What is the Information Commissioner’s Office?
The Information Commissioner’s Office (better known as the ICO) is an independent public body and regulatory office dealing with data protection regulation (the Data Protection Act 2018 and the General Data Protection Regulation) and the Freedom of Information Act 2000. One of the ICO’s main roles is to ensure organisations are aware of and comply with their data protection obligations, i.e. that organisations or companies keep the personal information of employees and customers safe and secure and do not disclose it to unauthorised third parties.
If a company or organisation does disclose your personal data to a third party without your consent, you can and should raise a formal complaint about the data breach directly with the company or organisation. However, you are also entitled to submit a complaint about the said company or organisation to the ICO. The ICO will investigate your complaint, make a decision as to whether your personal data has been breached and then offer the said company or organisation guidance to ensure they comply with their data protection obligations in the future. The ICO cannot make or force companies to offer compensation following a data breach; you need to take legal advice if you want this.
In addition to offering guidance to ensure a company complies with its data protection obligations, the ICO can fine a company for repeated data breaches or even large data breaches (where a lot of personal information has been breached). One recent fine was Cathay Pacific Airways Limited, who were fined £500,000 for failing to protect the security of its customers’ personal data.
But is the ICO fit for purpose in its current format?
The Government have instructed consultancy Oliver Wyman to audit the ICO and answer that very question. The ICO has in recent days been compared to a ‘toothless tiger’, as it does not actively police the conduct of companies (in managing/complying with their data protection obligations) but only investigates once made aware of a data breach or data breach concerns.
In addition there is a question of resources: the ICO’s budget for 2018 was approximately £40m. This sounds like a large budget, but when you take into consideration the number and potential size (both large and small) of the companies the ICO investigates (massive companies such as Google, Amazon, Facebook and Virgin Media), suddenly the budget can seem rather small, even when compared with the revenue a massive company generates in a single year.
The ICO has approximately 680 staff; however, fewer than 10 of these work in its investigation unit. With fewer than 10 staff working in its investigation unit, does the ICO even have sufficient manpower to investigate the data breach complaints it receives on a daily basis? Or will the ICO end up overwhelmed? Is it already overwhelmed?
The audit comes at a time when data breaches are major news stories: the recent EasyJet data breach has just hit the news, and it is likely the ICO will have some involvement in any investigation to find out what happened. The EasyJet data breach will also renew interest in another large airline the ICO investigated. It previously investigated British Airways in relation to a data breach and in July 2019 announced it intended to fine British Airways £183.39M. To date the ICO has delayed British Airways’ payment of the said £183.39M fine.
Inconvenient timing or not, it is clear the ICO audit is greatly needed, not least to try to provide reassurance that the ICO can carry out its purpose of offering help and guidance in relation to potential breaches of individuals’ personal data. If the ICO needs to be better resourced or funded, then hopefully the audit will make this clear.