Search and rescue

It’s easier to be apathetic than fight against a culture of CCTV, facial recognition and data sharing. Meet the man in charge of protecting our information, who says that privacy is a human right

“Everyone fixates on this little tweet I composed in two minutes,” laughs John Edwards. “But nobody’s asked me about the tweet that I sent just before Xmas praising Facebook for deleting its facial recognition records.”

The offending tweet, since deleted, dates from 2019, when Edwards was New Zealand’s privacy commissioner and the social media giant allowed a white supremacist terrorist to livestream his attacks on two Christchurch mosques that left 51 people dead.

Edwards, a barrister and solicitor before becoming privacy commissioner in 2014, used some unlawyerly language when Facebook’s founder Mark Zuckerberg refused to commit to changes, calling the company “morally bankrupt pathological liars” who “cannot be trusted”.

Last month Edwards became the UK’s new information commissioner, responsible for protecting the data of the tens of millions of people who engage with big tech firms like Meta – Facebook’s owner – and Google’s parent Alphabet. Under Edwards’ predecessor Elizabeth Denham, the Information Commissioner’s Office fined Facebook £500,000 for its role in the Cambridge Analytica scandal, when it allowed the mass harvesting of personal data. Will Edwards be as willing to criticise big tech firms as he has been in the past?

“If they warrant it, definitely,” he replies, sitting in Big Issue North’s office for one of his first interviews since taking up the post. But he refers to Facebook’s decision last year to ditch its facial recognition system, which used artificial intelligence to suggest people to tag in photos and videos. “And we’ll support them if they are doing good things.

“They said we’ve got these billions of records. We don’t need them so we’re going to get rid of them.

“It’s really important we call out good behaviour to support that as well as the poor behaviour – and that we also position ourself to provide advice and make it easy for these companies to choose the most privacy-friendly options.”

Edwards acknowledges that data sharing and adtech – the software advertisers use to target consumers online – are a fundamental part of tech firms’ business model, which they have a right to pursue.

“They bring great benefits. If they weren’t delivering services that people wanted, they wouldn’t be these huge monoliths with trillions of dollars.

“They’re not all evil but where they transgress or go over the line it’s up to me and my colleagues like Ofcom and the Competition and Markets Authority to call them out on it and apply the penalties that Parliament has put in place for us to use to rebalance things in favour of the consumer.”

Edwards was educated in New Plymouth, New Zealand, and began his career – after a spell with the Mount Cook mountain search and rescue team – in legal general practice, before becoming an investigating officer with the country’s ombudsman’s office, looking at Official Information Act decisions. He moved back into the private sector and then became privacy commissioner, when he was also chair of the International Conference of Data Protection and Privacy Commissioners (now known as the Global Privacy Assembly) and a member of the OECD’s Informal Group of Experts on Children in the Digital Environment.

Above: ICO enforcement officers entering Cambridge Analytica’s premises in London in 2018, after claims it had illegally obtained Facebook users’ details. Photos: PA and (main image) Howard Barlow

“One of the things I love about privacy is that it’s completely apolitical,” he says. “It applies to everyone in the community, it’s democratic, it’s an unalienable fundamental human right. It doesn’t matter where on the political spectrum you are, you are entitled to have your personal information respected. All businesses owe all customers and all stakeholders that responsibility and government owes that to its citizens.”

In New Zealand, he points to two examples of how he was able to apply this commitment. He took up the case of a witness to a burglary who called the police, resulting in a man’s arrest. But while the culprit was in the police car, an officer at the station read out the witness’s name and address over the radio.

“He phones his girlfriend. She goes round and firebombs the house. His family runs from the house with everything they own in flames behind them and it burns to the ground. So there’s a very profound impact on individuals. We sometimes lose sight, I think, in a world of compliance and form filling, of what this means. It’s about keeping people safe and respecting them.”

At a macro level, that was repeated when the government tried to assess the effectiveness of its social spending on budget advice organisations, women’s refuges and rape crisis centres. It demanded the centres record each client’s name, address, date of birth and names of dependents. The centres pointed out this would put off many people seeking their help and Edwards intervened, acknowledging to a “furious” minister that there might be a rationale for the data grab but saying: “Think of the message to an abused woman with kids who’s finally plucked up courage to go to a refuge and the first thing she sees is a form that says we’re going to pass your details on to the Ministry of Social Development. You have their best interest at heart but that’s not this woman’s experience. For her, that’s the place that can take her kids away, that’s who decides if she gets a new washing machine or not.”

