Information Governance

Real-World Example of Why it is Critically Important

Over the past week the Irish State has been rocked by revelations that the Irish police (An Garda Siochana) had been recording calls into and out of police stations since the 1980s. Representative bodies for both rank and file police officers and the “management” layer in the organization quickly declared their shock and surprise at this, with questions being raised by them about who was doing this, who was overseeing this, and what the purpose of the recordings was. The most senior ranking officer in the force retired suddenly as the story broke, perhaps the first in a series of heads that might roll as a result.

Over the course of the week, it emerged that the issues had been known about for many years and had arisen in a court case in 2013 and again in recent months. Various agencies had met on various aspects of the recordings but there had been insufficient or incomplete communication at government level as to the fact of the recordings and the implications. It also emerged that far from being a “legacy” process which had just been left switched on, unattended and forgotten in a dusty broom-cupboard of an office, the system had been updated twice in the last few years.

The last time it was updated coincided with the introduction of a Code of Practice for Data Protection (Privacy) by the Irish police force in 2007. However, no consideration appears to have been given to the data protection implications of the recording during the tendering for the most recent update to the system, which took place in 2008.

The Irish Government has convened a full Commission of Inquiry to assess the implication of the recordings that have been recovered on both analogue tape and digital media. The potential exists for both significant breaches of privacy rights and also for convictions to be declared unsound on the “fruit of the poison tree” grounds should evidence have been identified from recordings that were obtained unlawfully. Questions exist around the reuse of tapes historically with calls being recorded over.

The absence of certainty is a significant issue. The unanswered questions remain hanging like vultures around the careers of a number of senior officials, and potentially the government. Information is still coming out and the full facts may only be known when the Commission of Inquiry has finished its work.

Basically it’s a bit of a headache and no mistake.

But it is a great example of the importance of an active and engaged Information Governance culture and structures in an organization, particularly as purposes for processing information, legislation, and technology evolve over time.

An Alternative Present

In a conveniently located parallel universe, there is also an Irish Police force. It is led by Commissioner Myles O’Brien, who bears an uncanny resemblance to a Star Trek character. In true Star Trek parallel universe style he is proud of his goatee. Myles has 40 years under his belt as a police officer in a variety of roles.

He was involved in the original installation of a call recording system in the 1980s, when bomb threats were regularly phoned into police stations by terrorists from Northern Ireland and some members of organized criminal gangs. Being a student of history, he remembered Nixon’s downfall as a result of recordings so, despite there being no “top down” mandate to do so at the time he kept detailed records himself of the reasons why calls were being recorded and he documented the processes that were being used and technologies deployed for that recording. He logged that there were certain phones that were recorded and he logged the other phones that were outside the net.

A few years later he was seconded into the Technology directorate in the police force. There was a project underway to upgrade the call recording system. Myles was asked to contribute to the process. He produced his notebooks of processes, business rules, and exceptions to the rules for the project team. This saved them a few months in implementation time and Myles got agreement that they would formally document all the processes and business rules he had logged and put a proper Governance process around the change management of things, such as if a phone extension in a police station was moved, to make sure that only those telephones that needed to be recorded were recorded.

He also got agreement to a paper-trail of decision rights where any changes to the recording configuration were being proposed so that any risks to criminal prosecutions arising from the existence of the recording technologies were mitigated. He encouraged the “powers that be” to include reminders on protocol and processes for call recording in regular internal briefings and had signs put up in secure areas to remind police officers of the recording protocols.

Due to his diligence on the project, Myles was encouraged to go for another promotion and soon he began the climb from humble sergeant to the top ranks of the organization.

