Data Protection for Credit Unions
First Compliance have a depth of experience with Credit Unions and deliver ‘scale appropriate’ advice to minimise risk relating to GDPR and your data protection obligations.
Our services for Credit Unions fall into one of three categories:
- Data protection advisory; expert support for the in-house representative, and practical advice on all data protection related areas for Credit Unions.
- Data protection services; gap analysis, policy and process documentation, process re-engineering, compliance monitoring, incident support, risk assessments, impact assessments.
- Outsourced DPO services; outsourced Data Protection Officer (DPO) services or Representation.
“We have found them easy to deal with …. have a range of legal, technical and Credit Union experience that means they understand the risks associated with data protection for credit unions …. a robust process which is appropriate for the scale and nature of Unity Credit Union and I would recommend Paul to others who need support with Data Protection.”
Pat Owens, CEO Unity Credit Union
Nominations – remaining lawful in the context of GDPR
There has been much time spent debating the impact of GDPR upon Nominees, and in particular the requirement relating to the obtaining and the provision of access to nominee information. We provide a concise analysis and recommend a 4 point plan to minimise the exposure to a Credit Union.
What are the data protection issues with nominations?
The key considerations relating to the lawful processing of nominee data are as follows;
- Obligation to inform Subjects of personal data obtained indirectly.
- Denial of access to nominees on foot of an access request.
- Providing members access to their nominee details.
We have examined the management of obligations relating to Nominees in the context of the Credit Union Acts, the Succession Acts, and the exceptions to disclosure provided for under GDPR and Irish legislation. None of these provides a particularly ideal justification for administering nominees in the manner commonly used today.
Actions to mitigate against risk
Considering this position and the almost universal position of Credit Unions to continue to manage nominations in the same manner, we suggest that you consider the following actions to demonstrate due consideration of the rights of the Subject (the nominee) and to protect the interests of the Credit Union should they become the test case in this regard.
Actions to protect the position of the Credit Union include;
- Document an operational risk assessment with a particular focus on the three elements listed above.
- List the safeguards that have been put in place.
- Implement a standard notice relating to Nominees that is to be included in all Access Request responses.
- Re-format the nomination form to bring it into line with the requirements for a document that is subject to the Succession Acts (the requirements for a will).
Retention of nominee data
Article 21.5 of the Credit Union Acts states that each Credit Union shall keep a record; (a) of the names of all persons nominated by its members under subsection (1) and such other details as will positively identify the nominees; and (b) of all revocations or variations (if any) of nominations under that subsection. We suggest consideration of the following process to satisfy these requirements and balance them with your data protection considerations;
- Record nominees in a format suggested in point 4 above.
- Create a separate form for Revocation. It should confirm the wish of the member to revoke the previous nomination and the date on which that nomination was issued in the first instance. It should be signed and dated.
- In the event of a member wishing to appoint new nominee(s), retain a copy of all revocations and of the current nominee form only, i.e. no personal data relating to previous nominees.
- ‘Variations’ are to be attached to the current nomination.
A hard Brexit – key actions for CUs
The UK may be outside of the EU in the near future and this will require safeguards to be put in place by organisations in Ireland before they transfer personal data to the UK, including Northern Ireland. We summarise your legal obligations and the simple actions required to ensure that your Credit Union is not exposed.
Transfer to countries outside of the EU requires one of the following;
- An Adequacy Ruling by the EU. This ruling judges the third state’s data protection as adequate for the processing of EU personal data without additional action, e.g. Switzerland or New Zealand.
- Appropriate Safeguards; these include, among other things:
  - An EU standard data protection clause between the organisations.
  - Binding corporate rules.
  - Approved codes of conduct.
- Failing the above, in specific cases, relying on consent from the Subject, or on the performance of a contract with the Subject.
The awarding of an Adequacy Ruling to the UK in the event of a no deal Brexit is not a given. The enactment of legislation granting powerful surveillance and retention powers to UK policing authorities in 2016 has already been judged as inconsistent with EU regulation and may prevent a full adequacy ruling.
