Data Breaches and Data Flows: ICO Priorities for the Next 12 Months

June 20, 2009

It is fair to say that in the last 18 months we have seen an unprecedented examination of data protection practice in the public and private sectors. From the moment Alistair Darling, Chancellor of the Exchequer, stood up in Parliament on 20 November 2007 and announced the loss of two discs containing the personal details of over 25 million individuals, including bank details and information about children, data protection came of age.


What was previously the domain of anoraks, who felt frustrated that no one was listening and that a catastrophic loss of personal information was inevitable, suddenly came to the very heart of public service delivery. An investigation into the HMRC loss was set up immediately by the Chancellor, the Cabinet Office were charged with examining practice across Central Government and the Independent Police Complaints Commission also initiated its own investigation into the HMRC loss. The subsequent loss of a Royal Navy laptop on 9 July 2008 initiated further investigations by Government, and the Data Sharing Review, which had originally been set up by the Prime Minister as part of his speech on Liberty in October 2007, was given a renewed focus on information security issues.


The media became full of stories of data loss in the public and private sector and this had a number of positive, and negative, effects. Suddenly the Cassandras of old were being sought out and actively engaged, and their recommendations were being considered. And public concern about protecting personal information rose to reflect the media narrative[1]. On the other hand, everyone was trying so hard to find a quick and effective solution to the data loss problem that new problems were being created. The anecdotal evidence ranged from stories of service delivery being almost halted as absolute bans on removable media were introduced, to junior officials refusing to hand over personal details to be put into computer databases, believing such details were safer in an unlocked drawer in their office. Due to media scrutiny on this issue, everyone wanted to be seen to be doing something, as both chief executives and more junior staff began to fear that the next big news story could mean their job.


Now that the headlines on data loss are moving to the inside pages we are faced with new challenges. Will the last 18 months have brought data protection into the mainstream of public and private sector service delivery or will the focus on protecting personal information fade with the headlines? Does the absence of headlines provide some space to think clearly and plan how protecting personal information can shape service delivery for the next 10 years or does it merely move the focus somewhere else and remove the impetus for action? These are hard questions and the Information Commissioner’s Office certainly would not claim to have all the answers, but as the regulator for the Data Protection Act 1998 we have to respond to the environment of the last 18 months. We cannot afford to take the ‘I told you so’ approach, decrying any and all information sharing; neither can we tell those who would collect and share information that everything is OK, that normal service has been resumed and that information sharing projects can proceed anew, unfettered by safeguards or consideration of the potential harm as well as the benefits of the proposed action.


Harm is exactly what we at the ICO want to help avoid. Harm to individuals through mistaken identity, identity based fraud, inaccuracies in their personal records, profiling, stigmatisation and excessively intrusive uses of personal information. We want to make sure that, as far as possible, individuals are empowered to protect themselves by being able to exercise choice over when and how personal information is used and, where this is not possible, that they are provided with clear and accurate information about who might be given access to personal information, and when they can challenge these decisions.


But the ICO strategy also wants to avoid broader harms to society and this desire will inform our decision making. In November 2006 the ICO published an independent report by the Surveillance Studies Network titled ‘A Surveillance Society’ which provoked a lot of public debate and inspired two Parliamentary inquiries. While the ICO would not suggest that we are living in an Orwellian nightmare, there are questions to be asked about how developments over the next few years will affect the relationship between individuals and the state. Is the increasing use of surveillance starting to have a knock-on effect on how citizens relate to one another and as a result is our society becoming a little more claustrophobic than we would like it to be? Is the mere existence of a burning social problem enough to justify a surveillance led solution, or is there a better, more meaningful way to gauge proportionality? These are considerations of which we will need to take account in establishing whether there is a risk of harm in wider society from new and potentially intrusive uses of surveillance.



Privacy by Design


This is all well and good, but what are we actually doing not just to help organisations identify potential privacy risks, but also to address those risks effectively and find out whether the action they propose to take is proportionate to the problems they are facing? Over the last few years, the ICO has been creating a number of practical tools and promoting a number of practices which were brought together in November 2008 under the banner of ‘privacy by design’, a concept that was originally developed in Canada and Holland in the early 1990s.


The basic idea behind the ICO privacy by design work is to try to demonstrate the benefits to organisations of starting to identify and address privacy concerns from the very inception of a project, system or process. Designing privacy in, making privacy protection part of the very DNA of a new project, should be more effective and significantly cheaper than bolting on a solution as an afterthought. The Privacy by Design report was drafted for the ICO by the Enterprise Privacy Group and was inspired by the ICO’s frustration that organisations only started to consider privacy risks at the point at which a project was ready to launch, at which stage significant design flaws could not be ironed out easily or cost-effectively.


