Original script may differ from delivered version
Elizabeth Denham's keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21 November.
For me, having the opportunity to talk to you today as the UK’s new Information Commissioner takes me back to thinking about my roots. Trained as an archivist, my journey to Information Commissioner began as a records manager in the health sector in Calgary, Alberta, many moons ago, when a new FOI and privacy law meant every organisation had to have a data protection officer – sound familiar? Very soon my first information job was not that much about records management. Instead I was writing policies and training staff on privacy, and trying to convince clinicians and hospital administrators raised on a culture of confidentiality that public access to records (under certain circumstances) was important.
That was a huge attitude change for the health authority, and I am sure all organisations went through a similar (may I say “cultural” change.)
Twenty years later, and 4,000 miles around the globe, I’m tasked with helping the next generation of data protection officers face similar challenges. Responding to a new law – the forthcoming GDPR, assisting in updating your training and assisting and evolving the attitude that your organisations take to data protection.
I understand your reality, and my office will be here to help you through this important change.
As Information Commissioner, along with my capable staff, I have been trying to get the message out of positive change in respecting information rights.
I was interviewed by the BBC about Freedom of Information, and I expressed suggestions on how it could work even better: tighter monitoring of public authorities, extension of the law to cover private companies who are providing services on behalf of public bodies.
I presented my views on WhatsApp and Facebook: specifically the importance of consumers being given proper information and protection around their personal data, my concerns about what happens to people’s information when companies merge or are acquired.
I and my staff presented to the committee reviewing the Digital Economy Bill. I outlined the checks and balances we want to see around data sharing, and the importance of inspiring confidence in e-government.
There’s been work behind the scenes too. Earlier this month I spoke with Dame Fiona Caldicott. Her office plays an important role, and we need to work closely together on issues like data sharing and consent in the health sector. And I am in contact with senior officials urging that the role of the Law Enforcement Directive is confirmed as a priority.
Whatever you’ve seen, I hope you’ll have felt my passion for access rights and privacy issues. This is what I do. I’ve worked as a regulator in this field for more than twelve years. My focus has always been on making sure the regulator is relevant, and making sure our work made a difference to the public.
Each of us in the information rights field, on a daily basis, tries to make a difference to the public. Collectively, we do a good job: I think people have never been more aware of their rights, of what they can expect of the businesses and organisations they trust with their data. But there’s no time to stand still. I believe there is much more to do, and we need to respond to a fast changing world.
You know, when we speak about social media, apps and the digital economy, it’s easy to forget the world that the UK’s current Data Protection Act was forged in. No Google. No Facebook. Clunky desktop computers with less processing power than we all have now in our pockets and purses.
I was honoured to give my views to a group of digital entrepreneurs in September. I wanted to make the point that I do not believe data protection law stands in the way of technological progress.
The theme of my speech was privacy and innovation, not privacy or innovation.
But that’s a theme that is already second nature to most of you. To many of you in this room, privacy and innovation will be part of your day job, not just to help your organisations make money or save money but to provide citizens with modern digital services they increasingly expect.
I think the role of DPO can be one of the toughest jobs around. You have to help your organisations deliver, but you have to do it in a privacy responsible and transparent way. That’s really challenging in lots of varied situations. It’s never easy to speak truth to power, to say ‘your great idea to take the business forward doesn’t fit with the law, and is going to upset consumers’. I know what it’s like: you don’t want to be the Department of No – so you don’t say ‘no’, you say ‘yes, but if you do it this way....’
It often falls to you to find a way to respect privacy rights and enable innovation. That means following the law, but it also means making sure that whatever direction you take with people’s information, you take those people with you. New technology, then, but tried and trusted principles: privacy by design, telling people what you’re doing with their data, maintaining consumer trust.
And of course, attempting to build something today that will withstand the law of tomorrow. And so to GDPR. I know this is an audience that’s been hearing about ‘new dp reforms from Europe’ for a long time. I’m sure we can all agree that the modernisation is overdue. The world’s changed a lot since 1995, not only technology, but people’s attitudes to data, their demand that their information is properly looked after. The law needed to change too.
GDPR brings a more 21st century approach – the right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong.
But the big change is about giving consumers control over their data. I believe this is a positive development. Consumers get that they sometimes have to share some of their personal data to get the best service from organisations, or where there are pressing public policy needs that must be met like fighting crime and protecting the vulnerable. But they’re right to expect that information be kept safe, be used transparently and for organisations to demonstrate their accountability for their compliance.
We know now that the government has confirmed the UK will implement GDPR. And the ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
I can set out today a bit more detail around how we’ll be doing that.
A key pillar of the new law is consistency across the EU, and a key player in ensuring consistency will be the European Data Protection Board. The Article 29 Working Party - the body that currently brings together the DP authorities across Europe - is leading the way developing guidance on some of the key aspects of the law to help us all hit the ground running.