Note: the UK has already stated that it is permitting personal data to flow freely from the UK to the EU.
Advance planning that is likely to minimise exposure to the Credit Union in the event of a hard Brexit includes;
- Assess your IT systems and ensure that you are not transferring personal data to the UK (e-mail, operating systems, analysis systems, insurance, storage of voice or cctv).
- Where a written instruction has not been already received, write to all members who have requested their documents to be sent to the UK to confirm that instruction in writing.
- Amend your membership agreements to state that instructions to transfer data outside of the state are considered an expansion of their agreement with the Credit Union. This is not strictly necessary, however, it is a measure that is likely to provide additional clarity and confirm that any instruction is part of a contract (membership agreement) rather than consent. This will reduce the likelihood of an action against the Credit Union.
Breaches – When should a Credit Union report?
Breaches are one of the critical events most feared by any organisation. Where the personal data involved includes financial data it can become an emotive issue for Members and result in regulatory intervention. There are specific processes and actions that will minimise exposure and we summarise them below.
Understanding the process & high level actions
This is a well understood process, however there is often a nervousness when individuals need to apply it in practice. You can find a fully documented breach process here. The three basic steps (in this order) are to:
- Take action to minimise/correct exposure or risk to the Subject.
- Assess the risk to understand if the DPC or Subjects need to be informed.
- Document the actions taken.
A breach relates only to the loss of control over personal data, and needs to be reported when it poses a risk to the rights and freedoms of the Subjects. A breach can include:
- A cyber breach.
- Accidentally providing the personal data of one member to another.
- The loss of a laptop, mobile phone or other device containing personal data.
- Sending an e-mail to the wrong person.
- Using data for an unlawful purpose. This is often unintentional, however it is still a breach, e.g. cctv, excessive voice recording, or the use of proof of identity or other contact details for a purpose other than that for which it was obtained.
The most effective way to prevent these incidents is through the implementation of good process and staff training.
How to manage breaches with ease
The main reasons why breaches cause real stress to a business are their infrequent occurrence and the threat of having to report to the regulator. We would suggest the following actions to most organisations to ensure that they are confident in their steps to react to a breach;
- Have an individual (not necessarily a DPO) appointed to be knowledgeable of the process and to take ownership.
- Have all staff trained to react immediately and to report internally. There is a 72 hour timeline on reporting obligations.
- Know when to report. Have a simple risk analysis prepared in advance. Reporting is normally advisable except where the data is encrypted or has been transferred to a trusted party. Note: reporting a breach is normally advisable and there is no penalty if the breach is withdrawn or reclassified at a later stage. The Data Protection Commission (DPC) currently encourages reporting.
- Be aware that the DPC is focused on delivering good outcomes, and will provide advice to you if need be. They are good to engage with and not likely to impose punitive conditions upon a CU unless they are warranted.
- Know when you need help. These may include;
- IT support.
- Professional advice relating to reporting obligations.
- Risk mitigation actions.
- Train staff; training to create a culture of data protection is one of the most effective ways to avoid, and to react to, breaches.
We do not wish to underplay the significance of a data breach, simply to emphasise that good preparation and a cool head in the event of a breach are likely to protect the Credit Union from reputational or regulatory harm.
Subject Access Requests – The key elements for ‘street wise’ management of Access Requests
Many Access Requests are the result of grievances by members or by staff, and these events are often a key indicator of another underlying issue or of a possible legal action. There are 5 clear actions that every CU needs to implement to assure good process and ensure that it avoids some of the hurdles that could result in litigation or regulatory action.
There are many standard parts of the legislation relating to Subject Access Requests (SARs) that are commonly understood within the CU community, like the 30 day timeline, the exceptions to the requirement to disclose, and how to respond to Subjects legitimately. We provide a complete process document here for free. This paper focuses on how to remain ‘street wise’ while managing Subject Access Requests.
