ICO wants more power as privacy complaints hit record levels

News by Tim Ring

The UK's data privacy watchdog, the Information Commissioner's Office (ICO), has called on the government to give it more power, better funding and the ability to imprison people as it battles against a record number of data protection complaints.

The ICO said in its annual report, which was released earlier today, that it resolved 15,492 complaints last financial year, a 10 percent rise on the previous 12 months. Calls to its helpline also rose by more than 10 percent.

Despite these findings, there are fears that the ICO could face a new surge in complaints from people challenging Google's decisions on whether to delete data links, after a recent European ruling that people have the ‘right to be forgotten'.

In response, information commissioner Christopher Graham attacked the Ministry of Justice for cutting the ICO's funding every year since 2009 and said that it is now “simply not adequate for us to be doing the work we could and should be doing”.

An ICO spokesperson warned that continued budget cuts could impact its quality of service. He told SCMagazineUK.com: “Funding cuts to our freedom of information work have been consistent over the last five years, but our workload is going up and we're at the point now where it's going to have some impact on the level of service we're able to provide, so we're highlighting that as a warning.”

In an email exchange with SC, the Justice Ministry hinted that it might help

"The Ministry of Justice and ICO are working together to develop an appropriate funding model which will allow the ICO to fulfil its function as a modern information rights regulator," said a spokesperson.

Graham also called for the power to lock up data privacy offenders. “People who steal other's personal information need to face the prospect of a prison sentence. The ICO needs stronger powers, a more sustainable funding system, and a clearer guarantee of independence.”

The issue is complicated by the proposed introduction of the EU General Data Protection Regulation - due to become law next year - and Graham said that the ICO needs Parliament to ensure its independence and funding.

"I look to Parliament to enable the adequate resourcing of the Office, and to guarantee the Commissioner's independence.”

The ICO spokesperson further explained: “The European Directive is set to remove the notification fee that organisations have to pay under the Data Protection Act. Essentially there's going to be a £20 million hole in our funds and we need some way of being assured that that hole isn't just going to lead to our office shutting down.”

Mixed reaction

The ICO's calls have met a mixed reaction from privacy experts and campaigners.

Emma Carr, acting director of campaign group Big Brother Watch, agreed the ICO needs tougher powers, but wants its role simplified.

She told SC by email: “The ICO should continue to push for more appropriate sanctions, including custodial sentences. It is essential that it has adequate powers of inspection and enforcement. However, it is certainly arguable that the ICO's dual role in educating and enforcing can lead to a conflict of interest.

“There is also a problem in the ‘data protection' remit and the wider role of acting as a public advocate for privacy. The ICO should be more robust when Government proposes collecting more information.”

But leading data security researcher and futurologist David Lacey has criticised the ICO for following the trend for more regulation – saying that security professionals need less.

“Data protection does close down a lot of customer data being used for purposes for which it wasn't collected, which can actually give you a worse product," said Lacey. "There's an awful lot of privacy legislation which doesn't always work in the customer's interest.

“The problem is that politicians and regulators always want to introduce tighter and tighter regulation and the ICO is just falling in with the global trends.

“There's already too much regulation. People in security, CISOs, don't do security any more, they do compliance. It's getting tougher and tougher which is stopping security people from doing the things that they think are important. We need less compliance – though I don't think we'll get it.”

But ViaSat UK CEO Chris McIntosh said the ICO is right to argue for more sanctions and funding, pointing out that while it levied £1.97 million in fines last financial year, it collected less than half that (£872,000) because of appeals, early payment reduction or impairments.

McIntosh told journalists by email: “The ICO is using its work over the past year to lobby for increased powers and funding and, quite frankly, it is right to do so.

“With increased funding and powers, the ICO could not only make sure that penalties, financial or otherwise, match the severity of an offence. It could make its investigations even more thorough: reducing the chances of appeals and making sure that its eventual judgement is both fair and final.”

The ICO's report shows that lenders and local government were the worst sectors for data protection complaints in the last year, while local and central government were the biggest culprits for freedom of information complaints.

The highest number of data breaches it punished were in local government and health, in particular the disclosure of personal data in error.

One offender here was the Ministry of Justice itself, which as SC reported, was fined £140,000 last October for a data breach at Cardiff Prison which led to personal details about all 1,182 prisoners being emailed to three inmates' families.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews