The Information Commissioner’s Office has published a new three-year plan, pledging to prioritise action in the first 12 months on predatory marketing calls and the beleaguered Freedom of Information system, along with children’s privacy, AI-driven discrimination, and the use of algorithms.
The strategy, dubbed ICO25, is being seen as new Information Commissioner John Edwards’ first major initiative and an attempt to stamp his authority, following his appointment in January this year.
In a speech at the launch of the plan today – published early – Edwards says: “My most important objective is to safeguard and empower people, by upholding their information rights. Empowering people to confidently share their information to use the products and services that drive our economy and society.
“My office will focus our resources where we see data protection issues are disproportionately affecting already vulnerable or disadvantaged groups. The impact that we can have on people’s lives is the measure of our success. This is what modern data protection looks like, and it is what modern regulation looks like.”
However, the ICO has had mixed success in the past over the first four priority areas.
On nuisance calls, it has issued millions of pounds’ worth of fines since being given new powers way back in 2015 yet it still struggles to get rogues to cough up and the number of illegal calls continues to rise.
Under the looming Data Reform Bill, ministers want to bring the Privacy & Electronic Communications Regulations (PECR), which govern telemarketing, in line with UK GDPR, meaning potential fines for rogue telemarketers could be increased from a maximum of £500,000 to up to £17.5m or 4% of annual global turnover.
Whether this will have any impact remains to be seen.
Meanwhile, back in November last year (two months before Edwards took charge) the ICO claimed it only had “limited resources” to investigate breaches of the children’s privacy code – or the Age Appropriate Design Code as it is officially called. At the time, it was predicted that enforcement action would be highly unlikely for years.
The other two ICO priority areas – AI discrimination in the recruitment sector and the use of algorithms in the benefits system – have yet to be the subject of any meaningful action from the regulator.
Elsewhere in ICO25, the ICO claims there will be a package of actions to help save businesses at least £100m across the next three years. Quite how this will be achieved in reality is not clear, although the regulator has set out a raft of programmes which it claims will save firms money.
These include plans by to: publish internal data protection and freedom of information training materials; create a database of ICO advice provided to organisations and the public; produce a range of templates to help organisations develop their own approaches; create an ICO moderated platform for organisations to discuss and debate compliance and share information and advice; develop a range of ‘data essentials’ training, specifically aimed at SMEs; and set up iAdvice to offer early support for innovators.
Edwards said: “Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful implementation of a new data protection law.
“Certainty in what the law requires, coupled with a predictable approach to enforcement action, that allows businesses to invest and innovate with confidence. And the flexibility to reduce the cost of compliance.
“That support for business and public sector is important in itself, but it is ultimately a means to an end. We help business to help people.”
The report also sets out support for the public sector, including a revised approach to public sector fines – already published last week – and the creation of a cross Whitehall Senior Leadership Group to drive compliance and high standards of information across government departments.
Finally, the report also sets out the ICO’s commitment to supporting the development of what it calls “modern freedom of information”, including prioritising FoI complaints and a greater emphasis on dispute resolution around complaints.
This will be a key area for many data protection professionals, given what some claim is the current shambolic state of FoI enforcement.
In April of this year, an open letter coordinated by the online news organisation OpenDemocracy, and signed by 100 politicians, journalists, and campaigners, claimed the UK’s FoI laws are being undermined by a lack of resources and Government departments obstructing lawful requests, and it is down to the ICO to sort out the mess.
The move followed a Campaign for Freedom of Information report detailing how that backlogs at the ICO had become so extensive that it was taking an entire year for case officers to be assigned to review complaints.
Edwards concluded: “There are few regulators who can say their work is of fundamental importance to the democracy on which society exists. But that is the value of the FoI Act. My role is to ensure the administration of that law is fit for the modern world.
“But to achieve that requires fundamental change. And that change has to start in my office. The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking. But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.”
Axe data fines for charities, too, say agency chiefs
Industry claims victory as Data Reform Bill is revealed
ICO claims FoI is a priority as criticism of delays grows
ICO courts industry as John Edwards takes the reins
ICO says it has ‘limited resources’ to enforce kids code
Data reforms could lead to Govt meddling, ICO warns
Privacy group slams ‘bonfire of rights’ in data reforms
Will tougher fines bring victory in nuisance call war?
How will UK data reforms hit the marketing industry?