Speech given at Manchester Central Convention Centre to ICO's Data Protection Practitioner Conference.
Thank you Chris (Graham) for your kind introduction and to the ICO for inviting me to speak today.
Can I begin by congratulating you on your reappointment as Information Commissioner for a further two years and I very much look forward to working with you.
It is great to see so many people here. I understand from our hosts that this conference was oversubscribed. I think this is both a reflection of the growing importance of information rights to the public and the growing importance of the Information Commissioner’s Office in promoting and protecting those rights.
I have effectively been given a free rein on what to speak about today. Given this, I thought I would give you my reflections on my first two months as Minister of State for Justice and Civil Liberties and to set out what I see as the priorities in the field of information rights between now and the general election. These priorities include strengthening individuals’ information rights, guaranteeing the effective enforcement of these rights and making progress with the proposed EU data protection Regulation.
Data protection and the powers of the Information Commissioner
The whole concept of privacy and personal data has changed dramatically over the past 20 years. Individuals now share personal data on an unprecedented scale and modern data processing allows companies to provide increasingly personalised services to their customers.
In 2011, the World Economic Forum estimated that individuals around the world send about 47 billion non-spam emails, submit 95 million tweets on Twitter, and share 30 billion pieces of content on Facebook every day. Indeed the ICO’s Twitter feed is pretty busy itself, with over 9000 followers and 1700 tweets sent.
A thriving information economy is essential for enhancing our competitiveness and driving economic growth. This is why the Government has published an Information Economy Strategy which looks at how Government, industry and academia can work together to exploit the many opportunities available in this sphere.
Linked to this is the need to maximise the economic and social value of data sharing both within government and between the public and private sectors.
To support this, the Government is embarking on an open policy making process to look at current thinking on data sharing of government held data. We are keen to bring together relevant parts of government with stakeholders who have an interest in the use of data for delivering better public services.
We recognise that the views and opinions in relation to data sharing are diverse, as are the benefits and potential downsides. But I am confident that we can assuage any fears by making sure that our approach is open, honest and positive. Our ambition with this work is to listen to, and understand the arguments put forward and to work with all sides within and outside of government to reach a workable solution for data sharing that will help deliver necessary changes and result in improvements to public service delivery and the lives of people across the United Kingdom.
Given the changing nature of how we share and process personal data, it is essential that we provide for strong rights for data subjects in order to protect against abuses and appropriate sanctions for those who breach the Data Protection Act.
As you know, one way we plan to strengthen the rights of data subjects is to make the practice of enforced subject access illegal. This practice has long been considered undesirable by the Information Commissioner and others as it runs contrary to the intention behind the right to subject access in the DPA. The DPA gives individuals the right of access to personal data held about them by a person or organisation by making a subject access request.
The Government will commence s56 of the DPA as part of a package of reforms to the Rehabilitation of Offenders Act and criminal records disclosure. This will prohibit a person from requiring someone else to produce certain records as a condition of employment, or for providing a service, other than where the relevant record is required by law or where it is justified in the public interest.
We are also committed to guaranteeing that the ICO has sufficient powers to enforce compliance amongst organisations and to punish those who commit serious breaches of the Data Protection Act.
On this point, I would like to pay tribute to the Information Commissioner who has been a vigorous campaigner in making sure that the rogue individuals who trade illegally in personal data are brought to justice.
He continues to argue eloquently for the introduction of custodial penalties for breaches of s55 of the DPA. As you know, this is an issue that has been mentioned as part of the wider Leveson press regulation debate. But, in truth, and perhaps more importantly this issue goes far beyond the issue of press regulation. Serious misuse of personal data by any sector causes significant distress and damage to ordinary citizens and undermines public trust in public institutions and business which in turn can undermine economic growth.
That is why in the last few weeks we have begun to review the sanctions available for breaches of the Act so we can decide whether to increase the penalties as the law permits.
The Government is also determined to tackle the scourge of nuisance calls. I know how frustrating nuisance calls are for many people and how they can create fear and anxiety for the elderly and others. Although I have only been a Minister for two months, I have already started to take action against the organisations responsible for making nuisance calls.
Since 2010, the Government has increased the level of penalties that can be levied against those breaking the law. In 2010, the maximum penalty that Ofcom could issue for silent and abandoned calls was increased from £50,000 to £2 million. Similarly, in May 2011 a maximum penalty of £500,000 was introduced to allow the ICO to issue higher penalties in relation to unsolicited calls and texts under the Privacy and Electronic Communications Regulation.
