Compliance unlikely

by | Dec 19, 2013 | Data Protection | 2 comments

The Information Commissioner has issued a consultation about the way it deals with complaints from the public under Data Protection. Like virtually everything that issues from Wilmslow, it is written in congealed corporatese, using lots of words to convey a very simple idea. The idea in this case is that the ICO wants to start ignoring more individual complaints, and concentrate on what it considers to be strategic priorities. The method they have chosen is to rebrand complaints from the public as ‘concerns’. Instead of automatically doing assessments of compliance, the ICO wants to log complaints and target the most recalcitrant organisations and the most persistently difficult issues.

Complainants who haven’t taken their problem to the Data Controller first can expect short shrift. Complainants whose DP problem is merely a peripheral part of a customer service problem may be ignored. The Commissioner’s objective is to log complaints and aim its enforcement powers against those who deserve it.

This is not an unreasonable aim. Many regulators – OFCOM, the old Financial Services Authority – don’t seek to resolve the cases of individual complainants but instead identify industry issues that need attention. This consultation is a sign that the ICO wants to be a regulator rather than an ombudsman. I worked at the ICO more than 10 years ago, but I’ve spoken to a lot of people who worked (and still work) there since I left, and many complain about the amount of time spent dealing with aggrieved individuals with no worthwhile outcome.

I don’t argue with this idea. My problem with the consultation is that the ICO is currently incapable of doing what it aspires to. Too many people working at the ICO have blinkers on – obsessed with data security incidents in the public sector to the exclusion of almost anything else. I’ve blogged incessantly (and my apologies, tediously) about Wilmslow’s lack of attention to fairness, accuracy, subject access, retention and a huge range of other important issues. Everyone except the ICO itself knows that they won’t take on the private sector, or anyone willing to put up a fight. Getting Google to sign an undertaking that they then breach is better satire of the ICO’s approach than I could think up.

Regulators should be feared. They should be respected but they should not be liked, and yet the ICO’s ingratiating attitude to Data Controller is exemplified by the fact that they have an entire department (Strategic Liaison) devoted to making friends with Data Controllers and keeping them on side. Indeed, even though the chief effect of the proposed changes in this consultation are aimed at complainants, the Commissioner is only interested in asking what the Data Controllers think about those changes.

There are other problems. The idea of logging complaints to make enforcement decisions is an attractive one until you remember that this is what the ICO claims it does with FOI. The Cabinet Office has been diligently ignoring an FOI request I made to them in September, and my complaint about this has been logged. The idea that there is a critical mass of such complaints that will make the ICO roll out the big guns is delusional. The ICO will not take on the Cabinet Office in a strategic way. They will not take on the banks. They will never take meaningful enforcement action against an organisation the big tech companies.

There are also problems with treating complaints as ‘concerns’. Nobody goes to the ICO thinking that they are joining a massive game of regulatory Tipping Point, contributing their problem to a greater whole with no expectation of getting satisfaction. The ICO has thick layers of management – team managers, group managers, department heads, Deputy Commissioners. I have never worked in or for a management-heavy organisation that could make agile, bold decisions because everyone is always looking over their shoulder. ICO managers I have encountered have been indecisive and risk averse, deferring to the loudest voice. The consultation document says “We will not engage in protracted correspondence once we have explained the position” but that requires grit. As a complainant and as a data protection officer, I have had decisions reversed simply by being more obnoxious and obstinate than the other side. I suspect that there are many in the ICO who will back down and try to placate angry complainants, rather than log their complaint and tell them to go away.

But to look at it from the complainant’s perspective, we see the biggest problem of all, one that the consultation even acknowledges. It says “We may make an assessment under section 42 of the DPA where we think this adds value or where the customer has asked us to do so.” The ICO doesn’t actually have a choice about whether to make assessments. They have actually tried this before – the old request for assessment form was changed to a ‘complaint form’ in a bid to do something very similar to what’s afoot here. Anyone remember something called the ‘Robust Approach’? The FOI side of the business had a process of ‘withdrawing’ complaints on behalf of applicants where a request hadn’t been answered until complainants pointed out that they didn’t have the power to do this.

Section 42 obliges the ICO to make assessments of Data Protection compliance. Telling complainants that what they’re doing is expressing concerns is patronising and it won’t work with precisely the most persistent complainants they’re probably trying to deal with.

This consultation is a mess. The ICO is telling complainants that their ‘concerns’ are no longer the priority, but if they start to adopt this approach, the spotlight will be even more on the action that they do take (or in practice, don’t). If they’re not there to represent the public – an argument which has some merit – but they retain their tendency to suck up to ‘stakeholders’ and collapse when faced with anything like opposition, they’ll be faced with a difficult question. What are they for?


This is my last blog of the year, and I will be disappearing from Twitter and the blog for a short while to enjoy a complete break from Data Protection, FOI and work in general. I will be back in the New Year with blogs about ACPO, Direct Marketing, the Police and the Badger cull, the Cabinet Office and no doubt the usual jibes at the ICO. Whether you view Christmas as a religious festival or – like me – a traditional holiday to drive out the dark and the cold, I hope you have the opportunity to relax, indulge and reflect. See you in 2014.