With some pride he says the minister took the proposal off the table immediately and he was praised across the political spectrum in New Zealand’s parliament for his action. “We can do good at individual level and also achieve change across society,” he says.

From his base at the Information Commissioner’s Office in Wilmslow, Edwards will be engaging with the government over the proposed reforms to the Data Protection Act and introduction of the Online Safety Bill. The ICO also aims to prioritise its work to protect children online, through the Age Appropriate Design Code, a set of safety standards for children online that has already forced TikTok and others to change the way they operate and increase protection, and has influenced regulators elsewhere in the world.

The Data Protection Act implements the European Union’s GDPR, the regulation that caused convulsions among businesses and other organisations when they were forced to get to grips with it in 2018. After Brexit, ministers have indicated they want to diverge from GDPR and move to a “common sense, not box-ticking” approach, in the words of former culture secretary Oliver Dowden, to create a friendlier climate for companies whose business is sharing data.

Edwards says GDPR carries a good set of fundamental principles. “I haven’t seen a sign ministers want to depart from that but how we get there can vary. Some aspects of GDPR are perhaps over-bureaucratic and impose compliance costs without those costs resulting in a benefit for individuals.”

He says GDPR can impose onerous and costly record keeping requirements and that the enforcement process, by which breaches must be investigated by the country where the offending company is headquartered, is inefficient. Reforming the regulations, he believes, might “put some stakes in the ground for businesses so they can innovate with confidence”.

In 2019-20 the ICO received 39,000 data protection enquiries, handled over 102,000 enquiries about nuisance calls and texts, and responded to 6,421 freedom of information requests. It employs 770 staff at Wilmslow and other offices in Edinburgh, Cardiff, Belfast and London. But it’s not only protecting people from big tech, smalltime scams and individual predators.

When Big Issue North visited Wilmslow in 2008, HMRC, the Ministry of Defence and the Driving Standards Agency were among the roll call of public sector organisations where recent data breaches had led to millions of people’s records being compromised. Then commissioner Richard Thomas said this wasn’t just about personal errors – “it’s about policies and procedures, and about culture. And it goes back to the guys at the top.”

Between January 2020 and March 2021, HMRC reported 17 serious data breaches to the ICO. The continuing problem suggests to some that regulation is not working. New into post, Edwards is understandably reluctant to be drawn on specific cases but says: “We want to have a culture of reporting and if we’re getting a lot of numbers because there’s a lot of reports then maybe that’s a good thing. We can begin to resolve the problem that we’re seeing. But I do see systemic problems. Systemic problems need a systemic programme of work upstream.”

Data protection is particularly contentious with regard to the police, security services and other agencies with powers of investigation and surveillance. For many politicians and voters, the unchecked growth of CCTV, trials of unreliable facial recognition software in public places and the retention of internet search records are met with a shrug and the retort: If you’ve nothing to hide, you’ve nothing to fear.

Edwards is unimpressed. “That’s nonsense. Everybody’s got something to hide. We don’t reveal ourselves. That’s what pants are for, right,” he jokes. “We don’t reveal ourselves to everyone all the time. We keep some things to ourself. And that’s fundamental, that’s what human autonomy and human dignity is – the ability to have some control over your environment and your information.”

The ICO has supported a project helping homeless people understand how they can control their personal data with the Connection at St Martin’s project in London. In 2018 it issued an enforcement notice against the Metropolitan Police because its Gangs Matrix database of potential gang members breached data protection laws. It has also been sharply critical of the police practice of forcing rape victims to hand over their mobile phones as evidence, under threat of dropping the case – a process that’s been dubbed “digital strip searching”.

Do vulnerable people in the UK receive the protection they need?

“The framework is there and it is robust but it takes a lot for a vulnerable person to find an organisation like the ICO and to tell their story so we have to be on the lookout for that kind of stuff.”

At a time when women’s trust in the police has been undermined by a string of crimes and events including the murder of Sarah Everard, digital strip searching has been sharply criticised.

