The Information Commissioner’s Office (ICO) has announced a corporate plan for the next three years, to 2016.
The unveiling of the rolling three-year plan – setting out the ICO’s objectives, to be reviewed annually – coincides with the sixth annual Data Protection Officer Conference in Manchester.
“Our central purpose remains unchanged. The ICO is the upholder of information rights in the public interest, promoting openness by public bodies and data privacy for individuals: the right to know and the right to privacy,” said information commissioner Christopher Graham.
The focus for 2013, he said, is on "information rights in the spotlight" and, with information rights taking centre stage, the ICO is determined to stay alert and relevant.
Policy shift and funding
But the ICO approaches its task in the face of a series of policy challenges, starting with the draft EC data protection regulation.
Read more about EU data protection
- Internet firms concerned over EU data protection proposals
- Proposed EU data breach laws will require proactive security
- Proposed EU data protection bad for business, says CBI
- How to prepare for proposed EU data protection regulation
- Proposed EU data protection framework needs work, says ICO
- The implications for storage of EU data protection regulation
- Data Protection Masterclass: New EU Data Protection Regulation
- The new EU data protection regulation: Planning for compliance
- EC publishes proposed data protection reforms
- UK business fears impact of new EU data protection framework
- The proposed EU data protection regulation and its impact on cloud users
“Although the final shape of the legislation is still being debated, some things at least are given. A political agreement this year would mean that, by 2016, the new regulatory framework would need to be up and running,” Christopher Graham said.
As currently drafted, the regulation would require a different approach to regulating data protection, said Graham.
“The ICO will need to lead the implementation of the new rules across the UK. But, under the current proposals, the ICO would also have to shift the focus towards processes and permissions with less emphasis on the advice and guidance role the ICO has traditionally championed,” Graham said.
Graham said a highly prescriptive regulation would also be expensive for the ICO to administer.
Even if resources could be switched from advice to administration, he said the regime is likely to be more costly to run, especially if the current proposal to end universal notification survives the legislative process.
“The ICO’s data protection work is currently wholly funded by notification fees. A different method of funding the ICO will need to be identified in short order,” Graham said.
FoI services in demand
Another challenge, said Graham, is the remorseless rise in demand for services under the Freedom of Information Act.
“Our plans to deal with this demand have to be highly focused given our limited grant-in-aid, much reduced and still diminishing,” Graham said.
Graham said Lord Justice Leveson has called for changes in data protection law as it applies to the media, suggesting that the ICO be reconstituted as a commission with a board of commissioners, in place of the Information Commissioner.
Highlights of the ICO's 3-year plan
- Rebuild the ICO’s website to make it more intuitive;
- Modernise the ICO’s systems for notifying under the Data Protection Act;
- Offer practical guidance, such as the new subject access code;
- Work with regulators, at home and abroad, to enforce effectively and share good practice;
- Improve procurement skills and capabilities;
- Renegotiate key supplier contracts;
- Introduce a new portfolio of IT suppliers to reduce costs and improve strategic capabilities;
- Introduce new self-service HR systems.
“Both these proposed changes will now be the subject of public consultation and debate. Their implementation would clearly have a significant impact on the ICO,” he said.
Another challenge, said Graham, lies in the fact that the ICO appears to have become the "go-to" regulator for anything involving personal data and open government.
“While this is evidence of an ICO that is doing its job well and, in turn, is well regarded, there is no doubt that we are being asked to extend our activities beyond what we were set up to do,” he said.
According to Graham, strategic thinking is needed at the ICO and strategic decisions are required from government and parliament.
He said that, in the light of these challenges, the ICO would be reviewing the different scenarios and options and talking to its stakeholders about what they expect from the ICO.
“We’ll develop our next corporate plan in the light of that feedback and conduct an extensive public consultation in the autumn,” Graham said.
The most immediate challenges, he said, include how the ICO can deliver services more efficiently and effectively.