Institute of Regulation's Podcast
Welcome to The Regulation Podcast – helping you to understand what regulation is all about, what it’s for and why it matters to you, to businesses, to organisations and to everyone.
Listen to this new podcast show from the Institute of Regulation, packed full of insightful interviews with regulation leaders and experts and some energetic discussions on many aspects of regulatory theory and practice.
Episode 32: Regulating information and data protection
In this month's podcast, Institute Chair Marcial Boo talks to senior Information Commissioner's Office staff Emily Keaney and Angela Balakrishnan on how the ICO ensures our personal data are kept safe through the regulation of businesses and public bodies. Their discussion notes how good communications can encourage compliance, and how the ICO, like other regulators, sometimes has difficult conversations with those being regulated, using a range of regulatory tools to be effective. They also talk about the challenge of new technology, including AI, the importance of prioritising regulatory interventions, and how the first step is to get the basics right. You can hear the podcast here, with more information on the ICO website (ico.org.uk).
Keywords: Data protection, Information rights, Privacy regulation, Cyber regulation, Digital trust, Freedom of information
00:00:00:00 - 00:00:35:20
Unknown
Welcome to the regulation podcast from the Institute of Regulation. My name is Marcial Boo, chair of the institute and a regulator myself. On this month's podcast, I'm delighted to welcome two senior colleagues from the UK's Information Commissioner's Office to discuss the complexities of information and data regulation. Unlike the many regulators who focus on a sector or a profession, the ICO is one of the few regulators who regulates a specific issue across the whole economy.
00:00:35:20 - 00:01:03:02
Unknown
In their case, that's data privacy and data protection, upholding information rights in the public interest. And this at a time when over 400,000,000TB of data uploaded onto the internet every day, that's about 200,000,000,000 hours of video every single day. So to help us understand how on earth the ICO do that, we have Emily Keaney, the ICO Deputy Commissioner of Regulatory Policy.
00:01:03:03 - 00:01:35:11
Unknown
Emily oversees the ICO's policy work, including on legislation, economic analysis and research, and on issues including children's privacy. Emily previously worked at Ofcom, among many other policy roles. Welcome, Emily. Thank you very much. Lovely to be here. And thanks for joining us. And we also welcome Angela Balakrishnan, the ICO Executive Director for Strategic Communications and Public Affairs. Angela's job is to gather insights from stakeholders and promote awareness of information rights and the ICO's regulatory approach.
00:01:35:13 - 00:01:59:07
Unknown
And before joining the ICO, Angela spent nine years in government communications and has experience in charities and journalism, too. Good comms are really essential for regulators and we've done a podcast on that very topic, so it's great to have you here too. And thank you for having us. Lovely. Well, thanks to you both. And I introduced the ICO very briefly at the beginning, but can you tell us in your own words what the ICO does as a regulator and why it's important?
00:01:59:08 - 00:02:26:08
Unknown
Emily, let's start with you. Yeah, absolutely. So we're here to make sure that people are able to have trust and confidence in how their information is being used. That organisations feel really confident about being able to, to use that information to innovate with it in ways that benefit all of us. And actually, we're also, we don't just regulate data protection.
00:02:26:08 - 00:02:51:03
Unknown
We also have a range of other responsibilities, including freedom of information. So we make sure that all of us are able to access public information that is critical to an accountable society and government. And we also have responsibilities under this, which is about, ensuring the safety of the information in our critical national infrastructure. And so I would you say this.
00:02:51:05 - 00:03:15:04
Unknown
Yes, yes. Is this kind of cyber, regulation. And so, that plays into that that thing about keeping our personal information safe and secure. Okay. Right. That's that's a great start. So we've already got a little, a little issue that's discussed about the interface between protection of information and access to it. But and coming to you, just anything you want to add about the ICO's role?
00:03:15:04 - 00:03:42:13
Unknown
Just building on what Emily said. I mean, Emily's summarised, vast role, very succinct. I think the thing I would say is, people hear the words data protection and probably immediately think about sort of very technical compliance and processes and systems. And I think what we fundamentally believe is that these rights are about people. And it's in a people's, people's data, which means people's kind of lives, their stories, their relationships, their dignity is at the heart of of what we do.
