Following an oral evidence session with the Information Commissioner, Christopher Graham, and his two Deputy Commissioners back in February this year, the Commons Justice Select Committee (Committee) recently published a report which looks at the functions, powers and resources of the Information Commissioner’s Office (ICO).
The first section of the report takes a detailed look at the finances of the ICO and, in particular, the potential impact on those finances of the proposed reforms to the UK data protection regime that are set out in the draft EU Data Protection Regulation and Directive (Proposed Reforms). The Committee highlights that the Proposed Reforms could result in the ICO having to take on a significant new burden of work, the cost of which will amount to an estimated £28 million per year. In addition, if the proposal to scrap the notification fee is pushed through as part of the Proposed Reforms, the ICO will lose one of its primary sources of income for its data protection workload. As a result of these two factors combined, the Committee finds that the ICO, as a worst case scenario, potentially faces a funding shortfall of £42.8 million per year.
Given the current state of the economy, and in light of the fact that all government departments and public bodies are having to make difficult decisions and take drastic measures in order to reign in and bring down costs, there is clearly a concern as to how and even if this funding shortfall can be addressed.
Whilst the Committee’s finding in this regard is clearly worthy of note, the Information Commissioner was very keen in his blog on the ICO’s website to draw the public’s attention to some of the other more positive findings made by the Committee in its report.
The Information Commissioner was particularly pleased with the Committee’s recognition and commendation of the ICO’s efforts to tackle the backlog of freedom of information appeals and the general improvement in performance that has resulted in a 10.8% increase in the amount of freedom of information complaint casework being completed between 2010-11 and 2011-12. This figure is even more impressive when one takes into account the fact that: (a) during the same period, the ICO received 7.7% more complaint casework; and (b) the ICO has sustained significant cuts to the grant-in-aid income that it receives in connection with its freedom of information workload.
The Information Commissioner noted on his blog that, to his mind, “[t]he picture that emerges [from the report] is of a regulator that is delivering, that is relevant, and that is efficient.”
The Committee also supported the Information Commissioner’s view that a number of his powers should be increased. For example, the ICO currently has the power to conduct compulsory audits, however, at present this power can only be exercised in respect of central government departments. In respect of all other bodies, the ICO can only carry out voluntary audits, which require the consent of the relevant bodies. The Information Commissioner considers this requirement for consent to be a significant limitation on his ability to investigate and assess compliance with the Data Protection Act 1998 (DPA).
The Committee’s report states that the “case for extending compulsory audits to NHS Trusts and local councils is clear”. Of those NHS Trusts and local councils that have been approached by the ICO for the purposes of carrying out voluntary audits, approximately only 50% have consented to participate in such audits. This figure is startling when one considers that the ICO has confirmed that it will not impose fines against any organisation for serious or reckless breaches of the DPA where such breach is discovered during the course of such an audit and even more so when one notes that the average penalty imposed against NHS Trusts for breaches of the DPA is currently £190,000 and is £100,000 for local councils.
The report is also robust in its recommendation that custodial sentences be introduced in respect of “section 55 offences”, that is for those who breach section 55 of the DPA by unlawfully obtaining personal data or offering to sell personal data that has been unlawfully obtained.
In summary, the Committee’s report highlights some of the many challenges that will face the Information Commissioner and his office over the coming years and sets out a number of recommendation for how at least some of the challenges can be overcome. From the Information Commissioner’s perspective, he feels that the report shows the ICO to be “in good shape, and that is reason to feel positive about the future”.