Richard Thomas is best known for his warning that Britain was “sleepwalking into a surveillance state”, made during his tenure as information commissioner, a position he held from December 2002 to June 2009.
That period, he recalls, saw data protection and privacy rise to the forefront of the public consciousness. This was in part due to a barrage of embarrassing government data breaches that took place, the most notorious of which was the loss of two CDs containing the personal details of 25 million British citizens by HM Revenue & Customs in 2007.
The controversy and debate that followed such episodes have brought about “a greater awareness of the need to ensure public trust and public acceptability” among both public and private organisations in the UK, Thomas says.
Thomas now works as global strategy adviser at the Centre for Information Policy Leadership, a think tank affiliated with corporate law firm Hunton & Williams. In that guise, he is encouraging private and public sector organisations from around the globe to develop a common language around data protection and privacy.
Today, the variation of laws between geographic regions makes handling data in a compliant manner unnecessarily complex for global organisations, he says. “There are blocks around the world that make for incompatibility and inconsistencies, which is burdensome,” he explains.
The solution is not a universally prescriptive law, he says, but a common understanding of the issues and an acceptance by businesses of their responsibilities. “We want to encourage companies to follow the legal procedure, not because of an externally imposed set of regulations, but because it is in their own interest to safeguard their data.”
Getting it right
There are a number of criteria that are essential for any large organisation if it is to ensure that data is handled appropriately, says Thomas. The first of these is organisational commitment.
“The chief executive and the board have to take responsibility for getting these things right,” he says. Other criteria are effective policies and procedures; internal oversight of data handling; the participation of the person the data relates to, be they customer or employee; and “making sure that when things do go wrong, you have arrangements to put them right”.
One unwanted side effect of high-profile breaches is “a focus on the security of the data, and the risk it might get lost or stolen”, says Thomas. “That is hugely important, of course, but it is by no means the whole story. Another requirement of data protection is that data be accurate, and that can be challenging if you haven’t got the systems in place to ensure that data is accurate when you collect it.”
Inaccurate data can be just as harmful to an individual as stolen data, he says, as it can impact their credit rating, their employment prospects and in some cases their personal life.
Another trap businesses can fall into, he says, is “dumping data protection into a particular box. It can be dumped on the lawyers or on the IT department or on the human resources department. But the issues cut across all of that – you have to include them all.”
While he stresses the importance of accountability on the part of private enterprise, Thomas also says that the law, in particular the EC’s Data Protection Directive, upon which the UK’s Data Protection Act is based, could be improved upon.
“I describe the European Data Protection Directive as a mainframe directive,” he says, meaning one conceived at a time when there existed only a small number of large computers. “The thinking behind it was that for virtually all forms of data processing, organisations would notify the regulator what they were going to do, hence a rather bureaucratic regime was created.”
The directive should be revised to reflect “the realities of international data flow”, he says. “It must address the way data flows across networks today, ways that were unimaginable ten, let alone 30, years ago.”
There are, Thomas says, signs that this may happen. “I said two years ago that the time had come for a review, but that was certainly not the view of the EC at the time. I commissioned a comprehensive assessment of what is good and bad about the directive that was published this year, and the EC has itself risen to the challenge.
“The EC has announced that it will conduct its own review, and it is asking for suggestions for improvements,” he says. “I am very proud indeed to have initiated that.”