In 2007 he was working on two big projects: the upgrade (again) of the call recording system to replace tapes with digital recording, and the roll out of a formal Code of Practice for how the police force would comply with Data Privacy rules. As an Assistant Commissioner he had oversight now of all operational technology issues in the force. But he missed getting his hands dirty on projects so he’d chosen to get involved directly in these two projects. He was concerned about:

  • Retention of digital recordings – the old tape system had meant that calls were recorded over unless pulled out for evidence purposes. Now all calls could be retained indefinitely.
  • The Terrorist threat had receded – so what was the purpose for recording calls now? Were there other reasons why it could or should be done?
  • The potential ease with which telephone extensions could be added to the call recording pool in the new digital system and the need for controls and protocols to prevent unauthorized recording of calls between staff and their families or, more importantly, between prisoners and their lawyers.

He was conscious that the Code of Practice on Data Privacy set out some clear statements of intent around compliance with a broad and occasionally complex area of legislation and he had to ensure that the culture of “note everything down just in case” that had existed in the force was tempered by structures and processes that ensured a respect for privacy and ensured clarity as to the acceptable purposes for recording and retaining calls. After all, he didn’t want to risk valid convictions being overturned due to overzealousness by junior officers presented with a shiny new toy.

Myles ensured clear documentation of every phone that was being recorded. He established clear protocols for the use of recording and made sure that this was clearly briefed to all senior officers and the staff who would be extracting call recordings from the digital system. He established an audit log protocol and undertook that he, or his successor, would be accountable for ensuring that that log was audited and unauthorized access to recordings or unauthorized modifications to the configuration of the recording processes would be a serious disciplinary matter.

He conducted a review of all the potential reasons why calls might need to be recorded. Having identified a few, he determined that the best approach would be to flag on all numbers that citizens would call in on that calls would be recorded for “Quality and training purposes, for use as evidence in investigations or prosecutions, or for National Security reasons.” If it was good enough for a call center it was good enough for him, he decided.

All processes were documented and shared with key decision makers in the Attorney General’s office and the Data Protection Commissioner. Clear protocols for the destruction of recordings after 90 days unless retained for use in criminal investigations were in place.

Myles found himself promoted soon after that to Commissioner.

And it was as Commissioner that he got a call one day from the independent Police Oversight authority regarding allegations of secret recording of calls in police stations. He smiled. He offered to bring copies of all the process and protocol documentation, along with the audit and control logs for the past three years over to them personally and to go through them. He did, and the Oversight Authority was happy that there was no abuse of the system and that no issues affecting the validity of prosecutions or convictions arose.

A call came through to Myles from the Minister for Justice about the same matter a few hours later. “Was this a matter for concern?” he was asked. “Perhaps, but only if someone has gone around our governance and if they have I’ll arrest them myself,” he replied.

And that weekend he read the papers knowing that, thanks to his efforts over thirty years ago, he was able to answer any questions that might arise about those recordings. He chuckled over his eggs and bacon at a headline referring to the recordings. He knew he had put in place strong structures, an appropriate culture, and auditable and verifiable controls to strike the right balance between privacy rights and policing.

“Move along, move along. There’s nothing to see here!” he smiled. Forever a beat cop at heart.


About Daragh O Brien

Daragh is the Founder and Managing Director of Castlebridge, a leading Information Governance, Privacy, and Strategy consultancy based in Ireland. He has a degree in Business & Legal Studies from University College Dublin, and is a Fellow of the Irish Computer Society. Prior to founding Castlebridge, Daragh worked for over a decade for a leading Irish telecommunications company in roles as diverse as Call Centre operations, Single View of Customer Programme management, and Regulatory Compliance and Governance. He is a regular presenter and trainer at conferences in the UK and worldwide. Apart from his consulting and education work, Daragh is also Data Privacy Officer for DAMA International, a faculty member at the Law Society of Ireland, and a contributing research partner to the Adapt Centre in Trinity College Dublin. He lives in Wexford in the South East of Ireland and can be reached at daragh@castlebridge.ie or on twitter: @daraghobrien. In 2016, he was ranked by Onalytica as the 24th most influential person on Twitter in Information Security (including Data Governance and Data Privacy).
