How My Council Services supports GDPR compliance
The purpose of this document and disclaimer
The purpose of this document is to help existing Abavus customers understand how My Council Services can help them comply with the EU General Data Protection Regulation requirements which will came into effect in May 2018.
The My Council Services platform is designed to comply with the following national and international legislation with regards to data protection and user privacy:
UK Data Protection Act 1988 (DPA)
EU General Data Protection Regulation 2018 (GDPR)
The document provides an overview of the general approach that Abavus Ltd is taking to GDPR, as well as describing specific details relating to the use of the My Council Services digital platform as it relates to GDPR compliance.
Note, not all organisations use all of the features of My Council Services so not all the information in this document will be relevant to every customer. Note too that this document relates only to data held on the My Council Services platform. It does not cover other third party systems and databases that customers might use.
The information in this document should not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of Abavus’s products or services.
Abavus is registered with the Information Commissioner Office (ICO) as a data processor. Details of our ICO registration are here: https://ico.org.uk/ESDWebPages/Entry/Z2907810
What is GDPR and why is it relevant to My Council Services?
The European Union (EU) introduced its data protection standard over 20 years ago through the Data Protection Directive 95/46/EC. Because the EU requires each member state to implement Directives into national law, we have ended up with a patchwork of different national privacy laws.
Over time, technological developments have introduced new challenges to the protection of personal data. In response to this situation the EU has developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all member states. The process of the United Kingdom leaving the EU will not alter the need for UK-based organisations to ensure full compliance with GDPR. GDPR is effective from 25 May 2018.
GDPR is relevant to any organisation, whether based inside or outside the EU, that processes personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information in other parts of the world, is any information relating to an individual that enables them to be directly or indirectly identified, for example by reference to identifiers such as names, identification numbers, location data, online identifiers (including pseudonymous identifiers) or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity. With new and strengthened rights for individuals, accountability requirements for companies, and increased scrutiny by regulators, organisations collecting and handling personal data in the EU, both offline and online, will need to consider and manage their data handling practices and use cases more carefully than before.
Key principles of GDPR
Under the GDPR, the data protection principles set out the main responsibilities for organisations. More detailed advice is available on the Information Commissioner’s website here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
In summary, Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Managing and processing personal data in My Council Services
GDPR consolidates and strengthens existing rights for individuals such as the ability to have their personal data rectified or erased upon request, or the right to receive a copy of their personal data. It also introduces new rights for individuals such as the right to data portability.
Organisations are therefore expected to carefully review their current practices with regard to the management of their data records in cloud-based applications such as My Council Services, whether those relate to their employees, their end-customers, their suppliers or their website users. The following sections describe how My Council Services supports compliance with GDPR.
Where is data held in My Council Services Stored?
The GDPR imposes restrictions on the storage and transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Details are available on the ICO website here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/.
All the data captured via the My Council Services platform is stored and processed within the UK. We do not move data outside of the UK. All customer data is housed and processed in two data centres in separate London locations: a primary data centre and failover data centre. Access to and visibility of data is controlled via the My Council Services Role-based Access Control (RBAC) module.
The legal ownership of the data resides with the Council. We will not delete the Council’s data on its customers from our systems without the proper permission from the Council.
How long does My Council Services hold personal data for?
We hold the data until one of the following occurs:
- We are instructed by the Council to delete it (subject to there being lawful grounds for deletion)
- The Council terminates its contract with Abavus and the related My Council Services instance and all associated data is permanently and irrevocably deleted
- An individual data subject deletes their data or selects specific records of their data for deletion. In this context any re-registration or deletion request will be subject to the overarching data retention policy that has been set by the Council
How does My Council Services support the individual’s right to erasure?
GDPR gives individuals the right to rectify personal data that is inaccurate or to have incomplete personal data completed.
Article 16 of GDPR states:
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.
In addition to the ability to rectify or update personal data, Article 17 gives data subjects the right to erase personal data on request in specific situations. This right is also commonly referred to as “the right to be forgotten”.
My Council Services enables data subjects who are registered users of the My Account Portal to request erasure or full deregistration of their data (see figure one below). An anonymised record of services requests and cases is retained for the purposes of accurate historical reporting on service activity by the Council.
