Proposed reform of the ICO – Necessary modernisation or a threat to independence?
17 November 2021
The fifth and final chapter of the Government’s consultation paper addresses Reform of the Information Commissioner’s Office (ICO). Here, the proposals appear to be driven not only by the Government’s aim of ensuring that the ICO is equipped to regulate effectively in an increasingly data-driven world but also by its wider aim of delivering a data protection regime that supports vibrant competition and innovation, keeps pace with the rapid innovation of data-intensive technologies and helps innovative businesses of all sizes to use data responsibly. As with the rest of the consultation paper, there is much to be welcomed in the proposals for reform of the ICO. However, a key test is whether these proposals pose a threat to the ICO’s independence. The independence of the regulator in the exercise of its functions, not just from government but from any external influence, is central to any effective data protection regime. It goes not only to public trust in the regime but also to international recognition of the regime which, in the UK’s case, includes the European Commission’s adequacy finding.
This blog discusses the specific proposals for reform of the ICO, assesses their likely impact on businesses and considers how far, if at all, they might impact on the ICO’s independence.
Strategy, Objectives and Duties
Governance Model and Leadership
Here the Government is proposing to establish an independent board and chief executive officer at the ICO. There has been a variety of proposals, over the years, to move away from having all the powers and responsibilities of the ICO vested in a single person, the Information Commissioner. Indeed, some commissioners have been in favour of this themselves and the ICO already has a Management Board with non-executive membership, albeit that the Board is established voluntarily, as a matter of good governance, by the Information Commissioner rather than having a statutory basis. As the consultation paper says, this “corporation sole” model is unusual in the UK both for regulators of the size to which the ICO has now grown and for regulators with the broad remit that the ICO has now been given. Furthermore, many data protection authorities internationally, particularly the larger and more influential ones, have a board either in place of or in addition to a commissioner. The principle of moving to a more robust governance model with greater collegiality in oversight and direction setting and, perhaps, thereby greater assurance of independence is likely to be widely welcomed.
However, the Government’s proposals are at best unclear and perhaps a little muddled on how this new governance model will work in practice. The ICO, in its response to the consultation, places great importance on retaining the title of “Information Commissioner”, although its argument around retaining international influence for the ICO is not entirely convincing. The Government therefore suggests that the title “Information Commissioner” should attach to the chair of the new board. If so, where will the powers currently vested in the Information Commissioner then reside? It would be odd indeed if these powers were to be vested in the chair of the board alone rather than with the board collectively. Might it not be more logical and more transparent to dispense with the title “Information Commissioner”, which suggests a single decision maker, and give the board the title “Information Commission”, which would confirm its collegiality? Other data protection authorities, such as France’s CNIL, that adopt a model of this type do not necessarily appear to suffer unduly in terms of their international influence.
There is though reference in the consultation paper to the appointment of a chief executive officer, to delegation and to the board providing direction to, and scrutiny of, the executive function rather than to the board performing the executive function itself. If, in the light of this, the designation of “Information Commissioner” is to be retained, might it not make more sense for this to be attached to the proposed chief executive officer rather than to the chair of the board? The ICO’s powers would then rest with the Information Commissioner/chief executive officer, either directly or by delegation from the board, with the holder of that post answering to the board as to how those powers are exercised as well as, more generally, for the day-to-day running of the office. This approach, whereby the chief officer is the most prominent public and international face of the regulator, is also one commonly adopted by other board-led data protection authorities.
The Government’s proposals then address the appointments process. The chair of the board would be appointed by the same process as that currently used for the Information Commissioner with the other board members also appointed via a formal public appointments process. This means government involvement in the appointment of board members but that does not necessarily threaten the ICO’s independence any more than does its involvement in the current arrangements for appointing the Information Commissioner. What has always been a cornerstone of the Information Commissioner’s independence is the inability of the government to remove the person concerned from office if they don’t like the regulatory outcomes that they are delivering. Removal can only take place if the Commissioner turns out to be “mad or bad” and then only on an address from both Houses of Parliament. The consultation is noticeably silent on how the proposed new board members might be removed from office.
