No 1: The Information Commissioner's Office
- The Information Commissioner has wide-ranging functions and powers. They are not always parameterised clearly in the relevant legislation. The Information Commissioner’s reporting shows little evidence that objectives are being met, or even measured. The Parliamentary Committee responsible has not performed its scrutiny function of the Information Commissioner’s Office (ICO) well and a forum appears to be lacking for detailed examination of its actions at a technical and legal level.
- In practice the current data protection regime is not working as had been foreseen by the European Commission in its impact assessment for the General Data Protection Regulation. The costs to businesses have been much greater than expected and there appear to have been negative effects on competition and investment. Many businesses are not fully compliant and some believe full compliance is not possible, suggesting that the Information Commissioner is not succeeding in its functions of promoting public awareness and understanding, and monitoring and enforcing compliance.
- There is insufficient oversight and review of fines and enforcement actions taken by the Information Commissioner. Challenging a decision is costly, there are serious procedural defects and imbalances, and the fines that can be levied are out of all proportion to the harm or loss caused.
- The Information Commissioner can issue guidance that is of uncertain legal effect but has serious consequences – and does so without producing impact assessments. This has negative consequences for the rule of law and accountability.
- The ICO is well regarded internationally and by business organisations for its role in data protection law and policy, but there are reforms that could usefully be made to improve its accountability and effectiveness, while maintaining its independence.