Sunday, 12 December 2010

Advising within a huge arc of legal uncertainty

Stewart Room was on great form, addressing a group of Data Protection Managers at the offices of Field Fisher Waterhouse last Thursday. The conference organisers had certainly saved the best till last. His climactic address to the assembled throng went down extremely well. As did a couple of measures of gin & tonic at a local hostelry immediately after the event.

And, once the alcohol had started to really clear my thoughts, I fell into a deep discussion with some of the conference stragglers at the drinks session. It was about the role that professional legal advisors can play when clients consider their options over tricky data protection issues. Do we clients have a problem in that we often ask these advisors the wrong question?

What I mean by this is that some Data Protection Managers are required to deal with queries quite beyond those they feel equipped to handle. But does it help, or complicate matters, when an external advisor is engaged?

I have felt sorry for the poor bloody advisor, as they struggle to understand what it is that the client actually wants. As the Legal Manager for the Association of British Insurers a couple of decades ago, I was occasionally asked by members of its Data Protection Panel to seek advice on a particular point. I would explain to a trusted external advisor what the situation was, what sort of advice it was that I required, and that I would go elsewhere and seek other advice if the answer they gave me was not the one I needed to pay to hear. These clear, transparent, instructions worked extremely well. Closely knit teams were forged, with likeminded folk sharing the same vision, passion and prejudices. And sharing drinks, evening meals, and trips to Doncaster races. And, eventually, sharing car journeys to attend the funerals of those we had so greatly loved and respected. I still miss you so much, Shelagh.

What’s brought this on? Well, Stewart used a wonderful phrase in his session last Thursday. He spoke about Data Protection Managers needing to advise and support their business about issues that lay within a huge arc of legal uncertainty.

Significant areas of the law simply aren’t fit for modern day purposes. So, every day, we need to appreciate which bit of the law we are going to ignore - just in order that we can get the day job done. Or we need to appreciate which bit of the law we are going to interpret in a certain way today. It’s not like tax law, where you generally know where you stand. As I earn, some tax professional or other is always able to offer, with a considerable measure of confidence, advice on precisely how much of my income is going to be transferred from my control and off into the hands of Treasury coffers.

Established data protection law is far less precise than that – where it actually exists, that is. It’s not quite reached the level of mere bluster and bravado. That’s for the real charlatans. But, in our everyday jobs, we often have to forget about relying on detailed facts and legal precedents (unless you actually want to have to bother about the minutiae of, say, legitimising transborder data flows). I mean, we still don’t have settled views about what the law is actually about. Has any court in the land entered the fray about whether an Internet Protocol Address is personal data? Or whether consent which is not “freely given, specific and informed” is really of any lesser quality than the other ways in which it can be assumed that consent has been provided?

Come on, if the tax lawyers are focussing on issues that concern just those at the very summit of taxation law, what sympathy must they feel about their data protection colleagues, who are still scrambling around at base camp level?

What it means, I think, is that Data Protection Managers need to consider themselves as wading chest deep in the business of the management of risk. We are not talking about certainty here, we are talking about levels of confidence. Is the process we are considering sufficiently transparent? Or simple? Or harmless to the individual? How much information really does need to be retained to provide the service efficiently? Are we creating a service that meets the legitimate aspirations of the individual? Did they know we were going to do that? (Or that anyone else was?)

I think that questions such as these can only be met when the business has a clear appreciation of its own integrity and attitude to risk. There’s no point asking a lawyer for “information” about something as vague as data protection law if the lawyer has no appreciation of the degree of risk that the business likes to operate within. Experienced musicians are not engaged to join orchestras for particular concerts unless it’s abundantly clear what music will be played, and which score will be used. In our own sweet way, we experienced data protection professionals can all develop programmes that are tailored to meet the risk profile of their business – but surely only when the business knows what risk profile it wants.

So, professional data protection advisors may well waste lots of their time unless they get the basic question out of the way first. This is “How close do you like to sail to the wind?” Once that answer is known, the rest quite neatly falls into place.

I’m not interested in asking (or paying) for “information about the legal risks” if it means that I’ll receive a thick sheaf of documents which offer finely balanced arguments about the pros and cons of different approaches. In my experience, people working for units within a business don’t really want to know what the law is or what it might be. They want to be told what to do. In a couple of paragraphs, and in words that Homer Simpson, not Albert Einstein, can understand. And I can only tell them what to do when I’m confident that my advice has been calibrated to the degree of risk that the business is prepared to run.

So, if you ever want to work with me, please come armed with a high level of emotional intelligence. And representing a business with a settled sense of its own ethical standards.