The ICO's collaborative approach shows multi-million pound fines aren't the only route to effective regulation

Regulation works best when we work alongside organisations – an approach that has paid off for DfE, the information commissioner writes
John Edwards set a new direction for regulating to improve data-protection practices: Gerd Altmann/Pixabay

By John Edwards

06 Mar 2023

Information can drive everything in our lives: from the provision of public services to job opportunities, or the decisions made for and about us – people’s data is vital.

As a regulator for information rights, I want to provide certainty to the public, so they can trust that organisations will look after their personal data. And I also want to provide certainty for those same organisations, so they have the knowledge and confidence to deliver privacy-minded services.

That’s why, soon after I became information commissioner last year, I set out a new approach to working closely with the public sector to improve data-protection practices. While we will continue to issue fines when necessary, we want to collaborate with and provide support to organisations to help them get it right.  

But we can’t do this alone. We need support from senior leaders in the public sector to drive higher data-protection standards. That’s why I called on the UK government to create a cross-Whitehall senior leadership group to encourage improvements in the way public bodies handle people’s information. This work is underway and I’m pleased to see good practice being shared, but also examples of how things have gone wrong – this enables government departments to recognise and learn from mistakes, and to identify potential harms so they can prevent them before they happen.

The ICO and the Department for Education

The way we worked with the Department for Education is a clear example of our public sector approach in practice.

In 2020, following an audit of the DfE, we found that the department was not prioritising its data protection responsibilities, and this had severely impacted the DfE’s ability to handle people’s data responsibly. We issued 138 recommendations for improvement, with over 60% classified as urgent or high priority.

In the same year, the DfE reported to my office that its database of 28 million pupils’ learning records was used by an employment screening firm to check if people opening online gambling accounts were 18, which was not its original purpose. In this case, we chose to issue a reprimand instead of the potential multi-million pound fine, as we believe that regulation works best when we work alongside organisations, encouraging change and improvement.

Our approach with the DfE resulted in positive change. I am very pleased with the progress the DfE has made in the past two years towards improving its overall compliance with people’s information rights in general, and the security of shared datasets in particular.

Lessons for other departments and wider public sector

While I recognise that the public sector as a whole is facing a challenging time in terms of resourcing and funding, many of the data breaches and issues I see are easily avoidable.

Government departments must consider their data protection and privacy obligations upfront – from the provision of public services to the design of new projects, organisations must put people’s information rights at the heart of everything they do.

If the public sector can show people their commitment to high data protection standards, and that they will look after their personal information, people are more likely to trust public institutions and participate in their services.

John Edwards is the UK information commissioner
