The Chronicle of WASPI - John Grenfell
Whenever I read the WASPI Accord or populate a WASPI ISP (Information Sharing Protocol) template, it’s hard for me to avoid reminiscing. After all, while the texts have changed over the years, I still recognise specific phrases and sometimes whole sentences which I wrote and refined all those years ago.
But where did WASPI come from?
By the end of the 1990s, public services were discovering that a ‘paper-first’ world would soon cease to exist, and many were not prepared for the present – let alone the future. Widespread internet use in organisations was still in its infancy, but even then the future looked more likely to be built by interconnected networks than by typing pools.
A series of cases in that era highlighted the fact that the poor handling of information, within and between organisations, could have tragic real-world consequences. The Victoria Climbié Inquiry found that key information was not being shared even between neighbouring local authorities. Harold Shipman, Britain’s most prolific serial killer, was able to murder more than 200 patients (the Shipman Inquiry confirmed 215) despite the existence of management information showing that his practice (a sole practice) was losing elderly women at home at dozens of times the rate of other practices. Soham murderer Ian Huntley did not need any kind of sophisticated plan to escape his questionable past: the simple expedient of changing his name and moving police area made him invisible. A Chief Police Officer declared that ‘it was data protection wot dun it’ while his DPO was saying no such thing.
It was becoming inescapable that the mishandling of information and inappropriate scrupulosity over processing information was capable of killing people – and harming many others.
The late 1990s was a time when you could encounter a range of materials that encouraged ‘information sharing’ in the public sector, but practically nothing that seemed grounded in human principles, only the plodding old eight principles of the 1998 Act.
Information sharing in the public sector was made difficult for a few different reasons. In that immature age, what we now call ‘information governance’ tended to be the preserve of the data people in IT departments, attempting to work with the legal folks. This resulted in incredibly long and exhaustive doorstop documents that had no bearing on the lives of the people public services intended to serve. They also tended to be ornamental: they were so long that they went unread, and senior managers basked in the delusion that somebody more knowledgeable had looked the data protection arrangements over and thought they were OK.
Another problem: in the absence of decent examples of information sharing, very bad examples were being exchanged between local authorities without anything resembling quality assurance. One, from a major London authority, was so bad (i.e. authorising illegal privacy invasion) that I buried it and tried to work out what else we could do.
It was at this point that there was a development in England to look after data better. This resulted in something called the HORUS model. The name was an acronym derived from the verbs associated with information:
Holding
Obtaining
Recording
Using
Sharing
This framework had its uses – it was great for communicating simply about what aspects of working with information were important. What was less helpful was the continued focus on ‘data’ – the abstract, dehumanised stuff contained in databases – rather than the fact that we protect data because it has sensitivity, value and importance to real living human beings.
A more significant weakness of HORUS was that the data protection principles and the DPA 1998 itself were built to be used by every kind of organisation in every kind of sector. HORUS itself could have been used in any sector – nowadays we might call HORUS a form of data lifecycle management.
So by the early 2000s, the public sector was feeling the lack of a component: how the public sector could approach the issue of sharing personal information without getting bogged down in excess legalistic detail or parochial system protections. A set of principles was required to underpin public sector work with data.
The Human Rights Act 1998 was a useful starting point, because it was explicitly designed to apply to public sector organisations. It brought into UK law the European Convention on Human Rights, which sets out a range of rights that apply to all human beings. The right to respect for private and family life set out in Article 8 is a qualified right, which means that it can be interfered with in specific circumstances: the interference must be in accordance with the law and necessary in a democratic society for one of the aims the Article lists.
At this point we arrive at the central balance of information governance in the public sector: how do we discharge our statutory duties and functions while simultaneously respecting the privacy rights of the people we deal with? Primary legislation and statutory guidance helped to provide a basic legislative reason to ‘interfere’ with Article 8 rights. But once a legal gateway was opened, what was allowed and what was not allowed to pass through?
Around 2003, Welsh Government discerned that the missing component would need to be supplied for public services in Wales - and that it needed to be provided in a coordinated fashion. A Code of Practice on Confidentiality for Health and Social Care Workers was then in development, which was a good start on a thorny subject. However, the common law duty of confidence was a relatively narrow path compared to the totality of public service provision in Wales.
