Security Operatives notebook as a privacy risk
This week is a bit of an eye opener for many people. For decades security operatives have carried and used notebooks as a staple part of their equipment. I myself still use one and strongly believe in them as an excellent tool. In fact I published a blog and short video on the subject recently. However we must also recognise that times change and we need to be constantly adapting to ensure we are complying with not only new legislation but the demands society place on us as service providers. Data and privacy are now the most valuable commodity that people possess and one which security operatives must guard for the public with as much care as they would products, property or persons in their care. Recently I wrote to the data protection commissioner with a number of queries about the data we collect in our notebooks. The answers are detailed below and throw up some serious questions for security operatives and for employers. It doesn’t mean the end of the security notebook but it does mean we need some more security around the data we collect in them.
With personal data and privacy coming to the forefront of Irish society and the approaching introduction of GDPR I have been looking at the security industry as a whole in terms of privacy and data management. For many years we have as part of our role collected personal data such as names, addresses, dates of birth, images, video etc and processed it in a variety of ways. How many times have you written down the personal details of a person who has lost or found property or a person arrested for theft in a retail store and thought nothing of the data you have just collected. All of this data has value and is covered by legislation. Ever lost or misplaced a notebook or accident report form? There are now large legal implications for both you (from an employment perspective) and your employer from a legal perspective.
What is this GDPR?
That’s a whole other set of articles. Basically GDPR stands for the General Data Protection Regulations. It’s new European privacy and data protection regulation which will be passed into law in May 2018 in Ireland. It’s contains enhanced controls on data held and processed as well as increased rights for individuals. In my opinion it is one of the biggest legislative changes we are likely to see in the security industry in terms of how it effects what we do. You can find out more information on it here
I sent a number of questions to the consultation department of the Data Protection Commissioner about security operatives notebooks. I’ll reprint my full email below:
Email to DPC
To whom it concerns,
I have a query relating to the gathering of personal data in the security industry in particular in relation to the use of security notebooks. I am writing as I can’t seem to find any clear guidance on your website on the issue.
To give the issue some context. Security operatives working across the private security sector (of which there are almost 30,000) are expected to carry a personal notebook as part of their equipment. This is advised across Ireland, UK and most other regulated security markets and is covered in the introductory training programme for all new entrants to the sector. Generally they are expected to provide this themselves, but in some instances they are supplied by the employer.
In these notebooks would be recorded the personal data of numerous members of the public who come in contact with the security operative. This would include names, addresses, dates of birth, mobile phone numbers etc. for variety of reasons including lost property, found property, accidents, witness to incidents, arrests, etc.
The notebook containing all of this data is then retained by the security operative on his/her person and brought home with the security operative after work. In the case of a person working for a contract security provider it would also be brought from location to location.The personal data is stored indefinitely even after the completion of the notebook. Details for arrests or accidents subject to civil claims would be retained by the security operative for a number of years in case it is required for court and the other data must be stored in the notebook for the same time as to remove the non required pages would damage the integrity of the notebook on legal evidence. I have a number of queries around this practice that I am hoping you can provide clarification on.
1. Where the notebook is purchased and held by the individual at the request of his/her employer and for the sole purpose of work related tasks who is the data controller?
2. Where a security company employee is gathering data on behalf on a third party client are the individual and security company simply data processors and the client the data controller?
3. Is there a compliance issue around the storage of the personal data in the security operatives home or the transfer of data to other sites where the person may be working?
4. What would the Commissioner regard as reasonable retention periods for such data and who is responsible for the disposal of the data?
5. Is this data subject to an access request from a member of the public?
6. In terms of data gathered by consent such as contact details for lost property or witness details should there be a notice given at the point of collection of the purpose, retention period etc?
7. Where data is not gathered with explicit consent such as the personal details of a person who has been arrested should this data be gathered at all or should a notice be given at the point of collection of the purpose, retention period etc?
8. Are security companies who collect this type of data subject to registration with DPC or would they require a DPIA to be carried out on these activities?
Can I add that while all of this is common practice this query is in no way implying any malicious behaviour in the industry just a lack of awareness and I would like clarification to assist the industry in becoming compliant.