The 5 key ‘street wise’ elements to avoid unintentional harm to the CU are;
Recognise a request
Valid and legitimate requests may be served electronically, on paper or by word of mouth. Particular attention needs to be paid to;
- Recognise a request. GDPR has enabled SARs to be served orally, and all members of staff need to be aware that if a member requests access to their personal data this has a legal implication. Where a member of staff is not certain whether they have been served with a SAR, it is essential that the data protection representative is informed and can decide on a course of action.
- Recognise whether this is a request for ‘information’ or for ‘access’. There are separate requirements in law for each of these situations, and a false interpretation of the request could expose the CU to unnecessary effort or to liabilities.
De-escalate a request at an early point
Our experience is that Controllers often assume that a request is for full disclosure of information. We typically recommend that the CU communicates with the Subject at an early stage and asks the Subject what they are looking for. This will typically reduce the amount of data required and provide an opportunity to understand the context of the SAR. This simple action will often de-escalate a situation and enable the CU to address the core motivation behind the request.
The importance of Identity
Having identified a request, this is perhaps the most important action to avoid a reputation-damaging breach. Personal Data must be requested and released to the Subject only, and if the request is made by a third party representing the Subject, this must be verified explicitly. Be thorough. If the CU fails on this count and solicitors become involved at a later stage it will cause real harm.
Many organisations accept the bona fides of a request from a solicitor on a Subject’s behalf, and the regulator has indicated likewise; however, it is prudent to always seek validation.
Additionally, scammers have been known to go to some length to impersonate a Subject to access data. If the CU falls for this trap and releases personal data, this will be a data Breach. A scam of this nature is normally with a view to extortion, and the mere association with this type of activity can cause severe reputational damage to a CU.
Follow a documented process
All elements of the SAR process need to be administered effectively. A well written process will guide the CU and demonstrate data protection preparedness to the regulator in the event of regulatory action. A full SAR process document is available free here from First Compliance.
It is also sensible to have a well constructed Privacy Notice that fulfils many of the other requirements relating to notifications to a Subject in the event of a SAR. This will avoid an inadvertent failure to comply with the specific requirements of a SAR response as detailed in law.
Understand what has to be disclosed
The CU has an obligation to store personal data in a lawful manner, and that includes both the capacity to keep it safe and to organise personal data in a manner that enables access or deletion consistent with its purpose. Many CUs also have historical systems (often on paper or microfiche) that cause further difficulty. These formats need to be catalogued.
In any event, the CU needs to make reasonable effort to retrieve such data and to be aware of the exceptions to disclosure. There are many exceptions to disclosure, and perhaps the most discussed (nominations aside) is the release of data relating to employees in the course of their work. Precedent has been set in the French and Irish courts that suggests that an organisation does not need to release data that is exclusively related to the fulfilment of a work function unless it is in some manner personal to the Subject.
Particular care also needs to be taken not to release third party personal data. We recommend a thorough review of the data to be released, typically by a person other than the person who compiled the data, to redact all third party data. This simple action inevitably results in a safer process.
Similar information relating to Access Requests by State Authorities (Garda, CAB and etc.) can be seen here.
State Authority (Garda, CAB and etc.) Access Requests – How to avoid embarrassment in court
State Authority Access Requests (SAAR) are a relatively common occurrence for Credit Unions, with a request for cctv footage being the most common. This is typically on foot of an investigation of a potentially illegal act, and the information that you provide is evidence. If the case goes to court you will be called to validate that this data was obtained legitimately by you and by the authorities.
It is important to stick to a formal SAAR process and never to take a shortcut. Acknowledging that you took that shortcut is likely to be the event that causes real embarrassment in court. In the event of key information having been obtained unlawfully it will destabilise a case and in many instances cause a judge to halt the proceedings. This may subsequently result in the CU being pursued for an unlawful release of personal data.
