Friday 28 November 2014

What do we think of the ICO so far?

Our chums at the MoJ are seeking our views on the ICO's performance. Evidently, as part of the UK Government's requirement to reform public bodies, all non departmental public bodies must be reviewed at least once every three years.  

This review will examine whether there is a continuing need for the ICO to carry out its functions, and whether the organisation should continue to operate in its current form, considering whether services could be provided more effectively and efficiently. 

We, the people, have been asked to respond to the questions that are set out below:

      1.     With regard to the ICO’s functions to enforce and oversee the DPA and a range of a different regulations,
a.     Do you consider, in relation to any or all of the above, that the provision of their services to individual users and to organisations remains necessary?  Please explain your reasons for your answer.
b.     Do you consider that services provided by the ICO in these areas could be improved? Please explain your reasons for your answer.
c.     Do you consider that services provided by the ICO could be delivered differently? Please explain your reasons for your answer, including any examples from other regulators or comparable international bodies.
      2.     Is the independence of the ICO best supported by reporting to Parliament or to a government department such as the Ministry of Justice? Please explain your reasons for your views.
      3.     With continually changing technology, an increased use of social media and the internet, do you believe the ICO will continue to be fit for purpose?
      4.     Do you have any additional comments you would like to submit as evidence to the review?

The deadline for responding is 16th January. Bearing in mind that the data protection Xmas party season starts next week (with the Data Protection Forum’s famous December meeting, which always ends with a marvelous festive lunch), we actually haven’t got that long to think about our responses.

What are we likely to say?

In response to Q1, I expect respondents will be split between those who don’t think the ICO is sufficiently effective, given its budgetary constraints, and those who are pretty content with the current state of affairs, as the only time they usually come into contact with the Information Commissioner and his team is when they attend the ICO’s annual Data Protection Officer Conference in Manchester each April, or when they attend other events where an ICO official is speaking. Or perhaps when they pay their annual registration fee.

Many people may well have heard of the ICO’s enforcement (and audit) teams, but much fewer will have been visited by the ICO’s staff during the year, so they may not fully appreciate just what all the 350-odd ICO employees really do all day.

This might, however, prove to be a useful opportunity to compare the size of different regulatory bodies, and to ask whether the ICO is appropriately resourced. Is it sufficient to the ICO to be expected to spend some spend some £16 million on data protection work when the Financial Ombudsman Service is likely to require an operating budget of over £250 million for 2014 / 15?

That statistic tells me a lot about the problem at hand. If the Government really wanted to properly enforce the laws it has passed, it needs to ensure that the right resources are available. Perhaps “data protection compliance” is similar to the “right to be forgotten” or “a fundamental right”  – a soundbite that trips easily off the tongue, but is really hard to pin down in practice.

In response to Q2, I expect that the balance of views will be for the ICO to report to, and be funded by, Parliament, rather than a Government Department. If the Parliamentary and Health Services Ombudsman (with an operating budget of some £33 million) can report directly to Parliament, then so should the ICO.

In response to Q3, I’m not sure how many people can answer this. Does the question invite us to ponder how effective the ICO will be in a world where many huge data controllers will operate from countries outside the ICO’s ambit? If so, perhaps this is where we need to put a word in for the Global Enforcement Network, and hope that the ICO has enough funds in the kitty for its staff to travel to all corners of the earth and liaise with local regulators.

In response to Q4, I wonder how many respondents will point out that should the UK vote to weaken our links with countries that remain within the EU, then it will be even more important for a suitably equipped ICO to be able to deal with data protection standards and opinions emerging from European data protection regulators, and make sure that the standards can be interpreted in ways that meet the needs of pragmatic Brits.

As well as advising on rules that are sufficiently robust to persuade the EU that the UK has affords its citizens an adequate level of protection.