Planning

Regulating after the GDPR: Proposed changes to the role of the ICO

In Sept 2021 the UK Department for Digital, Culture, Media and Sport (DCMS) announced proposals to reform UK data protection legislation. The key changes are focused on making data protection compliance more streamlined and reducing burdens on organisations. However, it also includes proposed changes to the role of the Information Commissioner’s Office (ICO) and its authority. In this article, we consider the main aspects of the proposed changes to the role of the ICO as part of the new proposed regime and the current Information Commissioner’s response to those changes.

Critiques of the Information Commissioner’s Office

While the ICO has a strong reputation among Data Protection Supervisory Authorities, some UK government representatives have been critical of its role. Previous reporting on the role of the ICO has indicated that DCMS representatives, such as Deputy Director for Data Strategy Implementation and Evidence, feel that data protection rules need to be “rebalanced” to “unlock the power of data” and make the UK more competitive. The Secretary of State for DCMS had also indicated that reform of the UK data protection regime would take into account that “the ICO kind of hovers and you don’t know if you have done something wrong until after you’ve done it”. He mentioned that the ICO may be required undertake economic impact assessments to “ensure ‘it understands what the cost is on the business’ before introducing new guidance”. The DCMS announced that its consultation on the proposed changes to data protection law would include the Information Commissioner’s role so that the new post-holder “will be empowered to go beyond the regulator’s traditional role of focusing only on protecting data rights, with a clear mandate to take a balanced approach that promotes further innovation and economic growth”.

However, a cross-party group of MPs has criticised the Government for seeking to recruit a new Information Commissioner “who will work to remove protections within current laws […] and rather than guarantee the rights of individuals, will seek to “balance” rights against concerns such as “regulatory certainty” and economic growth.”

The proposed changes

The changes proposed in the DCMS consultation document include the introduction of:

  • a statutory framework setting out the ICO’s strategic objectives;
  • powers for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform the ICO’s regulatory priorities, initiate an independent review of the ICO, approve the ICO’s codes of practice and complex or novel guidance, and require the ICO to set up an expert panel when developing the same; and
  • powers for the ICO to commission an independent report about an organisation’s activities and compel witnesses to interview in the course of an investigation.

The DCMS further proposed that the ICO should have duties and/or objectives to:

  • have an independent board and Chief Executive Officer;
  • absorb the functions of the Biometrics and Surveillance Camera Commissioners;
  • publish its key strategies and processes, and internal KPIs;
  • encourage trustworthy and responsible data use, as well as upholding data rights:
  • have regard for competition, economic growth, innovation and public safety;
  • undertake and publish impact assessments, as well as conduct consultation, when developing codes of practice, and complex or novel guidance; and
  • cooperate and consult with other regulators.

In respect of complaint handling and/or investigations, the DCMS also proposed to introduce and/or require:

  • each organisation to have a complaints process, the complainant to attempt to resolve their complaint with the organisation before lodging it with the ICO (although this is already the ICO’s preferred complaint handling process) and criteria by which the ICO can decide not to investigate;
  • the ICO to set out anticipated timelines for the phases of its investigation to the subject organisation(s) at the outset; and
  • a deadline increased from 6 to 12 months for the ICO to issue a final penalty notice following a Notice of Intent and a new “stop-the-clock” mechanism, for organisation(s) to respond and the ICO to account for the evidence.

The ICO’s response

While some of these changes have been welcomed by the ICO in its response, the Authority also included strong concern around some key issues. Specifically, the ICO broadly supports the initiative to ensure that the ICO’s powers are effective and the introduction of “a more commonly used regulatory governance model for the ICO” that includes a Chair and a CEO. However, the response also included concerns around the independence of the ICO under the current proposed changes. Specifically, the ICO points out that its role is to regulate both the private sector and the public sector. As such, it asserts that it is essential that the independence of the ICO is maintained within the proposed changes. For example, with respect to the appointment of a CEO by the Ministers, the ICO points out that this would “give the ICO a constitution less independent from government […] despite our role in overseeing the public sector and government”. The ICO also points out that the “current proposal for the Secretary of State to approve ICO guidance […does] not sufficiently safeguard” the independence of the regulator.

Our advisors will be analysing the proposed changes as they are released by the UK Government as well as any responses that may influence the final outcome. If you need assistance navigating any of these changes, Trilateral Research’s Data Protection and Cyber-risk team would be happy to help. Contact us for more information.

Sanjay Patel

Sanjay Patel is Data Protection Advisor at Trilateral Research.

Rachel Finn

Rachel Finn is Senior Practice Manager at Trilateral Research.

Sign up for our newsletter

Join our mailing lists to receive updates about our latest research and to hear about our free public events and exhibitions.  If you would like to find out more about how we manage your personal information please see our privacy policy.