Around this time I had been devoting more and more time in and out of work thinking about all these intertwined issues while developing training materials for social care staff sensitising them to the wider concept of ‘privacy’ rather than merely ‘data protection’. The HORUS model helped a bit, but there continued to be something - missing.
So when Welsh Government put out a call for applicants to take forward privacy work nationally on a seconded basis, I applied and was taken on. The late Paddy Pope was the official I worked to and with, the ideal manager willing to let me get on while he organised the official business-y stuff. He pointed me at a few models he had identified in England, things that had moved beyond HORUS and were grasping at something bigger. Then we came across a model that had been used in the crime and justice partnership in Merseyside.
This was a tiered model which included an over-arching agreement with increasing levels of detail beneath it. Not to put too fine a point on it, I nicked that – but always gave credit for where the basic concept came from! As I do now!
The adaptation of the Merseyside model then began. I was tasked with bringing the Welsh tribes together – not the Silures, the Demetae and the Ordovices - the local authorities, the NHS bodies and other parts of public services. We had a good work ethic, drafting as we went and a stable membership across the tribes. We reported every draft to the Information Commissioner for Wales.
Thus began a series of meetings of a working group held in mid-Wales, often in Llandrindod Wells at the Media Resource Centre. Richard Howells of what is now the Aneurin Bevan University Health Board and I acted as the engine room. Richard chaired and I was essentially secretary to the group. In that capacity I learned not to get too attached to my own words as we remorselessly hammered drafts into shape. Gradually our tiered approach took form, knitted out of collective experience and knowledge.
(For the younger reader, yes we really did meet up in those days! And we didn’t have wifi. It was during a break at a meeting in the MRC that I logged onto a PC and learned about the 7/7 bombings in London 2005. Yes, WASPI is older than the iPhone and smartphones in general).
We had several conversations about what to call this new-fangled approach to information governance in Wales. We did not want an Agreement – too formal and likely to put organisations off if its terms were too onerous. Also, an Agreement might end up creating a bureaucracy that could stifle progress in the wrong hands. Ultimately we alighted on the word Accord – the group liked this because it implied a voluntary choice, and that choice was to adopt a set of principles rather than a shed-load of prescriptive rules.
‘Accord’ also suited what we agreed was necessary to make sure that the entire approach would remain alive and healthy – the idea that those who signed up were willing to continue to contribute to the approach.
Best of all, the Accord itself was a relatively short document. Nonetheless, within it we crammed a whole lot of thinking, of discussion (lively and intense) and of refinement.
The development team was keen to future-proof WASPI in as many ways as possible, so we kept a close eye on what was happening within the European data protection sphere, including the early discussions about what would ultimately become the dreaded General Data Protection Regulation (GDPR). Good practice examples were sought and considered, with the best incorporated. We wanted to get ahead of the NEXT Data Protection Act – as we knew one must come along!
All these considerations meant that lawfulness and transparency became key elements of WASPI, featuring in the Accord as well as the other templates that were developed. As further templates developed over time, those core principles have remained constant – our north star.
In fact, all this preparation meant that by the time GDPR actually happened, much of it was already covered by what WASPI had been delivering for years. WASPI had always reminded people that organisational safeguards were as important as technical protections – and demanded that each of these be described properly, satisfying much of the ‘new’ GDPR obligations on transparency.
WASPI got much right.
The voluntary approach proved to be constructive and it did not take too long to get to a point where all the health service organisations and all local authorities signed up to the Accord and its framework. Now the WASPI community is 900 organisations strong!
The quality assurance that was built in from Day Zero is probably the thing that I am most proud of. It has kept the entire framework alive and fresh, it has endorsed those Accord principles by action rather than just words and has ensured that more people get to understand the nuances and thought process that attach to good quality privacy work.
Making the approach to privacy and data protection distinct from purely legal and / or digital tasks has allowed some maturity to develop in our collective understanding of what privacy means in the 21st century. Would we have IG teams without WASPI? Maybe, but they would be even more stretched than they already are!