But we are determined to do more and, I’m pleased to say, we are doing more. We are working closely with the Department for Culture, Media and Sport, the ICO, Ofcom, Which? and others to deal effectively with the root causes of these calls and those organisations that break the law.
We are positively considering a proposal by the Information Commissioner to lower the threshold at which he can issue civil monetary penalties for breaches of PECR from the very high bar of proving substantial damage and distress to a lower bar of irritation and nuisance. My ministerial colleague Ed Vaizey and I have asked the Information Commissioner, working with Ofcom, Which? and others, to consider what would need to be done to set up a common portal for the reporting of nuisance calls. We will publish an action plan in the coming weeks that will set out current and further plans in this area.
Finally, we have recently conducted a consultation on extending the ICO’s powers of compulsory audit to NHS bodies. This requires secondary legislation which we plan to introduce before the summer recess so that the power can come into effect by the autumn.
We have chosen the NHS as it is one of the largest data controllers in the UK, processing huge amounts of sensitive personal data on a daily basis. We will work closely with the ICO to monitor the effectiveness of these powers before considering whether we might extend them to other sectors that process large amounts of personal data in their day to day business.
EU Data Protection Regulation
Of course, the issue of Data Protection and personal privacy is a global issue. For the past two years, the Government has been working with our European Partners on a new EU data protection framework. This is following the European Commission’s publication of proposals back in January 2012. We recognise that the current legislation needs to be updated to reflect the realities of data processing in the 21st century.
An immense amount of work has gone in to the negotiations to get the proposed Regulation right over the last 2 years. I would like to pay tribute to my Sarah Ludford, who has worked tirelessly in the European Parliament to scrutinise and improve these regulations. Her hard work has had a considerable effect, and I know that the whole of the Government is grateful for the efforts she has made. I would also like to pay tribute to the important work of the Information Commissioner who has played a pivotal role as vice-chair of the Article 29 Working Party.
How we achieve a balance between growth and data protection rights is the key question that we have been working to resolve. The UK carried out its own Impact Assessment of the proposals. This concluded that the Regulation in its original form could have a net cost to the UK economy of £100-£360 million per annum.
The Government wants to see EU data protection legislation that protects the civil liberties of individuals while allowing for economic growth and innovation. We are clear that these should be achieved in tandem and not at the expense of one another.
It should give everyone the right that their personal data will be protected, whilst allowing for the free flow of data which is crucial to underpinning the digital economy.
So how do we go about achieving this balance? We have already seen since the draft Regulation was published that there has been a tangible shift in perception as to what the best approach should be to balancing individuals’ data protection rights against the obligations on controllers.
When the Commission first published the draft Regulation, many concerns were raised about how prescriptive the text was; that one size does not necessarily fit all; and that the burdens placed on data controllers, and of course our regulators, may not always be in proportion to the protection conferred on data subjects.
There is now a growing consensus in the negotiations around the importance of not placing disproportionate burdens on small and medium enterprises which form the backbone of the European Economy. These SMEs are particularly well suited to taking advantage of the opportunities that technological developments will provide; we do not want to force innovative enterprises to look outside the EU to better realise their ambitions.
Bearing this in mind, the emergence of the risk-based approach has been a welcome development during the course of the negotiations. This continues to be a key element of our negotiating strategy under the Greek Presidency. This approach should be accompanied by effective enforcement so that data controllers remain accountable for the processing decisions they make and the safeguards they put in place.
The Government continues to support a Directive, rather than a Regulation. This would provide consistency across Member States where it is beneficial but would give Member States flexibility to transpose the legislation with regard to their national traditions and practices.
I cannot predict what will happen under the Greek Presidency; or whether the European Parliament will be able to come to a conclusion on the text of the Regulation before the European Parliamentary Elections. However, we are clear that the quality of the text should take precedence over a rush to conclude the negotiations. If the negotiations are rushed, we risk a complicated and prescriptive instrument that could damage growth and employment prospects for years to come.
I know you will be interested in this process as it develops, and I will ensure that the Coalition Government continues to work openly with stakeholders and other member states throughout the development of this legislation.
So it is clear that a lot has been achieved over the last few years, but there is clearly a lot more still to do. I am looking forward to working closely with the Information Commissioner and others over the next 15 months on driving forward the information rights agenda. Thank you.