Life as an international data protection consultant can have its drawbacks. 3.30am starts, queues at the airports, and working out how to pay the charge as the hire car drives through yet another automatic toll barrier.
But it also has its benefits. Hotel meals, meeting people for the first time, and (yes even) explaining to new colleagues that, at least in the UK, the ICO has given some thought to the issue at hand and has published some helpful guidance on its website which can lovingly be copied and used, as it (mostly) is in line with that country’s data protection rules, too.
As I go about my business, I sense that what people are still generally after is practical guidance on how to comply with the basic data protection rules.
My international work has recently focussed on how to craft Privacy Impact Assessments. To that end, I’m immensely grateful for some new stuff that’s on the ICO’s website. A draft Code of Practice is currently under consultation, and I’m pretty impressed with what I read.
The previous guidance was, putting it politely, not an easy read. Much was written by academics who, while no doubt absolutely brilliant in their own worlds, found it hard to craft a text which connected to people who lacked lofty educational achievements.
The new guidance is much easier to read. Perhaps the Plain English Campaign has already reviewed it.
I’m a great supporter of the Plain English Campaign. I met the campaign’s founder, Chrissie Maher, in the early 1990s, when working for the Association of British Insurers. I was involved in a project which offered guidance to insurance companies on what was required of them following the implementation of the Unfair Contract Terms Regulations 1989. (Linked with that project, I also remember speaking at a number of events where an official from the Office of Fair Trading was speaking, explaining to the audience what the OFT’s views were. That official was Richard Thomas. But that’s another story.)
Anyway, back to the plot.
The new draft Code from the ICO also commends a much easier way to complete a PIA – which can only be good news to those of us who do them. Perhaps more thought has been given to the type of people who are currently Data Protection Officers. Not all are qualified solicitors, or even graduates. Many are people whose education was completed at an earlier stage, and so it is all the more important that the ICO commends a process that can be understood – and followed – by someone who lacks professional data protection qualifications.
I’ve been trying it out in foreign parts. I’ve tweaked it slightly, but for me, it works. I’ll be explaining to the ICO how I’ve tweaked it when I respond to their consultation – the deadline for comments is 5 November – but meanwhile I do encourage people to try it out and to see if it works for them.
The Trilateral research and consulting group recently published some authoritative work on PIAs, including a 523 page book that can be bought (soft cover version £35.99) and a 267 page research report that is available from the ICO’s website and can be downloaded for free. The really key finding is the lack of PIAs that have been carried out.
Hopefully, the ICO’s simpler methodology to crafting one will be more eagerly adopted by us data protection professionals, and more PIAs will find themselves in the public domain.
Sources:
http://www.ico.org.uk/~/media/documents/library/Corporate/Research_and_reports/draft-conducting-privacy-impact-assessments-code-of-practice.pdf
http://www.plainenglish.co.uk/