Data protection: hidden risks, clear opportunities
At first glance, my role as chair of the Board at Capacity - The Public Services Lab doesn’t have much connection or continuity with the job I was doing until just over a year ago. I was for seven years Information Commissioner, the UK’s authority for data protection (and freedom of information). Serious stuff. Now my excellent successor Elizabeth Denham is doing the heavy lifting, and I’m chair of the Board of the Lab in Liverpool - where the work is fascinating, but very different.
And yet, one doesn’t leave data protection concerns behind when one stops being Information Commissioner. In fact, data protection represents both an opportunity and a threat when it comes to reconfiguring public services, building a greater role for community organisations as partners, which is what Capacity exists to help make happen.
When I was Information Commissioner I discovered that, all too often, the only thing people knew about data protection was around what they thought ‘you can’t do’. This ‘can’t do’ attitude is commonly cited as an obstacle to doing things differently. This is particularly the case where organisations need to be able to share data in order to deliver services differently. And ‘doing things differently’ is often the key to greater effectiveness and efficiency.
Here at Capacity - The Public Services Lab, we believe that things have to be done differently. Resources clearly aren’t able to keep up with growing needs. Yet, if we configured things in different ways, we could make resources go further. And by involving the voluntary, charitable, and social enterprise sector as partners, public authorities could deliver services that worked much better for clients. That’s where doing data protection properly can open up the potential for change.
We heard recently about the proposed Data Protection Bill which Parliament will be debating in the autumn. This is prompted by the General Data Protection Regulation which will be the law of the land from next May anyway. The Regulation is EU law, but the UK is going to have to replicate the provisions of the GDPR, as it’s known, if we are to continue dealing in data across borders - even after the UK leaves the EU.
Any organisation dealing with personal information is going to have to get to grips with the data protection rules. And that’s particularly the case with local, charitable, and social enterprise organisations, who are often dealing with the most sensitive categories of personal information.
From my experience as Information Commissioner, I am all too aware of the risks to the reputation of organisations mishandling personal information. The charity sector took a beating over sometimes questionable fundraising practices which broke the data protection rules. And some charities were as careless as some local authorities in the lax way in which they stored and used data. A hefty fine from the Commissioner certainly grabbed the headlines. The potential fines under the new rules make even the biggest monetary penalty I imposed look like pocket money. And, while my successor has made it clear that the ICO’s always practical approach to compliance will continue, organisations can no longer leave data protection to take care of itself.
So understanding data protection, so as to grab the opportunities and also avoid the risks, has to be priority over the next few months. If we don’t get this right we will not be able to unlock the potential for change which reimagining public services offers.
That’s why the event we are holding on 26 September 4.00pm - 6.30pm at the Cunard Building in Liverpool is so timely. We will be joined by Richard Marbrow, a Group Manager at the Information Commissioner’s Office (ICO), and by speakers from Catch22, Data Guardsman and Gardner Systems. Following on from the event, Capacity - The Public Services Lab will be seeing what more we can do to help voluntary organisations, charities, and social enterprises to get data protection right - and stay out of trouble.