Jonathan Bamford holds up a tatty bundle of papers. They’re scrumpled, time worn, ripped and held together with yellowing Sellotape, but with the Royal coat of arms crown still proudly visible on the cover. It’s Jonathan’s copy of the UK’s first data protection act, issued to him when he joined the ICO 34 years ago.
“It’s well worn because it’s well used,” he laughs. “There was no looking up details online, we actually had to get the copy out. I used to joke that new starters were issued with copies that looked similarly well-used, professionally aged by the people who work on making parts of Disneyland look old, so they’d get the credibility of looking well-versed in the law!”
Much has changed since Jonathan, most recently Director of Strategic Policy (Domestic Policy), joined the Information Commissioner’s Office, then known as the Data Protection Registrar – more computers in the office, less smoking in the office – but as he comes to retire, he’s reflecting that the fundamental principles have remained largely the same.
“There are standards in this 1984 act we can all recognise today. They’ve all been there from the very beginning. There’s transparency in terms of telling people what’s happening to their information, what they called finality principles: if you provide information in one context, it isn’t fair game to be used in any context. There’s data minimisation principles, data quality principles around accuracy and making sure it’s kept up to date. Providing people with information access rights, which was quite novel at the time, and also security provisions. So although this is almost 40 years ago, those concepts remain similar in today’s law.”
Today’s laws, the UK’s Data Protection Act and the EU’s GDPR, run substantially longer than Jonathan’s original 1984 copy – “look how slim this is, the basic ideas of data protection are quite simple,” he remarks – and now give detailed breakdowns of individuals’ rights. But Jonathan recalls that the birth of the law was not solely concerned with protecting people.
“I think it’s fair to say in the 1970s there was concern about the emerging potential of new technology, and how it would enable organisations to hold large collections of information about individuals from disparate sources. There was concern businesses could start to build up an intrusive picture of people’s lives, and then use that information in unwarranted ways - the things that we think today.
“But the technology was very embryonic in those days, and the concern that really drove the drafting of a law was that the new technology wouldn’t be embraced by the population, and the potential benefits to society would not be achieved. We didn’t want a sort of Luddite approach to this. When we think about that, it was very far reaching for people to look into the future and worry about this type of thing, in an era when computers were full of whirring tapes and flashing lights.”
Indeed, as Jonathan recalls, Wilmslow itself was not the centre of the computer revolution.
“The data protection register we were responsible for was on a single computer, but it was down in Sunbury-on-Thames, with dumb terminals to allow us to read it here in Wilmslow. If people wanted to search it themselves, we published the register on microfiche and sent it to libraries.”
The office was located in Wilmslow at the behest of the first registrar Eric Howe (the story goes he favoured the location as it was close to his home in Macclesfield), but while the new office may not have led the way technologically, it would quickly become central to a law that Jonathan recalls had a clear international intention:
“I think people were waking up to the fact that countries that put data protection laws in place might then restrict the flow of data about their citizens to countries with less protections. So one of the reasons we started to see international instruments emerging wasn’t just the ‘respect to private life’ end of the spectrum, it was also to remove unwarranted barriers to data flowing around the world, which would in effect be non-tariff trade barriers.”
With the law in place, the Data Protection Registrar was able to take action against misuse of people’s personal data. The first tribunal case was in relation to the Community Charge, better known as poll tax, around the volume of personal data being gathered to administrate the process. Another early case involved a company that specialised in selling the type of innovative products you never knew you needed, including slippers with torches, to light up night time bathroom visits.
“The organisation was taking details of people who bought their products, and then selling them as mailing lists. Of course this wasn’t ok – just because people were buying sandals to aerate their lawns, complete with six inch nails on the sole - didn’t mean their personal data could be sold on wherever the company saw fit. Our investigation found the company made nearly as much money out of selling people’s data as it did from selling its products. It was the first time I really realised the value of this personal data.”
The 1990s saw a continued progression of the office. A new data protection registrar, Elizabeth France, oversaw modernisation, including a computer based register and the arrival of a computer terminal for every employee. There was a greater focus on helping organisations comply with the law, including the ICO’s first audit, of the Scottish Tourist Board. And the office also took on responsibility for the Freedom of Information regulation, something Jonathan recalls “wasn’t a straightforward decision at the time - some critics felt us regulating FOI was a conflict with our data protection work.”
