The Commons Justice Select Committee's recent report on the
work of the Information Commissioner's Office (ICO) is a mixed
bag when it comes to assessing the performance and future of the
Certainly there are a number of aspects of the report which make
for appealing reading:
The figures reveal that the ICO has made significant inroads
into the backlog of UK freedom of information appeals and
complaints casework, and turnaround times are on the up.
The ICO's proposal to make breaches of section 55 of the
Data Protection Act 1998 (i.e. unlawful obtaining of personal data)
recordable offences received strong support from the
Committee. At present, section 55 offenders are required to
pay modest fines for their breaches – one recent example
involved an "over enthusiastic" woman convicted for
regularly accessing her partner's ex-wife's bank accounts
during their ongoing divorce action. In this case she was let off
with a £500 fine and a slap on the wrists. Recognising
the seriousness of protecting personal data and that the current
low fine regime does not act as a real deterrent, the threat of a
criminal record is considered to be the solution.
The ICO's intention for NHS bodies and local authorities to
be the subject of compulsory audits also received commendation
from the Committee. The Committee noted that it is in the
public interest that such public sector organisations, which hold
highly sensitive data, should accept the offer of a free audit
(which they have thus far consistently declined) from the ICO
So, the Information Commissioner's reflection on the report
is not inaccurate when it suggests that "the picture that
emerges [of the ICO] is of a regulator that is delivering, that is
relevant, and that is efficient."
That being said, there is enormous doubt over the sustainability
of this feel-good factor in the immediate and long-term
future. This stems from the issue of funding. Quite
simply, the ICO is already operating at full capacity and
worryingly "running out of road and cannot absorb further cuts
to the FOI budget without adversely affecting
Against this backdrop, current plans for expansion of the
ICO's role do not sit comfortably. Firstly, the Leveson
Inquiry recommends that the ICO now frequently monitors the
standards of data protection in the press and specifically engages
with the Metropolitan Police and Crown Prosecution Service to this
end. Secondly, the EU's desire to harmonise data
protection (in the form of a Regulation) will mean an increase in
the function of the ICO as the data supervisory body for the UK, as
well as abolition of the existing notification fee. Given
that the notification fee (paid by all data controllers to the ICO)
comprises the entirety of the ICO's income from data
protection, it is no wonder the Information Commissioner is asking
"where is the money going to come from".
With an estimated shortfall of almost £43m, if the ICO is
to assume these extra responsibilities, challenging times are
ahead. Negotiation and discussion both at home and in an EU
environment must now be advanced. Until this occurs, the ICO
will remain good value for money but susceptible to financial
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.