Information overload? The future of the ICO

In this article, Emily Carter considers how the Information Commissioner’s Office is changing in response to new strategic direction and legislative reform.

New commissioner, and new strategic chapter

John Edwards, the new Information Commissioner, has his work cut out for him. The remit of the Information Commissioner’s Office (ICO) is vast. It regulates the processing of personal data by every organisation in the UK, of all sizes and sectors, as well as organisations internationally which fall within the territorial jurisdiction of the UK GDPR. The ICO oversees the statutory disclosure of official data by public bodies under the Freedom of Information Act (FOIA), along with eight other pieces of legislation. Meanwhile, the ICO has obligations towards the millions of people who have specific rights under information legislation, whether in respect of protection of their personal data or access to official data.

After having conducted an extensive listening tour up and down the country, Edwards stated: “I want you to see an ICO that is agile and curious. We want to move fast and fix things. I want you to see an ICO that preserves people’s rights. And I want you to see an ICO that brings you certainty in an uncertain world.” These goals are reflected within the three-year strategic plan, ICO25 published for public consultation in July. With the Government’s data reform legislation introducing changes to both the ICO, and the laws it regulates, what can lawyers expect in the coming years?

A strong, but proportionate, regulator

The ICO has flexed its muscle over the last five years, targeting areas where it considers most harm is caused. It has not shied away from enforcement in response to significant data protection failings, with hefty fines issued to Clearview AI, British Airways and Marriott and, within the public sector, to the Cabinet Office. To bring it in line with similar regulators, the ICO will soon be granted the power to conduct compulsory investigation interviews. Even if it will not be necessary to exercise this power frequently, its existence will extend the ICO’s investigatory reach significantly.

The ICO has also been carefully monitoring the timeliness of responses by police forces to subject access requests. More recently, it has taken action with respect to the handling of FOIA requests by BEIS and DIT, which is one of its areas of renewed focus.

To date, a significant number of fines issued relate to breaches of the Privacy and Electronic Communication Regulations (PECR) relating to direct marketing, and nuisance calls continue to be a priority. The Data Reform Bill includes provision for the maximum limit for fines for breaches of PECR to increase from £500,000 to 4 per cent of global turnover or £17.5m.

The focus of the ICO’s regulatory action will not substantially shift, with continuing emphasis upon safeguarding the most vulnerable, especially children online as seen in its recent investigation of TikTok and discrimination in the use of AI and biometric technologies. Given the inherent difficulties of achieving principles-based compliance, consideration is also being given to offering more certainty to organisations engaged in novel forms of processing, by seeking approval from the ICO prior to processing rather than facing enforcement proceedings afterwards.

A swift regulator

The ICO deals with a vast volume of complaints and reports. In 2021-22, it received 36,343 data protection complaints, 6,361 FOIA complaints and 9,571 personal data breaches reports. In response to concerns about the time taken to resolve these complaints and reports, the Information Commissioner is committed to reducing the processing times for complaints and investigations. ICO25 includes measurable targets, which will be reported upon every quarter, including assessing and responding to 85 per cent of data protection complaints within 90 days and concluding 95 per cent of formal investigations within 12 months.

Further, new measures are expected requiring all organisations to have an internal data protection complaints system and enabling the ICO to refuse to consider any complaint where the internal channels have not been exhausted. It is intended for this to reduce the volume of data protection complaints to the ICO.

An independent regulator

The ICO’s independence is central to its role, not least given its role as regulator of public authorities and central government with respect to UK GDPR and FOIA. It is intended the new data reform package will include a number of significant changes to the ICO, including reform of its corporate governance structure. The ICO’s independence depends on it being able to set its own operational priorities and direction within the statutory framework. Concerns expressed by the Information Commissioner in the course of the recent data protection reform consultation have been addressed and the ICO will remain free from undue government interference.

An integrated regulator

As digital technology becomes more complex and wide-ranging, various regulatory spheres are overlapping. Along with the Competition and Markets Authority, the Financial Conduct Authority and Ofcom, the ICO is a member of the Digital Regulatory Cooperation Forum to ensure a co-ordinated response to current and emerging technology challenges such as AdTech and the online safety legislation. This direction of travel is formalised within the data reform bill which includes a new duty to consult with appropriate regulators.

The ICO also intends to widen the audience for its advice and guidance through sectorial regulators and trade associations. From the perspective of enforcement, it has signed Memoranda of Understanding with key UK government and regulatory bodies. As a ‘whole economy regulator,’ it is clear the Information Commissioner believes the ICO’s objectives are best achieved by embedding it within a broader regulatory network.

A global regulator

Data is not solely processed within national borders and therefore data protection authorities need tools to enforce data protection principles across borders. The Information Commissioner has played an important role in data privacy internationally, chairing the Global Privacy Assembly and participating in the OECD and Council for Europe. Mr Edwards is focussed upon harmonising systems for international data transfers, including working bilaterally with EU regulators to form memoranda of understanding. Such agreements are already in place with Australia, New Zealand, the Philippines and Singapore. The Information Commissioner has specific duties to develop international co-operation mechanisms to facilitate the effective enforcement of data protection legislation, and provide international mutual assistance in the enforcement of legislation. The ICO’s challenging experience with respect to Clearview AI demonstrates the importance of developing international enforcement agreements and mechanisms.

A knowledgeable and creative regulator

When appointed, the Information Commissioner stated: “I intend to work with stakeholders to demonstrate the Data Protection Act and UK GDPR are not impediments to innovation, growth and the use of data to add value; on the contrary, they are enabling statutes”. Or put more simply, the ICO25 states the ICO takes pride in showing it can be “how to, rather than don’t do.” This is in line with the Government’s Data Strategy and the proposed new duties to have regard to the desirability of promoting innovation and competition in carrying out its functions.

The ICO has invested heavily in technical expertise, in the hope of staying ahead of the technological curve and assisting those on the steeper slopes of that curve to be compliant, including within the field of machine learning and AI. The ICO’s Regulatory Sandbox was introduced in March 2019 to support organisations which use personal data in innovative and safe ways, for example, NHS Digital setting up a covid vaccine trial registry. The ICO is intending to broaden its Innovation Hub which supports the integration of privacy within innovation. However, technical expertise is in short supply within a rapidly expanding industry, and the Information Commissioner recognises the challenges attracting and retaining this expertise.

A bigger regulator

Given the expanding regulatory remit and responsibilities, alongside rapid technological development, one of the most significant challenges facing the ICO is ensuring it has the right resources available. The ICO’s data protection responsibilities are funded by the data protection registration fee. With more than one million data controllers on the register, this income has increased from £48m to £61m over the last three years. Over the same period, the headcount has increased from 768 to 891, with significant resource invested in complaints handling.

An overly ambitious regulator?

The demands upon the ICO will increase, both from those whose personal data is processed in increasingly complex and opaque ways, and from the government seeking to protect data subjects and facilitate a thriving and data-driven economy. Inevitably, these demands will conflict. However, the Information Commissioner clearly understands the challenges ahead. Although the overall strategic objectives are ambitious in scope, a targeted and proportionate approach to regulatory enforcement must be achievable. In an area in which change is the only constant, the biggest challenge for the Information Commissioner is to continue to listen and respond with agility.           

Emily Carter is a partner in the public law team at Kingsley Napley, specialising in information law, data rights and the application of data protection legislation: kingsleynapley.co.uk