The ICO’s international profile was growing too, including hosting the International Conference of Data Protection and Privacy Commissioners in Manchester, opened by the Princess Royal.
It’s difficult to imagine data protection without such international management, and Jonathan acknowledges the Council of Europe Convention 108 as “the original game changers for us at European level”. But he points out too that the UK so often led the way.
“People think now about data protection as though it’s a European Union construct, but the UK had data protection law ten years before the EU had any. And again, the motivation behind the EU developing a data protection directive was not so much fundamental rights and freedoms as facilitating the free market. There’d been a case of a car company in France being unable to transfer data to their offices in Italy, which was a disruption to trade. And so it was the EU’s trade officials that took the lead initially on dealing with data protection.”
That EU involvement would ultimately lead to a Directive, and in turn a new UK law, including the introduction of organisations requiring a legal basis for processing information. It also reflected the cultural differences between the UK and some EU members. “Trade union membership was now classed as sensitive data, for instance. Our trade union history in the UK was quite different, but membership of a union was a far more sensitive issue in places like Poland, when you think back to the role of Solidarity.”
The ICO’s next era, under new commissioner Richard Thomas, was characterised by increased media attention on data protection law.
“Two pensioners had died from hypothermia after their gas supply was cut off, and the gas company blamed data protection for not informing the local authority. Blaming data protection was absolute rubbish, of course, but that was the line given to the coroner. And then we had the investigation into Ian Huntley, when it came out that suspicions about him hadn’t been shared by police forces ‘because of the Data Protection Act’.
“It led to headlines in the newspaper calling for a repeal of ‘this killer law’. The reputation of data protection was being trashed, even though in both cases it was wrong to blame the law. Richard Thomas launched a data protection fightback. It might seem odd given the crest of a wave we’re on today, with so many people interested in their information rights, but we had to make people more aware of their rights, and in as simple a way as we could.”
Jonathan remembers too when HMRC lost the records of 25 million people. “This was one of my big data protection moments. That was when government, press, public woke up to how vulnerable personal information had become. Losing 25 million paper records would take real effort and planning, but this information on CDs was lost in a second. People spoke about data protection in a completely different way after that. And it led to our office getting stronger powers, including being able to impose civil monetary penalties for the first time.”
That power would come in under a new Information Commissioner, Christopher Graham, a time that also saw high profile domestic cases around CCTV in taxis, and the use of ANPR technology. It also saw the conception of GDPR.
“GDPR is modern history, and so people are more aware of how it came about, but it’s interesting to me that it shows data protection regulation moving much more into that fundamental rights and freedoms category. We’ve also seen the influence of European case law, with concepts like the right to be forgotten. But we were influencing it too. Our work on privacy by design, and privacy impact assessments as an EU DP authority helped to shape GDPR, reinforcing the forward looking accountability concepts that had developed around the world. We also played an important role in helping the government get the DPA 2018 into the statute book.”
It’s an international role that continues today, with Information Commissioner Elizabeth Denham chair of both the Global Privacy Assembly and the International Conference of Information Commissioners, and Deputy Commissioner Steve Wood recently appointed to chair the OECD’s working party on data governance and privacy.
And so to the future. Jonathan finishes at the ICO before Christmas, looking forward to the flexibility retirement brings. He leaves with a positive view of the role of data protection:
“Data protection is vital to modern society, I hear Ministers talking about it as a cornerstone of the digital economy, which in fairness was pretty much what it was set up to be. There’s been bumps in the road, but the reputation of this protection has grown and grown.
“When you’ve worked somewhere for 34 years like I have, you feel like you should apologise for it, like you’re some stick in the mud with no ambition. That couldn’t have been further from the truth. I’ve seen an ever changing landscape, but this was a law set up to encourage public trust and confidence, and it still is today. We don’t want a public scared of those whirring tapes and flashing lights, or about digital footprints that are now part of our lives. At the heart of all the legislation are the same simple principles of looking after people’s information properly and in ways they’d understand.
“Over 34 years, the need to inspire public trust and confidence has been constant. And I’m proud to have played my small role in that.”