When the WASPI Team has been able to do so, it has provided excellent training. I have attended a couple of times over the years and been impressed with the quality and content – as has everyone else I’ve spoken to who has attended.
Needless to say, WASPI wasn’t perfect and harboured blemishes.
The original model of multiple tiers was probably too sophisticated, but it was my darling and I didn’t want to kill it so - my bad. The revision of the WASPI model to the Accord plus ISPs and other types of template improved the overall framework, and I’m happy now to acknowledge I wasn’t entirely convinced at the time. But I was wrong – the simplification was necessary because it didn’t render the framework simplistic but usable.
A bigger elephant trap was set with European work that gathered greater pace and force after the original WASPI framework was launched. That trap was the massive change to the concept of ‘consent to process data’ within GDPR. Unfortunately, not only was the concept changed radically, the consequences of getting it wrong suddenly became potentially catastrophic. I’d always advised colleagues that if there wasn’t an appropriate legislative / guidance framework directly relevant, a consent model might be appropriate. Under the 1998 Act, not much by way of penalty existed. So now I have to tell everybody that you don’t use a consent model even if the sky falls in, and that my earlier advice is now bunk. C’est la vie.
WASPI launched over the winter of 2005/6, and I did a lightning tour of Wales – north, mid, south - to promote and explain the framework. (In fairness, neither the Beatles nor Elvis Presley ever managed a lightning tour of Wales.) Then my secondment ended, and it was over to Welsh Government to keep WASPI alive. Paddy Pope continued to carry the torch and a small team was established to keep blowing the flames.
The first couple of years after the launch of WASPI were a bit shaky. No matter what else, QA absolutely demanded some central organisation. So for a couple of years a few of us had to write to Welsh Government to explain it would be short-sighted to lose the very small and extra-effective WASPI unit, because they were keeping the Accord and framework alive. Now the WASPI Team is an established and incredibly effective Team.
Times changed and I became less involved with the development of WASPI, but I have always championed it. As did the Williams Commission report, which commended WASPI as an example of an effective way of working collaboratively across Wales. Later on, in 2018 the UK Information Commissioner commended the Accord and its long pedigree (‘many years’ – harrumph – I’m 57).
As a father (maybe grandpa) of WASPI, it has been fascinating to see it begin and continue to thrive over the years, and maybe it is a good sign that occasionally I have disapproved but then accepted changes, something I imagine to be familiar to most parents. I also imagine most parents have also thought it wise to keep their traps shut, which has been my usual policy.
So now WASPI is twenty, and pretty grown-up with it, how do I see the future and what we will all need help with to achieve going forward?
Machine learning and Artificial Intelligence are having a moment. This is not going to go away, and there will be lots of silliness to navigate. (It’s happening already.) It will be vital that governance of the ‘clankers’ exists to protect people from grotesque privacy invasions and unintended (but inevitable) harms. I think a process of education is vitally necessary, because those without technical understanding are being bewitched by the promise.
When it comes to AI, I have to say that I would quote Isaac Newton on astrology. When someone dismissed astrology to him, Newton opined that he wasn’t so sure and he had at least studied the subject - and he had, copiously. In fact, Newton was more mystic than scientist. But that, once more, is another story.
(I have tested a number of large language clankers, not the big names but others. Try one of those minor ones asking ‘what time is it?’ Then ask whether you’d be happy with it treating or making notes about a close relative. Or even turning your lights on for you.)
Public awareness of privacy is growing and of course the public, anecdotally, is getting angrier. Complaints to the ICO are a cheap outlet for this combination. This makes good quality IG more important than ever.
It would be a witches’ brew indeed if somebody went off and made treatment decisions with a clanker that turned a minor ailment into a life-threatening situation without having carried out all the necessary preparatory work. That’s your first £17.5m fine right there, looking straight at you.
All of this means that the future needs to be about privacy, because data protection is not enough. At the end of the day, technical solutions protect data – only humans can fully protect privacy because only humans can feel whether something is ‘right’. Computers don’t and can’t follow the Human Rights Act as we must and do.
John Grenfell
22 October 2025