00:03:42:13 - 00:04:11:04
Unknown
And we really do try and bring it back to the kind of that real life impact, on, on real people in the real world. Okay. Well, that's obviously absolutely essential. And, great to hear. Before we come on to, some of the detail behind, what you're doing, let me just ask you an about communication because communicating, what you do is clearly important both to people, as you've said, but also to the companies and and public bodies that need to comply with the law.
00:04:11:04 - 00:04:38:05
Unknown
So. So how do you go about doing that? Yeah. So, as Emily said earlier, one of our kind of common goals is to help people understand their privacy and freedom of information rights. But more than that, I think that work that, the comms and public affairs team try to do is to get people to actually care so that they can take steps to protect their information and to see why these rights and the work that we do as a regulator is so important.
00:04:38:07 - 00:05:00:20
Unknown
And, I think over the last few years, we've really tried to use our comms and engagement as a regulatory tool or lever in its own right. If we can help people and if we can help organisations to think and to do things differently as a result of our comms and engagement work, then we can influence behaviours that help protect and promote people's, people's data better.
00:05:00:22 - 00:05:30:04
Unknown
I would say fundamental to our approach is really trying to take that human approach to our work. So I mentioned, you know, trying to make sure that we're bringing it back to people. That means telling emotive stories, turning, the kind of data and insights that we have into creative content, understanding what people do actually care about and how we can seed our work, into the things that they, they care about that are front of their minds so that we're making our work more relevant, more connected.
00:05:30:06 - 00:05:50:17
Unknown
With different audiences so that we can actually deliver that real world social change. That's really great. I'm going to come on to you, Emily, in a moment about these different audiences that you've got. But I'm just interested in, how you get people to care about regulation. And you talked about emotive stories. So can you just briefly give us one little emotive story that you that that's cut through?
00:05:50:17 - 00:06:14:02
Unknown
Absolutely. Gosh, I think there's so many so a really powerful campaign that we ran recently was called The Ripple Effect. And it was all about, people who are often in vulnerable situations and the impact that they have when they experience a data breach. Now people think of the words data breach and again, probably think of like systems processes going wrong.
00:06:14:04 - 00:06:36:21
Unknown
And that was the insight that we we sort of acted on lots of people. That we were supporting, often came to us saying that organisations really failed to understand the impact, the life changing impact that these admin errors. And that's how they were being described, you know, email that was incorrectly sent to a slip of paperwork, these up and errors, were really having on people's lives.
00:06:36:21 - 00:07:05:24
Unknown
And it was trying to sort of flip that and focus on the on the impact to try and get people to to think differently about how they were going about some of their, work to protect people's information. And it really did have, quite a profound impact. I think two thirds of the organisations that we, we worked with as a result of this campaign, said that they were thinking differently about their practices and actually enacting different practices because I think the realisation that they got they they got they got the message.
00:07:05:24 - 00:07:35:00
Unknown
It wasn't just, you know, a slip of a paper or an error. It was it really was changing people's lives quite significantly. Yeah, absolutely. Well, I mean as, as everybody listening as well. No, I mean, it's our own data, our own personal information, which, you know, we want to keep private often. So, Emily, coming back to you, the different audiences that the ICO has, obviously, as I said earlier on, you work across the whole economy, public bodies, companies, individuals, those interests conflict sometimes.
00:07:35:00 - 00:07:57:21
Unknown
How do you balance their needs, and particularly those people who hold the information and those people whose information it is? How do you do that? Yeah, and I think, as you said at the beginning, we are relatively unusual for a regulator in that we we cover the whole of the economy and actually we cover both the public and the private sector.
00:07:57:21 - 00:08:28:21
Unknown
We don't have one specific set of stakeholders, or one particular sector that we cover. So we need to think about multiple interests and understand multiple perspectives and balance those. I mean, actually that generally is what regulation is always about. It's always about understanding that, you are trying to deal with an issue that where there will be different incentives, people will be seeking different outcomes.
00:08:28:23 - 00:08:56:13
Unknown
But when when you've got such a vast landscape of stakeholders that that can be particularly complex. We do it in lots of different ways. So when we are thinking about a particular, policy position or a particular regulatory intervention, we will often consult and we will try and do that in a quite proactive way so that we are really making sure that we're reaching out and making people aware that that consultation is happening.
