Government plans to give the Secretary of State the power to approve or reject Information Commissioner’s Office codes of practice and guidance, would not only undermine the regulator’s independence, but could damage public trust and even trigger more legal challenges.
That is the damning verdict contained in the ICO’s 32,655-word, 89-page response to the DCMS consultation on the data protection reforms, “Data: a new direction”, which also warns that “frequent government interventions” could tie the regulator’s hands.
In the foreword to the document, outgoing Information Commissioner Elizabeth Denham, who leaves this month, gives a cautious welcome to many of the proposals. However, she insists that “the devil will be in the detail”, adding “it will be important that government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator”.
She continued: “The energy powering new technologies is our data: about our behaviour, our interests, our spending patterns, our loves and likes, our beliefs, our health, sometimes even our DNA – the very building blocks that make us who we are.
“The economic and societal benefits of this digital growth are only possible through earning and maintaining people’s trust and their willing participation in how their data is used. Data-driven innovations rely on people being willing to share their data. ICO research shows people who have heard about a data breach have lower levels of trust and confidence in all organisations using their data.
“We need a legislative framework with people at its heart and I am pleased to see the consultation recognise the importance of maintaining and building public trust. It is crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards.”
In its response, the ICO states: “Some of the proposals risk undermining the independence we need to carry out our responsibilities under both data protection and freedom of information legislation to oversee government and the public sector.”
Independence, within a framework of strong accountability to Parliament, is important, the regulator continues.
“It allows us to regulate without fear or favour, to make decisions about where we intervene or act based on an impartial assessment of the harm or potential harm to people. It also reassures the public that our actions are impartial and that government as well as businesses are being held to account. This builds the trust needed for people to be willing and engaged participants in the digital economy. The independence of the regulator will also be an important element in securing future global trade deals and adequacy agreements.
“Giving the Secretary of State the power to approve or reject codes of practice and complex or novel guidance would reduce the ICO’s independence. It would also reduce regulatory certainty for organisations and wider trust and confidence in the ICO’s guidance. It could also lead to more legal challenges, such as judicial review.
“In such challenges it would need to be clear who the respondent would be in the context of a challenge to guidance that the Secretary of State had determined. It is our belief that, as an independent regulator, the ICO should be able to issue its own guidance, with a commitment to take account of the views of stakeholders and the impact on economic growth.
“As well as reducing our independence, this proposal also reduces the ability of government to effectively hold the ICO to account. We expect and need government to maintain the ability to hold independent regulators to account for the consequences of the products they produce and decisions they take.
“This is made more challenging if government is the final approver of the guidance and products which establish the standards of legal compliance and regulatory certainty for stakeholders.”
The ICO is also concerned about the new structure of the regulator, arguing that plans for the Government to appoint a chief executive does not sufficiently protect its independence. The ICO insists the appointment should be made by the Commissioner (who under the proposals will become chair) and the board, in consultation with the Secretary of State, as is the case at other independent UK watchdogs.
While it supports the use of a public appointments process for the non-executive and chair roles on the board, the ICO insists it should be the board’s responsibility to appoint the chief executive which they then hold to account.
“We believe this is important for all aspects of our remit, but it is absolutely critical for our oversight of government under data protection and freedom of information legislation.
“We believe that both these proposals would result in more significant and frequent government interventions in the ICO’s regulatory work than is seen at the other UK digital regulators. It is our view that this does not accord with our role in overseeing compliance by government.”
This issue has already been raised by MPs, who back in May warned that the new Commissioner must not be a ministerial stooge and reduce privacy protections instead of a regulator who will enforce the law.
In her foreword to the consultation document, Denham concluded: “Data protection is not just an academic exercise, or the province of regulators or data protection officers. It matters to all of us, and has the power to affect every aspect of our lives.
“I, and my office, remain committed to supporting the Government to ensure a data protection framework that works for everyone, and is fit for both the challenges and the opportunities ahead. The ICO…stands ready to implement the reforms that Parliament decides upon.”
Privacy group slams ‘bonfire of rights’ in data reforms
Will tougher fines bring victory in nuisance call war?
How will UK data reforms hit the marketing industry?
Govt reforms to axe Information Commissioner’s role
Critics round on overhaul of data law; Daily Mail rejoices
Govt plots major data law shake-up steered by NZ chief
MPs warn new data regulator must not be Govt patsy