The key elements of the good management of State Authority Access Requests are;
- State authorities can ONLY request data on the basis of a law. Make sure that this is quoted and recorded by the CU before any release.
- Always be mindful that this could end in court with you as a witness. Solicitors will always examine the legality of the obtaining of key data. This has the potential for a judge to dismiss a case.
- Be prepared and follow the process tightly. A full SAAR process document is available here at no cost from First Compliance.
- Document the request and the formal identity of those making the request. A template report is included in the documentation from First Compliance.
- Unless it is an emergency, taking time to get the process and information right is time well spent. In this environment, information that takes time but is accurate is infinitely more valuable than information that is fast but potentially compromised.
- Apply a good measure of common sense. It is never the intention of a Credit Union to frustrate authorities, simply to make sure that process is not compromised.
These simple actions will help the CU to avoid a potentially embarrassing release of data and enable you to manage these events with confidence.
How to keep it simple
Data Protection regulation is often implemented in Credit Unions in a manner that could be considered over-engineered. While in many aspects this is necessary, particularly because of the nature of the business of a Credit Union, GDPR provides for many aspects of compliance to be proportionate to the scale and nature of the Controller. This enables CUs to make risk based decisions relating to implementation. We examine operational risk in this context.
Credit Unions need to take a ‘call’ on many items that require judgement. These items are considered in good faith in the interest of both the Members and the CU, however they may be open to regulatory challenge. Issues that may require a judgement call include;
- the acceptance of ID from a person who may not have a passport or driving license,
- managing vulnerable persons in the context of the Assisted Decision Making Acts,
- live monitoring of cctv in certain circumstances,
- the obtaining of and access to Nomination data or,
- the retention of withdrawn loans information.
The Credit Union needs to document the rationale and considerations that led to these decisions and demonstrate that risks to the rights and freedoms of the Subjects were considered. We recommend the maintenance of an Operational Risk Record (ORR) that documents each of these decisions and delivers:
- A description of the issue
- The decision taken
- The safeguards put in place to protect the Subjects,
- The effect of not taking this decision
- A risk analysis of the impact on the Member and the CU
This enables the CU to make reasoned decisions relating to the delivery of service and demonstrate a structured process to manage operational risk.
Once implemented, this process is easy to maintain, enables the CU to systematically manage data protection related operational risks, and allows it to defend its position in the event of an action by the regulator.
How to protect your Credit Union against risks relating to GDPR
Data protection regulation can be seen by many Credit Unions as another piece of legislation that puts more obligations on the organisation, however, many have not taken simple steps to minimise the risks from GDPR. This piece explores how to simplify your processes and to reduce exposure to GDPR related risk.
A risk based approach to GDPR
Managing data protection obligations has come into clearer focus over the last few years due to the additional regulatory requirements imposed by the GDPR. There is a very real threat of this legislation becoming a divisive tool in the event of legal action against the CU. There are three distinct categories of activity that any CU should consider to evaluate their level of data protection maturity;
- Gap analysis to identify exposures
- A plan of action to understand the risks and close vulnerabilities
- A clear and simple ‘monitoring, reporting and reaction’ plan for ongoing management and oversight
This may sound simple, and these activities may overlap, however, segmenting your approach in this manner brings real clarity and enables you to impose structure on those engaged to manage these obligations for the CU. These steps will enable a risk based approach and position the organisation to embed a culture of data protection. They will also minimise the effort required to remain compliant.
Where the risks from GDPR will come from
The risk of liability will typically come from members of staff, your members, your suppliers, or from criminality.
Employees/Volunteers and GDPR
There are many issues to consider in relation to staff. These are the three most likely to help you to significantly reduce risk;
- Employee handbook; have well written data protection terms in your employee handbook. Remember to cover the use of e-mail, social media, the use of ‘work based’ personal data in the event of an Access Request, and the personal responsibility of an officer in a regulated industry.
