Data and the draft Programme for Government
The draft programme for Government has been published and a quick scan through it highlights some data-centric themes and issues that organisations should pay attention to in the coming weeks and months. This is a programme that has been defined in order to frame a government for the rebooting and the recovery of the economy. Therefore, the measures proposed in it should be considered in that light. They are, by and large, proposed as enablers for policy actions to address the needs of the post-pandemic society and economy.
So, it is interesting to see that the Government is committed to supporting the Digital Single Market and “ensuring high data protection standards”. This is a clear signal that data protection by design/default is not to be seen as a barrier to innovation in the recovery but as a key factor to be considered and as an enabler. Lest there be any doubt, the very last paragraph of the draft programme for government says:
“We recognise the domestic and international importance of data protection in Ireland. We will support the Data Protection Commission to ensure that Ireland delivers on its responsibilities under the General Data Protection Regulation (GDPR).”
From a business strategy perspective, organisations should be considering what lies behind the commitment to “ensuring high data protection standards” as it will have implications for:
- Funding and resourcing of the Office of the Data Protection Commission (the support for which has been the subject of at least two complaints to the EU Commission in recent months – one by Brave and the other (earlier) by myself in a personal capacity)
- Engagement by the Government in issues such as the negotiation of the much-delayed ePrivacy Regulation and (potentially) the treatment of the United Kingdom from a Data Protection adequacy perspective as Brexit plays out.
The litmus test of this commitment to ensuring high data protection standards will, inevitably, be the international perception of the independence and effectiveness of the Data Protection Commission as a regulator, as well as the level of compliance of the State with its obligations under Article 52(4) of Regulation 2016/679/EU with respect to the “human, technical and financial resources, premises and infrastructure” resources necessary for the execution of their function. In other forums I have have commented that this would include things like centralising the currently dispersed DPC offices in Dublin in to one location (in addition to their Portarlington office), down from the multiple locations they currently occupy. While the shift to remote working as part of Covid-19 has doubtless had benefits for the productivity of the office, I imagine that future management of infection control obligations will be greatly simplified if they were planning for staff in two office locations rather than one.
For the rest of us, it means that organisations will need to consider how issues such as Data Protection by Design and the Accountability principle will be put into practice as we implement plans for reopening or redefining our businesses in the post-lockdown environment, particularly as the virus is still infectious and no vaccine has yet been developed.
An interesting point buried in the Programme for Government is the proposal to create a “Regulators’ Forum” where regulatory approaches can be measured against best practice. Hopefully that forum will take note of the detailed findings in the Honohan Report on the regulatory issues in the Irish Financial Services Sector before the financial crisis and the implications for other regulators, such as the DPC (page 54 to 59 of that document are essential reading).
It’s also worth considering the increased reference to the role of Data Protection and the DPC in this Programme for Government compared with the previous two Fine Gael-led governments. In the FG/Labour coalition there was ONE reference to the DPC (in the context of a new Oireachtas Committee) and in the FG/Independent Alliance Programme (which was launched the month GDPR was finalised) there was NO mention of data protection..
There is a LOT in this Programme for Government about data strategy (or “digital strategy”). From commitments with respect to innovation in the work place with respect to “digitalisation, remote and flexible work practices”, to issues such as promotion of on-line trading and development of management skills to operate in a data-driven economy, there is a lot to absorb. And it is clear that the strategic transformation that many organisations will have to embrace will be significantly data-intensive, not necessarily from a technology perspective, but from a ‘human factors’ and change perspective as organisations seek to understand and manage data better or mitigate weaknesses in operations exposed as a result of Covid-19 inspired work-practice changes (e.g. remote working).
It is also interesting that the Programme for Government proposes a public consultation on the a National Digital Strategy (although it is unclear if this is a new consultation or a reboot of the one that was to be carried out in 2018). However, the commitments made re: Data Protection mean that balancing data protection rights and obligations and addressing data protection as part of organisation strategies will need to be a headline item for organisations of all kinds over the life of this Programme for Government. (Don’t get me started on how a Digital Strategy is aligned with the Data Strategy. Let’s just say that organisations need to have a tighter link between their business goal aspirations and their data strategy to support implementation).
