Pan-Euro data protection impacts ICO role
The UK privacy watchdog, the Information Commissioner's Office (ICO), likely to restructure following new pan-Europe legislation
European data protection legislation hits ICO
The UK privacy watchdog, the Information Commissioner's Office (ICO), could follow up fewer individual data privacy complaints as it faces a “funding crunch” with revenues set to fall following new pan-Europe legislation, while resources are “stretched to the maximum” by the growing public interest in data protection.
The changes are being floated in a just-released consultation document called ‘Looking ahead, staying ahead: towards a 2020 vision for information rights'.
Among its future aims, the ICO suggests: “Changing how we handle casework and enquiries to allow us to identify and address wider compliance issues, and only where appropriate, to address individual concerns”. Asked if this meant the ICO is planning to deal directly with fewer individual complaints, an ICO spokesperson replied to SCMagazineUK.com: “We do wish to be more strategic with our approach to be more effective.”
The consultation document can be seen as a ‘cry for help' as the ICO deals with thousands of individual complaints a year, while facing funding cuts caused partly by the impact of the looming pan-European data protection law, which will end the ‘notification system' that generates a major chunk of the ICO's income.
In 2012/13 the watchdog completed 14,042 data protection cases and 4,697 freedom-of-information cases.
But in a swipe at its current government funding regime, the ICO says: “We're less able to respond effectively to the growing demand for our services due to the outdated way in which the ICO is funded – part by grant-in-aid for our freedom of information work and part by a notification fee system for data protection. Grant-in-aid has been cut by a third since 2010 and the cuts go on. The notification system is due to be ended under proposals for a new EU Regulation on data protection.”
According to its last annual report, the ICO received around £15.7 million from notification fees and £4.25 million from grant-in-aid, meaning more than three-quarters of this combined income would be lost when the pan-European data protection law comes into place.
Among other ideas being put up for discussion, the ICO suggests coordinating more with other organisations and regulators – such as Ofcom, the Financial Ombudsman, the Ministry of Justice and other commissioners.
The ICO is also considering whether it needs to plug “significant gaps” in its regulatory powers. This could mean pushing for courts to be able to imprison, rather than just fine, people to stop the unlawful use of personal information.
It is also looking at developing privacy kitemarks and accreditations. The ICO spokesperson explained this was prompted by the European Commission's data protection proposals which “include provisions intended to encourage the take-up of privacy seals, certification mechanisms and trustmarks. A seal is like a ‘stamp of approval' for a product or service, indicating good privacy standards. In effect it's like a kitemark for data protection which can be awarded to companies and websites, etc. We would be looking at potentially accrediting other organisations so they could award privacy seals on our behalf.”
The ICO is also considering handling more work online and cutting the cost of its back-office services including considering shared services. It currently has 360 to 370 staff.
Information Commissioner Christopher Graham said in a 28 November blog post: “There are some significant changes in direction. There's a notable shift in focus towards getting results for the many by acting on the concerns of individuals, as well as a significant commitment towards exploring the development of trust marks and privacy seals so that the ICO is not the first and last line of defence for citizens and consumers' rights.”
The watchdog wants CISOs, as well as members of the general public, to comment on the consultation document before a deadline of 7 February, after which it will finalise its plans. The spokesperson said: “We would be very interested in the particular perspective of computer security professionals.”
Link to document
Link to where people can give their views