Saturday 19 December 2009

Should the ICO be presumed to have the competence to fine miscreants?

I’ve spent some time over the past few months mulling over whether the ICO should be given powers to fine miscreants, and if so, what maximum fining powers should be available.

My first inclination was to assume that the ICO should be viewed in a manner similar to that of the Financial Services Authority. But I quickly realised that they were very different organisations. Citizens of Canary Wharf and the People's Republic of Wilmslow are not the same. Lots of bling in both locations, but different breeds of regulators. In Wilmslow, you can expect to see the WAG driving the Porsche. Around Canary Wharf, it’s more likely to be the bread winner.

The FSA plays two quite different roles simultaneously. On the one hand, 750,000 individual complaints are assessed by the Financial Ombudsman Service each year, by a staff of some 860 people, who can deal with cases up to the value of £100,000. And on the other hand, the FSA itself can deal with cases that may not be raised by a specific individual, for example when an unencrypted laptop is lost, and can fine the miscreant £ millions. I have heard complaints that the FOS does not understand the issues it judges on and lacks suitably qualified and experienced staff. Former Chief Ombudsman Walter Merricks has explained that the service employs professionals and graduates from different backgrounds and moves them between different areas to build experience.

I’ve often wondered whether it’s much easier to recruit and employ qualified and experienced professionals and graduates from a central London pool of talent than it is to attract people with the necessary range of skills to Wilmslow. But people obviously do wish to work in Wilmslow. And the “Wilmslow culture” is certainly different to that of Canary Wharf. Think “Guardian reader” rather than “The Financial Times”.

Whether the ICO can keep people for a sufficiently long period in Wilmslow (so they can make a really significant contribution to the organisation) before other employers make them offers they would find hard to refuse is another matter. In a recession, private industry may feel constrained in making too many generous pay offers. But, when the consequences of getting Data Protection “wrong” are as serious as they currently are, the market for Data Protection professionals is comparably strong. (Most companies fear the loss of their reputation following a data breach far more than any ICO sanction). And, given pressures over budgets within the public sector, will the ICO really be able to compete with the demand for people who think they know what they are doing?

So, this takes me back to my original point. Financial institutions have come to accept the jurisprudence of the FSA, and have come to accept that it has the competency to fine miscreants £ millions when mistakes are made. They also accept the awards made by the FOS, generally without question. And this is because a bond of trust and competence has been built up between the regulators in the FSA’s compliance function and the regulated.

I don’t think that a similar bond exists in the Data Protection world. I have not had (believe it or not) a particularly high level of interaction with the compliance function of the ICO. I’ve been deeply involved in the policy development function for many years, but I can honestly say that I have not yet had the time to build up a comparable level of trust with the ICO’s compliance team. I’ve dealt with a wide range of people who make assessments, but none of them appear to have remained in their post for very long. Perhaps they get promoted or are relieved of the duty to deal with me when they have completed their probationary period...

Anyway, for that reason, I won’t yet be supporting suggestions that the ICO be given powers to fine miscreants at a level which is similar to that of the FSA. I first need to have confidence in their experience and competence. Let them start with a maximum of £500,000 and let’s see what they do with that. For these days, it’s someone’s track record, rather than their promise or potential, which is so very important.

Sunday 13 December 2009

"It’s time to behave more like Jim", commands the Commissioner

What's all this about?

Last week I attended the Commissioner’s conference at the Lowry Hotel in Salford (a suburb of Manchester), which launched the public consultation stage of the ICO's proposed "Personal Information Online Code of Practice". The first speaker was Christopher Graham, who reminded us of the achievements of a former local MP, Hilaire Belloc. Between 1906 and 1910 he represented the constituency of Salford South.

More commonly remembered as the Roald Dahl of his day, Belloc’s cautionary tales serve to remind us all of how we ought to behave. And Christopher Graham took the opportunity to refer to the regulatory landscape and to remind us of two elephants in the room, the Article 29 Committee and the European Commission, both of whom were struggling to apply an outmoded Data Protection Directive to the business needs of a world which simply did not exist when the Directive was agreed.

The inference was that the pragmatic approach adopted by the ICO was at risk of being challenged if it, or UK data controllers, were to be seen to be overstepping the mark too blatantly. So, it appears that, as a body, we all need to agree which parts of the law we should apply rigorously, and which parts deserve to be glossed over (because they are unduly onerous, burdensome and simply don't make any sense any more). The inference was that unless we moved as a body in deciding which bits to ignore, the Commission might well take it upon themselves to pick off the stragglers.

So we have been warned. We must all pull together – and then we’ll be permitted (as they say in sailing terminology) to shift our course away from that adopted by the rest and tack away in another direction.

But Christopher Graham didn’t use nautical terms. Instead he used medical terms, by referring to the story of “Jim” – which advises us that we should

“Always keep a-hold of Nurse
For fear of finding something worse”

So, if the main players within the ICO are to be cast in medical terms, then just who are the key characters at the re-jigged Wilmslow Information Hospital? I hear that there’s just been another reorganisation up there, and perhaps soon we’ll learn who’s now in charge of what. But, in the meantime, my suggestions for new job titles are:

Information Commissioner --- Matron
Chief Operating Officer --- Midwife Higher Level (Research Projects)
Director of Human Resources --- Health Visitor Specialist
Deputy Commissioner Data Protection --- Health Visitor
Director of Comms and External Relations --- Nurse Team Manager (Learning Disabilities)
Assistant Commissioner Freedom of Information --- Theatre Nurse
Head of Regulatory Action --- Nursery Nurse (Communities)
Corporate Governance Manager --- Clinical Support Worker

Other suggestions would be welcome until the official structure is known.

