Infosecurity Europe 2012: The ICO on better regulation and better infosec

Graham said that although he is a regulator, that's not his sole role

"You cannot expect the ICO to hold back the dam on his own," said Graham. "It's the work that business does itself that is the driver – and they're not doing it just to impress me." It was an upbeat opening gambit, assuming, and implying, that business actually is holding back the dam on data loss; and it's clear that the UK's data protection regulator would like to give this impression.

He is keen to stress that although he is a regulator, that's not his sole role. "It involves five e's," he said, "not just one. Enforcement, yes. But also to empower, educate, enable and engage. We prefer not to simply say 'no'; we prefer to say 'yes, if...'" 

He sits in the middle of a digital storm that has three separate drivers: technology, which continually changes the climate; consumers with increasing expectations, who continually change the terms of the debate; and politics, which has the power to change everything. In the middle of this storm he believes his role is to find the right balance, regulating data protection on the one hand and providing freedom of information on the other: "to ensure that what should be private remains private, and what should be available becomes available." But he stresses that his role was created by law and is constrained by law; to whom, how much and why he can impose a civil monetary penalty (CMP, otherwise known as a fine) follows strict guidelines. That, he suggests, is why the 14 CMPs he has imposed over the last year range from £1000 for ACS Law to £140,000 for the Midlothian local authority.

He is keen not to become engaged in political debate, and would not be drawn on the UK government's proposed new bill on monitoring communications traffic. "Let's wait and see what's in the bill," he said. "These discussions have been going on internally for years, and I've always told government that if this is what you want, you have to make the case and prove the safeguards."

In reality, however, he had already, circumspectly, delivered a warning to government. He introduced details of his annual survey on public motivation. Ninety-two percent of the public believe that prevention of crime is the imperative. But 89% want to protect their personal data. Both figures are well above the traditional political motivations: unemployment, the NHS and even national security.

The message from the ICO is that successful companies will recognize what their consumers want, and will deliver. Those that don't will fail. But in an oblique way, he is also suggesting that if the public are sold the idea of giving up privacy for national security, government will lose the argument and, if government is a business, it will fail. It will have to switch its argument to fighting crime rather than terrorism; and that is a completely different argument.

Graham also introduced some new figures. Under the title 'old kit, new danger' he said, "We've been shopping. We bought 200 devices with hard drives, 20 memory sticks and 10 mobile devices" on the second-hand market. The ICO then examined the data left on those devices. The problems he found were not so much on the sticks or mobile devices, but on the hard drives. "The good news," he said, "is that about half of them had been damaged or wiped. The bad news is that half of them had not." And it was on those uncleaned drives that he "found 34,000 files with personal or corporate confidential data." Ample, he said, for identity or monetary fraud.

Slipping back into his less-friendly guise as 'the enforcer', he added, "we're 'talking' to four separate companies."