Privacy by design encourages those charged with developing and implementing a new project to ask some very basic but important questions when at the design stage, such as:

· Do we need to collect any personal information at all?

· What is the minimum amount of personal information needed?

· Who do we want to access the personal information we collect?

· How will we control that access?

· What specific security measures will be required?

· Do individuals need to be identified for every transaction in the system?

· How is identity authenticated?

· Can individuals assert their rights easily?

· Does the system have functionality to comply with privacy laws, such as deletion and amendment of personal information?


Privacy by design draws on much of the work completed over the last few years by the ICO in the use of privacy impact assessments, the Framework Code of Practice on Information Sharing and our recently published Privacy Notices Code of Practice. It draws on discussion documents we have produced on information governance, information assurance and new forms of identity management. Later in the year we shall be consulting on our new Personal Information Online code of practice.


We also need to consider the impact of technology on our interpretation of the law and good practice. Technology has not only allowed us to process greater and greater volumes of personal information, but has also enabled us to communicate more effectively, immediately and cheaply with the individual concerned. Just a few years ago, technology was limited to collecting information on one central database and decisions could only be made by the database owner. Now, technology allows the individual to give permission in real time for an organisation to use his information for a specific purpose, and even provides the means for that permission to be specific to certain sections of an organisation and only to use specific pieces of personal information. This march of technology has a direct effect on what is considered strictly necessary in terms of privacy intrusion and leads in more and more cases to the conclusion that only privacy friendly forms of user centric identity management can be used in new projects. The age of the lumbering all-encompassing dinosaur database is coming to an end.


Matters for the Board


All of these tools and the very concept of privacy by design are not going to have an impact on organisations beyond the data protection officer unless responsibility for privacy issues is seen to be taken at the very top of an organisation. Two common themes of all the reports that were commissioned in response to the data losses of 18 months ago were the lack of leadership and accountability for protecting personal information at senior level, and the need for culture change. This work has already started and the ICO will be continuing to promote the need to bring data protection into the boardroom throughout the next 12 months.


The ICO Personal Information Promise was launched on European Data Protection Day, 28 January 2009. It was a list of 10 promises to be made by an organisation’s chief executive to demonstrate a personal commitment by the leadership of the organisation to protecting personal information. It is not a compliance tool, nor is it another burden of regulation to be foisted upon businesses and public sector organisations who sign up. At the same time, it is not a meaningless commitment: we have already been getting feedback from signatories that their CEO has, after signing up, restructured their data protection functions to be more effective and hold more authority, or in other cases that the chief executive’s signature on the Promise has stopped other departments developing systems that potentially would not comply with the law. The Promise is having significant effects within organisations.


However, we are not so naive as to think that a signature alone will solve all privacy problems or suddenly demonstrate in and of itself that data protection should matter. That is why the ICO will be investing this year in research to enable us to make the economic case for proactive privacy protection by organisations. How does privacy protection affect the bottom line? What are the costs and benefits of privacy protection?


And of course, this is where the ICO comes in as regulator. Because no matter how much guidance we produce and no matter what tools and initiatives we publish, all of these things will mean nothing if we do not have the powers effectively to regulate those organisations who do not take their data protection obligations seriously enough. To that end the ICO has been calling for greater powers to inspect organisations from across the public and private sector and has been cooperating with the Ministry of Justice as to how the fines for breaches of the data protection principles will work in practice. Changes to the notification fees regime are also being discussed in Parliament to provide the ICO with the resources to implement these new powers effectively.


The Landscape has Changed


The change in powers means by necessity a change in the operation of the ICO – how we engage with those organisations that process personal information. How do we simplify and make it easier for those organisations who seek to handle personal information well, and how do we make it tougher for those who don’t? How do we ensure that individuals are able to assert their rights easily against the backdrop of constantly changing technology and trust that the ICO can resolve their concerns quickly and effectively?


The changes that are coming indicate that concerns that data protection issues will be considered less important as the media spotlight fades are perhaps not as well founded as some might fear. Changing powers and a changing ICO indicate that the landscape has changed. Those organisations who would resile from their obligations to protect personal information will now find an ICO empowered to take meaningful action to bring them back to compliance with the law.


The last 18 months have changed how the public, the private sector, the Government and the ICO view data protection. There is no going back.


Stephen McCartney is Head of Data Protection Promotion at the Information Commissioner’s Office.

[1] ICO research showed that 94% of respondents were concerned about protecting their personal details.