31 Jan | Data protection, Internet | by David Hall
Spend a few minutes on the web ‘shopping’ for sites that are accessible. Which ones do you really rate as meeting every accessibility need?
I guess it’s only fair to look at big, high profile organisations that have a diverse user base – broadcasters, big retailers, public authorities. Comments please: who are your top performers? I don’t want a naughty list but if you spot some trends I’d be interested: “Not many retail websites do …”, “The public sector is great at …”. My comment about websites for mid-sized organisations would be: “Patchy – not all websites address accessibility, and those that do often don’t offer a complete set of facilities”.
Like many technology lawyers I’ve been offering ‘accessibility/ data protection/ consumer compliance audit’ services for years, so I’ve kept a lazy eye on accessibility features. I think we’ve seen steady, quite slow growth in accessibility features on websites over the years. I’d say it’s to do with the rise in businesses trying to learn about their customers and meet their needs, and not really prompted by the steadily increasing demands of the law over the same period.
Accessibility support is quite an easy thing for website buyers to specify, and offers massive added value that appeals to perhaps 20% of the buying public who rely on accessibility features. For anyone who’s spending money on the corporate website in 2011, it’s a simple but effective thing to put on the shopping list, a solid buy with a good business case at this time of slow recovery for many economic sectors.
Getting hot on accessibility is also a pretty easy way for website developers/ providers to differentiate themselves from the competition and/or command a premium. It could be a good return against the price of developing standard features that will appeal to many business customers across all sectors. Sometimes legal compliance is just frustrating, whereas this one offers benefits for developer/ provider, corporate customer, staff and the public alike. I’ve come across providers who are rolling out well thought-through features in their products this year.
Killer apps for accessibility? Yes, I think there’s plenty of scope for getting creative and taking it outside the ‘we must so we will’ category of website functions. I’m not aware of anything out there at the moment – let me know if you are. Maybe 2011 could be the year for accessibility.
I’m booked variously to speak and advise on accessibility this year so please get in touch if you’re looking for input/ support too – if we can get similar work whilst we’re on the boil it’ll help reduce our prices for everyone. Meantime, have a look at the links.
Pesky People blog: http://www.peskypeople.co.uk/
WAI-ARIA web standard: http://www.w3.org/WAI/intro/aria.php
Tags: accessibility, compliance strategy, customer profiling, predictions, smart procurement, web 2.0
-
28 Apr | Data protection, intellectual property, Total Place | by David Hall
If you’ve been reading Computing recently you’ll be aware that there is lots of interest in open standards in the public sector. I like to see sharing and efficiency so this caught my eye. This immediately came to mind when I was recently prompted to do some thinking about the Government’s Total Place and Frontline First initiatives. These are all about efficiency and joint working across central and local Government.
Naturally there’s more to redesigning the Government machine than agreeing a pile of open data standards. Before you can even contemplate routine sharing of data between different organisations, whatever their sector, you have to navigate information laws. There are some significant issues, to which the Government is alive.
What struck me is that the issues are mainly about mindset. There is a tendency for organisations (not just in the public sector) either to totally overlook information law issues in certain contexts, or to adopt an overly rigid and cautious approach, sometimes in contexts where it really doesn’t matter. Data protection ends up being a barrier to efficient sharing, or a major risk area due to non-compliance. Major opportunities to farm intellectual property and confidential information to generate income are overlooked, whilst blood, sweat and tears are expended on gain share or risk reward deals with ICT providers which never generate income at all. The success of Frontline First and Total Place depends on re-setting the balance in these areas.
Doing this well requires support from the top, and in large or complex organisations it requires well co-ordinated effort. But it is achievable, and significant improvements in compliance can be achieved relatively quickly and easily. It requires good quality training and careful review of internal policies and procedures. There is a significant challenge for professional advisers who are perhaps often guilty of focusing on one project at a time instead of maintaining a ‘whole organisation’ approach to advising their clients on data protection. If our client has committed to a balanced approach to information management, we absolutely must support that through our advice and methodologies.
I think the starting point for Government organisations has to be training and policy review on these issues. It’s only when your internal systems are geared to “getting to yes” in relation to information sharing that the Total Place initiative has much hope of success. Start with the tweak in attitudes, however, and the stage is set for some very effective information sharing and partnerings.
Links
http://www.hm-treasury.gov.uk/psr_total_place.htm
http://www.computing.co.uk/computing/analysis/2252846/open-initiative-gathers-4890350
Tags: compliance strategy, data sharing, intellectual property, partnering, Personal Information Management System
-
14 Jan | Data protection | by David Hall
Okay, let’s be polemical.
Data protection in the UK is benign. For the average organisation that gets routine compliance wrong but doesn’t mean to, you don’t get into trouble as such. You get told how to comply, and as long as you do as you’re told there’s no talk of criminal offences. You could almost make it your compliance strategy to wait for customers to complain then let the regulator tell you what to do. Customers have the right to compensation in some cases, but it’s small stuff and rarely goes to court. You can get named and shamed on the regulator’s website, but so what? It’s a rare case that causes major reputational damage and makes the national news headlines, and you can ride out stories in local news and sector/ trade publications.
The thing is, you pretty much can run your compliance strategy like that, and I think many organisations do. I don’t imagine that it’s driven by cynicism. It’s just what it ends up looking like if you don’t put enough resources into data protection compliance. And with plenty of other calls on your cash and time, why would you?
I think there’s quite a good business case for good data protection compliance, although I’ll write about that another time. What interests me today is why DP compliance gets neglected.
My guess is, not many people know how to do compliance simply and cost-effectively, without making a business out of it. The law and regulators’ guidance are pretty complicated. They offer high level principles and really specific guidance and case studies, and not much in between. You could be forgiven for not even bothering to make a start, let alone boil it all down into a simple, effective system. I like the BSI’s new standard on data protection but I think it’s complicated and can’t yet be certified. Ditto the information governance standards. So far as I can tell the regulator hasn’t issued similar standards guidance, which I find a bit surprising. Which leaves us all … not doing too well at DP compliance.
What’s prompted me to think about this is news this week about new powers for the regulator. (See the “News” links, below.) I need to spend time getting to grips with guidance on the new powers, and I’ll be watching the first few decisions carefully, but it looks like time is nearly up for relaxed or cynical approaches to compliance. These features caught my eye:
- You get penalised if the outcome of a breach is serious, or likely to be, and the breach and outcome were foreseeable but not managed as such. That puts virtually any business in the frame, and pushes organisations to put effort into DP risk assessment.
- Penalties will be used to neutralise commercial benefit. There’s a commercial benefit to slack compliance. Are we looking at that kind of compliance saving being charged in the end, by the regulator?
I’m surprised to see the regulator’s practice notes are treated as a benchmark in the guidance. I find that difficult, because the recommendations do not cover all sectors or DP issues, and they’re not always easy to apply in practice. Humph. If you can build a business case for it, the on-the-shelf solution is British Standards compliance (which gets several endorsements in the guidance).
So we all need simple, quick, cost-effective ways of achieving compliance without a huge increase in the legal or consultancy bill, or the payroll of your compliance department. If you think you’ve succeeded in setting up a great personal information management system, leave a comment, let me know. I reckon I’ve got good solutions and I’d be happy to share ideas.
News: http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf
BSI standards: http://shop.bsigroup.com/en/Browse-by-Subject/Data-Protection–Freedom-of-Information/?t=r
Tags: British Standards, compliance strategy, penalties, Personal Information Management System

