to carry out some of the good practices GDPR required."
3. Data protection often requires lots of manual labour, so is strong data protection software the main key to effective and secure data security?
"Of course, there’s all sorts of software out there that helps make processes more efficient for data protection practitioners, be it logging systems for Subject Access Requests received, or redaction software. Some of the software available is invaluable for security of the data, offering encryption or passwording facilities.
Recently, the ability to add retention schedules to data has improved records management practice immeasurably, allowing organisations to have more confidence that they are not keeping data longer than necessary, in breach of the GDPR principle for data retention.
Conversely, some software can cause problems. Security flaws, or software that is not fit for purpose (e.g. data cannot be deleted, only archived), can cause extra headaches for data protection officers. Your Data Protection Impact Assessment of the software will need an extensive appraisal of potential data protection and security issues."
4. The public are more curious than ever about their data – including how it’s stored, used and what it’s really needed for – so with this call-out for greater transparency in mind, should organisations be taking a more user-focused approach to data management?
"Absolutely, and many organisations are, including the public sector. We are continuing in our digital transformation projects to allow users to access their accounts online and see the data that is held on them where possible, and carry out more self-service and transactions online or in Apps on smartphones. The pandemic has accelerated some of this work.
We are also being less risk-averse when it comes to using platforms that users are comfortable with, e.g. moving to WhatsApp (for Business) where appropriate. The GDPR did improve Privacy Notices somewhat but there is still more to do to ensure users understand exactly what data will be used for."
5. With the rise of the Metaverse and other technological advancements, do you think Blockchain will be implemented deeper in the public sector to help protect data in 2022?
"I don’t think Blockchain is something the majority of the public sector will be involved with anytime soon. A lack of budget for investment, plus a lack of skilled and knowledgeable staff (and senior management) is a key barrier, as well as some of the issues around aligning with policy objectives. Challenges include a lack of regulation, lack of interoperable infrastructure, inefficient and energy-costly transactions and the absence of effective governance models."
6. We know that data mapping is important to GDPR, but what if we used artificial intelligence to help us with various data mapping activities? Good or bad idea?
"AI can prove incredibly effective and efficient in some of the simpler process-driven activities. The time saved is invaluable as organisations need to become more efficient, and the public sector in particular has had to do more with less. Task-driven processes such as issuing parking permits, or managing council tax payments for standard transactions can easily be automated.
But, care does have to be taken where higher-level decisions are made that can impact on individual rights and freedoms though, especially with predictive analytics. Sometimes local solutions or complexities prove challenging even for a competent robot and still require human intervention where an individual needs to be aware of the thousands of pieces of legislation and case law that dictate policy and process in the public sector! Your Data Protection Impact Assessment will be invaluable at identifying any risks for any particular AI processing."
Boost Your Data and Digital Skills with our Training Courses
Whether you want to learn how to comply with Data Subject Access Requests (SARs), carry out data protection impact assessments or handle tricky FOI requests, we've got just the course for you. View upcoming courses and secure your spot.