She spoke about the many roles she must play as UK Information Commissioner and set out the challenges and opportunities ahead.
Many thanks for the invitation to speak today. I have a connection with CRISP and William Webster, Kirstie Ball and Charles Raab that predates my time in the UK – British Columbia OIPC is a partner in Big Data Surveillance Project with David Lyon and others in Canada. I have long been aware of the importance of the CRISP doctoral training school.
One of the wonderful aspects of privacy and data protection is the extremely rich and interdisciplinary scholarly research community.
Data Protection raises questions of law, politics, sociology, computer science, communications studies, business and management, psychology, urban studies, geography, and so many other areas of scholarship.
For all the regulatory and legal challenges, privacy and data protection continue to raise fascinating intellectual issues.
CRISP is a wonderful model of interdisciplinary research and training for young researchers.
I am very glad to have received the support of the broad and vibrant academic community involved in research on privacy and surveillance since taking up this job.
I am also proud to have launched a new program to fund independent research and help consolidate the network of privacy researchers in the UK.
I am hopeful that this will continue for many years.
Money, law, courage
The title, Money, Law and Courage – signifies, of course, that the contemporary data protection authority (DPA), of which the ICO is the largest in the world in terms of personnel and budget, cannot do its work without a clear legislative framework, the necessary technical and financial resources and the courage to do our jobs well. My office is responsible for the effective enforcement of no fewer than eleven statutes and regulations.
They say: “Money makes the world go around . . .”
Well, we have a budget of £24 million; following the introduction of the new funding model, this will be £34m in 2018/19. We’ve been busy over the last year recruiting more staff and currently have a headcount of around 500.
We expect staffing numbers to continue to increase, passing 600 by 2019 and increasing to an approximate FTE of 650 during 2019/20.
We will be assessing demand as the GDPR goes live and beyond, adjusting our plans accordingly. To give you a sense of how we are fixed now, we’ve got around 200 case-workers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and engaging with the stakeholders and organisations that need to implement them.
Coming from an office of under 40 in British Columbia, the scale of the management tasks is obviously far more complex and challenging.
I had – I have – Great Expectations for this job.
But there’s one aspect of the job that I did not expect, and it stems from the very governance structure of the ICO.
My job combines the role of Commissioner, which has a variety of regulatory and quasi-judicial functions, with that of a CEO. It is based on the “Corporation Sole” Model.
That’s highly unusual for a large regulatory body like the ICO.
The implications of this model are that I perform a wide range of management functions in my capacity as the ICO’s CEO.
I would say that as well as my regulatory role, I must also work alongside my excellent staff on administrative duties involving organisation, finance, human resources, and negotiations with the unions.
Much activity of late has been about recruitment and retention issues. I am pleased to report that the Treasury has given me pay flexibility to address the gap in wages when compared to the external market.
Everyone is looking for data protection expertise.
I am also looking at new ways to bring in talent – through secondments from the private and government sectors, and through technology fellowships for post-doctoral experts.
It’s not just about the money, it’s also about the resources. And I have many tools in the toolbox. 20 years ago, the toolbox was not global.
Now there is a common recognition that all DPAs need to make creative use of all the tools in the toolbox.
And as in a toolbox, each tool (the hammer, the drill, the screwdriver, the chisel) is suited to a different purpose.
But most of these tools can be used separately, and not in conjunction with one another. Throw away the screwdriver or the drill, and the hammer still remains and is still capable of driving in the nail.
At the same time, it cannot drill the hole, or screw in the screw – assuming, of course, that the user can tell the difference.
For the person with the hammer, everything can tend to look like a nail, right?
The tools in the privacy toolbox, however, are designed to be used in conjunction with one another. They do form an integrated package, all of which are now necessary and none sufficient on their own.
Of course the tools are all for nothing if the Commissioner and her team don’t have a good plan for what we are building and why.
So now to the law. This global repertoire of instruments is reflected in the General Data Protection Regulation (GDPR), which will apply in the UK from May: privacy by default and design; codes of practice; privacy seals; Data Protection Impact Assessments (DPIA); data protection officers; accountability mechanisms for good privacy management.
