A brief blog on two recent publications in the press that herald the appointment of a malleable Information Commissioner to replace Ms. Denham in October. According to these documents, the replacement Commissioner could well be expected to make decisions that favour Government policy (e.g. in data sharing; with respect to the National Data Strategy).
The first publication is the column that appeared in the Financial Times (FT) on February 27th; it is written by Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport who is responsible for the UK’s data protection policy. The second is the job-specification for the next Information Commissioner (see references for both).
I have reproduced quotes from both (in italics) with an appropriate “comment” or “translation” of what the text means. Mr Dowden’s FT article is first; the job-spec is second. You should note that the role of the data subject and the next Commissioner is to accept that, in the brave new Dowden world, personal data are to become widely available.
Mr Dowden explains to FT readers
Mr Dowden writes in the FT: “As I launch the competition to find the next Information Commissioner, I want to set a bold new approach that capitalises on all we’ve learnt during the pandemic, which forced us to share data quickly, efficiently and responsibly for the public good”. Comment: personal data was shared quickly and efficiently in the pandemic because the current Human Rights regime (and data protection regime) allows for data sharing of personal data in a public health emergency (such as a pandemic). The current data protection/ human rights regime has not hindered any COVID 19 initiative. Quite simply, the issue of flexible data use, raised by Mr. Dowden, has nothing to do with the appointment of an Information Commissioner.
Mr Dowden continues: “Until now, the conversation about data has revolved around privacy — and with good reason. A person’s digital footprint can tell you not just vital statistics like age and gender, but their personal habits”. Comment: so what are you expecting next? Is it that digital footprints therefore need to be protected or is it digital footprints are fair game to be exploited?
Mr Dowden explains that “Our first priority is securing this valuable personal information”. Comment: so it’s digital footprints are fair game (did you get this wrong?). Note that the purpose of that retention is left out from Mr. Dowden’s equation and securing the data is seen, in itself, as a beneficial objective. Usually the purpose of the processing is key to any data protection analysis; in Mr Dowden’s world that purpose of retention is ill-defined and can come much later (whatever that purpose is).
Mr Dowden continues “The UK has a long and proud tradition of defending privacy, and a commitment to maintaining world-class data protection standards now that we’re outside the EU.: Comment: Mr Dowden is clearly ignorant of the fact that the European Commission took active infraction proceedings against the UK because the UK did not implement properly Articles 2, 3, 6, 7, 8, 10, 11, 12, 13, 22, 24, 25, 26 and 28 of Directive 95/46/EC in the DPA1998. These infraction proceedings, which according to DCMS, are still ongoing and therefore kept secret from Parliament and public, relate to the fact that nearly 50% of the Articles of Directive 95/46/EC were not implemented properly in the so-called “world-class” DPA1998.
Mr Dowden adds: “That was recognised last week in the bloc’s draft decisions on the “adequacy” of our data protection rules — the agreement that data can keep flowing freely between the EU and UK”. Comment: the main reason for the EC’s adequacy decision was that the UK_GDPR had not deviated significantly from the normal EU_GDPR standards (unlike the DPA1998 – see above).
Mr Dowden continues “But to do so, we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word. Countries as diverse as Israel and Uruguay have successfully secured adequacy with Brussels despite having their own data regimes.” Comment: the UK is sending a signal that it is likely to diverge from GDPR norms (and risk the EC’s adequacy decision). Perhaps we should become acquainted with the Uruguayan data protection standards that have so impressed Mr. Dowden (e.g. extend data protection to legal persons; register every database as with the DPA1984).
Mr Dowden continues “Right now, too many businesses and organisations are reluctant to use data — either because they don’t understand the rules, or are afraid of inadvertently breaking them.” Translation: Mr Dowden does not understand the rules. He overlooks the fact that Facebook, Google, Spammers and the Adtech Industry understand these rules perfectly well. Mr. Dowden ignores a major problem is the UK’s weak enforcement regime (whose weakness has been enhanced by Mr. Dowden’s decision, taken 4 days before his FT article appeared, not to allow NGO’s to take data protection issues to the Courts independently of data subjects and Information Commissioner – see references).
