Data Protection Strategy

PDF of our final submission to this consultation

ORG response

Data Protection Strategy Consultation - ORG Response to the Information Commissioner's Office - Submitted Friday 14 February

Detail of Respondents

Prepared by: Becky Hogge

ORG's Response

New technologies for data collection, data storage and data-mining have the potential to dramatically improve the lives of UK citizens and consumers, offering government and business the opportunity to know more about those they serve. But if these opportunities are not matched by the power to protect data about individuals from misuse, then these new advances in technology risk bringing about a net loss to society – making us less free, less equal and consequently less prosperous. This consultation is therefore a timely one and we welcome the opportunity to respond.

The Open Rights Group commends the recent efforts on behalf of the Information Commissioner to raise awareness about data protection risk, and recognises statements made by the Information Commissioner in his most recent annual report to the effect that the public are increasingly aware of their data protection rights. Having read the Data Protection Strategy in detail, and having put it out to consultation among our supporters1, we have drawn the following conclusions.

The present powers granted to the Information Commissioner's Office are not commensurate with the data protection risk presented by advances in data-collecting and data-mining technologies and practice. In particular, we believe that the Information Commissioner should push for the right to audit and inspect, without having obtained prior consent, any commercial, public sector or third sector organisation where poor data protection practice is suspected. The Open Rights Group understands that the Information Commissioner has already called for these stronger audit and inspection powers, and that this call has been backed by the House of Lords Science and Technology Committee2. We hope that the by adding our voice and the voices of our supporters to this recommendation, such powers may more readily be granted. We support the House of Lords' recent call for a data breach notification law3, and believe that the Information Commissioner's Office should do whatever it can to push for such a law.

The Open Rights Group is concerned by the weak enforcement of the Data Protection Act to date, a piece of legislation that is the envy of many other parts of the world, particularly the USA. For example, when “[a] string of high street banks and the Post Office [break] data protection rules by dumping customers' personal details in outdoor bins”, we would expect a greater penalty than the signing of “a formal undertaking to comply with [the] Data Protection Act”.4 We believe that the Information Commissioner's Office should be able to impose stronger and swifter penalties, including criminal sanctions, on those who breach the Data Protection Act. We believe it is appropriate for the Information Commissioner's Office to demand powers similar to those of the Health and Safety Executive. The Data Protection Act will not be taken seriously in businesses at Board Level until this happens.

We note in the tone of the Data Protection Strategy document a reluctance to burden business, which indicates that the rhetoric5 of those opposed to the Data Protection Act has to a certain extent sunk in. We therefore feel it is prudent to point out the benefits that data-gathering and data-mining have offered modern business. For example, it is partly the success of the Tesco Clubcard that commentators have suggested allowed the retailer to overtake Sainsbury's as the UK's top supermarket in the 1990s6. It is our belief that business would be highly likely to comply with stronger regulatory pressure from the ICO rather than stop collecting personal data. The same point can be equally made about government, who see in data-sharing and data-mining the opportunity to, for example, eliminate significant waste, or heighten detection of benefit fraud.

The Open Rights Group commends the Information Commissioner's ambition to influence the legislature to deliver data protection-friendly outcomes. In the past, it appears that the Information Commissioner's Office has only been cursorily consulted by government departments during policy formation; and even then that the ICO has given advice from a regulatory perspective rather from the perspective of an advocate for privacy. We therefore welcome the Information Commissioner's study on Privacy Impact Assessments and on how they might be used in a UK context.

The Open Rights Group recognises the role individuals need to play in protecting their right to privacy. However it is also important to recognise that individuals cannot make decisions about their own interests if they are compelled to hand over personal data in order to comply with the law or gain access to basic services. Further, the ability for people to make an informed choice is very much dependent on the information available to them when they supply personal data. In principle, the idea of accreditation and awards for good practice is an attractive one, although any such scheme would need close monitoring.

The Open Rights Group recognises that data protection is an evolving field and would welcome the opportunity for continued input on the Information Commissioner's Data Protection Strategy.

About the Open Rights Group

The Open Rights Group is a grassroots digital rights advocacy organisation based in the UK. It aims to increase awareness of digital rights issues, help foster grassroots activity and preserve civil liberties in the digital age. It is funded by individual donations and small grants.

