ICO calls for practical approach to data protection

The Information Commissioner’s Office (ICO) has called for a more practical approach to data protection regulation.

Information commissioner Christopher Graham said regulators must not get left behind as technology changes how personal information is used.

“The digital revolution has implications for every aspect of our lives – as citizens, as consumers, as individuals,” he told the 2015 European Conference of Data Protection Authorities being hosted by the ICO in Manchester.

“Unless we are very alert, we are also tracked. Shopping in the supermarket or online, our purchasing habits are recorded and analysed,” said Graham.

He noted that governments have also gone digital in the pursuit of efficiencies from joined-up public services.

“And now there’s the security dimension, with politicians claiming that public safety is an absolute right, while privacy is a right that may need to be qualified,” said Graham.

“And that’s where we need to get practical. Because the challenges are how we do things, not what we are there for,” he told representatives from around 90 data regulators and international bodies.

“If we want to be effective doing what we do, we are going to have to learn to do some things differently.”

According to Graham, the best place to begin is by understanding what is expected by the people whose fundamental rights the data protection authorities are supposed to be defending.

“If we just carry on doing what we do the way we’ve always done it, regardless of what’s been happening over the last 20 or 30 years and what might happen over the next few decades, oblivious to what consumers and citizens are doing for themselves and ignoring what they are telling us about what they expect from us data protection authorities, we won’t be doing our job as regulators of data, guardians of privacy and policemen of the digital highway,” he said.

Graham said several European studies show that citizen and consumer attitudes to privacy are changing as they become accustomed to the digital deal.

The research revealed that the commonly recurring themes of what the public want from data protection are:

• Control over their personal data
• Transparency – they want to know what organisations will do with their personal data
• To understand the different purposes and benefits of data sharing
• Security of their personal data
• Specific rights of access, deletion and portable personal data.

The common themes of what Europeans want from data protection authorities (DPAs) are:

• Independence – DPAs free from outside influence
• Consistency – where possible a consistent approach to data protection across the EU
• Visibility – DPAs making themselves known, providing clear help and guidance
• Privacy certification, seals and trust marks to give confidence in the organisations processing personal data
• Responsiveness to new technologies – DPAs that understand the privacy implications of the new technologies the public encounter in their daily lives
• Enforcement – appropriate remedies that are used effectively by DPAs to ensure that organisations comply with data protection rules.

Graham also discussed the potential impact of a reformed EU data protection regulation, the role of international co-operation, and the importance of properly funding regulation.

He said that while it is still not known exactly what will be required under the data protection regulation and directive on police and justice matters, some things are clear.

For example, he said a European data protection board is going to be a reality within the next two or three years. “That means we in the Article 29 Working Party family have to learn to co-operate and work together better.”

The threats to privacy are global in nature and they require global responses, said Graham.

“We need to be better joined up and work better together in the face of global developments and multinational players. This doesn’t just mean individual authorities working better together, but closer working between networks of authorities too,” he said.

With more than 400 staff and a budget of around £17m for data protection alone, Graham said the ICO is one of the bigger and better resourced of the European DPAs.

“But, whatever the scale of their operations, individual data protection authorities must be assured of the funding necessary to do what is expected of them,” he said.

Graham said that having proposed the reform, the European Commission will need to compromise to secure a final text that is practicable.

“Yes, the member states have to fund their DPAs, but the Commission, and the Parliament too, must not insist in the trilogue on processes that can only render small, underfunded DPAs ineffective – or less effective than they could be if given space to prioritise their interventions. It’s only job done if it’s job doable. So let’s get practical – all of us,” he said.
