Higher profile for privacy but is it sexy?

October 15, 2013

Data protection is an important issue of public concern. Richard Thomas CBE, former UK Information Commissioner and adviser to the Centre for Information Policy Leadership, documents how the profile of data privacy has steadily grown over the years.

When I started as the UK’s Information Commissioner at the ICO in 2002, data protection had a low and negative profile – in the political and legal worlds, in the media and with the public.

It was seen as nerdy or irrelevant, with strange language, vague requirements and toothless laws. It almost had a theological feel, with a handful of regulators and cognoscenti talking to each other as the High Priests. Who could ever imagine that “data subjects” meant men, women and children?

No wonder that few companies or public bodies were taking it seriously. Worse still, it was a great way to duck out of responsibility – “We can’t help you sort out your mother’s bank account because of data protection”. Even worse – until he had to back down – when a Chief Constable blamed data protection for his force’s failure to link previous complaints against the main suspect in the notorious Soham child murders.

If I am frank, I mainly wanted to be Information Commissioner to oversee the introduction of the new Freedom of Information law (FoI). This duly generated half a million requests in the first four years, transformed the fabric of public life and led to publication of the formal Advice to Tony Blair about the legality of the Iraq invasion and to the MPs’ expenses scandal.

But I quickly worked out that privacy and data protection were destined to have just as much impact as the FoI – and for private firms as much as government. Technology and globalisation were about to transform people’s lives – and spread their electronic footprints all over the place. There were real worries about the ways some organisations – whole sectors in some cases – were handling personal information. Scandals were waiting to happen. There was an acute lack of genuinely helpful guidance. My experience as a consumer regulator (in charge of consumer affairs at the Office of Fair Trading, the UK’s ACCC) told me that privacy had to become a reputational matter, so that companies in competitive market places really worried about what their customers thought. Likewise employers needed to understand the importance of respecting the privacy of their staff.

What a change over the last decade! Google and Facebook have made something of an appearance. Big Data is everywhere and getting bigger. Privacy issues are now rarely off the front pages, whether it is hacking by tabloid journalists, interception of communications by US spy agencies or the spread of CCTV cameras – and of course the media just love data breach stories. ICO surveys show the growth of public concern. Numerous parliamentary inquiries and debates have resulted in stronger laws. The issues are now high on corporate and governmental agendas. As the success of IAPP shows, the privacy profession has mushroomed.

At the IAPP-NZ summit in November I’ll be talking more about the transformation of privacy and the ICO’s part in raising its profile. There are plenty of war stories which raised the temperature – battles over ID cards, warnings about “sleep-walking into a surveillance society”, denouncing the government for losing 25 million child benefit records, exposing the illegal trade in personal information and closing down the construction industry’s blacklist.

I’ll also be discussing what the higher profile means for Commissioners and other regulators – the benefits (and the perils) of media campaigns, being “selective to be effective”, how to use carrots and sticks simultaneously, the value of “naming and shaming”. Above all, how to get companies to understand why getting privacy right is a matter of enlightened self-interest.

The profile of privacy has come a long way, and will continue to climb. It’s almost become sexy – and the risks are getting greater all the time. We ain’t seen nothing yet.


Richard Thomas CBE was the UK Information Commissioner between 2002 and 2009. He is currently an Adviser to the Centre for Information Policy Leadership, the think-tank associated with the Hunton & Williams law firm.