White Label Consultancy | 29th September 2020

Not every man for himself: Risk assessments, transfers and ethical empowerment in the public sector

The saying ‘Every man for himself’ indicates not only a fundamental principle of competition along with an ambitious striving towards a goal. Much more, the saying enhances the idea of singularity and maybe even exclusion. ‘Every man for himself’ thus becomes the tale of insulation and maybe even lack of community-thinking. By ‘community-thinking’ we mean a set of common values and mutual relationships in a system of data processing that takes place in the public sector.

In this blog post we touch upon different values that we identify as needed to ensure a decent interaction between the different stakeholders at hand.

But who is that protagonist ‘every man’. Every man literally is everybody. But we can get even closer to a kind of specific definition. The public sector is ‘every man’. Every tax-paying citizen, being an inhabitant of a national state, continuously delivers tax data, health data and a variety of other kinds of data into the well of data caretaken by the public sector with its multitude of institutions, regions, ministries and authorities.

The legal grounds for the processing of the major part of that data flow in the public sector is not consent but the necessity of processing the data in question according to the principles listed in Article 6 of the GDPR.

When consent is not requested, as the data subject has no way of opting out and the processing is mandatory, the ethical foundation and constitution of the processor assumes a paramount importance and calls for specific scrutiny and attention. This is the case when the public sector is responsible for the processing of personal data. There is as such an imbalance of power that lies in the relation and must be taken into consideration. To quote a famous character from children’s literature: ‘- He who is very strong must also be very kind’- Pippi Longstocking by Astrid Lindgren. Meaning, in this context, that if you hold the upperhand, you must be very careful about how you exercise that power.

Inspite of the imbalance of power and the antagonistic setup, one thing is clear. The latter part of the term ‘for himself’ is a bit off – we’re all in the same boat regardless our power

Trust and trustworthiness – engagement and assessment

Trust becomes an indispensable part of this setting, and trustworthiness becomes the pivotal point. Trust is invested by the data subject in the engagement with the public sector the data subject depending on the ethical constitution of the party processing his/her data. There needs to be a trust-base in the ‘open society’. Where borders are solely physical and even then, they can be transgressed.

Basically, trustworthiness is the quality of actions and intentions by a party as viewed and interpreted by another party who is subject to- or otherwise impacted by those actions.

And trustworthiness is the data subject’s guarantee that data are handled with care and concern. In a transparent manner with clear purposes and leaning on the CIA – confidentiality, availability, integrity as the textbook security parameters.

The public sectors around the world are increasingly undergoing a digitization transformation and in some countries, they are almost fully digitized. Next step for most modern organizations in the public sector is to apply Cloud, and now the plot thickens. Isn’t there an inbound controversy in handing over citizen’s data to a third party? Can the citizen trust the public sector when they let go of some of the control?

Our immediate answer to this question is ‘yes’. There is no discrepancy in entrusting a third party, even a third party in a third country, part of the value chain in the processing of citizen data. Neither is there a legal restrain. Here’s why.

The Schrems II ruling

The Schrems II ruling is significant in many ways. Invalidating the Privacy Shield as a data transfer mechanism and upholding both the standard contractual clauses (SCC) and the binding corporate rules (BCR) as legal mechanisms still to be used when transferring data is the core take-away from the ruling. The incitement of the ruling is clear; we need basic guarantees when transferring data to countries that are not part of our data protection framework. We need to know that data are handled in the same way that we promise each other in EEA. Otherwise we are going to lack good reasons to trust the entities caretaking our data.

But the main issue in this case is neither legal nor territorial. It is on actual security. And we must remember that neither the GDPR nor any other national laws state that data transfers are illegal. GDPR states that certain security measures must be in place, but those might as well be in place in Dhaka as in Dublin and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

What needs to be done, amongst numerous other initiatives, when the public sector choses to use a sub-processor, eventually in the Cloud, is to make sure that the security measures – organizational, technical, physical as well as legal, are proportional and allow for continuous trust between the citizen, the exporting organization and the importer/sub-processor. In Denmark there is a term ‘to trust blindly’ and obviously this is not feasible when the subject of the trust is of great value. All parties must act with great care which is why assessment of all joints of the chain must take place. These are some relevant considerations one can delve into when dealing with the complex topic of data transfers between entities around the globe.

