Compliance, Culture, and Tone at the Top

The Data Protection Commissioner has just published his annual report. It makes (as always) interesting reading. It has only been released in the last 30 minutes but there are elements of it that I will return to in detail in a post on my company website later this week (once digested).

Over here on my personal blog I thought I’d pick up on a broader question that bubbles up frequently in Data Governance and Compliance, not least in Data Protection. That is the importance of “tone at the top”.

The DPC’s Annual report instances a number of breaches by way of case study and a report on an audit follow up. The audit of An Garda Siochana’s Pulse system is mentioned in dispatches. Which brings me to the troubling topic of this post.

The Minister for Justice and Defence has disclosed into the public domain information about another person (a Data Subject) relating to an alleged (and disputed) “stop and caution” which, one must assume, came into his possession in the course of his ministerial function from some, as yet unconfirmed, source. The Minister sees nothing wrong with disclosing personal data, and in this case potentially sensitive personal data, for his own purposes. He has stated in his defence that he felt the disclosure was in the “Public Interest”. His Taoiseach has backed him in his actions.

It brings to mind the argument put forward by Nixon when challenged by David Frost about the legality of certain actions. Just because you can do something doesn’t mean you should – this is the long repeated mantra of Data Protection practitioners worldwide.

To extrapolate a little: a senior member of the executive management of an organisation has disclosed publicly information about another person that has come into their possession through the course of their professional activities. The disclosure is without a clear lawful purpose but the manager feels it is in the Public Interest to know the kind of person they are dealing with (“Public Interest” and “Of Interest to the Public” are two different concepts). The manager sees nothing wrong with this. His CEO sees nothing wrong with this and backs the manager.

If this were a private organisation the DPC would be investigating and the executive and CEO would potentially be facing personal liability under section 29 for their consent and connivance in the commission of an offence under the Data Protection Acts.

When the Minister for Justice and Defence, under whose Department the Data Protection Acts reside, cannot recognise where the political win that comes from dropping the other guy in it because you have information about them that others don’t have runs into conflict with fundamental rights to Personal Data Privacy and the Data Protection Acts themselves, the tone at the top is resonating bum notes.

When the Taoiseach sees no problem with this, the bum notes become cacophonic.

If the Minister is to argue that business owners and public servants should respect the law then his recent actions inject a diminished minor note into the fanfare he should have around Data Protection, what with him being the Minister in Europe currently charged with shepherding the revised Data Protection Regulation to a final text.

Why should an SME owner or CEO of a large corporate challenged with respecting the Data Protection Acts now seek to act in compliance with that legislation? The Minister can flout it, why not them? Why should a young garda officer on the beat, struggling to make the mortgage payment that month, respect the Data Protection Acts and their code of conduct under the Garda Siochana Act when offered money by external entities for information, when the Minister can unthinkingly ignore the ethics and letter of the legislation in pursuit of political point scoring?

Over two years ago I wrote about the same issues arising in a political context. One key quote sticks out in the context of the current situation with regard to political leaders:

If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.

The Office of the Data Protection Commissioner is intended to be independent and is required under the TFEU to be so. However they operate under the auspices of the Department of Justice and Defence. In such a structure there is a significant risk that the clarinet solo of the Commissioner (still grossly under resourced) will be drowned out by the cacophonic discord of the Tone at the Top.

The DPC has commented today that:

in general the public sector, including ministers, has a solemn duty to protect any personal data coming into its possession and may only disclose it when it has the consent of the individual concerned or under another basis laid down in law.

Should Deputy Mick Wallace make, or have made, a complaint it would be interesting to see how the Government and the Commissioner’s office would act to avoid the kind of enforcement actions related to a lack of independence of the Regulatory Authority (the DPC) that have arisen in Hungary. Certainly it would be a matter worthy of mention in the 2013 Annual Report of the DPC. Bluntly it would represent a clear test of the independence of the Office of the Commissioner (and for that matter their resourcing) if they were to have to investigate a Minister rather than just a Minister’s department or agency.

The Data Protection Acts owe their genesis and evolution to the actions of political forces in Europe in the early years of the 20th century. We should be very worried when the Minister responsible for internal and external State Security feels that encroaching on a right to privacy without a clear lawful purpose is an acceptable political tool.

The Tone at the Top is braying some bum notes this week and some conductor needs to bring the orchestra back in tune. Otherwise, like all great bands, musical differences may trigger the beginning of the end.

I had looked forward to the Minister’s statement today but am underwhelmed by his position that Deputy Wallace’s status as a public personality is a justification for the disclosure. Were this the case, the DPC audit of the Gardaí and Dept of Social Protection would not have been so concerned about access to data relating to celebrities. The disconnect and discord in the “tone at the top” is palpable!

(If the use of the phrase “tone at the top” in connection with Fine Gael and Data Protection is familiar to some, this post might refresh your memory)