ICO defends its record after scathing Telegraph report

The Information Commissioner’s Office has jumped to the defence of its record following a Daily Telegraph report which claims that, under Elizabeth Denham, the ICO has chased headlines, done little to curb so-called nuisance calls and wasted money on travel expenses instead of doing its job as a regulator.

In the article, which appears to be inspired by long-term critics of Denham’s reign, the Telegraph goes for the jugular.

It states: “The ICO’s budget has doubled in five years but the number of firms fined for badgering, bullying and pestering the public has been static. Complaints about nuisance callers continue to flood into the ICO, with 83,558 reported in the first six months of the year, so that despite the pandemic, 2021 may well become the worst year on record. The highest total was 167,018 complaints in 2016/17.

“The pursuit of companies for misusing data also appears to have hit the buffers. One of the ICO’s functions is to enforce data laws but since the introduction of general data protection regulation (GDPR), a big piece of legislation incorporated into UK law in the Data Protection Act 2018, the ICO has fined only five companies for GDPR breaches.

“Once again, the ICO has gone for big-ticket items, threatening to fine BA £183 million and Marriott £99 million for infringements of GDPR before settling on the much lower sums that will be paid back over time. Travel companies incidentally are well known to executives at the ICO. The travel and subsistence bill for staff rose from £456,000 in 2015/16 to more than £1 million within two years.”

In response, the ICO states: “The article criticises the ICO’s choice of regulatory priorities. As a regulator responsible for the whole economy, including the public sector and Government, with an important international mandate, our work requires us to make often difficult choices about how best to protect the public while enabling the responsible use of personal data.

“We reject the claims that we chase headlines. The ICO takes a proportionate, pragmatic approach to its regulatory responsibilities. The approach is designed to build the public’s trust and confidence in data protection.

“Modern regulation uses a wide range of tools. Fines and penalties are always a last resort.

“Our work to advise organisations, helping them make changes and improvements to comply with the law, is the most effective way of reducing misuse of people’s data. Where monetary penalties are needed, we haven’t shied away from using these powers, but effective regulation is about far more than the number of monetary penalties issued.”

In response to the claim that nuisance call fines have remained static despite the growth in size of the ICO, the regulator states: “Following the introduction of the new data protection law, the GDPR in May 2018, the ICO has doubled in headcount, with a focus on increasing the technical, legal, and economic expertise in line with our increasingly complex technical remit.

“Tech companies based across the world have a huge presence in the UK, processing UK citizens data. With our responsibility to protect the public, we need to understand and engage with these companies as well as to provide as much regulatory clarity and certainty to all the organisations we regulate.

“Our growth has also involved increasing the number of people working in our teams dealing with complaints from the public and enquiries from small businesses as demand for these services has doubled since 2018. Over a third of all ICO staff now work in these public facing services.”

With specific reference to nuisance marketing, the ICO claims it “has always, and continues to, take action where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s information rights at risk”.

It points out that, since April 2015, a total of £13,598,500 in PECR fines has been issued.

The ICO adds: “Where we identify organisations that can pay but won’t pay, we will pursue formal recovery action, via our financial recovery unit, which can result in insolvency. Equally, where directors seek to avoid payment via insolvency we actively exercise our full rights as a creditor, including nominating Insolvency Practitioners whose investigations can result in personal claims against directors.

“We also work closely with other enforcement agencies to disrupt and obstruct seriously non-compliant directors who, for example, may persist in continuing to make nuisance calls or send unsolicited spam despite our fine. This can result in directors being disqualified and further civil action or criminal prosecutions.

“We continue to work with our fellow regulators and with government to best direct and co-ordinate our collective resources on this important issue.”

Finally, in response to the claims about the ICO’s approach to international travel, the regulator counters: “The ICO has an extensive remit both domestically and internationally, and ministers have been supportive of the ICO’s current leadership role among its data protection regulator counterparts.

“It is vital for the work of the ICO that the Commissioner has a visible role, championing the rights of the public and directly engaging with stakeholders across the whole economy the ICO regulates.

“Any travel commitments for the Commissioner, or any member of ICO staff, are proportionate to the role and accounted for transparently. When travel to multiple overseas locations is necessary we work hard to reduce the number of flights involved.”