The Commons Justice Select Committee's recent report on the
work of the Information Commissioner's Office (ICO) is a mixed
bag when it comes to assessing the performance and future of the
Certainly there are a number of aspects of the report which make
for appealing reading:
The figures reveal that the ICO has made significant inroads
into the backlog of UK freedom of information appeals and
complaints casework, and turnaround times are on the up.
The ICO's proposal to makes breaches of section 55 of the
Data Protection Act 1998 (i.e. unlawful obtaining of personal data)
recordable offences received strong support from the
Committee. At present, section 55 offenders are required to
pay modest fines for their breaches – one recent example
involved an "over enthusiastic" woman convicted for
regularly accessing her partner's ex-wife's bank accounts
during their ongoing divorce action. In this case she was let off
with a £500 fine and a slap on the wrists. Recognising
the seriousness of protecting personal data and that the current
low fine regime does not act as a real deterrent, the threat of a
criminal record is considered to be the solution.
The ICO's intention for NHS bodies and local authorities to
be the subject of compulsory audits, also received commendation
from the Committee. The Committee noted that it is in the
public interest that such public sector organisations, which hold
highly sensitive data, should accept the offer of a free audit
(which they have thus far consistently declined) from the ICO
So, the Information Commissioner's reflection on the report
is not inaccurate when it suggests that "the picture that
emerges [of the ICO] is of a regulator that is delivering, that is
relevant, and that is efficient."
That being said, there is enormous doubt over the sustainability
of this feel good factor in the immediate and long-term
future. This stems from the issue of funding. Quite
simply, the ICO is already operating at full capacity and
worryingly "running out of road and cannot absorb further cuts
to the FOI budget without adversely affecting
Against this backdrop, current plans for expansion of the
ICO's role do not sit comfortably. Firstly, the Leveson
Inquiry recommends that the ICO now frequently monitors the
standards of data protection in the press and specifically engages
with the Metropolitan Police and Crown Prosecution Service to this
end. Secondly, the EU's desire to harmonise data
protection (in the form of a Regulation) will mean an increase in
the function of the ICO as the data supervisory body for the UK, as
well as abolition of the existing notification fee. Given
that the notification fee (paid by all data controllers to the ICO)
comprises the entirety of the ICO's income from data
protection, it is no wonder the Information Commissioner is asking
"where is the money going to come from".
With an estimated shortfall of almost £43m, if the ICO is
to assume these extra responsibilities, challenging times are
ahead. Negotiation and discussion both at home and in an EU
environment must now be advanced. Until this occurs, the ICO
will remain good value for money but susceptible to financial
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
A fundamental aspect of all fair and lawful processing of personal data under the current data protection rules is the requirement for the party who is the data controller to meet one or more conditions ("the conditions for processing").
The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).