Friday 3 January 2014

The ICO's cunning plan to deal with fewer complaints

The ICO’s 2013 Xmas pressie to data controllers (and complainants) took the form of a snappily titled consultation document: “Our New Approach to Data Protection Concerns.” It is proposed that the emphasis would switch from dealing with trivial data matters to those: “Where to do so has a clear regulatory benefit.”

In Plain English, budgetary cuts in 2014 will result in the ICO being unable to deal with the current (let alone predicted) volumes of complaints unless it is made harder for individuals to submit one. 

Data protection officers working for most large controllers probably feel they can't really influence the volume of complaints that are referred to the ICO - especially when many relate more specifically to poor customer service (where the DPA breach is incidental to the main problem) or when the complainant is determined to use the complaint is simply an additional weapon that can be applied against the organisation. At the same time as the ICO receiving notice of the dispute, so will the BBC, the local MP, local councillors, Ofcom, national newspaper editors, and anyone else the complainant can think of.

Unhappily, many data controllers are facing budgetary pressures of their own, which are further reducing customer service standards. These proposed changes won’t affect that reality.

But let’s be honest – of last year’s total of some 40,000 enquiries (presumably letters and emails) and 214,000 phone calls from members of the public, ICO officials assessed that in only 35% of cases was it likely that the legislation had been contravened. That’s a lot of time wasted by the ICO (and by data controllers), time which could have been spent addressing the more serious complaints.

Will the proposed changes will result in any change in behaviour among the larger data controller? Probably not. I would expect them always to use the ICO as a "backstop" for the dispute resolution process, and refer in dispute letters to the fact that they can refer their complaint to the ICO if it is still felt that the controller has breached any part of the DPA and that a sufficiently full apology has not already been given.  It’s always been seen as a way of passing off unmeritorious complaints - but in a way that enables the complainant to feel that not all avenues of complaint have been exhausted.

I'm not sure that the ICO can easily (or swiftly) influence the behaviour of the data controller in ways that will reduce the volume of complaints that are made to the ICO. It needs more firmly to reduce the expectations of the general public about the role of the ICO. 

The ICO has to firmly position itself as an organisation that does not offer individuals "free legal aid", but instead addresses issues that have a wider social importance. It should not hold itself out to offering customers a complaint resolution service along the lines, of say, the FCA. Perhaps it will finally cease just becoming the unofficial complaints resolution body for anyone with a credit reference complaint. It really is about time the credit reference industry paid for their own dispute resolution agency.  

What none of us know is how many complainants will simply "vanish". And we all hope that it’s just the unmeritorious complaints that will vanish.

Perhaps the area of greatest concern among the largest data controllers with respect to these proposals will be how the ICO intends to publish statistics about data protection concerns in future. What could happen is the publication of what will inevitably turn into contested league tables. But if there is no way of apportioning the extent to which the registered concerns are "valid", data controllers are going to query whether anything meaningful can be done to reduce them. Inevitably many DPOs will take the figures personally (or find that their performance at work is assessed to some extent on the published results), which may not be conducive to maintaining a close working relationship between the DPO and the ICO.  

I doubt that the ICO just wants to publish lists of the largest data controllers in the country, without any accompanying contextual information about the volume of customers they have, and thus no analysis on whether data controllers in various sectors are any better, or worse, than their competitors. But that is so easily what could happen.

Given that the heating in the ICO’s offices is not working today, on this the coldest working day of the (new) year, perhaps a more productive change would be to require all complainants to send their complaints by post (not by email), so that the ICO’s furnaces could remain at full blast once the letter, and voluminous enclosures, had been forwarded to the Central Services Department.  Let’s keep the home fires burning.

Comments on the consultation document are sought until 31 January. The changes will take effect on 1 April.