Sergey Nivens - Fotolia

ICO reports progress in data protection, but funding remains a concern

Despite the progress of the past year, the Information Commissioner's Office (ICO) says it still doesn't know how it will fund its operations in the future

The past year has been one of progress in data protection and freedom of information – but funding continues to cause concern, according to the latest annual report by the Information Commissioner’s Office (ICO).

 “It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year,” said information commissioner Christopher Graham.

He cited as an example the Court of Justice for Europe ruling on Google search results, saying the case could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

The information commissioner reflected on the tenth anniversary of the Freedom of Information Act, which was implemented in January 2005.

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests.

“The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK. Our annual report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about."

Improved data regulation

Graham highlighted the strengthening of the ICO’s regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling. Companies' practice of forcing a prospective employee to make a subject access request for their spent criminal record, for example, was also made an offence.

“The long wished-for commencement of the offence of enforced subject access (section 56 of the Data Protection Act (DPA)) enables the ICO to tackle the abuse of this important right. No longer can employers get round the legal safeguards by forcing would-be employees to prejudice their own privacy in return for a job,” Graham said in the report.

He said a change in the law made it easier to issue fines to companies behind nuisance calls and texts. The report showed that, of the £1,078,500 monetary penalties issued by the ICO in the past year, £386,000 – nearly 36% – were for companies making nuisance calls or texts, while there was an 11.4% rise in number of related reports to 180,188.

The report shows that, while the number of data protection reports the ICO received fell just 3% compared with the previous year to 14,268, the value of monetary penalties fell by more than 45% – reflecting the ICO’s emphasis on helping UK organisations improve data protection, rather than punishing them for shortcomings. The ICO reported an increase in the proportion of complaints that were resolved informally to 22%, up from 19% the previous year.

According to the report, the ICO answered 195,431 helpline calls, conducted 41 audits of data controllers and 58 advisory visits to SMEs, responded to 1,177 information requests and recorded 4.9 million visits to the ICO’s website.

ICO funding concerns persist

Despite the progress and the challenges that lie ahead with the EU data protection reforms, Graham said the ICO still awaits a solution to the problem of how best to fund its operations in future.

The report highlights as an “area of uncertainty” possible reductions in income for freedom of information work, given the government's focus on deficit reduction.

Funding has been a central theme in the previous two annual reports with the information commissioner consistently expressing concerns about funding for the ICO in the long term.

For the past six years, the ICO has faced a reduction in its funding for freedom of information work and notification fees for data protection.

The proposed EU data protection reforms will remove the notification fee that funds the ICO’s work under the Data Protection Act.

In response to these changes, the ICO has called for a new method of funding, and last year’s report called on parliament to establish a single, graduated information rights levy to fund the ICO. 

Read more about the ICO

In last year’s report, the information commissioner called on parliament to “strengthen the commissioner's powers, enable the adequate resourcing of the ICO, and guarantee the commissioner's independence”.

However, while still expressing concern about the uncertainty of funding for the ICO, Graham said this year’s accounts reflect the welcome agreement from the Ministry of Justice (MOJ) allowing the ICO greater flexibility in accounting for non-frontline costs between its data protection income from registration fees and the grant-in-aid which pays for the freedom of information work.

Commenting on ICO finances, Chris McIntosh, chief executive of ViaSat UK said that, while the ICO’s net expenditure fell 32%, this year’s report suggests it is operating against the limits of its financing.

“If we are to ask the ICO to take greater action against those breaking the data protection act; to be able to monitor and audit organisations as it feels necessary; and to have greater power to enforce data protection best practice, it is clear this funding needs to increase,” McIntosh said.

ICO shies from tougher cases

According to McIntosh, with greater resources the ICO might have been able to perform audits that came to more than 1/40th of the number of data incidents investigated. “In an ideal world, we would see the ICO performing more audits and having to investigate fewer incidents – but it seems that is still some way off,” he said.

However, McIntosh noted that, while the value of financial penalties levied by the ICO has almost halved compared with the previous year, the final amount paid to the ICO and its consolidated fund after reductions and appeals has not been nearly so greatly affected; dropping by just 13% from £872,000 to £757,000.

“After last year, where more than half of the consolidated fund’s supposed income was eliminated, this can be seen as a serious improvement. This is mostly down to no appeals to punishments being brought, which could suggest that the ICO is being smarter about how it picks its battles and not pursuing cases that could result in a costly and ultimately counter-productive appeal,” he said.

“For an organisation that needs to consider its budget, this is the wisest course of action: We can only hope that, in the future, greater resources will allow the ICO to pursue tougher cases as well."

Read more on Privacy and data protection