In my previous blog about the Information Commissioner’s Office (ICO), I wrote of how awareness of GDPR and issues surrounding personal data more generally (such as cyber security protections) is on the rise. This trend has been highlighted by both UK government and ICO research.
It is important to remember that for the ICO this increased public awareness of and engagement with information rights is not a happy accident, but a specific aim. Indeed, the first goal of their Information Rights Strategic Plan 2017-2021 is “to increase the public’s trust and confidence in how data is used and made available”.
The focus on public trust and awareness makes sense in the context of the ICO’s broader mission. Their mission statement, after all, declares that the ICO’s purpose is “To uphold information rights for the UK public in the digital age”.
But in order to do this effectively the ICO need an informed public who understand their rights and the protections their personal data should be afforded. Such an informed public, in reporting their data protection concerns to the ICO, helps the regulator identify organisations who are in breach of the law. While some of these organisations may ultimately be fined, the majority will not. Instead, the early intervention allows the ICO to use their powers to force changes in behavior, correcting the issue before something more serious occurs. A recent example of this sort of interaction can be seen in the ICO’s engagement with the Royal Free NHS Foundation Trust with regards to the use of AI in healthcare.
To inform their public awareness work – with regards to the Strategic Plan 2017-2021 – the ICO have commissioned an annual Trust and Confidence survey, the aim of which is “to gauge public perceptions and awareness of how data is shared with and used within organisations and to monitor any change in the trust and confidence in how data is used and made available”.
The most recent edition of the survey was published in July 2019. There were a number of key findings. Firstly, echoing the findings of previous research, the survey revealed that the perceived importance of data protection continues to increase, with significantly more people (61%) strongly agreeing that it is important that their personal information is protected when they share it with companies/organisations, versus those who strongly disagree (6%) with the same.
Secondly, cyber security emerged as the data protection concern those surveyed were most worried about (ranked as most important by 23% and as a top 3 priority by 49%). In her blog reviewing the survey, the Information Commissioner Elizabeth Denham remarked that it’s “perhaps no surprise to see cyber security tops the list. A series of cyber-attacks across the past year have not only directly affected large numbers of people, but also prompted headlines read by millions more”. A good example would be the British Airways incident. Regulatory action in response to a hack is, in many ways, the easiest for the public to get their head around. Their data has been stolen or lost; punishment is therefore due.