Wednesday 4 March 2015

The 2015 ICO Data Protection Practitioners Conference

A lot of people were pleased at how the ICO’s conference on Monday went. Only a few nerves were frayed as delegates walked past a good-natured picket line to get into the actual conference venue. Times are tough, and people need a way of letting off steam. If the demonstration helped raise awareness of their feelings, then all well and good.

It’s only the second time that demonstrators have been seen outside an ICO conference. The first occasion was back in the days when Richard Thomas was Information Commissioner, when a motley crew turned up to protest outside Manchester's swanky Lowry Hotel, evidently unhappy that privacy professionals were meeting to attend a conference on Privacy Impact Assessments. (Don’t ask why – it was a long time ago.)

Once inside, it was down to the usual stuff. The market stalls were pretty busy – exhibitors represented the private sector as well as the not for profit organisations this time. Introductions were made. Contact details were exchanged. The gallant National Association of Data Protection Officers crew, always so eager to comply with DP laws, even displayed a privacy notice on their raffle tickets. Did people want to win a £25 M&S voucher but not be contacted by NADPO after the event? If they did, they could exercise that choice. 

The usual soundbites were uttered by the usual suspects. The ICO is “bringing clarity to a confusing and complex landscape of guidance, standards and practices”. Such a remark couldn’t be made by (at least) some other European privacy regulators, who don’t particularly appear to see it as their job to simplify local laws.

“It’s about behaviours, not compliance” – again a remark that some other privacy regulators might think twice about making.

“Data protection is not an absolute right. We have to be there to ensure that rights are adequately applied.” Ouch. The folks manning the Fundamental Rights Agency won’t like an approach as pragmatic as that.

“The ICO is in the possibilities business just as much as it is in the prohibition business.” Wham. Not every regulator seems to wish to engage with data controllers (and data subjects, to be fair) as does the ICO.

“There is more to life than the Regulation.” Pow. A welcome reminder that life goes on, and that many of the issues that are faced by privacy professionals won’t change – even when the new legal framework is known. People should concentrate on trying to comply with the current law. It may be 14 years old, but it still presents very significant challenges to a large number of organisations.

Of course, the real benefit to such events is what is transacted at the margins of the meeting. And with some 700 privacy professionals packed together, tongues do start to wag. Privacy folk can be a notoriously indiscreet bunch.

The best news (for the private sector) is that, with the exception of enforcing the marketing rules, the ICO’s sights are pretty firmly set on the public sector. This year will see national health institutions gearing up for compulsory ICO audits. Next on the ICO’s target list is local government. After all, that is where a lot of sensitive personal data is being processed. And where an awful lot of damage can be inflicted on an awful lot of people.

What about criminal penalties for people who commit data protection offences? That old chestnut? Unlikely. Despite a law just waiting to come into force, the problem lies in the (lack of sufficient) political will to bring the relevant provisions into force. Data Protection Minister Simon Hughes was keen to stress that the fault did not lie with the Liberal Democratic wing of the coalition Government.

If I were to propose changes to Britain’s constitution, I would require every Act to contain a “sunrise” clause – which effectively abolishes a legislative provision if it is not brought into force within 5 years of the Act receiving Royal Assent. This lets an incoming Parliament reconsider the provision – and it prevents others from just wishing laws were properly implemented when it is clear that Governments have different views. 

Delegates left the conference venue on a note of optimism. Things aren’t all bad – and the ICO is determined to offer those who try to comply a helping hand. And, when the new European data protection framework is clearer, the ICO plans to be around to adopt a particularly British approach to regulation. It won’t simply be about ticking boxes and admonishing Google & Facebook.

Despite whatever rules come into force, it appears that the ICO will continue to play fair with data controllers that care.