Oh, and by the way, for those really interested in “Jim”, Hilaire Belloc’s poem about the boy who ran away from his nurse and was eaten by a lion is set out below:

There was a Boy whose name was Jim;
His Friends were very good to him.
They gave him Tea, and Cakes, and Jam,
And slices of delicious Ham,
And Chocolate with pink inside
And little Tricycles to ride,
And read him Stories through and through,
And even took him to the Zoo--
But there it was the dreadful Fate
Befell him, which I now relate.

You know--or at least you ought to know,
For I have often told you so--
That Children never are allowed
To leave their Nurses in a Crowd;
Now this was Jim's especial Foible,
He ran away when he was able,
And on this inauspicious day
He slipped his hand and ran away!

He hadn't gone a yard when--Bang!
With open Jaws, a lion sprang,
And hungrily began to eat
The Boy: beginning at his feet.
Now, just imagine how it feels
When first your toes and then your heels,
And then by gradual degrees,
Your shins and ankles, calves and knees,
Are slowly eaten, bit by bit.
No wonder Jim detested it!
No wonder that he shouted “Hi!”

The Honest Keeper heard his cry,
Though very fat he almost ran
To help the little gentleman.
“Ponto!” he ordered as he came
(For Ponto was the Lion's name),
“Ponto!” he cried, with angry Frown,
“Let go, Sir! Down, Sir! Put it down!”
The Lion made a sudden stop,
He let the Dainty Morsel drop,
And slunk reluctant to his Cage,
Snarling with Disappointed Rage.
But when he bent him over Jim,
The Honest Keeper's Eyes were dim.
The Lion having reached his Head,
The Miserable Boy was dead!

When Nurse informed his Parents, they
Were more Concerned than I can say:--
His Mother, as She dried her eyes,
Said, “Well--it gives me no surprise,
He would not do as he was told!''
His Father, who was self-controlled,
Bade all the children round attend
To James's miserable end,
And always keep a-hold of Nurse
For fear of finding something worse.

Saturday 5 December 2009

How can we ditch EU data protection standards in favour of global standards?

It looks as though more and more people are asking this question, and it’s possible that quite a bit of background work has already been done.

And the more I think about it, the more sympathy I feel for the regulators, who are charged with creating solutions to problems that are extremely hard to resolve. These people must know that the more complicated they make the solution, the greater will be the likelihood that it will fail. All of us dread solutions that are so convoluted you need a brain like Albert Einstein’s to understand them. And we all know that we’re basically doomed unless we can develop an approach that even Homer Simpson can grasp.

So I was really surprised recently to come across a document that actually managed to spell out, in simple language, a set of principles which might well have global application. They were developed by stakeholders from some 50 countries, and first saw the light of day at the recent international privacy conference in Madrid. For those who want to have a close look at them, try the following link - https://www.agpd.es/portalweb/canaldocumentacion/common/estandares_resolucion_madrid_en.pdf

The text uses reasonably plain language and tries to avoid the trap that the EU dug itself into, by focussing on ensuring transparency and fairness, rather than convoluted procedures that so few of us really understood in the first place. Could it result in the demise of the ridiculously complicated contracts that were created to “regulate” international data flows? I have a feeling they might.

The problem, though, will be that there will be countries who pride themselves on high internal data protection standards, either for local cultural reasons (say, to protect people from what is perceived to be a pressing harm in that local country) or for purely protectionist reasons, as they are frightened of the globalisation of trade and hope their initiatives will prove to be more effective than King Canute’s gestures in turning the tide back (which occurred almost exactly one thousand years ago).

Will these countries give up their gold plating, or will they finally acknowledge that they need to live in a real world? I’m sure that some will try to hang onto their gold plating for as long as they can, while many of the companies operating inside them will be finding it ever harder to develop commercially attractive propositions to their customers. Thanks to the globalisation of the internet, if customers don’t like local rules they can simply download a service from a country that operates under more favourable rules. It’s just like the climate change debate – these carbon particles don’t respect political boundaries any more. And neither do the acquirers of electronic services. If it’s hard to download from Germany, you might as well get it from Sweden.

An interesting emerging principle is one of accountability. The Madrid Resolution requires “the responsible person” to make available verifiable evidence that they have actually taken the measures necessary to meet their obligations – and this evidence should be made available both to regulators and individuals. It’s a neat idea – as it now places a greater onus on the company to establish that it is behaving responsibly, rather than awaiting an allegation that it has not behaved responsibly.

And this new “accountability principle” might well give the Data Protection Officers the stick they need to remind their companies that, in the event of transgressions, there will be fewer places to hide. And it might also give them an opportunity to point out to regulators that mistakes sometimes happen in spite of the efforts that the companies make to behave properly.