All erasure and de-registration processes are subject to the Council’s wider data retention policy. If a data subject requests de-registration, but the Council has the lawful basis for retaining such data, for example if the individual owes money to the Council, then the lawful right to retain data will override the de-registration request.
Organisational data retention policy will be a configuration-controlled capability on the platform. This functionality will be available for use before the 25th May 2018.
Figure 1 – Tools for erasure and deregistration
How does My Council Services support data minimisation?
Existing data protection legislation requires organisations to ensure that they only collect the personal data they need for the purposes they have specified. Organisations are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected. Data that has been collected for one purpose cannot be repurposed without further consent. GDPR further strengthens this principle, stating that data should be “adequate, relevant and limited to what is necessary for the purpose it was collected.”
The My Council Services platform supports Councils’ data minimisation obligations. The Master Data Management modules of My Council Services (people, organisations and assets) enable the scope of data held on individuals to be effectively managed and monitored, and are designed in such a way as to minimise the replication of data held.
That said, it is incumbent upon Councils to develop and document their own policies to demonstrate their commitment to data minimisation as part of their overall GDPR management strategy.
How does My Council Services handle pseudonymisation?
Personal data that has been pseudonymised (e.g. key-coded) may fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual. For example, an individual’s IP (internet protocol) address could be considered pseudonymised data as it potentially reveals data relating to their location.
GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the Data Protection Act’s definition, and could include chronologically ordered sets of manual records containing personal data.
My Council Services fully supports Councils’ obligations as regards pseudonymised data, although that support is conditional upon Councils formulating, documenting and keeping up to date a compliant policy and rationale.
How does My Council Services enable transparency?
Data subjects who are registered users of the My Council Services My Account portal can review and monitor all their interactions and ongoing processes with the Council at any time (see figure two below).
Figure 2 – Enabling transparency and monitoring for individual data subjects
How does My Council Services enable data portability?
The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Data portability is of greater relevance in commercial scenarios where a consumer may want the ability to obtain and re-use self-declared information to ensure that they are receiving the best commercial proposition in return for paying for service or product.
That said, there are implications for public services, for example, when a customer is moving from one local authority area to another.
Providing data portability is founded upon the ability to provide data subjects with transparency as to how their data is used, as well as enabling them to monitor data processing, and both of these principles are catered for within the My Council Services platform.
However, My Council Services does not currently provide a process for self-service data portability. We are currently seeking feedback from our clients regarding this requirement, in order that we can provide a suitable solution in due course.
How does My Council Services support the individual’s rights in relation to automated decision making?
The right of subject access allows an data subject to access information about the reasoning behind any decisions taken by automated means. This can cover the following scenarios:
- An individual can give written notice requiring you not to take any automated decisions using their personal data;
- Even if they have not given notice, an individual should be informed when such a decision has been taken; and
- An individual can ask you to reconsider a decision taken by automated means.
The My Council Services platform offers a comprehensive, rules-based, automated workflow system. In addition, some Councils are implementing ‘risk based’ decision processes that are both automated and that use data which resides in third party systems.
For every action taken on the platform (whether automated or manual) My Council Services captures and stores metadata in an audit trail against the individual service request, task, case, asset, organisation and person. All automated workflow rules are fully documented on the platform in a format that is readable by a person, requiring no particular technical skill. All data relating to automated decision-making can be quickly collated and presented in response to a request from an individual customer.
How is personal data secured in My Council Services?
My Council Services includes state-of-the-art data security mechanisms and controls. The platform is designed and engineered to use ‘privacy by design and privacy by default’ principles, and latest standards and best practices will continue to be supported as the platform develops.
The following measures are in place to ensure the security of personal data that is stored and that may be transferred during planned and authorised workflow on the platform.
The My Council Services database is never exposed beyond an internal firewall. The internal firewall technology is constantly reviewed and upgraded to the latest standards.
Penetration tests are performed at least every 20 days. Any issues identified are immediately evaluated and acted upon. We also support third party penetration testing by Councils if they request this. The cost of such independent penetration testing will be borne by the Council. We also request that the Council share the full results of any independent penetration testing that it commissions, in order that we can act upon any relevant findings.