00:08:56:15 - 00:09:26:05
Unknown
But we also recognise that that's only ever going to get a small proportion of your stakeholders. So we also, increase recently doing research, whether that's research with the public and sometimes that's qualitative research, which is fantastic for not necessarily giving you the kind of x percent of the population think best. But really digging under the skin of, of what's driving people what they, feel and think and worry about.
00:09:26:07 - 00:10:06:19
Unknown
We also do quantitative research, and we also do research with businesses as well. Because that will generally give you a more varied and representative understanding of the perceptions and experiences of different kinds of businesses, particularly small businesses who are just less likely and less well equipped to respond to formal consultations. We also do a lot of getting out and about kind of, you know, talking to people, whether that's talking to parliamentarians, to civil servants about their policy ambitions and direction, whether it's talking to other kind of stakeholders in the sector, civil society groups.
00:10:06:21 - 00:10:32:11
Unknown
And we have, a policy methodology kind of framework which helps people think about how do you bring all of that evidence and analysis and insight together, weigh it up in different ways. How do you set that against things like your your economic analysis, your legal advice, your legal insight in a way that helps you understand broadly what it is that we're trying to achieve?
00:10:32:11 - 00:11:06:01
Unknown
What is the difference that we're trying to make to the world here? What are the interventions that we have available to us as a regulator, and how do we take into account all of the different perspectives as we start to think about how we act in a in that area? So you gather all of this information from all of these stakeholders as matters, and let another regulator, which is also cutting across the economy in the same way which the human rights Commission, they're very few, as I say, the ICO, the HRC Health and Safety Executive, you know, and and the key question is how to prioritise.
00:11:06:03 - 00:11:42:12
Unknown
And I say you gather all of this information and you could do any number of different things. So so how do you pick the most important things to do? I think the first thing, and this can be really hard sometimes, but is just recognising that we can't do everything, and helping our own staff to understand that, helping our stakeholders, helping make sure that, you know, we are communicating that we are choosing a number of a particular number of things, and we're not going to be able to do everything.
00:11:42:14 - 00:12:07:22
Unknown
You then have to think about where, we as a regulator, best placed to act that, you know, there is quite a complex regulatory environment. And we work closely with all the regulators, including some of the ones you just mentioned, also with, other regulators in the Digital regulation cooperation forums, Who, Ofcom, CMA, the FCA, and sometimes they will be better placed to act than us.
00:12:07:24 - 00:12:39:14
Unknown
Yeah. And we also have ways of thinking about where are the potential harms to people or to businesses the greatest and actually where all the, the greatest opportunities, because I think the harm element is really important. We want to intervene in places where we know that the public have concerns. We know that actually the, potential impact, if the use of that personal data goes wrong, can be really, really massive.
00:12:39:16 - 00:13:10:07
Unknown
Yeah. But we also recognise that the data, that personal information has the power to really transform, economy, society for the better. So we also don't just think about where can we act to prevent the greatest harm. We also try and think about where are the opportunities, where us intervening, us providing advice or support actually could kind of really enable some of that innovation for for public good.
00:13:10:08 - 00:13:46:04
Unknown
I think a big part of, managing, the vast range of stakeholders that we have, and the tough choices that Emily's described as being able to explain why and how we've reached a decision or landed on a certain approach. And I think that's something that we've been very conscious of doing more deliberately explaining the why. Because we might not always, appease all our different stakeholders and audiences, but at least if we can make the effort to explain our thinking, we might have hope of sort of bringing them onside, or at least getting them to understand where we've come from.
00:13:46:06 - 00:14:06:07
Unknown
That's really interesting. And thanks both for you for for that. So just, on that and you've talked about how sometimes people might take time to come around or maybe not even come around at all. So, I know that this is an issue for all regulators because people tend not to like their regulator. For some reason.
00:14:06:09 - 00:14:27:00
Unknown
Oh, but what do you do, when people complain about the fact that they're regulated for about their information, they need to pay you, they get fined or they get ticked off at, not, responding to subject access requests or freedom informations in a timely way, etc., etc.. How do you how do you turn them around?
00:14:27:00 - 00:14:54:11
Unknown
How do you get people if not to like you, to respect you at least? I think being able to be credible in terms of, evidence, goes a long way. But I think it is being able to have that dialogue as well. And sometimes there are difficult conversations to have. But that's part of that's part of the, the approach to, to help, engage those, those kind of, you know, challenging, customers or stakeholders.