“Undertaking activities which people might experience as revictimising is something I’m really interested in. The agencies that are doing this, they don’t mean to demonise or harm or humiliate people. They’ve got a job to do. But we can show them the impact and what that means to individuals, and help them to see that different perspective. Is there another way you could go about this? What are you looking for? Is there a better way of doing it that restores and maintains the agency and the autonomy and the dignity of the victim here?

“If a woman leaves the station in tears what’s the message she says to her friends who might also be in need of police support at some point – a service to which they are entitled?”

Edwards has long held an ambition to do human rights law at an international level and is “really excited” to be at the ICO. He’s also going to have to protect its own future. Ministers want to change its structure, bringing in a supervisory board with separate chair and CEO. Before she stepped down, Denham broadly welcomed the reforms but warned some aspects of them “do not sufficiently safeguard” its independence. Is Edwards ready for some big battles with ministers?

“I’m keen to engage with ministers and get to a place where we have an ICO that’s fit for purpose.

“This job is so important. It’s about humanity and that’s what gets me up in the morning and everybody into the office for the day. Talk of data adequacy and international data transfers can be esoteric and obscure the fact it’s about how to protect and empower the individual, allow them to prosper and reach their potential.”


Do not delete

As well as protecting data, the Information Commissioner’s Office tries to ensure it flows freely.

It oversees the Freedom of Information Act, which Tony Blair introduced in 2000 and immediately regretted.

The act obliges public authorities such as central government departments, schools and police forces to publish certain information. It also gives people the right to ask for information held by public authorities that’s not already published. If they don’t comply, the appeals process runs up to the ICO.

In his memoirs, Blair called himself an “idiot” for bringing in the act, because he felt it gave journalists a “mallet” to hit him with and stymied the confidentiality needed for his conception of effective government.

Ever since, journalists, campaigners, academics and others have used FOI to good purpose, extracting reams of material that lays bare the workings of the public sector. But they are often frustrated when public bodies use the act’s exemptions to refuse applications, whether on the grounds of cost or unreasonable workload, commercial sensitivity or because a request is deemed “vexatious”. Often, responses come much later than the law demands.

The Cabinet Office’s FOI clearing house underlines government resistance to transparency. It was established in 2005 but its workings have been relatively secret until recently and it has been used to effectively suppress information on issues including Grenfell Tower and the contaminated blood scandal.

What can John Edwards do to embed a real commitment rather than lip service to FOI?

“FOI is so important to a functioning democracy,” he says. “It gives people the basis for their civic engagement. It helps with the process of holding agencies to account. All of these things are indisputable. We also find it comes at quite an administrative cost and I think that is quite a big part of the experiences of the critics you are describing – departments are feeling overwhelmed.

“The message I would be trying to get into those departments is that this is core business – it’s not a chore. You’ve got to really make sure you have the resources necessary to deliver on FOI in a timely way.

“But I think we need to go even further and say get ahead of it. If one of the problems is the administrative burden, then why don’t you create systems that allow for proactive posting, so we get more into the habit of putting up information without having been asked to. And then when somebody does ask you can point to it. ‘It’s already on the website. Help yourself, fill your boots.’

“We’ve got a way to go – and for my office to get there we’ve got some pretty big challenges in terms of backlogs, in terms of funding.”

The ICO has also faced a growing demand for FOI appeals, without a rise in funding, he says. “We need to make good our commitment to both agencies and complainants but also need to find some capacity to work on those upstream factors and try to improve the system.”

The ICO’s concern runs all the way up to the heart of government. Last year it opened an investigation into the suggestion that ministers and senior officials at the Department of Health and Social Care were using private correspondence channels, such as private email accounts, to conduct sensitive official business.

That in itself is not against the law but Edwards’ predecessor Elizabeth Denham said she was worried that “information in private email accounts or messaging services is forgotten, overlooked, autodeleted or otherwise not available when a freedom of information request is later made.”

And last month, in response to a query over lockdown parties at Downing St, the ICO clarified rules about not deleting emails or texts that may be relevant for an FOI request.

“Relevant information that exists in the private correspondence channels of public authorities should be available and included in responses to information requests received,” said a spokesperson.

“Erasing, destroying or concealing information within scope of a Freedom of Information request, with the intention of preventing its disclosure, is a criminal offence under section 77 of the Freedom of Information Act.”
