The ICO’s 2013 Xmas
pressie to data controllers (and complainants) took the form of a snappily titled consultation
document: “Our New Approach to Data Protection Concerns.” It is
proposed that the emphasis would switch from dealing with trivial data matters
to those: “Where to do so has a clear regulatory benefit.”
In Plain English,
budgetary cuts in 2014 will result in the ICO being unable to deal with the
current (let alone predicted) volumes of complaints unless it is made harder
for individuals to submit one.
Data protection
officers working for most large controllers probably feel they can't really
influence the volume of complaints that are referred to the ICO - especially
when many relate more specifically to poor customer service (where the DPA
breach is incidental to the main problem) or when the complainant is determined
to use the complaint is simply an additional weapon that can be applied against
the organisation. At the same time as the ICO receiving notice of the dispute,
so will the BBC, the local MP, local councillors, Ofcom, national newspaper
editors, and anyone else the complainant can think of.
Unhappily, many
data controllers are facing budgetary pressures of their own, which are further
reducing customer service standards. These proposed changes won’t affect
that reality.
But let’s be
honest – of last year’s total of some 40,000 enquiries (presumably letters and
emails) and 214,000 phone calls from members of the public, ICO officials
assessed that in only 35% of cases was it likely that the legislation had been
contravened. That’s a lot of time wasted by the ICO (and by data controllers),
time which could have been spent addressing the more serious complaints.
Will the
proposed changes will result in any change in behaviour among the larger data
controller? Probably not. I would expect
them always to use the ICO as a "backstop" for the dispute resolution
process, and refer in dispute letters to the fact that they can refer their
complaint to the ICO if it is still felt that the controller has breached any
part of the DPA and that a sufficiently full apology has not already been
given. It’s always been seen as a way of passing off unmeritorious
complaints - but in a way that enables the complainant to feel that not all
avenues of complaint have been exhausted.
I'm not sure
that the ICO can easily (or swiftly) influence the behaviour of the data
controller in ways that will reduce the volume of complaints that are made to
the ICO. It needs more firmly to reduce the expectations of the general public
about the role of the ICO.
The ICO has to
firmly position itself as an organisation that does not offer individuals
"free legal aid", but instead addresses issues that have a wider
social importance. It should not hold itself out to offering customers a
complaint resolution service along the lines, of say, the FCA. Perhaps it will
finally cease just becoming the unofficial complaints resolution body for
anyone with a credit reference complaint. It really is about time the credit
reference industry paid for their own dispute resolution agency.
What none of us
know is how many complainants will simply "vanish". And we all hope
that it’s just the unmeritorious complaints that will vanish.
Perhaps the area
of greatest concern among the largest data controllers with respect to these proposals
will be how the ICO intends to publish statistics about data protection concerns
in future. What could happen is the publication of what will inevitably turn
into contested league tables. But if there is no way of apportioning the extent
to which the registered concerns are "valid", data controllers are
going to query whether anything meaningful can be done to reduce them.
Inevitably many DPOs will take the figures personally (or find that their
performance at work is assessed to some extent on the published results), which
may not be conducive to maintaining a close working relationship between the
DPO and the ICO.
I doubt that the
ICO just wants to publish lists of the largest data controllers in the country,
without any accompanying contextual information about the volume of customers
they have, and thus no analysis on whether data controllers in various sectors
are any better, or worse, than their competitors. But that is so easily what
could happen.
Newsflash:
Given that the
heating in the ICO’s offices is not working today, on this the coldest working
day of the (new) year, perhaps a more productive change would be to require all
complainants to send their complaints by post (not by email), so that the ICO’s
furnaces could remain at full blast once the letter, and voluminous enclosures, had been forwarded to the Central
Services Department. Let’s keep the home
fires burning.
Source:
Comments on the consultation document are sought until 31
January. The changes will take effect on 1 April.