Data protection was not a game at London’s 2012 Olympics
By Angelique Carson, CIPP/US
Patricia Poku isn’t new to data protection. A quick glance at her resume would tell you that. In fact, she’s spent the last 20 years or so in the field. But perhaps no amount of experience could have prepared her for the herculean task she most recently took on: head of data protection at London 2012—the Olympics and the Paralympics.
When she finally closes up shop at the London Organising Committee for the Olympics and Paralympics 2012 (LOCOG) on December 14, Poku will have spent 18 months total protecting the personal data of citizens from around the world as it streamed in at a rapid pace from myriad Olympic departments, including marketing, volunteer coordination and ticketing.
“It started from nothing, and it grew big very quickly, only to fold up,” said Poku, who’s now seeing data through to the end of its life cycle. “It’s a once-in-a-lifetime experience in data privacy.”
In total, Poku oversaw roughly 85 databases, each containing an average of about 100,000 data sets. She was charged with ensuring that all Olympic departments within LOCOG collecting data from individuals understood their obligations under the Data Protection Act and would commit to strict Olympics-specific rules, established by Poku, called a “personal data governance strategy,” on appropriate data uses.
“I’m not sure if anyone in Europe or the West has had to deal with something on this scale, but obviously in the UK, they take the Data Protection Act very seriously,” Poku said of the expectations.
It was at times an arduous task, Poku recalls, to convince the necessary leaders and other data handlers of the importance of data protection. Compounding the difficulty was the constant influx of new staffers who would require the appropriate training—100 to 200 additional each subsequent week.
First, Poku set out to create a culture of awareness and make her presence known across the organization. She created a supporting role called the “personal data coordinator,” which handled administrative tasks.
But at the end of the day, when the Olympic torch was blown out, the safety and security of millions of global citizens’ data depended on how well Poku did her job.
The Privacy Advisor caught up with Poku after the games to ask her about this most extraordinary professional experience.
The Privacy Advisor: Now that it’s almost over, how do you feel?
Poku: Winding down the organizations is a massive challenge, but it’s been an amazing experience.
The Privacy Advisor: Did you have a team to help you?
Poku: Eventually, I had to have a team. I started on my own for a few months, and I quickly realized it was too big to handle by myself. My strategy was to work within the functional areas on who would champion the protection of information within their own area of work, and I think that was very successful because most people were very savvy in their matter of work.
If you can imagine the Olympics, you’re dealing with so many groups of work at the same time. It’s unlike any other organization that has one main objective. One minute, I’m dealing with ticketing, whose main objective was to sell tickets. And then I’m dealing with the marketing team, who anxiously wanted to market and promote the brand of the organization and get everyone to register and collect information on people interested in the games; that was all they knew. Then there’s another group of people who recruit volunteers and put people in their big database—their world is a world away from the ticketing team. I had another team where all they wanted to do was run a successful torch relay. Also, the organization was growing at a pace that is so unusual for any other normal organization.
The Privacy Advisor: How did you handle having to constantly educate newcomers on data protection protocols?
Poku: A coordinator was appointed to the induction team who ensured these people had a new training packet to go out every Monday. I put a lot of responsibility back on the function areas and the heads of these areas.
The Privacy Advisor: Did things go smoothly?
Poku: I wouldn’t use “smooth.” I had to be on my toes all the time and on skates around the organization. And I had to be extremely proactive to find and put myself on several distribution lists for different departments and functional areas. The challenging thing is that it wasn’t just within this organization because we had numerous external organizations involved as well. And the central government had key stakeholders in this, making sure the country’s good reputation was maintained as well, so I had the central government’s interest, police interest, the minister of defense’s interest. I had various sponsors of the games who also wanted access to data to do promotions. So many people wanted access to information and lists. I had to put some really strict rules in place very quickly. And the biggest challenge for me was to get people to find out about me, where I am, how I’m located in the organization and into their overall purpose. As soon as I got people used to that, it became more workable. People said, “Let’s run this by Pat.” But to achieve it was a bit of a challenge.
The Privacy Advisor: How did you convince department heads of the importance of data protection?
Poku: You have to be a people person. The main thing was the strategy and teamwork with the senior management team. They would put their name to e-mails out on my behalf and say, “Yes, we agree with what Pat wants to achieve,” and then that was forwarded on. The commitment was coming from high in the organization, so the staff bought into it very seriously.
The Privacy Advisor: Did you face resistance at some points?
Poku: Sometimes, especially when people wanted to use data in ways I didn’t feel was compliant. Sometimes this became a challenge because their main focus was going forward with their objectives and this goal they have set, and sometimes you could come across as a block for them. But I always found it was good to have a talk with people, communicating face-to-face if possible and explaining why something is not compliant and how to understand the risks.
This role is really an advisory role, and therefore I always said to people that “I can advise you; I can highlight the risks, but you make the decision. Once people understand they are responsible for the decision and keeping data safe, they want to listen and understand their options. Sometimes they have to stop doing something and seek the consent of the data subject and see if they are happy with data use if it’s different from the data collection purposes, and this may become a delay.
The Privacy Advisor: So they eventually came around?
Poku: Eventually people became happy and confident in their use of the data, having consulted the data subject. We came across this a lot in the project. They came to a place where they understood why there are important rules and why we need to stop and think and often consult data subjects where we had already progressed in a project. A lot of these problems were resolved amicably. The main thing is communicating and taking time to review the risks.
The Privacy Advisor: What happens to all of that data now that the games are over?
Poku: I’m working with various committees, knowledge-transfer committees, to anonymize data where necessary and to ensure that we have consent from the data subjects for legacy where applicable and to be sure that the data has been properly purged before systems are decommissioned. So I’m following through to the end of the life cycle of the data.
The Privacy Advisor: What advice might you offer to the next person tasked with a similar role? Perhaps at the Olympics 2016?
Poku: They have to be very proactive and confident in the Data Protection Act, be able to make themselves approachable within the project, ensure they understand the requirements of the act thoroughly and can implement them confidently. What I found is that so many people really did rely on me and took my word for it and took my advice that I had to be very confident in what I was saying. That really went a long way to help me and the organization as a whole to achieve what we set out to achieve. Otherwise, it would have been a mess.
Former UK Information Commissioner Richard Thomas was impressed with Poku’s work and the processes followed to ensure data was properly protected, he said.
“Along with every Briton, I am still bursting with pride. The Olympics delivered as the Greatest Show in the World. We British surprised ourselves and everyone else with fantastic infrastructure, highly efficient logistics, brilliant athletics, amazing creativity, cool music and an unbelievable atmosphere…Oh and the data protection worked a treat as well,” he said.
Thomas added that Poku’s comments show data protection “was largely behind the scenes and based on excellent planning and execution. And nothing went wrong! Just imagine the uproar and scandal if all those volunteers’ personal data had got into the wrong hands. Or if spectators’ bank account details had become freely available. Or if athletes’ medical records had somehow got mixed up.”
He concluded, “Doing data protection well is a mix of the right paperwork, the right technology and—above all—people doing the right things. Privacy professionals do not always get spotlight glory, but Patricia’s unique story shows how experience, expertise and determination—with a bit of advice from the ICO—secure compliance and stop things going wrong. Patricia should step on to the podium for her own Gold Medal.”
Read more by Angelique Carson:
Chief privacy officers discuss employee privacy training
Young privacy pros make their way onto the scene
Workplace privacy expert sheds light on fair employer access to employee data
Amidst fledgling smart grid safeguards, utilities self-regulate and an expert offers a how-to