00:14:54:13 - 00:15:23:07
Unknown
So going in and knowing that you might not, you might not get them onside, but at least having the conversation in the first instance, goes, goes a big part of the way because it shows that you're open to listening to their perspective. And, you know, you you can so have that empathy by by listening. I think having the evidence to show why we've reached a decision or where we're coming from can help, build credibility to the case that we're making.
00:15:23:08 - 00:15:39:22
Unknown
But I think sometimes, you know, it is being comfortable with the fact that we might not always see eye to eye. And that is okay if we feel confident that we are, you know, doing the best thing in terms of our approach as a regulator and have a clear, sight of the impact that we're trying to achieve.
00:15:39:22 - 00:16:06:09
Unknown
And we can then articulate that, that impact. That's fantastic. Okay, brilliant. Now I'm going to move on to another topic, which, which all regulators are grappling with. And, and I'm sure this right front and centre for you as well, because the world's changing at phenomenal speed. And with new tech developments, including AI, obviously, and the fact that so much data about us is held outside that jurisdiction or on the cloud, in places that we don't even know where it is.
00:16:06:09 - 00:16:40:18
Unknown
So, Emily, what does this mean for the future of information regulation? I think it's a quite challenging, both in terms of the speed at which it's moving and the, requirement for us to be thinking not just domestically, but internationally. Actually, we do an awful lot of work with other regulators internationally, both other data protection authorities, but also other regulators, including, there is an international equivalent of the DCF, for instance.
00:16:40:18 - 00:17:08:07
Unknown
And we engage with them as well. We also so some of that is about sharing information, sharing intelligence, sharing, kind of coming to agreed policy positions. Some of it though, is also, about, joint enforcement. And that can be a really powerful tool. So, we recently took action jointly with Canada against 23andMe, for instance.
00:17:08:09 - 00:17:36:04
Unknown
That's not that can, you know, can be quite time consuming. Because you have to, you have to align slightly different powers, slightly different legislative frameworks, but it really can send an important message that, you know, organisations, even when they're, operating in different jurisdictions, have to take note of the, the legal frameworks in all of those jurisdictions.
00:17:36:06 - 00:18:12:02
Unknown
And also, I think, just the ability to work with other regulators internationally to understand what are, what are their priorities, what are they tackling. And sometimes that helps with the prioritisation discussion that we that we were just having, because it's not just that there might be other regulators domestically who, may be better placed, but if you know that another regulator in, another country is tackling a big issue and they're taking action on something, it might be that we focus our attention elsewhere.
00:18:12:02 - 00:18:34:08
Unknown
And that means that the issues getting addressed. But, we're not duplicating effort. So all of that work with our international colleagues, I think is really critical. We also do quite a lot of work in terms of that fast moving landscape to to try and understand the emerging technology, what what's going to hit us down the road.
00:18:34:10 - 00:19:02:11
Unknown
We, we do kind of horizon scanning reports. We do some of that jointly with other regulators as well. And a lot of the conversations internationally are about where are we as regulators going to need to focus next. So that also helps us manage this very fast moving landscape. That's really good. And obviously I'm a great believer in, in developing this kind of regulatory net where regulators work with each other to combine their shared statutory remit.
00:19:02:11 - 00:19:24:03
Unknown
So, as you say, as well as, focus, you know, sector regulators working with the ICO to protect data in a particular sector. And the example that you used there of 23andMe, which is an organisation that held people's DNA data, which you can't get much more personal than that. I think it's a really great example of that by the ICO is protecting it comes back to the point and she made earlier on about people.
00:19:24:05 - 00:19:46:12
Unknown
So and anything you want to add on to, to the challenges and how the ICO is, is, is raising its game to them internationally, which is more, more broadly. Well, you know, the tech challenges and internationally, I mean, you know, obviously that the, the operating environment around the ICO is moving very fast. You know, how how are you able to stay agile?
00:19:46:13 - 00:20:16:00
Unknown
I think there's, this need to really be able to articulate our impact. I think especially at the moment when the tech is moving very fast and there is a perhaps a narrative that regulation as a, as a blocker or a barrier, trying to really show that we are supporting innovation and supporting growth, but not just kind of saying that as kind of rhetoric, having proof points that can demonstrate how we have worked with different organisations to help.
