In two high-profile speeches in July, Information Commissioner John Edwards made a bold claim, unlike any I’ve heard from previous Commissioners. He told the Data Protection Practitioners’ Conference: “I’ve challenged my team to save business at least £100 million across the next three years”, and the invite-only audience at the launch of his ICO25 strategy got the same line.
Edwards clearly wants to be a business-friendly regulator, and it’s plain from the changes planned in the Data Protection and Digital Information Bill that the re-constituted Information Commission will be tasked with supporting economic growth among other things. There are definitely ways in which the IC can support businesses while at the same time upholding lawful and positive data practices, so I’m fine with that. I just want to know where the £100 million is supposed to come from.
To achieve this objective (which isn’t mentioned in the ICO25 document itself), Edwards and his team have to find ways for UK organisations to achieve actual cost savings, money they’re spending now that won’t be spent in future. If these costs aren’t identified at the outset, it’s difficult to see how the success of this endeavour could ever be measured.
I sent ICO an FOI request asking for information about how the figure was calculated and where savings would be achieved. Because I suspect Edwards hopes at least some of the money will be saved by organisations using the ICO more and consultants and third parties less (especially given comments reported from the DPPC), I added a final question about whether the regulator planned to support the DP sector if its plans effectively undercut it. I’ve attached their full reply below, which includes my request quoted at the beginning.
The official answer is that the £100 million figure isn’t based on anything. To be clear, although the discussions that gave rise to it included the Commissioner as well as the Deputy Chief Executive Paul Arnold, people you’d think would want some evidence to rely on, the ICO holds no recorded information about how the figure was arrived at. There were no documents, no reports, no emails, no messages: not a sausage. Though this is very much not the impression that the ICO wants me to take away, it is their formal response to my request. I am entitled to take it at face value and say that there’s no concrete information behind the figure, and any discussions that involved devising the figure went unrecorded.
Interestingly, the response I received didn’t just contain that formal answer. Before they got to it, the ICO wanted to give me a long statement from Arnold which I would paraphrase as “we absolutely did not pull this figure out of our arse”. There’s nothing to stop a public body from adding unrecorded information to an FOI request, and to be fair, ICO is clear which part of the reply is the proper FOI answer and which isn’t (this tactic is often used to obscure the formal response entirely). Nevertheless, Arnold plainly wasn’t comfortable with the implications of the FOI answer.
He was however “happy and keen” to explain how this aspect of ICO25 “came together during a “series of live and real time discussions”. The “real time” distinction raises the possibility that some ICO meetings take place in Matrix-style bullet time, or more likely, in slow motion. Arnold claimed that the figure was “based on” economic impact assessments previously undertaken into aspects of the ICO’s work. He mentioned one in particular – a study into the impact of the Data Sharing Code which apparently claimed that it would save the economy £850 million.
There are two problems with this. The first is that an impact assessment into the Data Sharing Code is available on the ICO website, and there is no mention of an £850 million saving anywhere, despite the document containing an economic impact assessment that sounds remarkably like what Arnold was citing. Perhaps there is another, separate economic impact assessment about the same code that does contain that figure, because otherwise I have no idea where Arnold got it from or how relevant it is.
The other problem is that if Edwards, Arnold and the team did consider existing documents when working up the figure, the information in those documents contain should have been provided to me in response to my request. At best, the ICO’s response to my FOI request was therefore inadequate and they should acknowledge that when responding to my internal review request (tick tock, friends).
There is another possibility: the £100 million claim is an eye-catching but empty flourish designed to add some pizzazz to the public launch of Edwards’ first big move. It isn’t based on anything; the Commissioner was bandying around a multi-million-pound aspiration without anything solid to back it up. Aware that this looks bad when you come to mention it, Arnold tried to apply some flannel but inadvertently created another problem in the process. His statement contradicts the formal FOI response.
I don’t know which explanation is correct. I’m prepared to believe that the figure is based on more than just a finger in the wind, but if that’s the case, it means that the FOI regulator (except Scotland) is once again incapable of competently answering their own FOI requests. This despite the response being delivered with involvement of the FOI team and one of the organisation’s most senior, highest paid and long-serving officers. I’m equally open to the idea that the figure is based on nothing and Edwards is just winging it until he works out why he’s here.
Nobody makes them act like this and it’s a feature, not a bug. A few months ago, the ICO published an opinion – plainly generated by many complaints from the public – about the way in which the DVLA deals with disclosure requests from parking companies. It was an issue important enough for the regulator to issue a formal opinion, and yet if the Guardian hadn’t mentioned it in an article, nobody would know it existed. The ICO didn’t issue a press release, didn’t highlight it on the website, and didn’t even tweet about it. When I made an FOI request about this, they said: “A decision was made not to publicise the Commissioner’s opinion, but this was not recorded.”
In the absence of a better explanation, I suspect they buried it because they weren’t going to do anything and thought they’d get flak from complainants who found out. The fact that an organisation that can make formal practice recommendations about other people’s information management practices can operate in this opaque, unaccountable way should get more attention.
A lot of people in the DP sector are concerned / paranoid about the government’s plans to reform the ICO’s status. The Commissioner’s role will be abolished, and the ‘ICO’ will be replaced with a Commission run by an independent board. There is a risk that the powers given to the DCMS Secretary of State in this reform will leave the new Commission at risk of political interference. I am still in favour of this change, even if the chaotic current incumbent keeps her job when Boris Johnson is replaced. The IC role is an unaccountable fiefdom, subject almost exclusively to the whims of the office holder. I think poorly evidenced decisions are a symptom of this arrangement. An independent board is an opportunity for an overhaul.
In the meantime, I will wait to see whether the ICO unravels the mess of their response to my request, and I will read any claim Edwards makes from now on with even more scepticism than I did before. I advise you to do the same.