- Electronic surveillance; this is the most likely activity for a solicitor to focus on in the event of conflict. Significant awards have been paid out for infringements relating to the monitoring of staff in the workplace. If you use cctv and voice recording you need to ensure this data is used lawfully. Reliance on data used unlawfully can jeopardise a case and an opposing lawyer will know this. Caution is advisable.
- Training; provide your staff with appropriate ‘street wise’ GDPR training and they are less likely to inadvertently cause you a liability.
Customers/Suppliers and GDPR
Where a customer or supplier owes you money, has a complaint or is exposed to a liability themselves and they seek legal advice, they are likely to use any GDPR infringements by you to their benefit. The top actions to protect yourself from claims are to;
- Have a well written data protection clause in contracts with customers and suppliers.
- When provided with customer/supplier 3rd party personal data (their employees & etc) ensure that they warrant that that data has been obtained lawfully.
- Cater for the transfer of debt and use of sub-contractors.
Malicious Attack/Hackers and GDPR
This is becoming an increasingly relevant concern to all organisations as people become more aware of the value of personal data. Ill-doers know how easy it is to sell personal data on the dark web and that controllers will often pay to retrieve their valuable data (rather than have it made public). Recommendations for preventing malicious attack are;
- Keeping paper documents secure, particularly the personal data of members. Data theft isn’t necessarily digital.
- Knowing where your digital data is processed and how it is used. Many CUs do not know where their data is, often on e-mails or on managed services and do not have a full picture of how that data is processed. A simple data flow map that is easily understood by management can be very informative and a practical solution. The CEO and senior management need to know this, not just the IT person.
- Good housekeeping; Keep anti-virus and firewall software up to date and systematically examine access logs to your IT systems and secure locations.
- Most staff have a positive approach to data security when their responsibilities and obligations are explained in a clear manner and without the legal mumbo-jumbo.
Managing business risks relating to GDPR
Be aware of false positives
Many Credit Unions have documentation or processes in place to manage GDPR obligations that are high on good intent. However, they often miss key elements that;
- A claimant’s solicitor will focus upon in the event of a claim
- Are designed to protect the organisation from harm
- Can be implemented in practice in the context of a Credit Union
Top offenders are often the IT department or a legal person with a surface level knowledge of the relevant legislation. A data protection maturity analysis in the context of your current preparedness for a GDPR related claim may close many gaps and minimise your exposure to risk.
Keeping your Credit Union GDPR compliant
The basics are simple
- Know your purpose and basis for processing personal data
- Have the basic data protection policies in place
- Inform subjects of their rights (a mature privacy notice is essential)
- Have an ‘Access Request’ and ‘Breach’ process in place
- Keep personal data secure
These are the basics that a representative will require to protect you in the event of GDPR being used in a claim against you.
You can find the FREE First Compliance ‘Access Request’ and ‘Breach’ processes documents here.
Unnecessary Appointment of Data Protection Officers in CUs
There is no mandatory requirement for most Credit Unions (CUs) to appoint a Data Protection Officer (DPO), however, many have done so. The position of a DPO is a statutory role with defined authorities and protections that impose real costs. This position is not designed for organisations on the scale of most Irish Credit Unions and there is a better way to manage these obligations.
The General Data Protection Regulation (GDPR) provides for the appointment of DPOs for organisations that manage personal data on a large scale or where their core activities involve the management of special data. There is much debate over the definition of ‘large scale’ and, while it is not an exact science, non-state organisations with under 200 employees are unlikely to fall into this category. Additionally, the collection of special data in CUs normally comprises CCTV or voice recordings, or is in relation to HR matters or to insurance. These are not core activities. This being the case, the appointment of a DPO is a voluntary action.
However, should a regulatory authority (the Central Bank) or another statutory body express an opinion that a DPO is likely to be necessary for certain categories of Credit Unions this may create a situation where an appointment is advisable for some.