I can appreciate that the above is quite technical but essentially what I was trying to uncover was who is responsible for the data we gather. The security operative or the employer?What policies or procedures should be in place to store this data? What information should we be giving to the public?
Once again I received a really detailed and helpful answer from the lead consultant with the Data Protection Commission. I’m going to summarise the answers here because they are quite technical and legally worded so I’ll try make it as clear as I can.
1. Regardless of whether the company or the employee purchases the notebook the employer would be the data controller as the party determining the purpose and means of the collection of personal data. The employer is responsible for all data collected as part of a security operatives duty
2. Where a security company is gathering data as part of its contract with a client it is slightly different (but not much). Where data is processed strictly in accordance with a contract, and subject to the instructions of another party, the security company will be acting as a data processor. The individual employee should not be identified as a data processor as they are not subject to the data processing contract, which is between the client and the company. So the client as the data controller and the security company as the data processor have legal responsibility for the data.
3. On the subject of security operatives bringing the data home or to other sites. There is no inherent compliance issue with security operatives retaining data in personal notebooks, or in the transfer of data as long as appropriate safeguards are put in place to prevent unauthorised access to, or accidental disclosure or loss of the data. In the event of a personal data breach, the security company as a data controller will be responsible. It is strongly recommended that all employers have a procedure in place around this subject.
4. In relation to the storage period and disposal of this data. It is not within the remit of the DPC to stipulate retention periods for data. It is the responsibility of each data controller to determine an appropriate retention period based on the principle that data should be held for no longer than is necessary to achieve the purpose for which it was obtained. The retention period should be documented by the employer and the method of disposal as well as policy for ensuring that the security operative has disposed of the data.
5. This data should be considered within the scope of a subject access request by a member of the public. The employer should have a written policy for this and an access request form. All documents of this type containing personal data including reports, statements etc would also fall into this category.
6. In reference to the point about information given to data subjects at the point of collection. Article 13 of the GDPR outlines the information that should be provided to a data subject where information is collected from them. This includes the identity and contact details of the data controller, the reason for processing, the retention period and the right to access the data.
7. In relation to information taken from persons arrested etc or provided to the company about persons arrested. Article 14 of the GDPR outlines the information to be provided to a data subject where it is not obtained directly from them. Please note in this regard Article 14(5)(b) which states that the requirement to provide information shall not apply where, “the obligation…is likely to render the impossible or seriously impair the achievement of the objectives of that processing.” This would apply where information is gathered pursuant to an investigation and to inform the data subject would clearly prejudice tha purpose. Article 14(5)(b) goes to provide that, “in such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests.” So essentially as long as the data is safeguarded then there is no requirement to inform the subject here. This would also apply to data compiled during an employee investigation.
8. With regard to carrying out a DPIA (data privacy impact assessment) for this processing and registration with the DPC. A DPIA is required where processing is likely to result in a high risk to the rights of data subjects and in particular where new technologies are introduced. It is the data controller’s responsibility to assess the level of risk, and thus whether a DPIA is required. It would seem though that if the practices you describe are long-standing and commonplace, it will most likely not be necessary to carry out a DPIA to ensure compliance from May 25th next year. If the business practices change, and in particular if new technological solutions are brought in I would advise a reconsideration of the necessity for a DPIA. This does not replace the need for adequate policies and procedures around this issue. With regard to resist ration the DPC is ensure as to whether registration will continue under GDPR but will update the public once the Data Protection Bill has been passed.
What does all of this mean
It means that we need to become a lot more aware of what we are doing with our notebooks and with personal data overall. I recently sent out a photo of my shoebox full of old notebooks spanning 17 years in the industry. I now realise the level of personal data I have been holding all of these years for no other reasons than memories (and a book maybe). What my previous employers may not realise however is the liability they hold for the data I hold. We all need to make ourselves much more aware of data privacy as an industry and begin to design stronger procedures to protect the data we hold.
I’m hoping this article will be of help to security providers, buyers of security and security operatives in tackling this subject. This article is just one piece of the puzzle. Notebooks are a tiny fraction of the data we hold. We all need to take a good look at what we currently do and understand that it’s probably no longer good enough. Data is the new gold and we have in our possession a commodity of great value. For security operatives out there let’s start looking at how we protect the modern golden nugget that is your notebook.