The inaugural meeting of the Scottish Privacy Forum took place today in Edinburgh. Initiated by a number of data protection and privacy experts in Scotland, it was sponsored by the Information Commissioner's Office and designed "to facilitate the exchange of information and good practice between the different sectors (private, voluntary and public) and key individual stakeholders with an interest in the processing of personal data in Scotland."
Eighteen participants, from a range of sectors, met for a day of roundtable discussions. The focus of the day was the Scottish Government's Data Handling Review, published in June 2008. The Assistant Commissioner, Ken Macdonald, started proceedings by welcoming everyone, while Maureen Falconer, the Senior Guidance and Promotions Manager for the ICO's Scottish office, provided a succinct summary of the Government report.
The rest of the day comprised three focus group discussions, each taking a different aspect of the Report. To ensure a full and frank discussion(!), the ICO representatives left the room for these sessions, returning for each plenary session. The three topics under discussion were the three themes identified in the Government report: Leadership and Governance; Process and Compliance; and Communication and Culture. Questions such as developing good practice and communicating data protection policies within the workplace were discussed. Issues such as the difficulty of engaging colleagues in data protection arose, especially where this was seen as impeding the business needs of the organisation. Clear data protection policies can help to ensure that data protection becomes integrated into the business of the organisation and is not regarded as a cumbersome "add on".
It was agreed that the Scottish Government was in a good position to play a stronger role in devising data sharing policies, especially in respect of projects or initiatives it introduced in the public sector. In contrast, the ICO's office was seen as providing more specialist guidance, in response to specific queries – and to provide a mediation service where disputes arose!
The inaugural meeting came the day after another announcement of extensive data losses, this time within the private sector: insurance company Zurich confirmed it had lost a back-up tape of customers' personal data – containing information relating to 51,000 UK customers. The loss took place in South Africa, giving rise to concerns of a breach of the eighth data protection principle (regarding transfers of personal data outwith the EEA), as well as of the seventh data protection principle (which requires appropriate technical and organisational measures to be taken to keep data secure). With high-profile personal data losses continuing, it seems there is still a pressing need for an improvement in data collection and management, and it is to be hoped that the Scottish Privacy Forum will contribute to the ongoing development of workable policies in Scotland. Our next meeting will be in the first quarter of 2010.