FOI Man highlights a new report from the Justice Select Committee calling for more help for the Information Commissioner.
Say what you like about the Information Commissioner’s Office (ICO), but without it, the handling of personal data and FOI would be a little like the old west. Your rights would only be meaningful if you could afford a gunslinger (or expensive lawyer for those not following the metaphor).
The Justice Select Committee has taken a good hard look at the ICO and identified some major issues. And they’re worth noting.
In particular, the Committee has highlighted a major problem which may result from the proposed EU Data Protection Regulation, which, if passed, will replace our existing Data Protection Act (DPA) in the next couple of years. The existing draft will see the end of notification, which currently requires every organisation that processes personal data (with a few exceptions) to register (or notify) with the Information Commissioner every year. Depending on the size of your organisation, you have to pay either £35 or £500 for the privilege.
And that’s the problem. The ICO’s data protection work is financed by this notification fee. So even if you don’t have much time for the form-filling, box-ticking nature of the notification process (I’m a little lukewarm about it in all truth), that fee is essential to ensuring that the ICO can do its job on DPA. If the regulation removes the requirement from our statute book, the ICO will be left with a shortfall of £42.8 million. Bearing in mind that some suggest that the ICO doesn’t do enough as it is – including criticisms from Lord Justice Leveson – and the fact that it is highly unlikely that the Government will want to fund data protection enforcement directly – this is a major problem. As the Committee says, “No one seems to know where resources would come from to replace the notification fee if it is abolished.”
Interestingly, the Committee is not impressed with Leveson’s recommendation to change the status of the Commissioner’s Office to create an “Information Commission”. It repeats the call (which it rolls out every time it looks at anything to do with the ICO) for the Information Commissioner to be made directly responsible to and funded by Parliament. This is just as regularly rejected by Government, but it’s worth another shot.
Others have pointed out that successive Governments have failed to commence existing sections of the Criminal Justice and Immigration Act 2008 which introduced custodial sentences for data protection breaches. Some have suggested that bringing these into force would have been a better way to deal with the problems discovered by Leveson than the Royal Charter. The Committee calls for the the sections to be brought into force.
Similarly, Government has the power to bring in regulations allowing the ICO to carry out compulsory audits of parts of the public sector. This power hasn’t been used much, and the Committee suggests that it should be now to allow the ICO to go into councils and hospitals when there appears to be a problem.
So overall, the ICO will be happy with this report. Let’s hope the Ministry of Justice take note and enact at least some of these recommendations, as otherwise, we’ll be back in the wild west. And I’m rubbish at riding horses.