The Europeans have made vigorous efforts to learn from abroad and to embrace policy instruments that were pioneered in other countries, such as Canada, and to incorporate them into the GDPR.
Positive results in data protection are not just attributable to decisions from the top.
They are “co-produced” by a widespread network of actors (regulators, businesses, consumer organisations, media, researchers, and individuals).
I see the ICO as the facilitator of this network, a convener as much as the regulator.
My varied roles
Over ten years ago, Charles Raab and Colin Bennett published The Governance of Privacy: Policy Instruments in Global Perspective [1].
In that book, they defined the contemporary roles of the DPA as: ombudspersons, auditors, consultants, educators, policy advisers, negotiators, enforcers, and international ambassadors.
Different authorities played these roles in different ways and with shifting emphasis over time. I, and my staff, also play these roles.
Data Protection “Ombudsman”
Any DPA has to be attentive to its main clients – the citizenry who may have concerns and questions about how their personal data is captured and processed.
We all play the classic role of the “ombudsperson.”
Demand for this role is high and increasing. In 2016-17, the ICO received and dealt with over 18,000 data protection complaints, 90% of which were resolved within three months of receipt.
This year we will be over the 21,000 mark and next year we expect over 24,000 complaints as people become more aware of their rights.
Prominent concerns include complaints about timely and comprehensive access to personal information, about the use of CCTV, and take-down requests from search engines. We are dealing with a wide range of complaints, most relate to general business, including the financial and insurance sectors, but they also cover the important relationship and services between the state and the citizen, including local and central government, health, policing and education.
The auditing role is central, and will become more so under GDPR. That embraces more proactive assessments of organisational accountability and expands our work to the private sector in a way not seen before. But we now also have a more nuanced understanding of what a data protection audit actually entails, and make important distinctions between full-blown audits, risk reviews and advisory audits.
In 2017-18, we delivered 24 full audits providing advice and recommendations, 37 information risk reviews, 18 follow-up audits, and 47 advisory audits to SMEs.
We are also consultants and often give advice to organisations that come to us with requests to comment on new products and services.
We are happy to hear of new developments and to give advice about whether new systems are compliant with the law, and about how to minimize risks to privacy. This role too will increase under the GDPR – organisations will be increasingly pressured to get the advice of regulators before systems are developed and services are launched.
They will be expected to implement privacy by design, and by default, and will need advice about how to accomplish those goals.
In this regard, my office is establishing a regulatory “sandbox” that provides beta testing of new initiatives in private and public sectors.
This strategy allows us to keep up with new technological developments, and at the same time ensure that appropriate protections and safeguards are built-in.
This is what the law requires.
The strategy is based on the strong belief that privacy and innovation are not mutually exclusive. New technology is both a risk and an opportunity. The strategy also allows us to boost the technical expertise of our staff.
I spend a lot of my time in education – both of the general public and of organisations. We have launched a guide to the GDPR, which has had over 3 million hits since publication.
I have given several dozen speeches to organisations over the last two years, and use those as an opportunity to spread the word to key audiences. We are also active in social media, and broadcast podcasts on significant questions. I also write blogs on key issues – including a series of GDPR myth busting blogs.
In April, we will launch a public education campaign, Your Data Matters, to educate the public on their new rights under the law.
The campaign is the ICO’s but we are collaborating with private sector and civil society partners to assist us in disseminating information about the use of personal data in everyday life, complete with real-life scenarios and story-telling content. The aim is to increase the public’s trust and confidence in how organisations use their data. And that’s my priority.
With the GDPR, and Brexit, I have spent a lot of time with parliamentary committees and ministerial staff, giving policy advice about legislative and regulatory change. I have spent around 2-3 days a week in London since I took up the position because of heavy parliamentary and Whitehall business. We have opened a London office and formed a parliamentary team.
My staff and I need strong negotiation skills: staking out principled positions, but being prepared to compromise. We negotiate with government agencies, and with corporations. We negotiate, for instance, over codes of practice, such as the one currently being developed on direct marketing. The role of negotiator is critical in an area of law where there are often no clear black and white answers, and few “bright-line” rules.
We are also involved in negotiation with other regulators and oversight agencies. There are many other players in this space – from the NCSC in matters of cyber security, the Surveillance Camera Commissioner to the Children’s Commissioners. In fact, I met with Bruce Adamson, the Children and Young People’s Commissioner Scotland, just this morning.
