The Information Commissioner Christopher Graham has called for stronger and custodial penalties to deter those who trade illegally in personal information. Current penalties are too slight, he argues; and courts are, he implies, encouraged by the current low tariff to ignore it altogether. A tough response is what he wants, which will send the right signals about data protection. But is he right?
A regulatory scheme like the current data protection scheme rests, it seems to me, mainly on a set of rules that provide prompts and prohibitions. Once players have agreed to play the game and understood the rules, rational action ensues. If someone breaks the rules in a game like this, then the appropriate response is educational and persuasive rather than coercive. If you take the latter course too often or too heavily, then you have changed the type of game you are playing.
This means, I think, that it is alright to have criminal sanctions at the margins of the scheme, but those sanctions must not be too strong, because that alters the balance. After all, if you send someone to prison for breaking a rule at the margins, what is going to happen when you break all those other rules, particularly as they are pretty much the same sort of rules as the ones you go to jail for?
The other sense one has here is that the new IC is continuing the strategy of his predecessor of talking up the importance of his office in one way or another, rather than doing what is consistent with his main role as an educational regulator. The trouble is that the latter role is a bit boring, and no one takes it seriously, or as seriously as you would like them to. It is the fate of educators not to be admitted to the top table. Still, in my view education is where the main job of the regulator lies.
So the question then arises whether it is the educational function of the ICO that is really in crisis, and it is the crisis here that is leading to demands for more coercive powers, powers of inspection, the knock on the door, and so on. Anything, so to speak, to divert attention from the no clothes situation (not the same as the no powers situation). And this in turn could be a reflection of the wider crisis of data protection, which is that no one really knows what is wrong with it, although everyone does know that it is wrong.
But you can’t educate in such circumstance, because the teacher doesn’t understand it either. You adopt odd counter-measures – the common sense approach, which you hardly need to be educated about to adopt. You just need to be given permission. Then you send people to jail – for not using their common sense perhaps?
Philip Larkin once said that a novel has a beginning, a muddle, and an end. The core educational agenda of the ICO is being lost, in my view, because it hasn’t got a coherent narrative about what is wrong with data protection. It just has a muddle.