Of greater concern, as voiced by the ICO in its response to the consultation paper, is the proposal that the chief executive officer should also be appointed via the public appointments process, meaning that the final decision on appointment would rest with government. The ICO’s independence might be better assured if the independent board were able to appoint its own chief executive officer, albeit that it should be required to follow a fair and open process in doing so. Again, this is commonly how the chief officers of other board-led data protection authorities are appointed. It might not be the Government’s intention to try to influence how the ICO carries out its executive functions over and above its role in appointing members of the independent board, but it is hard to see any justification for the government, rather than the board, taking ultimate responsibility for the appointment of the chief executive unless it believes that it needs to retain the ability to do this.
Accountability and Transparency
Given the emphasis in the UK GDPR on the accountability and transparency of data controllers, it is perhaps not surprising that the Government’s proposals feature enhanced accountability and transparency requirements for the ICO. These include a requirement for the ICO to develop and publish key performance indicators (KPIs), a possible requirement for it to publish key strategies and processes and the introduction of a power whereby the government could initiate an independent review of the ICO’s activities and performance. It is this latter element that might be interpreted as a threat to the ICO’s independence. However, independence does not necessarily mean an absence of external scrutiny. The ICO is a large organisation spending around £70m per year, which, although largely collected from data controllers, is nevertheless public money. Ensuring that the ICO operates efficiently and that this public money is spent effectively need not necessarily threaten the required independence of the ICO. Government-led scrutiny will only do this if it starts to call into question the outcome of the ICO’s regulatory processes and decision making. Here independence requires that any scrutiny remains the province of the courts and Parliament rather than the government of the day.
Codes of Practice and Guidance
The Government is proposing to place an obligation on the ICO to undertake and publish impact assessments, as well as to conduct enhanced consultation, when developing “codes of practice, and complex or novel guidance”. This will include a power for the government to require the ICO to set up a panel of persons with relevant expertise when developing these codes and guidance. In many ways this will do no more than put the ICO’s current practice onto a statutory footing. Businesses are likely to welcome the assurance that their views will be taken into account in the enhanced consultation process, even if the ICO may not be bound by them. There may though be some concern about applying these requirements to “complex and novel guidance” as well as to codes of practice if they mean that such guidance takes significantly longer to develop and publish than would otherwise be the case. Businesses faced with complex and novel challenges generally welcome early regulatory guidance, with the ICO currently having a track record of being “first to market” amongst data protection authorities when addressing topics such as artificial intelligence and facial recognition.
Of far greater concern will be the proposal for the Government to introduce a power under which the ICO will be obliged to submit codes of practice and complex or novel guidance to the government and will not be able to issue such codes and guidance without its approval. Although the Government says that this is a parallel power to that afforded to the Houses of Parliament, the power of Parliament only extends to statutory codes of practice and not to “complex or novel guidance”. It is also a very different matter, in relation to the ICO’s independence, for the government of the day rather than the legislature to give itself the ability to veto aspects of the ICO’s regulatory output. The ICO, in its response to the consultation paper, points out that the government will, in any case, have an opportunity to be heard in the consultation process and that enabling it to go one stage further in vetoing guidance on topics such as AI and facial recognition that it may find challenging to implement or difficult politically is “fundamentally at odds with safeguarding the ICO’s independence”.
The UK GDPR gives every data subject the right to lodge a complaint with the ICO and places the ICO under an obligation to investigate, to the extent appropriate, and to inform the complainant of the outcome of their complaint. The ICO receives nearly 40,000 complaints each year. Handling these consumes a significant proportion of the ICO’s limited resources. In considering how far this is a good use of such resources, it needs to be borne in mind that, in respect of its data protection functions, the ICO’s role is one of regulator rather than ombudsman, despite the consultation paper misleadingly likening it to “other domestic ombudsmen and regulatory bodies such as Financial Ombudsman Services”. This means that the ICO’s primary function is to bring about compliance rather than to resolve problems for individuals, even if, very often, achieving the former will also deliver the latter. Although they might come from aggrieved individuals, not all the complaints that the ICO receives necessarily raise significant compliance issues. Arguably, the ICO could operate more effectively and efficiently in its data protection regulatory role were it to have more discretion over how it handles complaints. The Government is therefore exploring whether to introduce criteria by which the ICO can decide not to investigate a given complaint.