We work hard to develop a framework that allows us to work in a co-ordinated manner in the best interest of UK citizens.
I played all those roles in Canada (in Ottawa and in British Columbia). But they are now played out on a bigger stage, and with far greater implications.
There are two roles I’ve yet to speak about – the enforcer and the international ambassador.
These are far more prominent in my role as UK Information Commissioner than they ever were in Canada. And these are the ones that I would like to discuss in greater detail in the rest of this talk.
My office possesses a greater range of enforcement and sanctioning powers than those in Canada.
As an illustration, companies could find themselves subject to severe penalties for not complying with the GDPR, which states the maximum amounts that companies could be liable to as £17m, or 4% of the organisation’s total annual worldwide turnover in the preceding year, whichever is higher.
We also have powers to suspend or amend processing or transfers.
The enforcement notice can be more intrusive than the fine. These are significant fining and directing powers, and they have to be used predictably, consistently and judiciously.
To that end, my office is developing a Regulatory Action Policy to provide greater clarity and focus to our roles.
So, when I look at the contemporary inventory of regulatory tools at my disposal, it is now a long list that operates on a sliding continuum, or hierarchy of regulatory action.
That’s quite a list, right?
We aspire to select the most appropriate regulatory instrument based on a risk assessment of the nature and seriousness of the breach, the sensitivity of the data, the number of individuals affected, the novelty and endurance of the concerns, the larger public interest, and whether other regulatory authorities are already taking action in respect of the matter.
We also reserve the right to take into account the attitude and conduct of the organisation, whether relevant advice has been heeded, and whether accountability measures have been taken to mitigate risk.
Now might be a good time to tell you about our ongoing investigation into the use of personal data by political parties and campaigns. The use of data analytics for political purposes has not been examined by any other DPA.
It is a complex investigation involving over 30 organisations including political parties, data analytics companies, and social media platforms.
We hope to shed light on the mysteries and complexities of the data driven campaign and election. And we hope that our work will be an important contribution to the wider legal and ethical discussions about the use of personal data to mobilize voters.
All privacy and data protection commissioners are increasingly international ambassadors for their domestic data protection regimes and approaches.
We advance the interests of our citizens, and also to some extent our businesses, in a variety of regional and international forums.
As UK Information Commissioner, I am now of course on a far more visible international stage than I ever was in Canada.
To help navigate these uncertain international waters, my office has published an international strategy that recognizes the importance of agility in an ever changing world.
As you know, the GDPR will apply in the UK as of May 25th 2018. We have been giving guidance to British businesses on how to comply with the GDPR, on issues such as automated decision-making, profiling, personal data breach notification, and the processing of data on children.
We have also tried to explode some of the unfortunate myths concerning compliance.
As we have a more longstanding experience with some of the instruments in the GDPR, we hope that our practical guidance can have an influence beyond the UK.
At the same time, we have been trying to influence the new Data Protection Bill, which had its Second Reading debate in the Commons last week, and which aims to align UK law with the GDPR.
Overall, I am encouraged that the interests of the government, UK industry and civil society are broadly aligned around the need to apply the provisions of the GDPR within the UK with minimum divergence. The government has prioritised the issue of data protection and data flows in the Brexit negotiations because data underpins the digital economy, trade and criminal justice.
I am striving for what I have called a “holy trinity of outcomes”: uninterrupted data flows to Europe and the rest of the world; high standards of data protection for UK citizens and consumers, wherever their data resides; and legal certainty for business.
We intend to play a full role in EU institutions until the UK leaves the EU, and we are preparing for the post-Brexit environment in order to ensure that the information rights of UK citizens are not adversely affected.
But several questions remain, which will inescapably be determined by the final contours of the relationship between the UK and the European trading bloc. There is agreement that there will be a transition period – necessary to untangle a 40-year regulatory regime. During the transition period, to avoid a cliff edge harmful for business and citizens, the intent is that the regulatory regimes – from data protection to aviation, food standards and the environment – will be maintained.
