Information Commissioner Christopher Graham writes in his office’s annual report today: “Our grant-in-aid from the Ministry of Justice, which has been cut in every year since I became Information Commissioner in 2009, is simply not adequate for us to do the work we could and should be doing.”
In the year to 31 March 2014, the number of data protection cases the ICO received went up by 7 per cent and freedom of information (FoI) cases by 10 per cent on the previous 12 months. Its biggest caseload comes from enforcing the Privacy and Electronic Communications Regulation, which includes investigating nuisance phone calls and spam texts, and the volume of these complaints remained virtually unchanged at over 160,000.
The number of cases the ICO closed in each area went up by even more, suggesting that it is already successfully doing more with less, but its responsibilities are increasing exponentially. The government plans to give the ICO more power to prosecute nuisance callers, which it will undoubtedly be expected to use. It’s also likely to have much more to do when the EU parliament passes its new data protection regulation, expected this year.
As Graham himself notes in the ICO annual report, there’s a need for strong enforcement of laws to build up public confidence in how brands and public bodies use people’s data. He claims that American whistleblower Edward Snowden’s revelations about state surveillance, the botched care.data government health scheme and “foot-dragging” from public bodies responding to FoI requests “make it more difficult to secure the necessary public support”.
He also criticises the transparency of commercial data practices, saying consumers “are fed up with being taken for fools by big brands and big business with their often opaque and tricky privacy statements”. The ICO needs the teeth – and the money – to change this status quo.
If it can’t, then don’t expect European judges and politicians to sit idly by. In two highly significant cases already this year, EU courts have stepped in to rule that European companies aren’t complying with existing data laws – once to tell Google it must delete out-of-date search results (the so-called ‘right to be forgotten’) and once to order internet and telecoms brands that they can’t keep holding consumers’ communications records without cause. The latter has prompted emergency legislation by the UK government, who want security services to be able to access this data.
The chances are that similar situations will only be more common in future, as EU laws become even more restrictive on what consumer data can be collected, processed and stored. It’s up to the ICO to ensure that British brands and organisations comply without the need for further European intervention, but without greater funds it’s a job they might not be capable of doing in the future.