Data reforms 'make it harder for people to get justice'

The Data Protection & Digital Information Bill might have returned to the House of Lords this week but privacy campaigners are not giving up their objections without a fight, with fresh claims that the reforms will make it much harder for people to get justice when they experience data protection abuse.

Under the proposals, the Information Commissioner’s Office will be modernised to have a chair, chief executive and a board in line with other UK regulators and there will be a new way for how the ICO develops statutory codes and guidance, which share best practices for organisations using, sharing or storing personal data in specific instances, such as protecting children’s data online.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. Contentiously, the Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament.

Ministers claim the shake-up will give the regulator new objectives, allowing Parliament and the public better ability to hold it to account, but long-term critic the Open Rights Group claims the plans will harm the regulator’s independence.

The ORG stated: “The ICO already has a poor record on enforcement. In the year 2023/24, aside from fining TikTok for data protection breaches, it has only issued fines to the private sector in relation to spam emails and cold calling.”

The organisation points out that the regulator has only issued one fine to a public sector department – the Ministry of Defence – for an email error that “could have resulted in a threat to life” of 265 Afghan interpreters.

Even then the ICO slashed the initial fine of £1m to £350,000; equivalent to £1,000 for each life that could have been lost.

The ICO did not fine other public sector organisations, including police forces that exposed witness data, a Council whose disclosure put a mother and child at risk, and the Ministry of Justice after four bags of confidential waste were found in an unsecured holding area in the prison, which both prisoners and staff had access to. Instead, it issued reprimands, or in a few cases, enforcement orders.

The ORG claims it has also heard about the individual experiences of complainants that demonstrate the human impact and hurt that is caused when cases raised by the public are left unresolved.

It argues that provisions within the Bill could further weaken the ability of the regulator to operate independently of government and protect data rights.

The ORG continued: “The ICO exists to protect our data and information rights, and this includes investigating issues and problems that are raised with members of the public. ORG asked our supporters about their personal experiences of the ICO. We received dozens of responses where people felt that the ICO had failed them.

“As well as undermining the independence of the ICO, the DPDI Bill shifts power over our data to companies and governments. If it passes, the public will have less control over our data and less recourse when things go wrong.

“Parliament needs to ensure we have a strong, independent ICO which will stand up to corporations, organisations and government departments who are misusing our data and disrespecting our data rights.”

Share with friends and colleagues

Related Articles