The government is attempting to unduly influence the appointment of the UK’s new information commissioner and should restart the process, a cross-party group of MPs has warned.
In an open letter to digital secretary Oliver Dowden, the MPs expressed concern that the Department for Digital, Culture, Media and Sport (DCMS) is seeking an information commissioner to support its own policy agenda, rather than a regulator that will enforce data protection laws as written by Parliament.
The Information Commissioner’s Office (ICO) is the UK’s data protection, privacy and freedom of information regulator, and is responsible for ensuring compliance with statutory data protection rules.
The MPs said that “no mention is made of experience regulating data protection” in the job description published on 28 February 2021, which instead advertised for a commissioner with “commercial and business acumen”, as well as experience of “using data to drive innovation and growth”.
Organised by digital campaign organisation the Open Rights Group (ORG), the letter was signed by 29 MPs and peers – including Caroline Lucas, Clive Lewis, Diane Abbott, Joanna Cherry and Layla Moran – who wrote that this approach “may prove inimicable to growth in practice” because it would be difficult to prevent unethical business practices in the absence of strong, principle-based regulation.
“The advert makes extensive mention of the need for the information commissioner to align with the goals of the National Data Strategy, which the advert says include removing barriers to commercial use of data and balancing rights with growth,” said the MPs.
“The impression has been made that DCMS seeks an information commissioner that will work to remove protections within current laws, to reduce the risks of enforcement action, and rather than guarantee the rights of individuals, will seek to ‘balance’ rights against concerns such as ‘regulatory certainty’ and economic growth.”
The MPs ended the letter by calling on the government to “halt the recruitment process and restart it, removing recruitment criteria pertaining to matters of policy that are outside of the remit of this statutory regulator, and include criteria that allow candidates to demonstrate they are able to do the job, in particular regulatory and data protection enforcement experience”.
In response a DCMS spokesperson said “our priority is to find an exceptional candidate with a wide range of skills and experience, including in data protection and data rights, and a strong understanding of the legal and regulatory framework.
“The ICO's independence is established in law and we are conducting this recruitment process in line with the Cabinet Office’s governance code for public appointments, which is regulated by the Commissioner for Public Appointments."
The ICO was contacted by Computer Weekly but declined to comment.
Concerns about the government’s ability to influence the appointment of the information commissioner were previously raised by Parliament in 2004 and 2014.
Read more about the ICO and data protection regulation
- The UK government is searching for a new information commissioner with an updated remit to use data to support growth and innovation, and plans on reaching new international data partnerships.
- Metropolitan Police failed to comply fully with an enforcement notice issued by the Information Commissioner, and despite hundreds of overdue subject access requests the regulator did not take further action.
- Information Commissioner’s Office levies fine of £20m on British Airways for failing to protect the personal data of hundreds of thousands of passengers – a vast reduction on the initial £183m penalty.
A Select Committee on Constitutional Affairs wrote in a 2004 report: “The UK model, where funding of the ICO is provided by the government department responsible for FOI [freedom of information] promotion and compliance, is unusual. Since the level of funding for the ICO can have a direct impact on its capability to enforce compliance, there is a potential for conflicts of interest.”
And in 2014, the Public Administration Committee recommended making the information commissioner an officer of Parliament, appointed by Parliament, to ensure they were not political appointments, although this was never included in the Data Protection Act 2018.
Most recently, MPs raised concerns in August 2020 that the ICO was already failing to enforce data protection standards or hold the government to account over its “unlawful” Test and Trace programme for Covid-19.
In another open letter to the ICO at the time, the MPs called on information commissioner Elizabeth Denham to “properly act” and demand that the government make changes to the Test and Trace programme to establish public confidence that their data was being processed safely and legally.
The effectiveness of the regulator was also called into question by ORG in November 2020, when it said it would take the ICO to court over its alleged failure to stop unlawful practices within the digital advertising technology (adtech) industry.
Jim Killock, ORG executive director, said at the time: “The adtech industry has driven a coach and horses through the GDPR [General Data Protection Regulation] and the ICO’s own investigation has highlighted widespread systemic abuses in the adtech industry practices.
“But instead of taking action against it, it has decided to close the investigation. We are determined to ensure that the law is enforced, even when the regulator can’t be bothered to protect our rights and liberties.”
The new information commissioner will earn £200,000 a year, and is expected to be appointed in October 2021 when Denham’s term comes to an end.