Wanted: corporate lobbyist to take over the ICO

Communicating “the wider benefits of data sharing”, “commercial and business acumen”, experience “of using data to drive innovation and growth”; and, of course, “excellent communication and relationship management skills”.

This isn’t a job description for a sales representative, but the candidate being sought to replace Elizabeth Denham in her role as the UK’s Information Commissioner. The vacancy notice was published by the Cabinet Office, accompanied by an opinion piece about a novel “approach to data” for post-Brexit UK, authored by the Secretary of State for Digital, Culture, Media, and Sport (DCMS).

The “new approach to data” can be summarised as follows: the fact that you’ve been invited to book your vaccine inoculation via email is a testament to the need to share data quickly and efficiently, but the GDPR would make businesses reluctant to use your data. Post-Brexit UK is in the position to learn from the pandemic and write new rules, thus defeating businesses’ alleged timidity regarding use of our data.

Yet the public health response to the Coronavirus has shown, if anything, that lowering our guard is hardly desirable in the face of failures such as:

Open Rights Group has been critical of the ICO and their approach to regulation in the past. However, the Government’s new vision hardly provides a response to these concerns, instead presaging a move to weaken data protection in favour of removing ‘barriers to use’. It is a worrying development for UK citizens at large.

A new approach to deregulation

The Government says that its yet-to-be-finished National Data Strategy promotes the

“UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, in order to drive growth across the economy. Data is a strategic asset and its responsible use should be seen as a huge opportunity to embrace

This should be read in conjunction with what the next ICO is meant to deliver, namely:

“a new approach to data in the UK that strikes the right balance between high data protection standards and responsible use of data to benefit our economy and society. This candidate must be willing and able to steer the ICO through a dynamic period of change, refining processes and decision-making.”

The new Information Commissioner will be required to have “a successful track record of credible and strategic leadership and management, including the delivery of transformative organisational change,” and “commercial and business acumen, including an understanding of how the data protection regulatory environment impacts on business and how to help them” as well as “experience of working at the highest level of public or commercial life”.

Thus the primary qualities of the candidate appear to be a desire to roll data protection rules backward, while being able to move the ICO’s organisation along the way as these changes are implemented. The case for a major shift away from GDPR has not yet been made, nor is it the job of the ICO to do that. It is an independent regulator, not a policy think tank tasked with clipping its own wings.

On the other hand, Government never mentions experience in regulating and enforcing data protection among the desired requirements for a suitable candidate — excepting a very hasty mention of “understanding the legal and regulatory framework in which the ICO operates”. There is also no mention whatsoever of any background or understanding of Freedom of Information.

It is easy to imagine an industry insider being appointed, but far less someone who knows how to make a regulator function effectively. Yet we know from experience that the ICO desperately needs strong leadership to deliver the benefits of GDPR for citizens and trust.

From words to deeds

Government’s new approach isn’t worrying only because of its premise, but also for its conclusions. The issues we outlined previously about the National Data Strategy must be read in conjunction with Government’s recent decision not to implement article 80.2 of the GDPR, which would have introduced a collective and highly effective redress mechanism against data rights abuses. Interestingly enough, Government rejected this option while characterising the ICO as “best placed […] to tackle systemic risks to individuals’ privacy and breaches of the data protection regime”. However, the Secretary of State for DCMS is now announcing that the ICO will be the “first stage” in the process of turning the UK data protection framework into one that “no longer sees data as a threat, but as the great opportunity of our time”.

Finally, the ICO is supposed to act with complete independence when “performing their tasks and when exercising their powers” — not only as a requirement of the UK GDPR, but also of the Modernised Convention 108 of the Council of Europe, which the UK has signed. This requirement, however, seems hardly in line with Government’s expectations that the next Commissioner “understands the importance of striking this balance [between data protection and barriers to data use] and delivering on this [government’s] critical agenda”.

What the new approach to data ought to be

While personal data can be a valuable driver for innovation, they also carry the risk of data breaches, commercial and political exploitation, and discrimination. If we are to use data for the public good, deregulation is hardly the response we need.

Genuine assessment of the risks involved, maturity in mitigating and proceeding with caution, and strong safety nets for those individuals who may find themselves entangled in the long march for progress are the only tools that can really deliver on any Government agenda. With these premises, the next head of the ICO should be focusing on enforcing the rules, holding Government to account, and striking fear at the heart of these rogue corporations that aim to exploit our data for their self-interested gains.

It is clear to us that, instead, the next ICO is being appointed in order to gut the GDPR and remove barriers to business use of data. That signals a shift away from enforceable rights, to make it harder for you to control the way your data is used.

Take Action

Help us to ensure the next Information Commissioner values strong privacy rights.

Email your MP