Tuesday 3 January 2012

ICO reveals its 2012 targets -as do I

A late Xmas present arrived on my desk today – the Commissioner has written to me outlining his 2012 Information Rights Strategy. While the ICO’s general duties require his officials to educate, empower, engage, enable and enforce, this simply can’t be comprehensively done given the resources available to the folk in Wilmslow. Choices must be made. To quote a phrase in pretty common use in 2011, the ICO has to be “selective to be effective”. And, in 17 pages, the document sets out the areas which have been prioritised as meriting special attention this year.

One of the underlying outcomes is the need to ensure that: the law, technology and public policy developed consistently within the ICO’s goal, but without imposing disproportionate burdens on organisations. When I read that, I sensed that war was being declared against the uber data protection geeks who see DP compliance merely as a tick box exercise, rather than a struggle to win over the soul of the data controller.

And here are the 5 priority areas :
1) Health
2) Credit & finance
3) Criminal justice
4) Internet and mobile services
5) Security

Any surprises?

I would have described the areas in slightly different terms, based on my knowledge of the probable reasons behind the emergence of these areas:
1) The need for society to pool sensitive information about individuals for the greater benefit of the community (so long as it’s not used in a manner calculated to be detrimental to an individual)
2) Maladministration involving a small minority of labour- intensive batch processes
3) The tension between retaining information only for special purposes when there is no legitimate need for it to be retained for the purposes originally envisaged by the original data controller
4) The globalisation of data flows, masterminded by actors who may well be established, but who do not have their head office located within the EC
5) Weak or non-existent IT protective measures which leave individuals prone to compromise

For me this is good news - as I think I know a thing or two about these special areas. So I'm looking forward to playing a pretty full-on role.

The ICO announces that its well up for a fight, too – it does not see itself as a necessarily populist regulator: “In assessing where the public interest lies we will work hard to understand the importance the public attach to the different aspects of information rights and will factor this into our choices. This does not mean that we will always adopt positions that are universally popular. We take the view that sometimes the public interest will be best served by us acting to protect the information rights of minorities or by us drawing attention to the downsides of new developments that might otherwise appear attractive.”

Perhaps this means that it won’t assume that every last drop of EC legislation needs to be enforced with the same degree of rigour. It may not have time to concern itself with the minutiae of some of the more esoteric data protection arguments (like which cookies are to be deemed strictly necessary, rather than those which are merely necessary, and hence subject to the user’s consent, whatever that means ....). Phew.

Significantly, the ICO also sets itself apart from its peers who are more inward looking as far as transborder data flows are concerned. Perhaps this means that the folk at Wilmslow are tiring of some of the arguments that go on within the Article 29 community, and instead it intends to adopt a more robust and global approach: “We need to work, not just within the EU but also more widely at international level, most particularly with other information rights regulators, to ensure that, in so far as it makes sense to do so, we take a consistent and harmonised approach to the application of information rights law.”

I like that stuff. When I cast my eyes into my crystal ball, I don’t see a “fortress EC” any more. I see a global playing field, with those who are left behind being those who fail to recognise that data, like the weather, is no respecter of geographic, administrative or political borders.

I like what I read – especially as after 11 years working for one company, the time has come for me to consider how and where I can be most passionate about my own particular data protection philosophy.

So, as I prepare to leave my current employer, I do hope that if there is anyone out there, seeking help on matters relating to health, credit & finance, criminal justice, internet & mobile services or security, they might kindly drop me a line, and we can talk.

And if it’s commutable from Crouch End, I could be very interested!

The strategy is now available to be downloaded from the ICO's website at http://www.ico.gov.uk/