Collaborative Learning Discussion 3

Discussion Topic

There are several case studies published during the years 2014–2018 concerning GDPR-related issues and breaches.
Considering the case study you have chosen, answer the following questions:

  • What is the specific aspect of GDPR that your case study addresses?
  • How was it resolved?
  • If this was your organisation, what steps would you take as an Information Security Manager to mitigate the issue?

Initial post

Disclosure of CCTV footage from a direct provision center

In this case study, a resident of a direct provision accommodation center (owned by RIA and managed by Aramark) complained about an alleged disclosure of CCTV (closed-circuit television) footage showing some residents’ images. Apparently, that footage was taken because of an altercation between the complainant and another resident.

The complainant noticed a possible data disclosure during her participation in a radio program. The radio host claimed that he had a copy of that CCTV footage.

After reading the case study, a few points attracted my attention:

  • Neither Aramark nor the RIA could deny the fact that the CCTV footage had not been disclosed to the radio station. (Data Protection Commission, 2020)

  • During the investigation, the RIA confirmed that there were no policies or practice documents in place for the management of CCTV operating in accommodation centers. (Data Protection Commission, 2020)

  • The CCTV footage of an altercation involving the complainant had been downloaded by authorized personnel from Aramark and transmitted to the RIA. The reason for the download and transmission was that the captured events related to security, and health and safety issues. According to Aramark, due to the size of the file in question, the employee had saved the footage to a Google link for onward transmission to the RIA. (Data Protection Commission, 2020)

Unfortunately, after a thorough investigation, the Data Protection Commission (DPC) couldn’t find how the CCTV footage came into the possession of the radio station.

To avoid such incidents, I would establish a few steps based on the GDPR (General Data Protection Regulation):

  • In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. (General Data Protection Regulation, 2016)

  • The EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 require you to carry out a DPIA (data protection impact assessment) before certain types of processing. This ensures that you can mitigate data protection risks. (General Data Protection Regulation, 2016)
References:

Data Protection Commission (2020) Case Studies | Data Protection Commission. Available from: https://dataprotection.ie/en/pre-gdpr/case-studies [Accessed 05 October 2010]

GDPR (2016) Available from: https://gdpr-info.eu/ [Accessed 06 October 2010]

Peer Response 1

Great post, David!

I like your comment on the "risks that are presented by data processing". As covered in Article 24 of the GDPR, establishments are expected to ensure that appropriate technical and organisational controls are implemented to ensure that data is processed in accordance with the regulation (GDPR, 2016). A processor who is acting on behalf of a controller is also expected to do the same under Article 28 of the GDPR (GDPR, 2016).

In this scenario, both RIA and their processor Aramark failed in their duty of ensuring unauthorised disclosure and to make matters worse, there was no evidence of a document between both parties detailing their responsibilities with respect to personal data processing (Data Protection Commission, 2020). A learning point from this scenario for information security managers is to ensure there are robust agreements or policies between their organization and its processor spelling out guidelines on various aspects of data processing, notably the transfer of data between both parties over a network.

Another important point to note in this case study is that the Data Protection Commission found both the RIA and Aramark in contravention of Section 2C of the Data Protection Act which requires employees to be aware of and comply with all security measures (Data Protection Commission, 2020). This emphasises the importance of security awareness amongst employees in the workplace.

References

Data Protection Commission (2020) Case Studies | Data Protection Commission. Available from: https://dataprotection.ie/en/pre-gdpr/case-studies [Accessed 09 October 2010]

GDPR (2016) Available from: https://gdpr-info.eu/ [Accessed 09 October 2010]