00:20:16:02 - 00:20:42:21
Unknown
Yeah, support really responsible and innovative uses of people's data. And we've got lots of great examples of that. Economic analysis team have recently done a really great piece of work to actually quantify the impacts that we are delivering to UK businesses. And, you know, that's through a range of our guidance, products or services, the tools that we have, on our website, you know, it's actually delivering, millions of pounds in value for, for UK businesses.
00:20:42:21 - 00:21:17:17
Unknown
And I think that's a really powerful impact to be able to articulate why, where we're relevant, how we're staying agile. That's great. And Emily, what are the challenges that the ICO facing at the moment? Well, I think there is always the challenge of, it particularly given the breadth of our regulatory remit of working out where we focus, where we have the greatest impact and how we, kind of deliver against that in a context where we've got lots of stakeholders and lots of competing demands.
00:21:17:19 - 00:21:47:20
Unknown
Yeah. There's also, I think, continue to be a challenge for us in terms of and this is something I think lots of regulators think about around how we've got a whole range of tools in our toolkit. We often have, stakeholders who really want us to go in hard with the stick, you know, to use our fining powers, to use our enforcement powers.
00:21:47:22 - 00:22:37:00
Unknown
Those can be some of the most time consuming, some of the most expensive, powers to use. And the evidence shows, actually, that whilst they can have a real impact, they are not always the best way of shifting wider market behaviour or delivering kind of change beyond that individual organisation. So I think building the understanding for, an approach which is much more nuanced and where we use the whole range of our regulatory tools in order to, effect the greatest change and really being able to demonstrate the impact that those kinds of more nuanced approaches has had in a context in which we are never, I think, going to get away from a,
00:22:37:02 - 00:23:03:06
Unknown
a demand for that big stick use, I think, continues to be a challenge. How do you manage that and evidence it? I mean, you've touched already on some of the challenges in terms of the technology is evolving so fast. And we do need to be able to have the skills to understand the implications of that for how our personal information is used.
00:23:03:08 - 00:23:37:10
Unknown
I suppose the counter to that, that I would say is we absolutely need to be keeping up with that technology, and we need to be understanding sort of how we influencers that is deployed as opposed to trying to come in afterwards. But also so much of what we still see is really about the basics. If you look at some of the, the sort of, cyber breaches for instance, so many of those are still about really they are not sophisticated, they are still really simple, basic things that people are not doing to, to stay protected.
00:23:37:12 - 00:24:09:06
Unknown
And similarly, lots of the issues that we get in through complaints are around things like, access to, information rights, subject access requests. So, I suppose I would add to the Keeping Up challenge is, is balancing the need to do those, those kind of basics well and get organisations to do those basics well with also understanding the the new and the emerging and the most complex.
00:24:09:06 - 00:24:54:15
Unknown
Yeah. And then I think the one other thing that will that is continuing to be a challenge for us is, the volumes, the continued growth in volumes that we are seeing, in areas like our complaint handling functions and our FOI functions. And I think we really need to keep thinking about how we use the technology ourselves to make sure that we are dealing with those volumes in ways that both make sure that the people who are coming to us get a really good experience, but also in a way that is as efficient and effective use of public money and, the kind of fees that businesses pay us as possible.
00:24:54:18 - 00:25:13:04
Unknown
Yeah. And that, you know, that's something that I think lots of organisations are grappling with. Absolutely. Well, there's lots of important messages in there. Get the basics right. I mean, this obviously applies to regulators too, because they haven't they they handle data and lots of it. So get the basics right. Collaborate with others on, on the higher end stuff.
00:25:13:06 - 00:25:35:11
Unknown
And understand the tech. And make sure that you're using AI yourself to manage a data effectively as well. And the other thing you said earlier on about the range of tools, again, that applies to all regulators. Well, regulators have had tools of, you know, taking legal action, fining as well as the softer approaches of communications, to persuade people to comply because that's what they want to do.
00:25:35:13 - 00:26:00:10
Unknown
So we're nearing the end now. And coming back to you, for people listening to the podcast and concerned about their own, information protecting themselves and, people who are working in regulators who want to make sure that their regulator is doing the right thing. What what what would you recommend? I mean, the ICO has a whole host of really great, tools, information.
