The UK's data privacy watchdog is lobbying for greater powers and funding after reporting a bumper workload.
The latest annual report from the Information Commissioner’s Office (ICO) (PDF) reveals that the bureau responded to a record number of data protection and freedom of information complaints in the year to April 2014.
The ICO handled 259,903 calls to its helpline and resolved 15,492 data protection complaints, a rise in both cases of over 10 per cent on the previous financial year. The ICO also dealt with 5,296 freedom of information complaints, a 12 per cent rise on FY 2012-13. In addition, the data privacy quango received 161,720 reports from people concerned about spam texts and nuisance calls.
Despite a higher workload, the ICO has seen a reduction in funding for its freedom of information-related work. Meanwhile proposed EU data protection reforms would remove the notification fee that funds the ICO’s work under the Data Protection Act.
Information Commissioner Christopher Graham said that the "troubled launch of care.data, Facebook’s research and the so-called Google 'right to be forgotten' ruling" show that "organisations' use of data is getting ever more complicated" and that the role of the independent data regulator is becoming even more important.
"Sometimes the state is itself the issue," Graham said in a statement. "When the Intelligence and Security Committee wanted to know how the Snowden revelations fitted with data protection law, it was the Information Commissioner they turned to."
Graham wants increased powers as well as a bigger budget, and some moves along these lines are already happening. For example, enforced subject access will become a criminal offence from December 2014. Enforced subject access is where individuals are forced by someone like a prospective employer to make a DPA subject access request and reveal the results to them, typically in relation to criminal conviction data. This data might include convictions considered "spent" under the Rehabilitation of Offenders Act.
Security vendors are somewhat split on whether the ICO should receive extra funding and greater powers. The ICO does not receive the cash from the fines it levies. While penalties totalling £1.97m were issued, the ICO only collected £872K thanks to a combination of early payment reductions, appeals and impairments – which it had to hand over to the Treasury's Consolidated Fund.
The ICO said its two main sources of income are the MoJ's grant in aid, which covers its FOI work, and the DP notification fee paid by organisations processing personal data in the UK, which covers its DP work.
One secure comms firm, ViaSat UK, argues the present system favours organisations with the money to make an early payment, or to mount an appeal – but with more resources, the ICO could make its cases more watertight.
Chris McIntosh, ViaSat chief exec, commented:
"With increased funding and powers, the ICO could not only make sure that penalties, financial or otherwise, match the severity of an offence. It could make its investigations even more thorough: reducing the chances of appeals and making sure that its eventual judgement is both fair and final.
“The ICO is already using its work over the past year to lobby for increased powers and funding and, quite frankly, it is right to do so. While doing the best with what it can, it is still handicapped by the fact that its resources, and the penalties available to it, are still not enough to deter many organisations," he added.
Another security vendor argued that changing data privacy practices more generally rather than prosecuting those caught foul of flouting data protection rules ought to be the ICO's main priority while acknowledging that it needs to money and manpower to handle an expanded caseload.
Simon Eappariello of iboss network security commented:
"Funding isn’t the magic bullet that will fix the data privacy issue. Whilst funding will critically give the ICO the manpower to handle the ever-growing number of complaints, personal and industry attitudes towards data need to change."
"Right now, the British public’s personal data is being thrown into a shared leaking bucket," he added. ®