I have been writing this blog for two years. It started as a project in my first summer of being a full-time freelancer. August is always quiet for training, and in 2011, it was the first time I didn’t have a 9-5 job and I needed something to do. I didn’t set out to spend the majority of my blogging criticising the Information Commissioner, but you’re supposed to write what you know. My time at the ICO is now ancient history, but I remain a keen observer of their work.
I genuinely think that Freedom of Information and Data Protection are important to a functioning and fair democracy, and I honestly believe that the ICO is an ineffective regulator of both. The fact that Chris Graham is a much more energetic and convincing figure than his predecessor hasn’t done much to improve the FOI side of the business (if anything, the quality of the decisions is getting worse), and while public sector data security has certainly been a priority, a lot of other (more) important things have not. The private sector is barely touched by the ICO’s work, and issues like subject access and accuracy – the element of DP most likely to cause real damage – seem more or less untouched.
Many people who hear my views about Wilmslow assume I am showing off, and that underneath it all, I respect the Commissioner’s Office and the quality of its work. No matter how many times I point out real examples of the ICO’s failings, I think a lot of people want to believe that the folk in Wilmslow really know what they’re doing. It’s unlikely that my efforts to convince the world otherwise have made any difference, and if I spend another two years banging on about it, I doubt anything will change. Albert Einstein did not say that insanity is doing the same thing over and over and expecting different results, but it’s a valid point. Sometimes, you have to look in the mirror and ask yourself what the point is. Coupled with some other things going on in my life (some now resolved, some that just aren’t going away), I was tempted to abandon tweeting and blogging and do something more constructive with my time.
And then stuff like this happens.
On June 28th, just around the time I was starting to wonder whether I should give this up, the ICO published their own thoughts on the issue of accidentally sharing data via FOI requests. The blog makes a very important point – FOI disclosures are a significant risk for data security, as they involve a regular flow of information out of the organisation. Often, the person sending the information isn’t the person responsible for its day-to-day use, and they may not necessarily know what’s in what they’re sending, or what the implications are. There have been some egregious examples of very sensitive data leaking very publicly in this way. It is, therefore, probably something that the ICO should be warning data controllers about.
I tried to remember the first time I heard about this being a problem. It never happened to me when I was actually doing FOI disclosures – I remember some very long conversations with increasingly annoyed IT people as they reassured me that, no, there wasn’t anything in the spreadsheet that we didn’t intend to be there. I think I first became aware that FOI had actually resulted in security breaches when I met some of the What Do They Know volunteers, and they told me that accidental disclosures were becoming a problem. Since then, it’s been something I’ve mentioned on most of the DP courses I have run. I always recommend training as an important DP protective measure, but not in the self-serving way you might think. Training in the systems that people use every day is at least as important as training on DP.
What irritated me about the ICO blog is the fact that – even though this is a straightforward problem which all FOI bodies ought to be aware of – the ICO only seemed to have bothered to do it because What Do They Know had prompted them. Indeed, the most useful part of the blog is the bit they lifted from WDTK’s own work on the question. I wondered how long it had taken them to get around to saying something about it, when they first became aware of the problem. So I made an FOI request. When did the ICO first become aware of the issue?
October 29th 2010.
For nearly three years, the ICO has known that this is a problem, and as far as I can see, has said nothing about it. Even now, they have squeaked out a blog about it, rather than shouting it from the rooftops. How much information has ended up in the wrong hands in the last three years? How many incidents could have been prevented if the ICO had bothered to mention it? There are two departments in the ICO – Policy Delivery and the abysmally named Strategic Liaison – that exist solely to come up with guidance and disseminate messages. I’m not sure how many of them would have known the former ICO senior officer who said, in response to a claim that we weren’t doing something, that ‘thinking is doing’, but they’re certainly keeping his spirit alive.
Precisely because everyone else in the information rights world doesn’t think that they’re all idiots, the ICO have a responsibility to use their position to get these messages out. Here is a significant risk and the ICO has apparently been sitting on it. Even if they’re investigating enforcement cases as the blog claims, they could have highlighted this much earlier – and if mentioning it would prejudice any cases, they’ve done that now anyway.
I am not a supporter of the ICO’s approach. I am not a critical friend. I am not the only one wanting to give them a kick up the arse, and I am far from being the most significant critic (hello, The Financial Times), but the last thing that the ICO needs is reassurance, praise, a warm pat on the back. They need to be challenged relentlessly, under constant pressure. Enforcing the law is not a comfortable or an easy business. A popular regulator isn’t doing its job properly.
So the blog about learning the ukulele or Belgian Beer is postponed. Normal service is resumed.