After Clive’s campaign had finished in Witney, I offered to help NHA Party with setting up information governance processes for the party. At the time, the Information Commissioners Office had guidance for non-profit organisations in multiple places, but now have an excellent self-assessment toolkit:
There are some areas which are not clear for political parties which I’ll come to later but the link is a great starting place. Confidential information removed from examples below.
Whatever I did needed to be comprehensible for volunteer staff, paid staff and mix of healthcare staff, some of whom would have NHS information governance knowledge / experience, others with none. I have had to write some information governance processes and documentation for learning or online collaboration systems I’ve been involved with and I’ve also been involved in developing Information governance eLearning and working with subject matter experts. It is also expensive to sign off against ISO 9000, 27000 etc and was out of scope at the time.
I started by writing a privacy impact assessment. I informed various members of the Executive of their roles in relation to data protection and party activity, Clive especially was extremely helpful in encouraging this to happen. I contacted each member of staff (voluntary or paid) and did what might be called business process analysis – asking what they did, what they used to do it and where they stored the data. The risks are quite common to different types of organisations.
I contacted each of the technology suppliers used by NHA Party to check how they processed data and I assessed them at the time as ‘adequate’ with a gigantic ‘but’ based on the information they had provided. The ‘but’ was due to the time of the disclosures of NSA illegal data processing and the inadequacy of Safe Harbor (where companies had applied) as indicated through the Max Schrems EU judgement. As EU Data Protection legislation in consultation at the time – for the size of the organisations involved including NHA, I highlighted the risks to the Senior Responsible Officer (SRO – Clive) and Senior Information Risk Owner (SIRO – Head of NHA IT) and we decided that it would be better to communicate in more detail to members about those risks and continue to investigate model clauses and agreeing information processing agreements (draft example – if I was doing again, it needs updating).
Due to the party’s size and small numbers of staff, rather than create multiple documents, I created an information asset register for the party for all known documents and included the risks and data integrity assessment. I began consultation on a local groups information asset register based on the overall IAR.
The issue that differentiates small political parties from small non-profits is that member documentation is not the same or used for the same purposes – so if you are doing a mailshot for a political party to their own members with different levels of membership, it is not specific in data protection wording / guidance so you have to assume applicability based on any relevant cases from the major political parties which have received public attention.
Before I left the party, I wrote a data breach process draft for consultation and a draft policy because I wanted to leave the party in the best position that I could, even with everything in draft, so that they could make any decisions they needed to make. I also wrote some draft training materials including igtraining. It is different working with volunteers and trying to explain standard IG concepts in a motivating way as another party volunteer myself and I had some difficult conversations that could have gone better.
There was a huge amount of documentation, laws and guidance to read but could do this again in 8 steps:
- Complete the ICO Self Assessment toolkit or similar.
- Write a privacy impact assessment
- Consult with staff / members / Executive about how they currently process information
- Update privacy impact assessment
- Draft and sign-off information asset register/s
- Draft and sign-off data breach process
- Draft and sign-off IG / data protection policy
- Ensure staff are trained.