This blog was written by our Commissioner, Emma Martins, and first appeared in the Guernsey Press on 1 November 2022.
Bailiwick Data Protection Commissioner Emma Martins reflects on the far-reaching implications when a damaged undersea cable cuts off an entire community, depriving it of essential services and serving as a reminder of how fragile the important links we all take for granted can be.
“Police declare major incident”
“People told to check on elderly and vulnerable”
“Shops unable to open”
“Transport links affected”
“Emergency hub set up by the police”
“Public told to flag down vehicles if they need police/fire/ambulance as 999 lines down”
“Local MP talks of ‘catastrophic impact’”
This is not a description from a disaster movie but real life for the Scottish Island of Shetland last month when their subsea connecting cable was cut, resulting in no phone or internet connection. It reminded me of something I heard many years ago from a prominent technology expert – that access to the internet should be considered a human right. I admit that I rolled my eyes. I understood human rights as being about freedom from torture, right to life, etc – basically the big-ticket concepts which we are all familiar with. I have now come to better understand the sentiment of that speaker.
We live in the Information Age, characterised by rapid technological developments. So much of our life, both home and work, is interwoven with information technology. Whoever controls that infrastructure and the data that feeds it, has extraordinary power. And when talking about ‘power’ in this context, we mean political, economic, and social. One cable. Just one cable. Think about it. Businesses could not open, public services were affected, people could not communicate.
These things cannot really be compared to rights such as freedom from torture, but they do not compete, they complement. And if public services are impacted, that means hospitals, ambulances, fire engines etc, and those things do have a real and direct impact on the lives of individuals and communities.
So it was too easy for me to roll my eyes in the face of the comments I heard all those years ago. The reality is that we need to understand the evolving relationship with and reliance on the technology that underpins so much of our lives. We sometimes only get real clarity of the scale of that reliance when cables are cut. The more reliant we have become on it, the more critical it has become for us to build in protections from the beginning.
Despite data protection and privacy often being positioned as anti-progress or anti-innovation, it is neither.
We do not baulk at the designers of cars who, from the first day of considering what the latest sports car is going to look like, have driver, passenger and public safety at the forefront of every element of the design process.
I want to encourage us to look at data in the same way.
If a failure of security means that an ambulance cannot be called, if compromised data means that your bank account is cleared out by a hacker, if a child gives personal data to a stranger – these are real world risks and harms, and they absolutely go to the heart of the rights, freedoms and protections we have come to expect in modern democracies.
This is not about one law, it is about a protection and governance framework around the infrastructure and the data within it. The data protection law is one important element of that but it should not be viewed in isolation. The effort and administration that can often go around compliance duties for organisations, looked at through a different lens, can be something we learn to expect, demand and appreciate. Rather than being considered a burden, it is something that asks us to build in protections from the beginning in a way that actively seeks to prevent harms.
I heard a local small business owner speak at a conference in the Island last month about a cyber attack which had impacted his business significantly. He spoke powerfully and articulately about the difficult journey to get back up and running, not only technologically, but also reputationally. He spoke too of the fact that cyber security was not really something on his radar before the attack, that as a small business he thought that it would simply not be of interest. He spoke with integrity and authenticity and concluded by accepting that he had lost the trust of some of his clients but had come out the other side better equipped and better prepared for life in the digital world. We owe him a debt of gratitude for sharing his experiences because that is how we learn and that is how we improve. And in a lovely nod to the value of being open and honest (yes it matters!), I overheard someone at the conference say how they were going to make a point of visiting the business to buy some of the products.
At our office, we try to publish useful guidance and raise awareness of the risks, but actually hearing from people like that small business owner has a big impact. Whether it’s cables or hackers, we are all at risk, regardless of size or sector. Data protection and data security must be looked at as a community endeavour, with government, regulators, businesses and civil society all striving for the same thing – a healthy, innovative and safe environment where we, as citizens and businesses, can thrive.