IT Security Guru
ICO wants more powers, money and independence – industry views

by The Gurus
July 21, 2014
in Opinions & Analysis
Aside from the news of a mysterious security incident, the Information Commissioner’s Office (ICO) this week launched its annual report calling for more power, funding and independence.
 
Yes, an independent regulator is needed, and wouldn’t we all love more power and money? I asked some of the industry’s key minds on legal and data protection issues what they thought of the “request”.
 

Stewart Room, solicitor and president of the National Association of Data Protection Officers
The legal requirement for regulatory independence requires that the regulators do not form part of the State. Where the regulator is reliant on State funding, that is a problem. However, this isn’t the case for data protection, as the ICO is funded by notification fees.
 
I really do not see any independence issue as far as this area of the law is concerned. Of course, the funding issue will need to be resolved, because notification fees will be abolished if the Regulation comes into effect. Perhaps the solution will be found in letting ICO keep some of the money from financial penalties.
 
I don’t think that the ICO stands much chance of getting an increase in its Government grant for freedom of information work. Many parliamentarians will be opposed to giving the ICO preferential treatment in times of continuing deficits and cut backs. We may be out of recession but we’re not out of austerity.
 
The nature of the security problem, while serious, does not mean that the case for compulsory regulatory audits has been made out for the entire economy, though in the public sector it seems odd that the government has not yet brought in compulsory audits for the NHS and health. But, if the Regulation comes into effect, the issue will be resolved, as the regulators will get these powers.
 
When the ICO’s positions are examined, it’s helpful not to forget that there has been a long tradition at ICO of campaigning for new powers and penalties. This is one of the key features of the ‘Regulatory Bear Market’ that I’ve talked about for years. This campaigning is not going to go away, even after a new DP Regulation. Campaigning is part and parcel of what regulators do.
 

Martin Hoskins, Privacy Consulting
Can a regulator, enabled by Government and working with a European directive, be independent? Yes he can. A directive gives member states more flexibility when transposing European legal requirements into local laws, compared with a regulation, which is basically directly applicable, word for word, once it has been agreed by the European Institutions.
 
Depending on the wording of the legal instrument, the regulator may be given a range of powers to exercise in certain circumstances (which gives him a considerable margin of flexibility) compared to a stricter regime where, say, fixed fines are to be levied by the regulator when particular transgressions occur (e.g. a Regulation could contain a provision that requires a fixed fine to be payable by a data controller if they fail to notify the regulator of a data breach within a fixed period of time).
 
Also, we need to remember that regulators were deliberately designed to be independent to act as a firewall between those regulated and the Government. If there were not an independent regulator, there would be a Government department that was responsible for the regulating of that particular area – and Ministers tend not to like the toxic obligations that flow when they are directly responsible for something. So, they “contract out” the regulating work to someone who they can criticise in the event that something goes awry.
 
What the ICO needs are powers that are capable of effecting behavioural change among recalcitrant data controllers. The possibility of fines is not necessarily a sufficient tool, particularly for companies who have directors that are capable of quickly disposing of the corporate assets, and therefore won’t face fines. Somehow it needs to encourage a climate where senior executives of companies are more personally accountable in the event of a significant failing.
 
Have the quantity of breaches demonstrated the need for businesses to be audited better when it comes to data protection and privacy? I don’t think there’s a very strong link between data breaches and the need for organisations to be audited better. Currently, the organisations that are audited most frequently (those in the NHS) have a transparency culture that promotes breach reporting. But just because they are good at breach reporting does not mean that they don’t have a lot of good controls in place which monitor their information flows.
 
Many businesses find it difficult to know what good data protection looks like, and what questions they should ask when they carry out a data protection audit. That’s why I’ve recently published a book called “How do I carry out a data protection audit”.
 

Jonathan Armstrong, partner at Cordery
On balance, though the ICO has a better track record than some other equivalent regulators in Europe, it is hard to think of a case where Christopher Graham has shown Government bias and in some cases – for example the ring of steel case – he has clearly made decisions which go against Government policy. There is a perception risk certainly, especially if the ICO succeeds in getting more central Government funding.
 
I think funding will be hard to justify in central Government and there is a worry that the withdrawal of registration fees will create a funding gap. Equally, unlike some countries, the ICO does not directly see fine revenue put back into its budget; re-allocating fines back to the ICO may be a way of plugging the gap, but based on the figures the ICO gave, it won’t be the complete answer.
 
Have the quantity of breaches demonstrated the need for businesses to be audited better when it comes to data protection and privacy? They have certainly demonstrated a need for businesses to take information security more seriously, but I would question if audits lessen risk. In the US, we have experience of some of the large data breaches coming after a comprehensive PCI audit which questions the value of some audits as a way of lessening information security risk.
 
Jon Baines, chair of the National Association of Data Protection Officers
Can a regulator, enabled by Government and working with a European directive, be independent? Not without difficulty, and this has been recognised on several occasions by the Commons Justice Committee, who have suggested the IC be made directly responsible to and funded by Parliament.
 
The government has rejected this however, saying in 2012 “[the ICO’s] work does not relate primarily to that of Parliament”.
 
The current Directive, and the draft Regulation, both talk of data protection authorities needing to have “complete independence”. Under the current domestic law that is sought to be achieved by security of/fixed-term tenure, status as a crown appointment etc. Whether that goes far enough is questionable.
Another way “independence” is applied is in terms of funding being derived from notification fees. If these go under the draft Regulation, then the shortfall would have to be made up somehow. This is the source of the IC asking for an “Information Rights Levy”. How that would differ in effect from current notification requirements, I’m not sure.
 
On funding – I agree with Stewart Room. The chance of any direct funding increase is vanishingly small. However, the “Information Rights Levy” might also involve getting public authorities to pay for the pleasure of being subject to FOIA. I suspect this may go forward – Christopher Graham has been making strong demands for it for a while now. Question then will be whether DP and FOI funding will continue to be ring-fenced (as they are now) or whether it can be pooled.
 
On audits, I think it would be good to have compulsory powers, but I think the issue is not so much with the “visible” security breaches, but the hidden/suspected stuff. Something along the lines of the VAT man doing occasional random checks. Realistically that is not going to happen (but as Stewart says, the Regulation would bring the powers at least).
© 2015 - 2024 IT Security Guru - Website Managed by Dessol