Footnotes

1. The Open Rights Group is a community of enthusiastic volunteers and renowned technology and policy experts, supported by a small team of core staff. We are funded by regular donations from our 500+ supporters and small, campaign-based grants. See About the Open Rights Group section at the end of this document. We asked our community to respond to the consultation via our fledgling e-consultation tool available at http://www.openrightsgroup/consult See http://www.openrightsgroup.org/consult/data-protection-strategy/ for more details.
2. House of Lords Science and Technology Committee Personal Internet Security 10 August 2007
3. ibid
4. See Press Association “Banks 'dumped personal information in bins'” The Guardian 13 March 2007 http://money.guardian.co.uk/saving/banks/story/0,,2032962,00.html. A list of “UK Privacy Debacles” is collaboratively maintained at http://www.openrightsgroup.org/orgwiki/index.php/UK_Privacy_Debacles
5. The Data Protection Act was labelled “expensive bureaucracy” by the Conservative policy group in their recent publication Freeing Britain to Compete http://standupspeakup.conservatives.com/Reports/FreeingBritaintoCompete.pdf
6. See “Stores at War: winning secrets” bbc.co.uk 4 June 1999 http://news.bbc.co.uk/1/hi/business/the_company_file/360997.stm

Consultation

The Information Commissioner’s Office is consulting on its Data Protection Strategy, which sets out how it intends to minimise data protection risk. The document is aimed at major stakeholders and spells out the basis on which the ICO select the issues on which to engage; the outcomes we seek; and the approach taken to engagement. Submissions should be send to mail@ico.gsi.gov.uk by 28 September 2007, with 'Data protection strategy consultation' in the header.

Excerpts from 'ICO launches new data protection strategy' press release:

  • Concerned with maximising ICO's long-term effectiveness in bringing about good practice
  • Directing their data protection resources to scenarios with the greatest risk of harm through improper use of personal information.
  • David Smith, Deputy Information Commissioner, said: "Our vision is of a society where respect for personal information is guaranteed ... where organisations inspire trust by meeting reaosnable expectations of integrity, security and fairness in the collection and use of personal information. A society where individuals understand how their information is used and are aware of their rights and are confident in using them. Our strategy is all about turning this vision into a reality."

Consultation document

The 'Data Protection Strategy - Consultation Draft' does not ask specific questions, but is only 20 pages of plain english text, so a relatively quick read. Here's my notes:

Our vision and our purpose

  • Flowery PR-speak about 'integrity, security and fairness'
  • Primarily concerned with regulating the processing of personal data by the state, by businesses and by other organisations ad not with processing by individuals in their purely personal capacity.
  • Compliance with the legal system is the main goal, but not an end in itself so is combined with the promotion of good practice.

This strategy

How the ICO will minimise data protection risk by selecting:

  • the issues on which to engage
  • the outcomes we seek; and
  • the approach taken to engagement

(Excludes specific areas such as case handling and the use of formal powers to take regulatory action)

Our approach

Limited resources => selective with interventions => apply limited resources in ways that deliver the maximum return in terms of a sustained reduction in data protection risk => focus is the risk of harm through improper use of personal information

Focus is on 1. real likelihood of serious harm 2. long term difference 3. working closely with others

Unrealistic to remove all risk; instead moderate the most serious risks and protect those most vulnerable to improper use of their information.

Not simply improving (i.e guidance, persuasion, regulatory action) organisations, but also influencing the market or political environment in which they operate (i.e. seek to influence legislature, devolved administrations, stakeholders and representative bodies)

  • "Strengthening public confidence in data protection by taking a practical, down to earth approach - simplifying and making it easier for the majority of organisations who seek to handle personal information well, and tougher for the minority who do not".

Data protection risk

Defines 'harm' (as in "minimise the risk of harm through improper use of personal information") in both the individual and societal context:

  • Individual suffering because personal information about them is
    • inaccurate, insufficient or out of date;
    • excessive or irrelevant;
    • kept for too long;
    • disclosed to those who ought not to have it;
    • used in unacceptable or unexpected ways beyond their control; or
    • not kept securely.
  • Societal harm arising from improper use of personal information can have multiple causes:
    • excessive intrusion into private life which is widely seen as unacceptable;
    • loss of personal autonomy or dignity;
    • arbitrary decision-making about individuals or their stigmatisation or exclusion;
    • the growth of excessive organisational power;
    • a climate of fear, suspicion of lack of trust

Setting priorities

Priorities (important to give value in return for limited public money, and ensure regulatory burden is proportionate) will be influence by :

How serious and how likely

Tricky judgments involved identifying where there is a 'real likelihood of serious harm'. They take an objective approach, based on:

  • Broad sources of information (own experiences; research findings; political and market intelligence)
  • Specific evidence
  • 'Harm must be genuine and capable of explanation'

Severity a function of

  • the number individuals affected
  • vulnerability of these individuals
  • both long and short-term impact
  • one-off harm, or part of a pattern?
  • indirect harm where public confidence in data protection is damaged

Can we make a difference

Economical? Are others intervening? Opinions of stakeholders? Core to ensuring respect for the rights and obligations of the DP regime?