The conflation of “digital literacy” with Cybersecurity is a weakness that should be addressed. The ability of people to understand data, how data can and is processed about them, their data-related rights and obligations, and also the array of data-related knowledge and skills that individuals need to develop to engage as anything other than passive consumers in today’s digital economy is essential. The understanding of online threats and harms is only a subset of a wider skills and knowledge gap that needs to be addressed.
The discussion of eHealth and ICT in the Programme for Government is interesting, re-presenting many historic initiatives anew (e.g. eHealth Identifers etc.). The challenge from a data strategy perspective will be ensuring the alignment of these with data protection obligations and data ethics principles. Also, while the commitments are forward looking, there is no specific mention of the need for investment in data management systems and technologies as part of our public health surveillance infrastructure to reduce the need for heroic measures and work-arounds in the case of another public health emergency. However, the Programme for Government does reference the need to build on the progress made already in light of Covid-19 to improve data management in the health sector, but there remains a risk of conflating technology with solutions – much of what needs to be done in the transformation to an information-enabled organisation is not glamorous or shiny.
One area of concern is that the discussion of “Digital Strategy” in the Programme for Government is focussed on technology and appears to conflate technical capability with a truly transformative capacity. It is essential that initiatives in this area recognise that there is now a 20+ year legacy of technology innovation failing to deliver due to failure to engage with, manage, and mitigate issues such as data quality, data governance, and the ‘human factors” of data. Increased integration of digital services in the public sector is explicitly called out, and it is essential that the new Government learns the lessons of previous initiatives such as the PSC which ran afoul of data protection obligations and were highlighted as contributing to discrimination by the UN Special Rapporteur on Poverty and Human Rights.
The Programme for Government talks about the “Just Transition” as the economy is moved from fossil-fuel dependence and as digital disruption and automation become more prevalent. It is important to remember that the failure rates of digital transformation run at up to 84% due to failures in properly understanding and addressing the data management fundamentals and a conflation of data/digital enabled transformation with the implementation of technology.
Ethical Data and Information Management have a role to play here in ensuring the transformation efforts are focused on delivering an information-enabled society where technology serves mankind. Indeed, this “Just Transition” is precisely what the framers of GDPR had in mind when they drafted Recital 4 of that legislation:
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
Therefore, in order to have a “Just Transition” and implement appropriate data strategies and data-driven transformation of business and the economy in a way that serves society, a meaningful approach to ethical data management will be needed that builds on the core principles of GDPR.
The devil will, as in all things, be in the detail of implementation of this Programme for Government. However, the commitments given in respect of data protection leadership have implications for many of the initiatives elsewhere in the document.
It will be a test of the commitment of the Government to this principle how well data protection principles are applied in the definition of and roll out of a range of initiatives in this Programme, from remote working supports for SMEs to eHealth, to integration of government services. It will also be a test for the Government how it will ensure that organisations who are being supported by the various initiatives in this programme are encouraged to invest in developing data literacy and digital competencies as well as buying information technology.
Organisations in all sectors should be considering how the management of their data assets can be improved as part of their strategy for success in the new economic environment and should be thinking about how to make optimum use of supports that may become available under this programme to help them avoid the mistakes that larger predecessors have made with these types of transformations in business models – failure rates are high for many well understood but oft overlooked reasons.
One bright note for me personally is that it is clear in the Programme that the Greyhound Board’s future budget will be conditional on them implementing commitments made to date. Regular readers will know that it is a bone of contention for me that a Greyhound industry that had serious animal welfare issues exposed in recent years receives approximately the same funding as a globally systemically important Regulator. Given the commitments made in this Programme for Government to supporting the DPC in executing its responsibilities, one hopes that this oddity in priorities will be reconsidered.