On March 12, 2013, the UK Government Justice Committee published a report on the functions, powers and resources of the UK Information Commissioner’s Office (the “Report”). The Report highlights several key issues raised during an oral evidence session held with the UK Information Commissioner, Christopher Graham, and his two Deputy Commissioners, David Smith and Graham Smith. The Justice Select Committee published the Report to draw these key issues to the attention of the UK Parliament.
The Report highlights a looming ICO funding crisis. Under the proposed General Data Protection Regulation (the “Regulation”), the ICO’s responsibilities as the UK data protection supervisory authority will be expanded significantly. In particular, the ICO will have additional responsibilities relating to prior authorization for processing activities and data breach notifications. At the same time, the Regulation would abolish the current notification system fees that provide revenue for the ICO. This combination of factors could result in the ICO facing a potential funding shortfall of as much as £42.8 million. The Report calls on the UK Government to negotiate to retain the notification fee under the Regulation, or to be able to levy an alternative fee. The ICO has commented that the £42.8 million figure is “very much a worst case scenario,” and is based on its estimates that its enhanced duties under the Regulation could amount to £26.3 million in additional costs while it would lose some £15 million in notification fee revenue.
Leveson Inquiry Recommendations
An inquiry on the culture, practices and ethics of the UK press by the Right Honorable Lord Justice Leveson (the “Leveson Inquiry”) made a number of specific recommendations for the ICO, including developing good practice guidelines in consultation with stakeholders. The Report cautions the Government that, in responding to the Leveson proposals, it should bear in mind that the ICO’s resources are limited. If the ICO is to have an expanded role in monitoring data protection standards in the press, it likely will require additional financial resources.
The Leveson Inquiry also recommended a change to the institutional structure of the ICO. Currently, the Information Commissioner is a “corporation sole” with personal responsibility. The Leveson Inquiry recommended that the ICO be restructured as an Information Commission led by a Board of Commissioners with suitably broad expertise. The Report opposes this recommendation, supporting Commissioner Graham’s contention that the corporation sole structure has the advantages of clear lines of accountability, a figurehead and public face for the organization, and quick and responsive leadership.
Extension of Compulsory Audits
The ICO currently has the authority to compel central government departments to undergo audits, but has repeatedly called for compulsory audits to be extended to local government, the national health service (the “NHS”) and the private sector. In 2011, the ICO submitted a business case to the Ministry of Justice to extend its authority to compel audits, but the Government has not yet taken any action. In the interim, the ICO offers free voluntary audits and encourages organizations to submit to them to assist with good data protection practices. Participation by local government authorities and NHS trusts, however, has been disappointingly low. According to the Report, it is “shocking” that public sector organizations should refuse a free audit, but, without the ability to mandate compulsory audits, the ICO’s only option is to issue monetary penalties against public bodies, ultimately paid for by taxpayers.