When it comes to the arrangements post-Brexit for international transfers, achieving a bespoke agreement on data flows in the commercial and security sectors, or an adequacy finding from the European Commission may be the most elegant ways of ensuring the continued frictionless flow of data between the EU and the UK.
And there is no doubt that having domestic laws that achieve a high standard of data protection, harmonized with those of the EU, will be a significant advantage in a special arrangement.
Should the UK leave the EU without a data deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners.
Even with the GDPR translated into UK law, interpretation of the law is the responsibility of the ICO, and the UK courts.
Our interpretation might be influenced by decisions made through consistency mechanisms within the GDPR and the European Data Protection Board, but there is no guarantee – leading to possible divergences of interpretation and confusion for companies that do business in the UK and the EU.
Perhaps the most significant “unknown” from my point of view is the exact nature of relationship with our DPA colleagues across Europe.
Is the ICO going to have a seat on the European Data Protection Board with voting rights or will we be an observer without voting rights; or not even allowed to have a seat around the table? Is the UK going to be a partner, helping to set policy, or will we have the status of a third country – like Canada or Japan?
And then there is the “onward transfer” problem of how to protect the data of EU citizens exported from UK organisations to other areas of the world, which will be a critical issue in the determination of adequacy. Will the UK have a mirror agreement, similar to that enjoyed currently by Switzerland? Or will UK businesses have to default to various accountability mechanisms, such as binding corporate rules?
And what, then, of data flows from the UK to the United States? Will there be a separate UK-US Privacy Shield arrangement?
There is uncertainty over the legal arrangements in the transition period and the repercussions of this unprecedented process, but the one certainty is that the European Union will continue to advance the highest standards of protection for the personal data of people in the EU, and the UK shares and has committed to maintain these high standards.
I expect that when it comes to rights such as the right to privacy and data protection, the EU and the UK will continue to pursue common strategies; and I expect to maintain substantial dialogue and work with my EU colleagues. The ICO is the largest DPA in Europe and contributes heavily to the work of the Article 29 Working Party. Its influence should, and will, continue to be felt post-Brexit.
But none of those resources, legal tools and relationships are sufficient, unless the Commissioner has the courage of leadership and inspires teamwork to advance the rights of UK citizens in the face of some strong global, technological and organisational pressures. But courage is not just manifested in enforcement – in using the legal powers of the office to punish and sanction.
It is also a matter of hard work, commitment, perseverance and a skill in knowing what instrument to use, at what time.
Any data protection or privacy Commissioner has to be pragmatic, and be aware of the various policy tools and instruments at his or her disposal. At a superficial level, the job does involve knowing when to use the ‘carrot’ or ‘the stick’. But those choices are now more complex.
So that simple distinction may be misleading – there are now many types of ‘carrot’ and many types of ‘stick’.
At the end of the day, all privacy and data protection commissioners are looking for an ounce of prevention.
That has been generally argued by observers of the work of privacy commissioners, going back to David Flaherty’s 1989 pioneering book, Protecting Privacy in Surveillance Societies [2].
Offices like mine, like the ICO, are more effective when they can act proactively, and can give general policy guidance to minimize the need for complaints, and for enforcement actions.
Prevention is better than cure.
But this is a goal that is not easy to realise, when the office is continually expected to respond to the unexpected: the data breach, the high-profile media story, the sudden policy initiative from government, the significant court decision and so on.
We do try to operate an intelligence function that gathers data on the implementation of data protection, surveys companies and monitors practices.
We have a new team that focuses on priority files, and these cases, investigations or audits are run by cross office groups directed by the senior leadership team. We are then able to understand any general patterns and take proactive measures accordingly.
We also work with civil society and consumer groups – and take their complaints about systemic issues.
GDPR will give us more tools for education, for encouraging accountability, for building in privacy by design and by default. Of course, it is essential to keep the legal sanctions in the background, be ready to use them, and make organisations aware that we are ready to use them.
That general conclusion about the importance of the proactive and general policy work, over the more reactive enforcement work, was also true of my work in Canada and BC.
It is just that I now have more money, more staff, more laws, more tools in my toolbox, a larger audience, a brighter media spotlight and a more extensive range of organisations to regulate.
So, I have the resources to do the job and the law to back me up.
I’ll let you be the judge as to whether I and my team have the courage!