The Information Commissioner’s Office (ICO), the UK’s data watchdog, has had a rough ride of late. The pandemic has disrupted the body’s work, with it announcing that it would take a more relaxed approach to enforcement during the coronavirus crisis. As a result, its newly published annual report notes that internal auditors gave the body a scoring of “adequate assurance” on its “risk management policies, procedures and practices”.
The report said this meant “there is generally a sound control framework in place, but there are significant issues of compliance or efficiency or some specific gaps in the control framework which need to be addressed. Adequate assurance indicates that despite this, there is no indication that risks are crystallising at present.”
The report attributed this mainly to the uncertainty due to Covid-19, which it says “has a direct impact on the ICO’s operations and priorities, and may well have a long-term impact on the ICO’s future operations and priorities, even after the UK and world returns to normal as the pandemic eases”.
It says that uncertainty also stems from the UK’s exit from the EU and the country “establishing its new international position”. “In the run up to the EU exit, the ICO has devoted significant resources to developing our bilateral relationships with other data protection authorities, both in the EU and beyond,” says the report.
The ICO has been under fire recently for its apparent lack of bite, with Wired UK saying that the body had given up entirely and was blaming coronavirus. It was reported in May that an external consultant had been called in to assess whether the body had the requisite powers to carry out its role effectively. The ICO was also critiqued for its role in the contact tracing app debacle. Information commissioner Elizabeth Denham attracted flak for equivocating on the ICO’s position with regards to the app, while asserting that the body was working as a “critical friend” to NHSX.
Perhaps it’s for these reasons that the annual report’s identifies “managing the ICO’s reputation” as one of the risks the body grappled with during the 2019/20 period.
During the period, the ICO handled 38,514 data protection complaints, closed 39,860 data protection cases and received 6,367 freedom of information complaint cases.
Two of the period’s largest GDPR fines – £99 million for Marriott and £183.4m for British Airways – are yet to be issued, and have been pushed back to August. Some expect that the fines could be reduced in light of the hotel and airline industry being hard hit by the pandemic.
However, Computer Weekly reports that according to statistics compiled by RPC, a City of London-based law firm, the average fine issued by the ICO has trebled from £73,645 in 2016/17 to £216,000 in the last year, even excluding the two largest fines.