Wednesday, 22 February 2012

ISEB Accreditation: Chapter 1

I've been spending the past few days a little out of my comfort zone. No, not because I've been in Manchester, instead of London, but because I've gone back to "data protection school", as it were, and have been preparing myself for a professional exam in date protection. I'm referring to the Certificate in Data Protection, which is awarded by the Information Systems Examination Board.

This stuff is a little out of my comfort zone because it requires me to know just what the law says. I’m used, in my normal working life, to applying common sense to issues that face me, rather than having to refer to first principles and rely purely on what the law provides. So, it's been fun to remind myself about just what it is that the law does say, as it's often so helpful to go further than the strict letter of the law, and offer advice based on what I think ought to be acceptable to my company and its customers.

All of the delegates on this course are determined to sit the ISEB exam, and not just attend to familiarise themselves with some of the key elements. There is a great variety of prior data protection experience among the delegates, which is incredibly helpful, as it prompts discussion about the elegance with which the beloved Data Protection Act 1998 was drafted. I remember some of the discussions that were held behind the scenes, so to speak, as much of the implementing legislation was developed, following the adoption of the main Data Protection Directive back in the early 1990s.

Considerable time was spent back then discussing how clear the Parliamentary language ought to be - with some people hoping that it could be as confusing as possible, so as to put people off from trying to work out what their rights actually were, and subsequently from taking action to enforce them.

Well, we have been left with is a piece of legislation which certainly put off all but the most determined to enforce their rights through the courts.

Our course trainer, the wonderful Sue Cullen, is one of the stalwarts of the current data protection regime. She was part of a very small legal team that took a couple of legal points, about subject access rights and the definition of personal data, to the Court of Appeal back in 2003. Unfortunately, the Court appeared to take such a dislike to the defendant and his case that the leading Judge, Lord Justice Auld, took the opportunity to make a number of statements that didn't quite square with what many people (including people in the European Commission and a bunch of people from what was then known as the Data Protection Registrar’s Office) thought the law actually meant.

And, because no one else has had the funds (or the temerity) to ask the Court of Appeal to think again on the relevant issues since 2003, some of the stuff I am learning about is certainly stuff that would be frowned upon by European Commission (and by our chums in Wilmslow), and consequently they are hoping to change British law through the implementation of "that" Regulation, of which I'll try not to refer any more today.

Some homework before bed time, and I’m now looking forward to returning to the classroom for the second round of this intensive course the week after next.

I'm still smiling, and so far I'm extremely glad that I've committed myself to obtaining the Certificate.