Saturday 1 December 2012

Leveson and the ICO

Today I’m publishing an exchange of emails between me and someone who has read my recent blogs on the Leveson report. I’m looking forward to seeing what reaction it prompts:

“The popular press haven't made much of his recommendation that the ICO should be reconstituted, so I am grateful for your precis.

Does it surprise you as much as it surprises me that the proposed 'Information Commission' does not mention inclusion of information technologists?

The ICO are an information technology regulator that has complained in the past of a lack of senior staff with information technology experience, even abrogating its responsibilities as information regulator to the general public. Complainants in the BT/Phorm case were told "The ICO are not technical experts and so encouraged Phorm to be transparent and directly engage with technical experts to address concerns".

Personally (perhaps surprisingly) in many ways I would prefer to see the ICO Data Protection function completely abolished. The ICO serve no purpose because they won't enforce the DPA or use the additional penalty powers they have already been given... so offering false hope to the victims of private sector data protection offences.

In those circumstances it is better (in my view) for the public to understand clearly there is no protection at all, rather than offer false hope. Abolishing the ICO DP function unambiguously transfers the burden to the citizen to protect their own information from abuse by private sector organisations (which obviously isn't a fair fight, but it is better than misleading suggestions that the ICO will in some way 'protect your personal information' when they don't).

Leveson appears to think the other way, that the ICO DP function can be salvaged from this mess. I doubt that will be effective unless the organisation is overhauled from the roots up. Enacting s55 might act as a deterrent... but evidence to date suggests deterrents aren't effective unless they are complemented by robust independent enforcement.”

I replied:

“To be frank, I'm not surprised that Lord Leveson's report doesn't mention information technologists, as it really wasn't central to his investigation, and he didn't call (to my knowledge) any information technologists to give evidence. After all, he hardly mentioned the internet at all. You can usually tell where an investigation is heading by analysing the witnesses called, and the evidence provided in open session. As his report was always going to be based on the evidence that was presented to him, the absence of information technology evidence would have ruled out any reference to that function in the final report, anyway.

A lot of people share your views about the effectiveness of the ICO. The problem comes when Parliament sets expectations, by passing laws and creating a regulatory structure, and then starves the regulator of the funds that are required to do the job properly. I would focus my attention on the Ministry of Justice, just as much as the ICO. If a political decision is made to restrict data protection compliance resources (and we have to accept that the ICO is better funded than most of the other privacy commissions within the EU Member States), what we get is what we are given. Perhaps, rather than abolish the ICO, the critics should demand that it be better resourced and more accountable, in terms of its performance, to the public - or at least to those elements of the public that care so passionately about information rights governance. The Ministry of Justice has not been able to bid for funds that match the current level of public interest.

Having said that, my local authority is about to cut funding to a local hospital - and I know where my priorities lie, when public funds are tight.”

I’m always grateful to get feedback on my blog, or on the issues that particular posts raise. Any comments on this exchange of correspondence will be carefully considered, suitably redacted, and quite possibly published.

But don’t worry, your personal details are (reasonably) safe with me!