The Government is also proposing to introduce a requirement, with some exemptions, whereby the complainant would have to attempt to resolve their complaint directly with the business concerned before lodging the matter with the ICO. Although there might be some impact on businesses there should be little to worry them here given that the ICO already encourages complainants in this direction. There might be some possibility of a loss of public confidence in the UK’s data protection regime if significant numbers of data subjects believe that they are unreasonably being denied access to the regulator’s complaints function. This should though be manageable, particularly if the ICO is given discretion over when it can take on complaints that have not first been raised with the business concerned rather than this being prescribed inflexibly in the law.
Of more concern to businesses might be the proposal to place a requirement on them to have a simple and transparent complaint-handling process in place to deal with data subjects’ complaints. Part of this would involve the publication of information about the type and volume of complaints received on a periodic basis. For many businesses meeting this requirement could have resource and reputational implications, even though the Government is proposing exemptions to avoid placing burdens on SMEs or organisations that process data in a low-risk way.
Elsewhere in its consultation paper the Government is seeking views on whether to bring the enforcement regime under the Privacy and Electronic Communications Regulations 2003 (PECR) into line with that under the UK GDPR and Data Protection Act 2018. This would mean increasing the maximum fines under PECR for breaches, such as the sending of unsolicited email and SMS marketing without consent, from the current maximum of £500,000 to a maximum of £17.5 million or 4% of global turnover, whichever is the higher. It would also mean giving the ICO the power to issue assessment notices when investigating PECR compliance so that it could require an organisation to give it access to premises, documentation and equipment.
Additionally, in the chapter addressing reform of the ICO, the Government makes a number of proposals for strengthening the ICO’s enforcement powers. Nevertheless, businesses may be relieved to learn that the Government considers that the current powers are “broadly fit for purpose”. Of most concern to them is likely to be a proposal for the ICO to be given a new power under which it will be able to commission an independently produced technical report to inform its investigations, with a view from a third party about aspects of a business’s activities. This is likened to the power of the Financial Conduct Authority to require a regulated business to commission a report from a skilled person, who is approved by the Authority, and to require the business to provide the report to the Authority. Although the consultation makes clear that any such power for the ICO would only be used in a small minority of cases, and that appropriate thresholds would be put in place, it is silent on the extent to which the business under investigation might be obliged to pay for the third-party technical report itself. This is one of the points that the Government is seeking views on.
The other matters that the Government is seeking views on are: whether there is a need to give the ICO a power to compel witnesses to attend an interview and to answer questions during the course of an investigation; a proposal to change the statutory deadline for the ICO to issue a final monetary penalty notice following a notice of intent from 6 months to 12 months; and a proposal to require the ICO to set out anticipated timelines for the phases of an investigation at the beginning of that investigation.
Biometrics Commissioner and Surveillance Camera Commissioner
Although there is no firm proposal, the Government is exploring the potential for further simplifying the oversight framework for the public sector by absorbing the functions of these commissioner roles into the ICO. There has already been some alignment in that both roles are now performed by a single person. Absorbing them into the ICO might therefore seem to be the logical next step. Indeed, one might ask why the roles were ever established separately in the first place. Nevertheless, there could be some risk if the absorption of these roles is not handled carefully. Neither the Biometrics Commissioner nor the Surveillance Camera Commissioner enjoys the level of independence from Government that is expected of the ICO. They are both appointed by the Home Secretary, have their staff provided by the Home Office and report to the Home Secretary rather than to Parliament. If their functions are to be absorbed by the ICO, it will be important that this is not done in a way that compromises the ICO’s independence or diverts the ICO from its primary function of promoting and enforcing compliance with data protection law.