UK watchdog ICO complains about limited powers

News by Doug Drinkwater

The Information Commissioner's Office (ICO) has once again hit out at its limited powers, but might get more resources and money when new EU data protection laws go live.

In a blog post published on the ICO website on Tuesday, ICO's head of enforcement Stephen Eckersley detailed how the watchdog is playing catch-up.

“Sometimes the simplest statements are the strongest: to be an effective regulator the ICO needs effective powers.”

Eckersley's post was specifically relating to the number of complaints the ICO deals with on nuisance calls and text messages. He wrote that the group had received 120,000 concerns on unsolicited calls and 30,000 regarding texts in the last year, and added that the laws are not adequate for keeping up with the deluge of spammers.

He cited one example where the ICO handed out its 'highest civil monetary penalty', of £440,000, to Christopher Niebel and Gary McNeish (owners of marketing company Tetrus Telecoms) in November 2012, only for the fine to be overturned at a later date because their actions caused 'insufficient damage and distress' under the Privacy and Electronic Communications Regulations (PECR).

Eckersley continued that the ICO is looking to lower the legal threshold it has to prove before issuing a fine – something that could be cleared up after government consultation later this year – and added that the body continues to work with existing powers and liaise with regulators and mobile phone operators to understand what personal data is collected, traded and used by organisations under PECR.

The body has also prosecuted 10 organisations and individuals over the last year under the Data Protection Act because they had not registered with the ICO to confirm that they process personal data.

This news comes shortly after Information Commissioner Christopher Graham bemoaned the watchdog's limited powers and fines – and the fact that its spending has been cut every year since 2009 – in its annual report, which also revealed that it received a record number of complaints in the last year.

The ICO issued £1.97 million in penalties to companies found to have breached data protection laws, and saw 15,492 complaints – a 10 percent year-on-year rise.

A spokesperson told SC at the time: “Funding cuts to our freedom of information work have been consistent over the last five years, but our workload is going up and we're at the point now where it's going to have some impact on the level of service we're able to provide.”

The ICO's workload could go up substantially in 2015, if the proposed EU General Data Protection Regulation finally sees the light of day. The new law – which is still subject to European Council approval – will stipulate data breach fines of up to 5 percent of global turnover, and demand that data breaches are reported within 72 hours. It will also mean that companies don't have to pay a notification fee.

The ICO spokesperson further explained: “The European Directive is set to remove the notification fee that organisations have to pay under the Data Protection Act. Essentially there's going to be a £20 million hole in our funds and we need some way of being assured that that hole isn't just going to lead to our office shutting down.”

But privacy lawyer Stewart Room played down the recent complaints being made by the ICO, saying that it was part of the reform for data protection in the UK.

“The ICO regularly calls for an increase of new powers, and for new penalties,” Room said today. “It's part of the cycle of data protection law reform.”

As examples, he said that while the group now cites email and telephone spam as one of the biggest problems, it has previously pointed to auditing in healthcare, and to serving information notices during the downturn of the UK economy in 2007/08. “This is what regulators do… it's part of their job.”

He added that their wishes “will likely be granted” if and when the EU General Data Protection Regulation gets the green light.

Chris McIntosh, CEO of ViaSat UK, added that the call for new powers is no surprise when other agencies have much tougher fines at their disposal.

“The Information Commissioner's call for power to issue tougher punishments is no surprise, especially when you compare it to other bodies. For instance, the FCA this year imposed a fine of over £26 million on Barclays Bank for improper practice, and has previously fined Zurich Insurance £2.27 million for a lost hard drive,” McIntosh told SC.

“Conversely, the ICO's maximum penalty of £500,000 for breaches of the Data Protection Act or Privacy and Electronic Communications Regulations could be seen as peanuts by many large, wealthy organisations. However, a data breach can potentially place individuals at great risk of fraud and criminal activity, seriously jeopardise the personal and business data and even endanger the personal safety of vulnerable individuals. Organisations know information can be encrypted and staff educated, yet too many still consider data protection and privacy as afterthoughts.

“As such it is clear that the ICO needs the ability to take a firmer stance against those it believes to present the greatest risk. On the other hand, any increase in penalties should be met with consideration of just where penalties are imposed, to ensure that there are no possible accusations of bias or of taking the easy option.” He added that the ICO needs the resources to build 'watertight' cases.

Sophos' global head of security research James Lyne added that the ICO also needs help dealing with small and medium-sized enterprises (SMEs).

“The ICO has issued a number of successful fines and sanctions over the past few years and has undoubtedly contributed to the focus on data protection that is increasingly being created in most enterprises,” Lyne told SC by email.

“That said, there is a great deal more work to be done particularly in the SME space and there have been numerous occasions on which the ICO has been overruled or shown to not have quite the punch a regulator with such a task ought to.

“The new EU data protection laws, in whatever form they eventually take, will create further focus on this important issue and challenge the ICO with supporting a broader European regime. Technology and business practices (let alone the volume and value of data) are changing at an astronomical rate and the law must be prepared to adapt at breakneck speed to deal with these issues.”
