A busy week this week, with a Directors' Round-Table discussion at EURIM (a working group which brings together policymakers, industrialists and stakeholders from think-tanks and the not-for-profit sector), and then a launch event for the Information Commissioner's Office to publish the latest report from the Enterprise Privacy Group (EPG) - on "Privacy By Design".
While the two events were very different, they both reinforce a few key points about the identity and privacy world of today.
The EURIM round table was fascinating, as it always is to get a glimpse of the inner workings of our parliamentary system (which, incidentally, is in a state of some upheaval today... but more of that another time...). Among other things, there is this perennial question: when you invite MPs (and peers) to a meeting while parliament is in session, what are the chances that any of them will be able to turn up, and/or stay for any useful length of time? The chances are that they will either simply not attend, because there's something more important going on in the House (on Monday it was the Chancellor's Pre-Budget Report, so a highly-charged and contentious session), or that they will have to rush out of the room at short notice when the Division Bell signals that it is time to vote.
Most parliamentarians are, unfortunately, notoriously technophobic, and indifferent to anything related to the information society and knowledge economy. There are a number of exceptions, and in the interest of impartial representation I can cite Alun Michael MP (Lab/Co-op), Philip Dunne (Con) and Merlin, Lord Erroll (Cross-bench) as all demonstrating a greater-than-average commitment to these topics.
On the other hand, the EURIM round-table was somewhat frustrating, in this sense: there was, to be sure, a wide range of input, from policymakers, technologists, civil society and so on. There was, as one might expect, a commendable wish to address the high-order topics such as identity, privacy, the 'ownership' of personal data, and so on.
However - and it gives me no pleasure to say this, I assure you - there was a depressing sense of déjà entendu about the whole thing. We trotted steadily round the same topics, jumping (or hitting) the same obstacles as have been encountered at countless similar meetings over the past year or so. And it need not be like this. For instance, the model I described in an earlier post (The Future of Identity and Privacy - 2) charts exactly what we went through on Monday, how it can be avoided, and how to pass beyond it to a productive discussion of the high-level issues. As it was, I'm afraid we got, once again, a series of statements of stakeholder perspectives and no real progress. 10/10 for effort, though, and likewise, full marks to EURIM for diligently keeping this in the attention of at least some of our elected representatives.
Then, on Wednesday, it was up to Salford for the launch of EPG's "Privacy By Design" report - commissioned by the Information Commissioner's Office and produced in record time after sterling work by Toby Stevens, co-founder of EPG. He was rightly praised by the Commissioner for that, and for the report itself, which is a very readable and practical document. It, and other related reports, can be downloaded from the ICO site or the EPG site.
Arguably, the UK ICO has for too long been under-funded and 'under-empowered' (if that's a word...), frequently criticised for lacking the legislative teeth to do an effective job. On that score, at least, the Commissioner was able to announce that the Ministry of Justice is to grant greater powers to the ICO, including the ability to 'spot check' public sector bodies without their consent, if that is felt to be appropriate. Where the problem at hand is so much a 'cultural' one - such as good practice in data privacy - it's often hard to know where to start to bring about meaningful change. I tend to think that that ability to perform consentless audits is a good place to begin.
There are those who have argued that it's invidious for public sector bodies to be singled out this way, and that commercial organisations should be subject to the same regime. There, I tend to disagree. As of next year, the ICO will be able to punish commercial sector organisations by fining them. Applying the same sanction to public sector bodies is likely to be neither rational nor effective: at best, it shuffles money from one part of the public purse to another; at worst, it will further stretch the (fixed) budget of the body in question, and reduce still further their ability to resource effective compliance. On the other hand, the possibility of a 'spot check' may do much to encourage good practice - which is, after all, the desired outcome.