The Commons Justice Select Committee's recent report on the work of the Information Commissioner's Office (ICO) is a mixed bag when it comes to assessing the performance and future of the ICO.
Certainly there are a number of aspects of the report which make for appealing reading:
- The figures reveal that the ICO has made significant inroads into the backlog of UK freedom of information appeals and complaints casework, and turnaround times are on the up.
- The ICO's proposal to makes breaches of section 55 of the Data Protection Act 1998 (i.e. unlawful obtaining of personal data) recordable offences received strong support from the Committee. At present, section 55 offenders are required to pay modest fines for their breaches – one recent example involved an "over enthusiastic" woman convicted for regularly accessing her partner's ex-wife's bank accounts during their ongoing divorce action. In this case she was let off with a £500 fine and a slap on the wrists. Recognising the seriousness of protecting personal data and that the current low fine regime does not act as a real deterrent, the threat of a criminal record is considered to be the solution.
- The ICO's intention for NHS bodies and local authorities to be the subject of compulsory audits, also received commendation from the Committee. The Committee noted that it is in the public interest that such public sector organisations, which hold highly sensitive data, should accept the offer of a free audit (which they have thus far consistently declined) from the ICO moving forward.
So, the Information Commissioner's reflection on the report is not inaccurate when it suggests that "the picture that emerges [of the ICO] is of a regulator that is delivering, that is relevant, and that is efficient."
That being said, there is enormous doubt over the sustainability of this feel good factor in the immediate and long-term future. This stems from the issue of funding. Quite simply, the ICO is already operating at full capacity and worryingly "running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance".
Against this backdrop, current plans for expansion of the ICO's role do not sit comfortably. Firstly, the Leveson Inquiry recommends that the ICO now frequently monitors the standards of data protection in the press and specifically engages with the Metropolitan Police and Crown Prosecution Service to this end. Secondly, the EU's desire to harmonise data protection (in the form of a Regulation) will mean an increase in the function of the ICO as the data supervisory body for the UK, as well as abolition of the existing notification fee. Given that the notification fee (paid by all data controllers to the ICO) comprises the entirety of the ICO's income from data protection, it is no wonder the Information Commissioner is asking "where is the money going to come from".
With an estimated shortfall of almost £43m, if the ICO is to assume these extra responsibilities, challenging times are ahead. Negotiation and discussion both at home and in an EU environment must now be advanced. Until this occurs, the ICO will remain good value for money but susceptible to financial meltdown.