We’re inputting into this process, of course. The ICO is helping to write guidance on a number of priority areas of the GDPR aimed at organisations. The first pieces likely to be published address the role of the Data Protection Officer, the new right of data portability and how to identify an organisation's main establishment and lead supervisory authority. The Article 29 Working Party is aiming to finalise this guidance by the end of 2016.
Next up will be guidance on the concept of risk and conducting a Data Protection Impact Assessment. This is already being worked on, with an estimated completion date of February 2017. Work has also commenced on guidance on certification.
There are areas too where the ICO wants to develop its own thinking, and obviously we don’t want to duplicate the work being done internationally. Priorities include a revised Big Data report, which we’re aiming to publish by the end of this year, and guidance on consent and profiling, which should be complete by the end of January.
As well as our guidance, we’re also committed to working with industry groups. We know some sectors will face specific challenges, and we’re happy to meet to understand what the constraints will be on the ground, and to see how we can help.
As ever, everything will be published on the ICO website, and we’ll flag updates on twitter and through our e-newsletter.
I know there are still some questions to be answered around GDPR. We’ve more certainty today than we had six months ago, but I’ve heard the questions about what happens when the UK leaves the EU. That’s one for government, of course, but we’ll be at the centre of any conversations, and will be banging our drum for continued protection for consumers, clear laws for organisations, and all the usual aspects that we’ll need to continue trading with Europe. We still need DP laws to achieve all that.
And I hear the concerns around the Law Enforcement Directive too. Those of you affected by that will not be reassured by the quiet approach taken by government so far. I wrote to the Home Secretary last month raising this issue. It high on our agenda as we know organisations crave certainty and need to plan ahead.
It’s clear this is a time of change. GDPR, the rapid growth in technology, the increasingly central role data is playing in modern life are some of the elements that are evolving.
The ICO as a regulator organisation isn’t insulated to this change. We need to evolve too – to stay relevant, and to make sure we’re providing the best service we can. With that in mind I’m making a few changes at the ICO.
We’ll have two deputy commissioners, one to oversee policy issues, and one to oversee operations. And we’ll have a deputy CEO, who’ll oversee functions like HR, facilities and finance.
Simon Entwisle, who many of you will have worked with, is retiring after 12 years at the ICO. He’ll be here until next summer, and I hope to have my new team around me before he leaves. He has made a huge and lasting contribution to information rights.
There’ll be more improvements too.
A new Chief Technology Officer to improve our capacity and expertise.
A dedicated Parliamentary and Government Affairs Team, to play a proactive role in our dealings with government and an even stronger connection with the law makers.That will include a small office in London.
Strengthening our assurance work – accountability, BCRs and certification.
Appointing a senior legal counsel to build on our expertise ahead of a new law that will bring greater legal challenges and scrutiny of our enforcement work.
Reinforcing our International team, further equipping them to meet the challenges head on and ensuring we are as influential as possible on that stage.
There’s work to do around these changes. We’re consulting with staff, and making sure we make the right changes. But it’s clear we do need to make changes if we’re going to stay relevant.
And that includes not forgetting about FOI. I’ve worked as a regulator in this area for more than twelve years, across four different jurisdictions. Independent of how the letter of the law varies from country to country, there are tried-and-true access principles that Commissioners must defend. That doesn’t just mean the big stuff: the importance of access to information, the importance of proactive transparency from government, the balance between those rights and the need for government to have room to do its job. It also means things like proper records management and retention policies that don’t just sit on a shelf gathering dust, but on which staff are properly trained and are properly followed.
I’ve already been clear that I think government could do more to include private bodies that are basically doing work on behalf of the public. And I want to review what we’re doing when public authorities aren’t dealing with requests quick enough, whether we’re talking local authorities or central government departments. You can expect to hear more from me in this area in 2017.
2017 is going to be a busy year. But I am pleased that it will be. There is work to be done for us all. I want to leave you with a stat from an ICO survey earlier this year. It showed only one in four UK adults trust businesses with their personal data. Only one in four.
I’ve already said a fundamental objective of my five-year term as Commissioner is to build a culture of data confidence in the UK. The ICO will do its bit. Advising. Educating. Investigating. Enforcing.
But we can’t do that on our own. Data protection is a team sport. It is a marathon and not a sprint. Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large.
We’ve got an opportunity with the GDPR to look at how we do things afresh. To consider where we can improve. Getting it right means not only following the letter of the law, but taking people with us, demonstrating to customers that you’re taking your responsibilities with their data seriously. We want to hold organisations up as great examples of how privacy and technology can work for consumers. We'll help you get there, but we can all lead the way.
Thank you for inviting me to speak with you today. Great to be here.