A practice has arisen in the sector to appoint DPOs. Our research has indicated that this is likely to have originated from an ‘if in doubt, appoint’ approach suggested by an industry body, and in the absence of more informed advice it gained momentum. Additionally, a history of enforcement action from regulators in this sector has instilled a fear of the consequences of inaction. These appear to be the prime factors that have led to the appointment of DPOs across the sector.
Where an individual has been formally appointed as a DPO they have statutory authorities that are designed for a large scale body. DPOs must not be instructed how to carry out their roles (to do so is unlawful and exposes the board to liability) and may demand the resources that they require to fulfil their roles. Additionally they “shall not be dismissed or penalised” in relation to the performance of their role.
In our opinion this exposes a Credit Union to three forms of risk that are unnecessary;
- It opens the role to become greater and more costly than necessary.
- Exposes the board to risk should it want to provide direction or curtail activities.
- May lead to significant HR issues should a Credit Union need to part ways with a DPO.
This level of risk is simply not necessary in the context of Credit Unions in Ireland.
Credit Unions need to demonstrate reasonable oversight, in the context of the scale and nature of the individual entity, to manage their obligations. This can be satisfied by;
- Appointing an internal representative with responsibility for data protection. This is not a formal DPO role and is not subject to the regulatory control.
- Appointing third party professional support to support the representative.
This will enable the CU to implement appropriate processes to manage the ongoing oversight requirements and to react to events or incidents with confidence. In the absence of incidents or policy/process reviews the role of a representative should demand no more than two days per month.
This structure will cost less, enable the CU to avail of experts with broader industry knowledge, and cut through much of the over-engineering of the role that is currently prevalent in the sector. It will also empower the CU to act swiftly and in a more informed manner to manage events that may arise.
Reducing Cost of Managing your Data Protection Obligations
The cost of managing regulatory obligations is often overplayed and, in the case of data protection, the deliverables do not always protect the Credit Union (CU) to the degree that they should. The processes to minimise risk relating to Data Protection regulation for Credit Unions are in the main a set piece, and the ongoing maintenance of standards should not be cumbersome; however, this is not the full story. The risk of liabilities is most likely to come from a small number of items and in our experience these are not well managed in the CU environment.
That said, the greatest exposure to unnecessary costs often comes from ‘false positives’; believing that a Credit Union has good processes in place where in reality there is room for improvement.
Many Credit Unions have overly complex processes in place with elements of duplication, and they should really focus on the basics that will guard against risk. These typically include the management of loans documentation, CCTV and voice recording, nominations, staff contracts, the monitoring of staff at work, the culture of redaction and the management of identity data. Additionally, well written and concise Access Request and Breach processes are an essential element of any Credit Union’s preparedness. Sadly, what we see in practice is often lacking in substance. You can find free process documents here.
The ongoing requirement should be embedded in the normal working of the Credit Union and the effort to maintain this should be minimal. Costs should primarily relate to training, oversight and the capacity to manage events. These should use simple and well documented processes and not be cumbersome for a Credit Union.
If you currently use a legal or accounting firm to manage these responsibilities it is (in our experience) quite possible that they have not implemented effective process change to minimise exposure to risk and the corresponding reporting process. First Compliance provides an informed service that is focused on the avoidance of risk to a Credit Union; it is typically less expensive than the traditional provider and delivers exactly what a Credit Union needs.
How Expert Advice Reduces Risk Related to Data Protection
Expert support for Credit Unions should fall into two distinct categories;
- Process update – the update of policies, processes, notifications and training to reduce the exposure to harm from data protection regulation.
- Professional support – seasoned professional support to guide and advise the compliance officer (or Data Protection representative) to remain compliant and act in a manner that avoids risk. This includes systematic review, mentoring, training and hands-on support in the event of an incident.
Engaging experts with Credit Union and broader industry experience can shortcut the processes, remove many areas of uncertainty, identify the risks and ultimately save you time and money.
First Compliance have a real depth of knowledge in the Credit Union sector and can reduce your exposure to risk related to GDPR. Call us on 087 7787606 or reply to this mail for an initial confidential conversation.