UK data watchdog sees its approach to government health tech during COVID-19 outbreak as 'pragmatic' The UK's data watchdog has defended its approach to regulating government health technologies during the pandemic as "pragmatic." In its annual report, the Information Commissioner's Office (ICO) said it had supported public health innovation, reflecting the flexibility of data protection law. The watchdog had come under fire …
It kind of feels like they left the ellipsis in the report. Or maybe it was just a hand-wavy "because pandemic".
The problem with a 'pragmatic' approach is that the ICO is set up to be adversarial and not 'pragmatic'. The regulations that it is there to enforce are ones that are deeply inconvenient to the bodies that are bound by them and consequently are often ignored, bypassed, hand-waved or otherwise disregarded. The notion of the ICO is a body that pushes back hard enough that it's really not worth the gamble.
It's totally worth the gamble.
"...the introduction of mandatory breach reporting in sectors that handle large volumes of personal data has also contributed to the trend"
Let me think about that statement ... mandatory reporting has resulted in a reduction in reports? On that basis the number of breaches reported would go up if it wasn't mandatory to report them ... Forehead meet wall.
Transparency has suffered so far from two significant problems:
[1] practically no organisation has actually fulfilled its transparency obligations;
[2] transparency (even if of itself sufficient) is useless unless redress is available to individuals where processing is questionable (let alone unlawful). To date is generally isn't except very rarely.
Neither of these problems has to date received strategic attention in the UK. Such enforcement as has been undertaken has been piecemeal penalties after the fact. What's needed is to ensure the law is complied with in the first place, rather than just mopping up after it isn't. "Pragmatic" approaches that permit infractions don't quite fit that bill.
"[1] practically no organisation has actually fulfilled its transparency obligations"
Indeed. Two recent examples that I have complained about: the NI Census in March and the NI Electoral Canvass in July - in both cases the Privacy Notice was missing some mandatory information which, as per GDPR, *must* be provided at the time of data collection (i.e. before you fill in your Census form/Register to vote form).
In the case of the NI Census the ICO has decided that "there is more work for the organisation to do" and is in discussion with the org's Chief Executive "explaining that we want them to work with you to resolve any outstanding matters". However I fail to see how it can be resolved as the Census Day is past and everyone here has already filled in their forms when the Privacy Notice was not valid - this can't be resolved/fixed, all that ICO should do is issue a fine against NISRA for failing in their GDPR obligations.
In the case of the Electoral Canvass the matter is with with the EONI currently but I expect to open a case with ICO once EONI have responded to me with their "excuses".
Both of these events are once-every-10-years activities so it is even more important than usual for these organisation to ensure that everything is in compliance in *advance* of the events.
"[2] transparency (even if of itself sufficient) is useless unless redress is available to individuals where processing is questionable (let alone unlawful). To date is generally isn't except very rarely."
My personal data was leaked last year in a hack on a online company operating worldwide and they notified me. However I had stopped using their system 7 years previously but, at the time like many other companies, they only provided a "deactivate your account" option and provided no means to delete your account. With the introduction of GDPR in 2018 this company appeared from then onwards to provide a deletion request mechanism but did not implement any automatic deletion of deactivated accounts (and their Privacy Notice made no mention of deactivated accounts at all, let alone defining retention periods for them) and so deactivated accounts personal data appears to be retained indefinately.
ICO closed the case and basically said "you never asked them to delete your data " and "well they've offered to delete your data now" whilst completely ignoring the point that, at the time I stopped using that service I *could not* request that my data be deleted (which I would have wished to do at the time) as the company then had a policy of "deactivation only".
ICO, and indeed many/most of the regulators in EU, beyond a few "headline" instances have failed to take any significant actions to enforce data protection law.
I understand pragmatism in the face of the pandemic. However, government Data Protection Impact Assessments must not be treated as optional. The government already ignores them and maybe does them after the decision instead of before. This was happening before the pandemic, and is happening in areas nothing to do with the pandemic.
The DPIA is seen as a barrier to quietly outsourcing valuable contracts to their mates, and something that might reduce the value to their mates of the data they are handing over. It is essential that the ICO forces government to do meaningful and complete DPIA's to protect us and ensure probity.
From the ICO's modified Cambridge English Dictionary:
pragmatic (adjective)
solving problems in a sensible way that suits the conditions that really exist now us, rather than obeying fixed theories, ideas, or rules the law
It would be nice to believe that the fall in breech reports is down to the requirement to report, that would be WAI. However, I'm more inclined to reckon that the drop is down to consumer apathy due to lack of confidence in the ICO doing anything useful. Why bother reporting, especially if the target is the government? The ICO's activity in this case just shows them as government toadies.
The Government sending text messages and emails en-masse (without any prior permission), comes to mind, as well as the f-word. Clearly, they just do as they please, ICO rules are for the little people.
The level of complaints with regulators is off the scale, that's why people don't bother. Before you know it, you're complaining about a 3-month wait for reply from a regulator, due to the backlog of complaints (with a scripted response that's worse than the organisation you're complaining about)
It's a fucking merry-go-round to nowhere, that achieves nothing, except more mining of your privacy by the regulators themselves, to big up their own narcissistical admiration.
"Before you know it, you're complaining about a 3-month wait for reply from a regulator, due to the backlog of complaints (with a scripted response that's worse than the organisation you're complaining about)"
3 months? We should be so lucky, ICO's been running on approx 4 months backlog for the past year...
I have one case, raised in Jan, where it was finally allocated a case officer after 4 months - who promptly went on holiday for a week and when he came back he changed departments. 2nd case officer allocated took 6 weeks to find the time to go through the documents I submitted and I received an email a few days ago that he now needs to get advice from his colleagues as to how to proceed with the case - so more than 6 1/2 months on from when I opened the case effectively nothing has happened yet.
BTW ICO don't automatically allocate case reference numbers upon submission, that would be too easy/organised, it is allocated typically 1-2 months later when someone from the relevant "business sector" team take a glance at it (but don't actually start working it yet).
Of course if you don't have a reference number yet you cannot email in additional documents relevant to the case... that's great as their online case submission form only lets you provide up to *four* files which can only be in a few limited file formats (i.e. PDF, text, Word) and each file cannot exceed 1Mb (from memory) in size - so you can't submit a ZIP file (either to provide more docs or to compress a single document that is too large). This presents a risk for a case that is *not* complicated as there is a chance/likelyhood that soon after a reference number is allocated (but not notified to you) you may receive an email that the case has been considered and closed/rejected before you've had a chance to submit any additional relevant docs (beyond the original max 4) that you couldn't provide when you opened the case...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