Source code encryption
All source code that is deployed to the My Council Services app is binary encrypted, preventing reverse engineering by hackers.
For Android devices specifically, the My Council Services native application can only be installed and run on the device’s internal memory.
Private key encryption
My Council Services utilises private key encryption technology to encrypt data packets. Private key encryption serves two purposes.
The first is authentication where the approach verifies the user.
The second is encryption of data. This approach assures that data in transit is secure and that it can only be accessed by an authenticated user upon receipt.
Secure sockets layer (SSL)
My Council Services uses Secure Sockets Layer (SSL) technology for all communication and web services. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and secure.
Protecting against SQL injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). My Council Services has best practice measures in place to prevent SQL injection, and regular testing is conducted after every version upgrade to protect against it.
Role-based access control (RBAC)
The extensive data security measures described here are layered over with RBAC via data roles which secure personal data, access and visibility to it.
My Council Services offers a high level of encryption of data on any local device. The platform also protects against the possibility that Android native applications, if not adequately encrypted, can be reversed engineered for malicious reasons. To ensure that this cannot happen, the binary files are compressed, optimised, and obfuscated.
My Council Services uses AES 256 encryption web services for all mobile device communication. The My Council Services web services API can only be accessed via public access token using a unique identifier and is encrypted using AES256 encryption algorithm.
All transmitted data packets are also encrypted by private public key and further encapsulated by industry standard SSL layer providing very high levels of data security.
My Council Services uses transport layer security (TLS) 1.2 protocol for all communications. This ensures privacy and data security between our applications and our users on the internet.
Abavus Customer support for My Council Services
Abavus uses a third party cloud based product called Zendesk Support to enable the technical and customer support processes that we provide to our clients.
Zendesk Support puts all our customer support interactions in one place, so communication is easier, personal and efficient which we believe will enable an even better support service for our customers.
No user data or ‘data subject’ information that is stored in My Council Services is transferred to Zendesk for the purposes of delivery of the Abavus Support Service.
How does My Council Services ensure the native mobile applications are secure?
Many Abavus’s customers use our native mobile applications. The measures described above ensure the security of any data that is held locally on a device associated with the native application as well as any data that is transferred to and from the remote device.
The following measures are particularly relevant in this context:
- Binary source code encryption – ensures that the native mobile app cannot be reversed engineered and hacked for nefarious purposes
- Private key encryption – ensures the authentication of the user (from the app or the browser to the cloud-based platform) and makes certain that data is secure when in transit between the two
- Encryption standards – data held on the local device is encrypted to a high standard to ensure that it is secure
How does My Council Services protect against forms being spoofed?
All form pages are fully encrypted and for single use only.
How does My Council Services protect against cross site request forgery (CSRF)?
My Council Services completes a number of checks to ensure CSRF cannot occur when processing payments. These checks include hash key computation, and a final check confirms the payments have been accepted and taken, at which point the platform shows the payment as validated. The high standard of encryption across the My Council Services platform prevents CSRF attempts.
How does My Council Services protect against ‘man in the middle’ attacks?
My Council Services uses Secure Socket Layers (SSL) and TLS 1.2 to stop ‘man in the middle’ attacks.
Further questions regarding My Council Services and the GDPR
This document provides general guidance regarding how My Council Services supports GDPR compliance.
However, individual clients may encounter GDPR-related questions in relation to specific usage scenarios that are not directly covered in this document. These are not likely to be critical issues of compliance versus noncompliance; more likely they will be more nuanced considerations associated with ensuring best practice. If you find yourself with these or other types of questions, please do get in contact with us.
The Abavus Client Services Team is compiling a catalogue of specific usage questions and how these relate to GDPR. The chances are we will be able to provide relevant and practical guidance. We also want to hear from you so that we can add your questions to the library of support material that we continue to develop.
If you have further questions GDPR or about Abavus’s privacy and security policies or service options that can help address your GDPR needs, please consult our website or contact us directly by phone, email or social media.
Phone: 020 8530 2505