Claims have been made that the powers of the Information Commissioner's Office (ICO) are insufficient and that, by capping the top limit, it will fall behind other regulators.
Speaking at a roundtable co-hosted with Sophos this week, Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, claimed that the current powers of the ICO were ‘insufficient, under-resourced and do not go anywhere near to what the regulator requires in order to properly perform’.
He said: “For instance the audit power, which at the moment only bites on government departments where the risk is across the economy, in terms of the financial power and the penalties concerned there is an absurdity in that position, not least of which the Financial Services Authority (FSA) fined a clearing bank £3 million in July 2009, so already fines have topped out at six times the amount that the Information Commissioner can give.
“Another point in respect to the fine is this, the moment you have a cap is the moment you limit the amount of ammunition in your armoury. If you take the UK's biggest data security breach that we are aware of, which is still HMRC with 25 million people, then you ask people where do you put that on a scale of zero to £500,000, most people would do it a few hundred thousand pounds. If the best you can think of is £500,000 for HMRC, then you don't understand security problems.
“The scope for failure and the scope for damage is vastly more than HMRC. So the problem we've got is that if we start burning through the fine at the £400,000-500,000 levels, on today's known cases, we will leave no bullets in the gun to deal with the really bad stuff which will emerge inevitably at some point in time. The security breach issue that we need to get our heads around is data protection is a really important part, but we could be dealing with critical national infrastructure issues but we are not talking about it.”
He concluded by claiming that he was in favour of an uncapped penalty and said that it should be applied for serious cases in a mandatory reporting framework.
In response, James Ford, head of the ICO's press office, said: “We have said that we will take a proportionate approach. We are a responsible regulator and we find reckless activity going on in terms of security breaches and now have this power to impose monetary power, as a responsible regulator should.
“We work within the regulatory framework that is set by the government, we work with the powers that we have, and the commissioner has made it clear that he will make full use of the powers made available to him.
“The monetary penalty is there for the most serious cases and we don't expect it to be used very often as it is there for the most serious, reckless security breaches and is there to deter breaches and organisations from making those mistakes. It is there to ensure better practice.”
Earlier this week the information commissioner Christopher Graham said that he had never been busier following a rise of 20 per cent in reported freedom of information cases and a 30 per cent rise in data protection cases.
Speaking at the annual ICO report launch, Graham said: “Technology, concerns about data security and the welcome focus on transparency of official information mean information rights are centre stage. We have made some significant internal changes to ensure we are best placed to deal with the increasing demands and expectations placed upon us by the public and the organisations we work with. Respect for information rights is not optional. Organisations that ignore their responsibilities will not only lose the confidence and trust of citizens and consumers but could face painful enforcement action from the ICO as well.
“I believe that the ICO has not just to be independent of government, but be seen to be independent. To carry out my duties effectively and with the full confidence of all parties, now is the time to formalise the governance arrangements for the Information Commissioner, suitable for an independent public official whose accountability is fully to Parliament, rather than primarily via Departments of State.”