Changes to the Data Protection Directive could affect the independence of the Information Commissioners Office (ICO).
Speaking at the SC Magazine IT Governance, Risk and Compliance (GRC) conference in London, Simon Rice, principal policy adviser (technology) at the ICO, said that while some of the changes to the directive were welcome, some were not and the removal of the notification fee removes the ICO's prime source of funding.
Rice said that changes, announced in January of this year, were welcome to the 14-year old data protection directive as it was 'more prescriptive of what businesses need to put in place' and it welcomed improved subject rights and better rights and clear responsibilities on transparency and data privacy.
However what he said was less welcome was a divide between directive and regulation, with the former for the public sector and the latter for the private sector, and that it was difficult to regulate both of those as some businesses sit between the two so regulation could 'get very difficult and confusing'. Rice said: “It would be better if there was one piece of legislation across the board and regulated effectively. This is very over-prescriptive and the 'thou shalt do this' nature doesn't fit.”
He was also critical of the removal of the notification fee that businesses pay the ICO and which funds the data commissioner, and that the change 'increases the workload but removes funding'.
“Currently there is no minimum requirement for breach. There is the proposed removal of the requirement to notify, but we are funded by fee and it allows us to remain independent from the government and public and private sector, so will we be issuing penalties to fund ourselves? We are tackling this as it allows us to remain independent,” he said.