GDPR – Choosing Your Basis for Processing

Our most recent webinar raised several interesting questions as well as one of my own about potential breaches that may come as a surprise. In this post I address:

  • Choosing a basis for processing – Public Task?
  • The use of VeraCrypt and other encryption schemes.
  • Addresses held by the ICO of data controllers – a conundrum.
  • E-mail headers and unintentional breaches

The Basis for Processing

An attendee is considering the use of “Public Task” for a small practice that prepares reports for the MOJ. On the surface I can see how this seems reasonable, however in keeping things simple let’s see what the ICO suggests about this choice:

  • You can rely on this lawful basis if you need to process personal data:
    • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
    • to perform a specific task in the public interest that is set out in law.
  • It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
  • You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
  • The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
  • Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

I think it may be a bit of a stretch to read this and confer it onto a group of psychologists, working together as associates, who prepare reports for the MOJ. In particular, this choice severely restricts what the controller can do with the data as the subject retains right of objection.

Looking further at the ICO’s take on this the overriding emphasis seems to be that processing is laid down in law, is performed primarily by public authorities or private organisations performing the functions of public authorities (ie. a water company). In particular to private organisations the ICO states: “However, if you are a private sector organisation you are likely to be able to consider the legitimate interests basis as an alternative.”

This leads me back around to my suggestion that legitimate interest seems most appropriate for nearly anything a psychologist is likely to need to do AND it is reinforced by the ICO’s interactive tool, which can be found here: ICO Interactive Tool

We have to be careful not to think we have roles we do not, in fact, have and to not read too much into one thing when another is so much more applicable.

Encryption

The most important thing about security, or locking up your bike at night, is to keep it simple enough that it is not a chore, straightforward enough that we do it every time, and strong enough to match the risk at hand. Bikes most often are stolen not because the lock wasn’t strong enough but because we just popped into the shop “for a second” and didn’t lock it at all.

See where I’m going with this?

The specific question related to VeraCrypt, but can apply just as easily to a myriad of other encryption products. Often, the debate around these products devolves into whether or not the NSA, CIA, or police can access the encrypted data. This is not our purpose or our risk. The downside to programs like VeraCrypt, Knox, and others is not that there is anything wrong with them — there isn’t — but that encryption has become simple to deploy and use automatically. I think Microsoft’s version on Windows 10 and up may require that you create a Microsoft account where your key will be stored. Mac’s version is tick boxed in security settings. You do not need to remember to lock up your data beyond remembering to log out as a user. Do not lose track of your passwords or you will be well and truly scuppered! Seriously though — both Apple and Microsoft have ways of possibly rescuing you if you have stored keys with your online accounts.

What third-party encryption can allow you to do is encrypt folders or files within the already existing encryption. Is this more secure. I don’t think so. Does it allow you to set aside some information that will not unlock upon entering the computer. Possibly. Is it worth the trouble or, to the point, is it commensurate with the risk. No, I don’t think so.

Geeks do suggest that open-source, third-party encryption routines may be easier to hack in that the public nature of their structure, which allows finding faults, also makes it easier to take advantage of those faults, even if only for a limited time. They also go on about evading the super sleuths, which is not our concern or worry.

Bottom line, the encryption built into your device has been designed by a well-funded company with a vested interest in keeping it as secure as reasonably possible.

Your responsibility is to use a strong password that includes upper and lower case nonsense characters, numbers, symbols and at least 8 and preferably 12 in number. Most hacks and breaches are because passwords are not present, are common default passwords (newuser, password, admin etc.).

DO NOT FORGET that your back up drive (you are doing backups…right?) should also be encrypted and password protected. There are several ways of doing this depending on how you perform backups. Apple’s Time Machine requires only a tick box. Others may require you to prepare the disk ahead of time.

Addresses of Data Controllers

Now this is a really interesting dilemma. When we register with the ICO we are giving up, in many cases, personal details as described in the regulations. The ICO goes on and publishes this information for the general public. Psychologists, in particular, are sensitive to making their personal addresses public. Stalking has, in our own experience, has raised its ugly head on more than one occasion.

I have gone over the ICO and do not find any alternative, as exists with Companies House, to keep the address private. Of course, the purpose is to make it possible for the public to contact the data controller!

I can think of several possible solutions and you may be able to think of more. We use one or more of these ourselves:

  • Use a PO Box — they are not expensive and are good for most business correpondence
  • Use Mailboxes Etc. or another mailbox service — London is full of these services including Regus virtual offices, UPS, and more
  • Use your accountant as a “service” address — if you are a limited company then your accountant may already be listed with Companies House as your official address.
  • Use a friend’s business but bear in mind that someone with less than legitimate interests may think they can find you there with malice in their heart

We use Mailboxes Etc and have used Regus in the past. It is a modest expense and we have found worth that cost.

I do find it interesting that public bodies like WHOIS are deciding if they have to remove names of website administrators in the EU from their directories while the ICO is preparing to put ours in the public domain!

A conundrum indeed.

Surprising Breaches

Finally, cc and reply all can bite us when we least expect it. When sending an email to large groups of people remember to use BCC, blind copy, so that recipients cannot see others on the list. This happens particularly when forwarding someone else’s email that has not been so observant. It can also happen when we reply to all to an email that did not use BCC in the first place.

Like so many things in security, be vigilant not only for your own oversights but especially the oversights of others.