Hence “The next Information Commissioner will not just be asked to focus on privacy, but also be empowered to ensure people can use data to achieve economic and social goals”. Translation: privacy protection should give way if there well there is a use of personal data for an economic (e.g. more profit) or social goal (e.g. to improve engagement with the disadvantaged or impoverished data subjects).
“I will shortly announce our priority countries for data adequacy agreements”. Translation: those countries who are likely to sign a trade deal with the UK are likely to become adequate. Remember, the fact that Mr Dowden denotes a country as adequate for UK purposes does not mean it will be adequate from the perspective of the European Commission.
“Appointing a new information commissioner is just the first stage in this process” and the new Commissioner has to understand that there is a “new era in the UK — one where we start asking ourselves not just whether we have the right to use data, but whether, given its potential for good, we have the right not to”. Translation: anybody who opposes “good uses” of personal data should not apply for the job.
Information Commissioner’s job spec
The job-spec states that the Information Commissioner’s has a role in the “Government’s National Data Strategy” which sets out the “ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely”. Translation: data privacy is not the main priority if there is a “good” economic reason for the use of personal data.
The job spec adds “We also want the public to be active agents in a thriving digital economy, who have confidence and trust in how data, including personal data, is used”. Translation: “active agents” are data subjects who willingly provide their personal data so they can used to meet processing objectives that improve the digital economy.
“This will mean maintaining high standards of data protection without creating unnecessary barriers to data use”. Translation: we intend to appoint a flexible Information Commissioner who will not be a stickler for the letter of data protection law.
“We are looking for an outstanding individual to become the next Information Commissioner, who understands the importance of striking this balance and delivering on this critical agenda”. Translation: the Commissioner has a role in “delivering the National Data Strategy” and should not be too concerned about privacy when economic benefits are there to be obtained.
“The Information Commissioner has a key role to play to drive the responsible use of data across the economy, to build trust and confidence, and to communicate the wider benefits of data sharing for our society as well as for competition, innovation and growth”. Comment: the “responsible” Commissioner we shall appoint should be able to deliver data subjects who will believe in the National Data Strategy.
“The Information Commissioner should play an active role to keep the ICO at the forefront of regulatory best practice, continuing to develop governance, key decision-making and other processes to reflect the ICO’s evolving role”. Comment: DCMS will encourage the new Commissioner to focus on issuing Guidance and Codes of Practice or engage in conferences that discuss ethics or governance (rather than enforcement).
The selection panel is four people, two of which are unknown. The selection panel chair is the current Director General for Digital and Media Policy, the Departmental Official who is ultimately responsible for delivering the Digital Strategy/National Data Strategy. Translation: the appointment process is unbiased.
Concluding comments
The Government appear to have abandoned the idea that the Information Commissioner is an independent Umpire between the interests of data subject and the interest of the controller; the new Commissioner is to be a team player tasked with delivering (or not hindering) the National Data Strategy.
Just imagine your football team turns up for a match, only to discover there are twelve players on the opposing team which includes the referee. That, in summary, is what is likely outcome with this job specification for a new Commissioner.
My gut instinct also, is that the above commentary in the FT and job-spec only make sense if Government are pursuing a weaker data protection regime that is closer to the standards of the DPA1984 (and the APEC/OECD data protection standards rather than the EU_GDPR).
But only time will tell on that one.
Upcoming Data Protection Courses
All courses lead to the relevant BCS qualification:
- Data Protection Foundation: London, Starts April 27-29 (3 days)
- Data Protection Practitioner: London, Starts May 11 (6 days)
- Data Protection Upgrade Practitioner: London, May 25-26 (2 days)<LAST ONE
Full details on www.amberhawk.com of by emailing [email protected]
References
Mr Dowden’s FT article (27 Feb): https://www.ft.com/content/ac1cbaef-d8bf-49b4-b11d-1fcc96dde0e1
ICO JobSpec: https://publicappointments.cabinetoffice.gov.uk/appointment/information-commissioner-2/
Decision by Mr Dowden on 23 February not to allow NGOs to take legal action to defend data subjects: https://www.gov.uk/government/publications/call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018/uk-government-response-to-call-for-views-and-evidence-review-of-representative-action-provisions-section-189-data-protection-act-2018
Comments
You can follow this conversation by subscribing to the comment feed for this post.