The month of September marks the changing of the seasons in the UK from summer to autumn and this year it has witnessed both a political reshuffle at the top of UK government and a change of leadership at the Information Commissioner’s Office (ICO). By Rupert Brown, chief technology officer at Evidology Systems.

Alongside this change, there have been a number of signals about the UK’s political intentions/priorities in the mind of the new cabinet from briefings they have made about consent, cookies and potential divergence from the EU’s stance on data protection enshrined in the General Data Protection Regulation (GDPR).

The right person for the job?

From a political public relations standpoint, John Edwards, the new UK ICO, would appear to be an ideal candidate given both his prior experience in a similar role in New Zealand and his forthright comments about Facebook in the wake of the terror atrocity there.

What we have not seen in the press or in any public briefings is the other shortlisted candidates and their credentials. This leaves the suspicion that the appointment is more of a ‘safe pair of hands’ who will man the tiller of the ICO function rather being a bold enabler in an era requiring change.  

However, lawyers have little or no real-world large-scale IT or data management experienc. They spend most of their time in Microsoft Word drafting and amending text and the rest of it in workflow and time-management systems to recoup their fees. To understand the challenges of information management, the government really needs to poach someone with large data set management experience from a major commercial internet platform in the same way that Facebook hired Nick Clegg to work the corridors of Westminster and Brussels.

The right job for the country?

Before diving into the details about what the new ICO really needs to do, perhaps this is the point at which to mention that there is an opportunity for the secretary of state for digital culture media and sport (DCMS) to rethink the role of the ICO to make it more relevant. In rethinking the role the DCMS secretary needs to ask a number of questions in particular:

Has the ICO been successful in enforcing GDPR?

Ignoring Brexit, no EU state can be said to have been ‘successful’ in enforcing GDPR. The inconsistency of fines and their frequency of application has been sporadic across the EU, with the UK being a particular outlier focusing on a few key headline cases. In each of these cases the initial fine levied has been reduced on appeal to less than 20% of the initial headline amount. It has also allowed the terms of subsequent class action settlements to be kept private, which does little to improve public confidence in its governance.

How critical is the requirement for GDPR equivalence with the EU?

This is probably more of a political requirement for DCMS rather than the ICO. Actions will probably carry more weight than words, particularly if the UK is seen to be continuously challenging Facebook and the other major platforms. The UK’s membership of the Five Eyes intelligence sharing alliance will always set it at odds with the EU, and the recent AUKUS nuclear submarine deal has further cooled relations. Despite the recent noises made it is doubtful there will be a significant rewrite of GDPR in the lifetime of the current parliament.

What is the real threat to UK citizens?

The real and continuing threat to UK citizens (and everyone else) is from two attack vectors: more sophisticated fraud schemes and smarter malware focusing on mobile devices and network infrastructure, particularly at service boundaries where data needs to be decrypted for interchange.

What annoys the general public most?

The catchphrase from comedy series Little Britain, “Computer says no”, probably best sums up the real effect of GDPR on the general public, where it now provides a convenient screen for companies to hide behind rather than improving customer service and restricting the publishing of data in the public interest. Few companies using this defence ever correctly cite which paragraph of the regulation is preventing disclosure.

Does the ICO have the technical expertise to protect against, detect and manage significant IT breaches?

Clearly the ICO does not have these skills, and the problem starts at the top as has already been mentioned. Both the personnel and the responsibility for this resides clearly with the National Cyber Security Centre (NCSC), but at the moment its role is really an advisory one, as well as clearing up the mess after a breach rather than statutory enforcement.  

As well as NCSC there is the less well-known UK Government Central Digital and Data Office (CDDO) which has oversight of critical platform infrastructure strategy and budget, buried with the Cabinet Office.

So what should the ICO really be doing?

The clue is in the first letter of the department’s title i.e.information. The ICO needs to focus its efforts on the information this country needs to be a competitive force in world markets. This consists of three key pillars

• people: what used to be called births, marriages and deaths but now has to be expanded to deal with the increasing fluidity of gender definitions and relationships; 

• places – the UK Land Registry database is a shamble. Next time you order something online look at the addresses in the ‘select from a list’ dropdown on many websites, especially if you live in an inner city area with lots of multi-occupancy buildings. This has a major impact both on postal and delivery services as well as the emergency services, both of which became vital for all of us during the pandemic; and 

• things – i.e. companies (plc, Ltd and LLPs as well as charities).  

Correctly documenting business organisations and their beneficial ownership is key to reducing the risk of fraud and money-laundering/terrorist financing. Today people who die merely ‘retire’ at Companies House, and a recent Freedom of Information request showed there is little or no linkage between Companies House and the major high street banks to automate verification processes.

So if the office of the ICO focused on fixing what ‘truth’ is and where it resides, and how change is notified both to state and commercial organisations, it would justify its value in the savings generated to ‘UK plc’ rather than having so send out annual ‘scare tactic’ letters to companies claiming that they may be unwitting data controllers and thus have to pay a notional charge. 

Having established what needs to be improved, it is then up to the CDDO to budget and implement the necessary ‘levelling up’ work and for NCSC to make sure it is kept secure.

Few countries today regard information quality and efficiency as a strategic economic asset that needs constant incremental improvement. We continue to fear it as a potential instrument of totalitarian control, exemplified by the Chinese control of its internet firewall rather than accepting how pervasive it is in our daily activities. 

Closing thoughts

GDPR has the two foundational notions of 

a) data controllers, i.e. those who determine what data is important and its sources and destinations and the obligations between entities in the supply chain paths; and 

b) data processors, i.e those who physically manipulate it and secure it.

Whichever path the UK choses to take in the future, these roles will still need to be defined in law, but it should be a priority for DCMS to split the governance of them between the ICO and the National Cybersecurity centre. The US focuses almost entirely on the technical aspects of cybersecurity rather than the information rights of citizens partly because of its federal structure and partly because it can fall back on its Constitution as a legislative backstop.

How the UK will navigate the future path between the controlling paranoia of the EU approach to data protection and a more liberal streamlined approach to meet the need for broader global data content standards and sharing mechanisms will continue to be a complex and awkward process, and I hope both the new ICO and DCMS leadership will be up to the challenge. 

Perhaps the ICO should be moved out of DCMS and into the Cabinet Office alongside CDDO so that there is one place for all digital information management across government. The UK government seems to be emulating the TV police drama Line of Duty by creating too many superficial ‘digital’ departmental acronyms.