Setting the Right Goals, in the Right Order

May 24, 2017

 The ICO has now published its Information
Rights Strategic Plan 2017-2021
.

As Elizabeth Denham states in her
blog post introducing the Plan
:

This Information Rights
Strategic Plan sets out my mission to increase the confidence that the public
has in government, public bodies and the private sector.

It commits us to leading
implementation and effective oversight of the General Data Protection
Regulation and other data protection reforms.

It commits us to exploring
innovative and technologically agile ways of protecting privacy.

It commits us to
strengthening transparency and accountability and promoting good information
governance.

And it commits us to
protecting the public in a digital world.

All very laudable. But, and you knew there was a ‘but’, the
Plan states its main goals and, at the very least, they are in the wrong order.

Goal 1 is ‘To increase the public’s trust and confidence in
how data is used and made available’. 

There is a big question here. Do we
really want the public to have ‘trust and confidence’? I think there is quite a
lot to be said for a level of scepticism about how data is used and made
available. Trust is what leads to clicking your privacy away. We might want the
public to have trust and confidence in the ICO but that’s a rather different
aim and, even if the ICO were staffed by powerful saints, its jurisdiction would
not stretch into the darker recesses of the web nor would it be able to transform
all data users into law-abiding protectors of privacy.

Goal 5 is ‘Enforce the laws we help shape and oversee’. 

I am
not going to go into the ICO’s long-term record on enforcement, not least
because there are signs that things are on the up (and Tim Turner may have to
delete his standard dismissive tweet, one day soon). But, especially bearing in
mind the fact that enforcing those laws is a statutory function of the ICO, it
might be wise for it be Goal 1, not Goal 5. In fact I am not sure it should be
a goal at all – it should be a given. And if enforcement was a given, there
might well be an upsurge in ‘trust and confidence’ – trust and confidence in the
ICO at least.