
British data cops: We need greater powers and more money

You want data butt kicking, we need bigger boots - ICO

The UK's data privacy watchdog is lobbying for greater powers and funding after reporting a bumper workload.

The latest annual report from the Information Commissioner’s Office (ICO) (PDF) reveals that the bureau responded to a record number of data protection and freedom of information complaints in the year to April 2014.

The ICO handled 259,903 calls to its helpline and resolved 15,492 data protection complaints, a rise in both cases of over 10 per cent on the previous financial year. The ICO also dealt with 5,296 freedom of information complaints, a 12 per cent rise on FY 2012-13. In addition, the data privacy quango received 161,720 reports from people concerned about spam texts and nuisance calls.

Despite a higher workload, the ICO has seen a reduction in funding for its freedom of information-related work. Meanwhile proposed EU data protection reforms would remove the notification fee that funds the ICO’s work under the Data Protection Act.

Information Commissioner Christopher Graham said that the "troubled launch of care.data, Facebook’s research and the so-called Google 'right to be forgotten' ruling" show that "organisations' use of data is getting ever more complicated" and that the role of the independent data regulator is becoming even more important.

"Sometimes the state is itself the issue," Graham said in a statement. "When the Intelligence and Security Committee wanted to know how the Snowden revelations fitted with data protection law, it was the Information Commissioner they turned to."

Graham wants increased powers as well as a bigger budget, and some moves along these lines are already happening. For example, enforced subject access will become a criminal offence from December 2014. Enforced subject access is where individuals are forced by someone like a prospective employer to make a DPA subject access request and reveal the results to them, typically in relation to criminal conviction data. This data might include convictions considered "spent" under the Rehabilitation of Offenders Act.

Security vendors are somewhat split on whether the ICO should receive extra funding and greater powers. The ICO does not receive the cash from the fines it levies. While penalties totalling £1.97m were issued, the ICO only collected £872K thanks to a combination of early payment reductions, appeals and impairments – which it had to hand over to the Treasury's Consolidated Fund.

The ICO said its two main sources of income are the MoJ's grant in aid, which covers its FOI work, and the DP notification fee paid by organisations processing personal data in the UK, which covers its DP work.

One secure comms firm, ViaSat UK, argues the present system favours organisations with the money to make an early payment, or to mount an appeal – but with more resources, the ICO could make its cases more watertight.

Chris McIntosh, ViaSat chief exec, commented:

"With increased funding and powers, the ICO could not only make sure that penalties, financial or otherwise, match the severity of an offence. It could make its investigations even more thorough: reducing the chances of appeals and making sure that its eventual judgement is both fair and final.

“The ICO is already using its work over the past year to lobby for increased powers and funding and, quite frankly, it is right to do so. While doing the best with what it can, it is still handicapped by the fact that its resources, and the penalties available to it, are still not enough to deter many organisations," he added.

Another security vendor argued that changing data privacy practices more generally, rather than prosecuting those who fall foul of data protection rules, ought to be the ICO's main priority, while acknowledging that it needs the money and manpower to handle an expanded caseload.

Simon Eappariello of iboss network security commented:

"Funding isn’t the magic bullet that will fix the data privacy issue. Whilst funding will critically give the ICO the manpower to handle the ever-growing number of complaints, personal and industry attitudes towards data need to change."

"Right now, the British public’s personal data is being thrown into a shared leaking bucket," he added. ®
