Simon McDougall, deputy commissioner - regulatory innovation and technology, Information Commissioner’s Office

How is your organisation using data and analytics to support the corporate vision and purpose?

The Covid-19 crisis has accelerated the growth of data-enabled services, such as increased working from home, virtual medical consultations and online shopping. It has also meant more attention on using data to track health outcomes. High data protection standards are vital in ensuring the benefits of these developments for all citizens.

The Information Commissioner’s Office (ICO) is here to support organisations to build public trust and confidence in the use of data.

Data protection is an enabler of innovation and economic growth because it builds public trust that their data will be protected; provides organisations with the confidence to share data to improve the quality and efficiency of public services; and supports the take-up and use of new data-enabled services.

Looking at the organisations we regulate, the concept of “accountability” is critical. There is a need for alignment between their corporate visions, and the data processing that’s happening under the hood. This is why the work of data and analytics professionals is so important to us - every organisation needs the governance and know-how to ensure it understands how it is using the data it holds.

2020 was a year like no other - how did it impact on your planned activities and what unplanned ones did you have to introduce?

As the pandemic took hold, we reorganised our office to address the new world. Our business continuity plans worked well - the large majority of our staff were already on portable devices, so the shift to working from home was relatively painless. Because many aspects of the UK’s response to the pandemic have been data-driven, we quickly got pulled into a range of urgent and novel questions around how data could be used. We established a dedicated team that worked tirelessly to help organisations using data to save lives, protect people, and support recovery from the crisis. The work was incredibly diverse, including:

• Engaging with local authorities and others to enable prompt and well-managed sharing of information about vulnerable people and shielding individuals;
• Extensive involvement in the UK nations’ contact tracing apps, promoting a decentralised approach through the publication of an opinion endorsing the Google/Apple API;
• Building the data protection and coronavirus information hub, providing a wide range of support and “myth busting” on areas ranging from managing customer logs in a pub, through to the practicalities of working from home.

This also meant that some of our other work went on hold, such as adtech, anonymisation and privacy enhancing technologies, all of which we are now coming back to.

Looking forward to 2021, what are your expectations for data and analytics within your organisation?

Supporting the UK’s recovery from the pandemic will doubtless raise further questions around data usage in the health sector and elsewhere. The ICO will continue to help organisations navigate data protection during this unprecedented time.

The government’s National Data Strategy and forthcoming Digital Strategy, alongside the advice of the Digital Markets Taskforce and the government’s response to the Online Harms White Paper, mean that the digital regulatory landscape will continue to evolve.

Underlying all this is the ongoing proliferation of data being generated, processed and analysed, with innovative technologies and products utilising the data. We are expecting a very busy year!

Is data for good part of your personal or business agenda for 2021? If so, what form will it take?

Data for good is critical to everything the ICO does - we want to support responsible and innovative data usage. We are always working on this - in December 2020 we published our Data Sharing Code of Practice, providing advice to organisations on how to carry out responsible data sharing. Promoting the Code will be a focus for the ICO at the start of the year. We have a lot more to come around using data for good in 2021, including work on data ethics, anonymisation and privacy enhancing technologies. Looking further into the year, the Age Appropriate Design Code is going live in September.

What has been your path to power?

I didn’t start out with aspirations to work in privacy, though looking back it’s a natural fit. For me, privacy represents the convergence of human rights, regulation and technology - all areas that remain very important to me. It’s exciting to be at the forefront of innovation and working to make sure innovation serves to benefit everyone.

I’ve always been interested in new and different areas, and have enjoyed my varied journey so far. I’ve veered between disciplines - I studied English Literature at Oxford University, but trained as an accountant and took the plunge from Shakespeare to statements because it was important for me to balance my knowledge of arts with an understanding of the numbers. I then worked in accounting, auditing and technology risk before I found my privacy calling.

After two decades in privacy and the private sector, it was time to experience the public sector and look beyond the bottom line. I searched out the role at the ICO and it’s been a fantastic experience. I will finish my term at the ICO this year and will likely return to the private sector. I would warmly recommend working in public service to others - it’s very challenging, but incredibly rewarding.

What is the proudest achievement of your career to date?

Leading the ICO’s work on Covid-19. The team worked on questions that were urgent, novel and complex. We covered areas such as health data sharing, using data to keep workspaces and public places safe, and using innovative technologies to identify, assess and support those suffering from Covid-19. We strove to ensure that data protection wasn’t a blocker and that standards were maintained. We are not frontline workers, of course, but nevertheless I’m incredibly proud of our contribution to fighting this pandemic.

Tell us about a career goal or a purpose for your organisation that you are pursuing?

I lead our work on the interaction between privacy, competition and online harms. This cuts across a range of regulatory remits, in particular between the ICO, the Competition and Markets Authority and Ofcom. Very often, it’s the same data usage that is of interest to different regulators, so it’s critical that we remain co-ordinated. In 2020, we set up the Digital Regulation Co-operation Forum (DRCF) to help do this, working to share information, insight and resources. Helping the DRCF establish itself is a big focus for me in 2021.

How closely aligned to the business are data and analytics both within your own organisation and at an industry level? What helps to bring the two closer together?

We are seeking to increase our data science capacity during 2021 by continuing recruitment in our technology team, revamping our industry secondment programme on a much larger scale, and working through the DRCF to understand how we can share people and technologies across regulators. We are interested in hearing from anyone currently working at industry level who has the skills and experience they believe could add value to our team.

The ICO’s work is interesting, rewarding and cutting-edge. So I would encourage the whole DataIQ family to check our website and consider career options at the ICO!

What is your view on how to develop a data culture in an organisation, building out data literacy and creating a data-first mindset?

Nowadays, the vast majority of organisations accept they need a data-first mindset. The question is not, “if,” but “how?”. So there’s no need to evangelise: data and analytics professionals simply need to have empathy for those less data-skilled than them and be able to outline a path to a data-first mindset.

The ICO is focused on putting principles into practice. That’s why we created our Guidance on AI and Data Protection in 2020, and are working to articulate what good data protection practice has to offer data ethics. But our guidance is only effective if organisations actually use it. So I would encourage data and analytics professionals to keep providing us with feedback on what is useful, so that we can continue to make a difference.