This summer, Elizabeth Denham takes up her position as the new Information Commissioner. She replaces Christopher Graham, taking responsibility for decisions surrounding the Freedom of Information Act, data protection, and the privacy and electronic communications regulations. So who is Elizabeth Denham, why has she been picked for the job and what might we expect her to focus on?
For the past six years Denham has been Information and Privacy Commissioner in the Canadian Province of British Columbia. Prior to this she was Canada’s Assistant Privacy Commissioner for three years. Outgoing Commissioner, Christopher Graham, welcomed her appointment, saying: “Elizabeth is an experienced information rights practitioner, essential when the ICO is busier than ever and facing the challenges of the digital age.”
During her tenure in British Columbia, Denham was commended for not shying away from taking on big organisations and big issues. Her investigation into Facebook’s privacy practices highlighted concerns surrounding the over-sharing of personal information with third-party app developers. Her work led to Facebook agreeing globally to add new privacy safeguards. Denham also worked with Google, resulting in changes to its Street View service in Canada.
Denham’s report into the Triple Delete Scandal led to a Canadian government crackdown on triple deleting emails to eliminate all traces from documentary records. She recommended the installation of technology to prevent employees from permanently deleting emails, and legislation requiring the documentation of key government decisions. The investigation was prompted by the case of a former British Columbian Government staffer accused of asking a colleague to delete emails about the Highway of Tears investigation into missing and murdered aboriginal women.
Denham has been applauded for challenging the Government; a Vancouver Sun columnist described her as “one of the most effective of all the independent watchdogs on government conduct.”
The soon-to-be UK Information Commissioner has also tackled hefty data breaches. She issued a damning report into negligence and incompetence when the Ministry of Education loaded confidential information on approximately 3.4 million British Columbians onto an unencrypted computer drive and then lost track of it. Denham has been a vocal critic of what she describes as “oral government.” She says the practice in local Government of taking decisions verbally leaves little or no record of government decision making and thereby undermines the freedom of information system. In addition to high-profile cases, Denham has also gained recognition for tackling issues such as social media and automatic number plate reading (ANPR) technology.
Denham takes up her new role at a crucial time, with the new EU General Data Protection Regulation due to be implemented on 25th May 2018. Whether Britain remains in the EU or not after the June Referendum, she will be at the forefront of the biggest change to European data protection law for decades.
GDPR imposes specific requirements for Privacy by Design, an area in which Denham has shown considerable interest. Her co-authored report, Getting Accountability Right in a Privacy Management Programme, stresses the need for Privacy by Design before systems are built.
Denham will also be the first Information Commissioner to work under the proposed Investigatory Powers Bill – the so-called Snooper’s Charter.
When she was announced as the Information Commissioner designate, Denham said: “I believe the rapid pace of technological change we face will continue to accelerate and present challenges to information rights – we must ensure access to information while maintaining high standards of data protection.” She continued: “The Information Commissioner’s Office has a global reputation for practical, innovative and responsive regulation. I look forward to contributing to this work.”
For business, Denham’s appointment should focus minds on transparency. A doughty consumer advocate, her record suggests renewed scrutiny of decision-making, and of how we both justify and formulate our compliance processes.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.