General Data Protection Regulation

[Carl]

With the upcoming General Data Protection Regulation (GDPR) coming into force mid May, has this or is this going to effect the way fire and rescue services record information, especially carrying out home visits? From what I read, we will not be allowed to collate the information that we have in the past and tougher rules will be put in place. 

Most FRS's appear to have employed a dedicated GDPR officer to deal with this. Do you know the implications your service is expecting?

[Matt]

My understanding of it is not to collect more personal information than is needed for the reason you are taking information, persons can only be contacted if consent given by themselves, if data is lost (even a piece of paper from the printer could be classed as a breech/loss) the individual could be responsible rather than company.  It has to be in simple language that you are collecting data and you need to make it clear how the information is used.  Also data shouldn't be kept for any longer than it is needed.

The individual has the rights for the data to be erased and the right to see it amongst other rights.  GDPR has been on the cards for a number of yards but due to the date coming soon, 25th May I don't think many realise their role as part of it yet.  It will be interesting to see how FRS deal with it, the only sector where I have seen any work in trying to prepare is Education, most organisations have a data protection officer/controller so alot of this would come under their remit.

HFSC/CFS I think will be where changes will be seen but if the data is Handel correctly and the right questions asked and consent given there may be little change possibly?

[Becile]

It has wide reaching consequences for all areas of the business that includes data in everyway mdt, risk info, hfsv (sorry safe and well) data sharing and storage, basically anyone collecting any data for any reason, for all the reasons mentioned before.

We had a potential data breach that was notified to the information commissioners office which was a huge wake up call for us having to clense many data sets etc that literally took every area of business doing nothing else for about 6 weeks.

If you think this is an exaggeation..check you work emails and files and folders for any data you have, names ,numbers, pictures etc etc. and that's just you, now take it to the department of team area and so on.

Leave info on paper copies, a big no no, not secure. Codes and numbers in the cab, no no. If your service isn't all over this, they should be, it's been coming for years, and the potential fines are massive, let alone the reputational damage/risk. All organisations are required to have a data controller, but as mentioned some organisations are not aware of what they are responsible for !!

For us as a county brigade we are the data owners but county are the data controller.

This is not a bad guide GDPR Checklist.pdf

[Matt]

With a lot of things like this there is so much interpretation, in my day job I see so much of this, but it all comes down the controller advising what steps need to be taken with some systems.

I never even thought about the MDT, at the end of the day its a computer and should be treated the same as a desktop or laptop, should be locked when not in use.

Curious to know how many operationally have had any input on this and to what level.