  • Does ICO need to display leadership?
  • Genuine DP issue, or actually a wider problem?
  • Real, long-term difference?
  • Influence on governmental policy?
  • Influence on technological advances or commercial activities?
  • Opportunities to exploit media interest?
  • Pressure for ICO engagement due to gaps / inconsistencies in approach?
  • Already managed by market forces or other regulators?

(ICO are obliged to consider complaints brought to their attention, so lack total freedom to prioritise.)

  • Most serious risks can arise in the public sector, so higher proportion of policy work will be devoted to developments in the public sector.

How we intervene

Much work is reactionary, based on complaints, but intervention guided by

  • Prevention better than cure
  • Prioritise DP aims in the early stages of developments, rather than as bolt-ons when maybe too late to achieve anything
  • Emphasis on privacy-friendly approaches, minimising collection of personal information, ensuring accuracy, security and transparency.
  • Sustainable reductions in risk rather than short-term fixes.
  • Educate public to ask relevant questions themselves
  • Use reputation, consumer pressure and market forces
  • Use expertise regarding business practices
  • Partner with other regulators, letting them lead where suitable
  • Incentivise good practice with accreditation and awards
  • Given burden and costs of regulation, ensure balance and proportion
  • Reflect genuine public concern and command public confidence
  • "We are open to new ways of working and new forms of engagement with our stakeholders."

Partnerships

  • Other statutory regulators (cf horizontal vs vertical distinction)
  • Commercial and self-regulatory bodies
  • The legislature
  • The media
  • Data protection and privacy officers
  • Civil society and consumer organisations - "We rely on consumer and related organisations to deliver clear and consistent messages to the public on data protection. We need them to tell us what the public or sections of the public, want and expect from us."
  • "Above all we see ourselves as working with those whose rights and liberty we are seeking to protect and enhance. We have a role in educating the public and raising their awareness and competencies but we must understand and respond to their interests and concerns."

Our expectations of others

Seeking 2-way communications: they will work to gather intelligence, but stakeholders should inform them, at an early stage, on developments with a significant data protection risk.

  • Rather than advising stakeholders the same things again and again, best if we read / use their publications (and feedback where it doesn't fulfill purpose)
  • "We value our contact with civil society and non governmental organisations. They have an important role in drawing our attention to current and potential data protection risk and reflecting the concerns of individuals. We will listen to their claims provided they are supported by evidence and argument."

Our international role

Concerned with international cooperation and supervision as well as globalisation. Data protection risk does not respect national boundaries; engage with EU bodies, inter-governmental organisations, international trade associations and multi-national businesses.

  • Helping multinationals means uniform multinational advice

Where does this take us?

Themes likely to remain high on the agenda:

  • The unlawful trade in confidential personal information
  • The emergence of a surveillance society
  • Increased information sharing
  • Law enforcement activity
  • Security of personal information
  • Effective data protection supervision

Annex - Data protection functions

"This annex explains briefly what the Data Protection Strategy means in practice for some of the data protection functions of the Information Commissioners Office."

Educating and Influence

  • Individual awareness - "an aware and questioning population is a key partner in data protection regulation"
  • Guidance - how is existing guidance used? What improvements could be made?
  • Promoting privacy protections where a. personal info is process and b. could help decision-making within organisations
  • Influencing the legislature - "critical but constructive friend seeking to ensure that the position of individuals has been fully taken into account"
  • Technology - "We will watch how technology is developing, spot areas of data protection risk and seek to influence further developments and their application to ensure data protection friendly outcomes."
  • Data protection laws should be simple, targeted and proportionate, so will lobby for reform where necessary.

Resolving problems

  • Complaints

Enforcement

  • Regulatory action
  • Notification
  • Tools and penalties


Further resources