Sharing the burdens in a joint venture

When assessing the different joins of the value chain it can be an almost unmanageable task for many organizations, but especially the public sector that delivers numerous services and utilize many different systems. What we will suggest in the following is that the assessment of the processing, the security of the importer or vendor is not a responsibility that is solely pushed towards the vendor, but a responsibility that is shared amongst the stakeholders applying collaborative methods to reach the common goal; to create the best possible security under the relevant circumstances for the citizen (every man).

The exporter of data (in this case the public sector) can shoulder only some of the workload, and therefore inevitably additional pressure is being put on the importer that is requested to deliver packaged information on specific topics and issues in order to satisfy the exporter.

The data importer being the object of investigation, is burdened by documentation requests, requirements and asked to perform detailed audits in order to provide the information that will meet the expectations of the exporter. On the other hand, the exporter/data controller might have a hard time getting the relevant documentation from the vendor.

The importer/exporter relationship is indeed very complex and sensitive. This stems from the very nature of the relationship as importers/vendors are held accountable for providing documentation of their compliant processing. There lies within this relation a natural division of labour which puts the burden of evidence on the shoulders of the importer/vendor, but the exporter/data controller certainly has a responsibility of enhancing a good work environment and being worthy of his/her responsibility of assessing in a professional manner.  From an atmosphere of lack of trust, the data transfer cooperation tries to find direction, and adequate measures are applied as the process continues. The process of risk assessment likens a battle to the death where responsibility is something, you’d rather give to others than to carry yourself. This is a pitiful reality that probably has occurred in the slipstream of the massive fear enhancing media coverage up to due date 25th of May 2018 and in the slipstream of a fearful atmosphere on the subject in general.

Sadly, to these assessment prior to data transfer cases, there is an initial imbalance and a lack of proportions if one does not act with due caution. We are still awaiting the guidelines from the EDPB after the ruling of Schrems ll, but interpreting the actual ruling it does not necessarily put additional demands on the security of transfers to third countries and the importers there – it depends on the actual level of security contributing to safeguarding the demand of compliance with the essential guarantees in the GDPR.

So before panicking as an exporter, one should have a look at the actual setup and the documentation of the security and in a cooperative manner engage the importer in the assessment you’ve made. This would be a fair, transparent and proportionate strategy for all parties sharing the responsibility and nurturing a trustful relation.

Joint venture – in order to not venture too far

The risks assessed all inform of actions taken and identified gaps that could call for further mitigations. But one needs to assess the mitigating initiatives too and find the most proportionate solutions that do not pose new risks. If for instance, encryption tools are  kept within the company in order to augment the level of security related specifically to external threats, there is a potential default risk, as the tools may be lost or forgotten about when employees leave the company for new roles or are moved around in the organization chart when internal roles are changed.

The initial mitigation process thus paves the way for additional risks, the assessment of which are less precise and less predictable, and these secondary risks are of a much more futile nature and more complicated to assess.

The point is, that there is no end to the string of risks, but there a possible new beginning tying the exporter and the importer together in a symbiosis, that may be long lasting if the string of risks stemming from mitigation processes are handled well. Before putting the newest most advanced technology to use or putting a demand on your importer/vendor, one must carefully consider the implications that this could further introduce to both you and other parties in the value chain.

Empowerment

There is no easy solution to these dilemmas or catch 22s, but if the importer is empowered by the exporter, this will promote mutual trust and increase trustworthiness. But the trust must obviously be based on actual circumstances of a high level of security. This can be assessed jointly by deeming the documentation already provided and jointly deciding on new proportionate demands filling in the gaps in a pragmatic and implementable manner.

Transfers to third countries are not illegal. But in a joint venture the exporter and importer must find a level of risk mitigation that is proportionate to the processing and the assessment of the organization as well as the surrounding environment. This exercise is at best done in cooperation to prevent misunderstandings, disproportionate measures or mistrust.

Not every man for himself, then, but all for one and one for all.