Wednesday, 14 July 2010

“We’re now fit for purpose – so taste the difference!”

I left the Design Council’s offices in Covent Garden today with this tag line ringing in my ears. Had I been to a Sainsbury’s launch? No – it was an event which marked the publication of the (upbeat) Information Commissioner’s Annual Report for 2009/10.

I expect that the press releases will repeat the messages that Christopher Graham wanted to emphasise today, so anyone who’s that interested can get that spin from the usual sources. What I was keener to appreciate was the tone of the Commissioner’s report, and to get a better sense of the role that the Commissioner’s staff see themselves playing in the forthcoming year.

The impression I had when stumbling out into the rain in Covent Garden was that the Commissioner’s staff were determined to proclaim that they were regulators who meant business, and that organisations whom in the past, may have ignored the data protection rules, should not be surprised if they faced painful enforcement action in the future.

On data protection (as well as freedom of information) issues, the ICO was at the heart of the Government’s transparency agenda. Of course there was a need to balance freedom of information with legitimate data protection rights, but it was wholly wrong to assume that “data protection” would provide the great duck out of the 21st Century, as perhaps “health & safety” legislation provided the great duck out of the 20th Century.

What they do is really where it’s at – in terms of the current political debates on accountability, privacy, freedom and transparency.

So, as a data controller, what should I really concern myself with in 2010?

Well, it’s clear that technological advances are going to raise fears among some individuals that data controllers are all set to exploit personal information in ways that are ever more devious, which could lead to a collapse in confidence in some institutions. But a remedy is at hand. The more transparent a data controller is about their intentions, then easier it will be to set these (probably irrational) fears aside.

An attitude of “we know what’s best for you” is unlikely to wash in this current decade, and I suspect that many data controllers who have taken a pretty cursory view of their customer’s expectations will face a real wakeup call when their customers leave them in droves for competitors who are keener to respond to legitimate privacy concerns. The more transparent an organisation is, the less it may feel obliged to rely on “consent” as a condition for using personal information.

I have always disliked relying on “consent” as a condition for processing, as it means that I have to build systems which take account of the fact that individuals may exercise their rights to “object”. For me , the best condition for processing personal information is that it is in the legitimate interests of the individual concerned, and that my actions do not harm or affect the legitimate interests of that individual.

Also, a new data protection principle - that of accountability - ought to emerge. What this means is that data controllers should be expected to be more accountable for the way they use personal information, and that individuals (rather than just the regulator) should be given legal powers to challenge data controllers when they failed to do what they had previously announced that they would do.

I think that this means that the Commissioner’s Office would welcome a pretty fundamental review of current data protection legislation, rather than a quick tweak around its edges. So, if the European Commission really plans to publish proposals for a revised Directive by this winter, then let’s hope that it doesn’t take the easier option of just offering some minor proposals to trim some of the most impractical provisions. What we all really need is a Directive that is fit for the (digital) world as it currently is, and as it is likely to be during the next decade, rather than just how the world was some 20 years ago.

I also think this means that the Commissioner’s Office would welcome fundamental changes to the delivery mechanisms specified in the Directive. While the main Data Protection Principles seem fine (once you also add the accountability principle), surely some EU Data Protection authorities are deluding themselves if they seriously think that, for example, they should exercise powers, and are equipped, to control (or approve) all the transborder information flows that emanate from their jurisdictions. Perhaps some of these regulators really do believe that they have the powers that even King Canute lacked. Can some of these European regulators really turn back (or give prior approval to) all the information tides that ebb and flow from their shores (or borders)?

I think not, but I suspect that some European regulators might think otherwise.

And what about the freedom and security debate? What have I sensed from the conversations I’ve had today?

Interestingly, I did hear one comment from someone in the Commissioner’s Office later today, who was keen that the Commissioner should remain wary of the Home Office’s views on the best ways to combat terrorism. Proportionality and necessity were important principles, but it should not be taken as read that what was proportional in an analogue world would also be proportional in a digital world.

I sensed from that aside that his Office would look very carefully at any proposals that emerge from the Home Office’s Interception Modernization Programme. Indeed, one of those officials mentioned that very programme by name. Evidently, Home Office proposals to combat terrorism should not result in their becoming a recruiting sergeant for terrorism.

Salus populi est suprema lex?

Not necessarily so,Cicero. The health, safety or welfare of the public is not necessarily the supreme law.

Let’s have a bit of proportionality and necessity thrown into the mix too, just for good measure.