Thursday, 13 March 2014

Messages from Manchester

Those with a keen pair of ears at last week’s Data Practitioner Conference in Manchester (3 March) would have detected a subtle shift of emphasis of the ICO's enforcement policy. It was a shame that traffic - or business commitments - had prevented some 50 or so delegates from taking their allotted seats in the main conference hall. Yes, they had also prevented some 50 or so others from the opportunity of attending. But, the ICO knows who the miscreants are, and I'm assured that their names will prominently feature on the mailshots that the ICO's audit team will be sending to prospects who may benefit from an ICO advisory visit.

Even a cursory  glance at the delegates indicated that ICO data protection practitioner conferences have been radically transformed since Christopher Graham held his first event at the Lowry Hotel in December 2009. And who remembers attending Richard Thomas's conference on Privacy by Design at the same venue the previous year?

Gone (mostly) is the cohort of what the mighty Eduardo Ustaran has politely termed: "an elite of nerdy specialists". In their wake, a new class of compliance professional has emerged. A class of professional who appears less interested on discussing philosophical issues around various theories of privacy.

Perhaps we now have a more submissive class of privacy professional, a class more willing to be told what good practice is, rather than a class seeking to become intimately involved in designing these practices. Perhaps this is also due to hugely increased burdens of work within the office environment, which prevents so many data protection officers from physically having sufficient time to become more engaged in strategic policy work.

The main message of the day was that responsible organisations should focus on the needs of the customer, and on achieving good privacy outcomes, rather than focusing on compliance with the strict letter of the law. Good practice mattered more than strict compliance with legal requirements. This was not a day for the legal purists.

The second message of the day was that the ICO was not afraid of taking on the public sector, and that accountability for information governance failures would be placed firmly at the door of the political leadership at local government level, rather than at the level of the engine room. If statutory responsibilities were being ignored, resulting in potential harm to individuals, then it should be the officials who took the political decisions to refuse to allocate sufficient resources that should be held accountable.

This message placated a few public servants, but then late int he afternoon David Smith reaffirmed his view that, in light of the personal data breaches that had been reported to the ICO, data handling standards in the public sector were not equivalent to the standards that generally prevailed in the private sector.

That certainly gave many of the delegates something to think about as they returned to their homes.