Before my appointment as the UK Information Commissioner, I held senior regulatory positions in the field of privacy rights in Canada. From 2010 to 2016, I served as Information and Privacy Commissioner for British Columbia. From 2007 to 2010, I held the post of Assistant Privacy Commissioner of Canada in Ottawa, primarily responsible for enforcing Canada’s commercial privacy law. In Canada, I led investigations into some of the world’s largest technology companies, including the first investigation of Facebook by a data protection regulator. My passion for information and the ethical use of data stems from a professional background in information science and archives. Before information rights laws, my role as a professional archivist placed me at the centre of decisions about preservation of evidence and accessibility of information, balancing the rights and interests of records creators and researchers. These experiences laid the foundation for my current work in helping citizens and consumers navigate and protect their rights in the digital age. In 2016, I moved to my current role from a province on the western edge of Canada to the UK - and discovered that the challenges and opportunities in data protection are very similar: increasing trust, building a culture of accountability, and ensuring that privacy and innovation work in tandem.
The privilege and challenge of regulating the UK’s data protection laws at a time of massive shifts in technology and society. 2018 was the year that data security and privacy went mainstream! My position as the guardian of both data protection and freedom of information gives me a real ability to help people across the full waterfront of information rights. It is more of a calling than a job and a role in which I can make a difference. Coming from a background of information law practice, rather than management, I really value the opportunity. In 2018, I was elected chair of the International Conference of Data Protection Commissioners, the leading global privacy forum representing over 120 jurisdictions world wide. This is a recognition of the UK’s and ICO’s international standing and provides an important avenue to advocate for policy approaches and law reforms that keep pace with changes in our digital age.
Be curious, keep learning and find a mentor! Be open and look for opportunities to move from public to private to third sector for a full range of experiences. But I would also say - good on you, you chose the right career! Where else could you work with a genuinely thoughtful community of people generating change and excitement using millions of building blocks to create models, paradigms and services that shape the world in which we live?
I expected 2018 to be a critically important year for data protection with GDPR a once-in-a-generation reform of the law. But it was more than that. The level of public attention, large scale investigations, parliamentary and political debates, and consumer concern, media coverage and attention signalled that data protection has come of age. Data protection went mainstream. Our office had more than 100% upshift in all of our public-facing services – complaints, calls, requests for advice, breach notifications, speeches, parliamentary and media appearances.
It will be a year of challenge, innovation and change. We begin the year with much uncertainty about the legal relationship the UK will have with Europe. But there is no doubt that the UK will retain the GDPR and high standards of data protection - and the data and analytics industry will continue to innovate. Data always challenges us to behave better, to work more imaginatively and to consider the interests of the individual and their expectations for personal privacy. The new laws and public expectations require fundamental changes to the way organisations account for use of personal data. Those organisations that put people at the centre of their business practices are the ones that will thrive. For the data industry, algorithmic transparency will continue to be a major topic of study, focus and debate, and the UK will be in the forefront of finding workable solutions.
At the ICO, we have increased our staff numbers by over 40% in the last two years. Finding specialist technical staff continues to be a challenge, but we have made good use of secondments from the private and government sector, we have partnered with the universities to recruit new graduates. We also provide extensive training and promotion opportunities to attract those looking to join an organisation with a long-term career development path. We have created a fellowship in AI and recently attracted a leading academic to help us design a framework for auditing algorithms. We are currently building an internal program so that we can “grow-our-own” cyber specialists.
I am optimistic that many companies and public bodies will begin to put accountability to people at the heart of their practices. There are leading companies that really do get the value of big data, but not simply from the company’s perspective. By approaching data from the point of view of trust, companies can enhance the consumer experience and earn the social license for innovative uses of data. Leaders in this space are realising that trying to jump the lowest possible legal hurdle is not a sustainable business strategy.