The Commons Justice Select Committee's recent report on the
work of the Information Commissioner's Office (ICO) is a mixed
bag when it comes to assessing the performance and future of the
Certainly there are a number of aspects of the report which make
for appealing reading:
The figures reveal that the ICO has made significant inroads
into the backlog of UK freedom of information appeals and
complaints casework, and turnaround times are on the up.
The ICO's proposal to makes breaches of section 55 of the
Data Protection Act 1998 (i.e. unlawful obtaining of personal data)
recordable offences received strong support from the
Committee. At present, section 55 offenders are required to
pay modest fines for their breaches – one recent example
involved an "over enthusiastic" woman convicted for
regularly accessing her partner's ex-wife's bank accounts
during their ongoing divorce action. In this case she was let off
with a £500 fine and a slap on the wrists. Recognising
the seriousness of protecting personal data and that the current
low fine regime does not act as a real deterrent, the threat of a
criminal record is considered to be the solution.
The ICO's intention for NHS bodies and local authorities to
be the subject of compulsory audits, also received commendation
from the Committee. The Committee noted that it is in the
public interest that such public sector organisations, which hold
highly sensitive data, should accept the offer of a free audit
(which they have thus far consistently declined) from the ICO
So, the Information Commissioner's reflection on the report
is not inaccurate when it suggests that "the picture that
emerges [of the ICO] is of a regulator that is delivering, that is
relevant, and that is efficient."
That being said, there is enormous doubt over the sustainability
of this feel good factor in the immediate and long-term
future. This stems from the issue of funding. Quite
simply, the ICO is already operating at full capacity and
worryingly "running out of road and cannot absorb further cuts
to the FOI budget without adversely affecting
Against this backdrop, current plans for expansion of the
ICO's role do not sit comfortably. Firstly, the Leveson
Inquiry recommends that the ICO now frequently monitors the
standards of data protection in the press and specifically engages
with the Metropolitan Police and Crown Prosecution Service to this
end. Secondly, the EU's desire to harmonise data
protection (in the form of a Regulation) will mean an increase in
the function of the ICO as the data supervisory body for the UK, as
well as abolition of the existing notification fee. Given
that the notification fee (paid by all data controllers to the ICO)
comprises the entirety of the ICO's income from data
protection, it is no wonder the Information Commissioner is asking
"where is the money going to come from".
With an estimated shortfall of almost £43m, if the ICO is
to assume these extra responsibilities, challenging times are
ahead. Negotiation and discussion both at home and in an EU
environment must now be advanced. Until this occurs, the ICO
will remain good value for money but susceptible to financial
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses.
Following the final text of the GDPR that was published in the Official Journal in May 2016, Wedlake Bell presented a webinar on Thursday 12 May, explaining the main changes and what to expect going forward.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).