00:26:00:12 - 00:26:21:21
Unknown
So I would say, you know, come and come and see us, our website, has has lots that can help you, whether you're an organisation or, an individual, looking to, access your rights or exercise your rights. We also do have, helpline, which is great if you want to speak to someone.
00:26:21:21 - 00:26:46:07
Unknown
And, we've had really great, feedback about the help provided by that service. I think, as Emily have said and said, you know, people do seem to exercise their, their rights, especially relating to their subject access requests. And it's about, making people aware that they have that, that rights they can exercise. And, despite the volumes of complaints.
00:26:46:07 - 00:27:14:14
Unknown
I mean, you can you can raise concerns with the, with the ICO and, we, we do, respond to a vast volume of those, complaints. So I would say there's the kind of three things. Fantastic. Well, I'll give a little plug to your website in a moment. Because absolutely. People should go there, and check out for themselves what they need to do to protect themselves, as well as to make sure that there are no organisations, regulators are, doing the right thing as well.
00:27:14:16 - 00:27:42:13
Unknown
But, Emily, coming back to you, maybe, maybe for some final hints and tips that, you would give other regulators who want to improve their own organisation, their own regulatory practice, drawing on your experience there at the ICO and obviously what, professional body like the Institute of Regulation can do to help staff and regulators, such as the, the ICO?
00:27:42:15 - 00:28:24:12
Unknown
That's a tricky one. I think the things that I would say are really think about who you are there to deliver for and understand, what it is that they, they want and need from you. And I think one thing to remember, particularly for regulators, for whom they are there in some way to deliver to the public, is that you are not as a somebody working in a regulator, you are probably not representative of the way in which most of the public will think about or experience those issues.
00:28:24:17 - 00:28:51:10
Unknown
So you need to make sure you're really putting yourself in the shoes of the people that you're there to deliver for. And that's absolutely crucial because it it will mean that you think about the problems you're trying to solve in a different way. That's often true, actually, for regulators who are delivering to, businesses rather than the public to is they will be thinking about those issues in ways that are different to you, and their motivations will be different.
00:28:51:10 - 00:29:29:08
Unknown
And they may just, so, you know, respond quite differently to to how you would say really understanding that you want unlikely to be representative. You are an expert. And that kind of takes you out of that thinking about that whole range of tools that you have available to you and how you best deploy them. And, also thinking about how you get your staff and the people who work for you both in that mindset, where they're thinking about it from an outside in perspective and ideally, I think not working in silos.
00:29:29:12 - 00:29:56:01
Unknown
That really helps to manage some of those things around. What's the best tool that we can use? How do we work together to solve this problem? That's something that we've been working really hard on here at the ICO. And then I think, I just talking to other regulators, organisations like, like you, are really helpful because there's so much that we can learn from each other, you know, the kind of things that we're regulating are different.
00:29:56:01 - 00:30:25:15
Unknown
But so many of the problems and the solutions are the same. Fantastic. Okay. That's, brilliant. We're at time now, and I'm really grateful for those hints and tips. You're absolutely right. Talking to other regulators is really, really helpful because we all basically do the same thing. And we all think about, the users, whoever we're regulating on behalf of, whether it's, citizens or service users or businesses, we're working all in a complex, legal, political and economic environment.
00:30:25:17 - 00:30:53:16
Unknown
And we all care about balancing protection with enabling growth and innovation. So thank you very much, both of you. That's, Emily Keaney and Angela Balakrishnan of the Information Commissioner's Office. It's great to hear about your work. I said I'd plug your website. It's ico.org.uk. Please. Everyone check out how you can keep your own information safe as well as improve the information governance and data protection in your own organisation.
00:30:53:18 - 00:31:15:20
Unknown
Thanks also to our sound engineer, Neil Bauman of Bauman Audio Productions. And if those of you who've been listening to this podcast have found it interesting, please tell your colleagues and tune in to future episodes where we will talk about more, issues of interest to regulators. That's all from me. From this Institute of Regulation. There's more material on our website IO regulation.org.
00:31:15:22 - 00:31:32:19
Unknown
So for now, good luck with your own regulatory challenges. Stay in touch with each other and talk to other regulators. Which will help UK regulation become the best it can. Thank you very much. Goodbye.