UK information commissioner exit interview: post-pandemic privacy, cyberattacks and ministers
In a final interview, Elizabeth Denham, the UK’s outgoing Information Commissioner (ICO), discussed her shock at firms’ lack of preparedness against cyberattacks, the critical need to deal with the challenges facing the Freedom of Information (FOI) request mechanism, the audit of the UK’s ruinously expensive COVID Test and Trace mechanism, and the need to be ready to monitor how data captured during the pandemic is handled once it is over.
The Information Commissioner’s Office (ICO) incumbent was in conversation with Bronwen Maddox, director of the Institute of Government. Denham spoke first of the pace of change brought on by Brexit and COVID. “The principle-based approach that we have in our law had the flexibility that we needed, when we needed it. We didn’t have to change the law to implement nationwide Track and Trace systems or to allow for data sharing that needed to happen between government agencies and the commercial sector,” said Denham in her opening address.
“So the law worked in the way we had intended it to…. Where the law works best was where [organizations] considered people’s views front and centre to a new service or intervention.”
This was built into proximity-sensing apps, and Denham believes it helped the nations of the UK see how good data protection leads to increased public trust and, subsequently, increased take-up of apps.
“We saw in the pandemic that data protection is an enabler, encouraging people to trust innovation by showing them that their views were being respected – and that’s not a new idea,” said Denham, describing the changes to issues around privacy over the last thirty years from applications-filing to algorithms, while principles such as respect for data remain consistent.
“Today’s data-driven innovations have the potential to change tomorrow’s society, but that only happens if people, if society buy in to those technical advances,” said Denham, warning that if people do not trust the outcomes of the data however processed, whether they see issues around bias or opacity in decision making, “then people will start to resist and block the use of their data.”
This has already happened in the UK, for example with the abandonment of the Care.data initiative and a backlash against the recent plan for doctors – general practitioners (GPs) – to collate patient data for anonymized National Health Service databases under the General Practice Data for Planning and Research (GPDPR) scheme.
Denham believes government programs have to have people at the center to be successful. People have to be able to trust the law and regulators. “Innovation is enabled by high data protection standards,” a point that is critical in the current consultation on data protection law.
The “centrality of fairness” in how people’s data is used is key for Denham, who called on the government to reassess proposals to remove the requirement for fairness and the right to human intervention in automated decisions. Removing the requirements would risk losing public trust in technologies that could offer so much to society, according to the outgoing Commissioner.
Denham hopes that the ICO’s push for FOIs to be applicable to private companies taking on public sector contracts, which the IFG’s Bronwen Maddox said make up around a third of government spending, will be taken up. This pursuit, which was put on the back burner during the pandemic, will go ahead at some point soon. In the meantime, the office is focusing on the more fundamental issue of transparency: record keeping “or the preservation of records of important government decisions.”
“The duty to document doesn’t cease in a crisis,” said Denham, who believes this fundamental issue is more important than ever. “The suggestion that ministers and senior officials [are] using private correspondence channels such as personal email accounts or encrypted messaging is concerning. Are these historic decisions being made going unrecorded on government networks? And if so, how can we scrutinize and how can we learn from those decisions?”
Good record-keeping is the foundation of Freedom of Information law for Denham, and something the office will continue to pursue after her term ends: “Senior officials and ministers need to walk the talk.”
For the huge pandemic data collection schemes such as Track and Trace and vaccine certificates, “now the work really starts” as the ICO conducts audits of apparatus such as the multi-billion-pound project, along with monitoring what is done with other data collected by the government. The Test and Trace audit is finished and is currently with the government.
“During the pandemic, people were more relaxed, in general, about providing their information if they could understand and if the government’s use of that data was transparent,” said Denham, but the ICO will have to actively audit any “secondary” uses of data gathered during the pandemic.
She expects the mandate of the ICO to continue to expand, and it seems the regulator could incorporate the duties of the Biometrics and Surveillance Camera Commissioner. Denham is hoping for an expansion of FOI law, as it does not match the way government services are now delivered through private companies, and for a change to the current 28-day processing period, which can be extended. Ministers using private channels is within the current law, but Denham hopes for a debate on what “being on the public record” means.
The Office has expanded in terms of headcount and skills during Denham’s term and its new fee regime makes it “fit-for-purpose,” though she would like the ICO to be able to keep some of the fines in order to be better prepared for taking on Big Tech, which litigates against the ICO with what Denham calls “an inequality of arms.” There is currently an ongoing allegation concerning issues around children’s privacy on TikTok.
“I am constantly disappointed by the lack of I think even the most basic cybersecurity arrangements in place in organizations,” said Denham, despairing at companies not even taking the steps to protect the backdoors, not training staff and not doing the minimum to protect networks.
Denham’s five-year role, which she had expected to be more of a “quiet little job of just bringing in the GDPR” at the ICO before the Brexit vote and COVID changed so many aspects of life in the UK, finishes on 31 October; she will be succeeded by John Edwards. Keeping it in the Commonwealth, Edwards was New Zealand’s Privacy Commissioner, as Denham had been for British Columbia.