By silicon.com, 13 January 2006 16:25
Several cases this week have once again put the role of the Information Commissioner's Office (ICO) into the spotlight, and raised the question of whether the UK's data protection watchdog is more toothless pussycat than dangerous Dobermann.
It's fair to say that the ICO has had its 'successes', such as the £1,200 fine and one-year conditional discharge given this week to a private detective in Croydon for unlawfully disclosing someone's bank account details.
Let's not belittle these small local prosecutions but all too often it seems the ICO is unwilling - or perhaps unable - to take on the bigger, private sector institutions and the government itself.
After a reporter from a national tabloid newspaper exposed poor data security in an Indian call centre by obtaining the bank and credit card details of 1,000 UK bank customers, the ICO boldly warned that the banks using the centre could face action over a criminal breach of the Data Protection Act.
But more than six months later, the ICO has quietly revealed it is to take no action after its investigation found no evidence to support the claim that customers' personal details had been compromised. The Indian call centre's security procedures, the ICO concluded, are "robust".Then we learn that the ICO has resolved less than half of the complaints made about public bodies failing to answer requests for information made under the Freedom of Information (FoI) Act. The FoI Act is already heavily weighted in favour of the government without having the ICO sit on a backlog of appeals over refused data requests.
Meanwhile, the ICO has gone silent on the government's controversial and highly contentious plans to introduce biometric national ID cards and a central national database of citizens' data - not that the watchdog would scare the Home Office, which has constructed the ID cards legislation so that it limits the ICO's powers of scrutiny and enforcement right from the start.
All of this raises the question: what is the real purpose of the ICO? If we want what is effectively nothing more than a small claims court for data protection disputes that's fine. But if we want a body with real power to enforce data privacy laws against both small and large public and private institutions then maybe it's time for a rethink.
The ICO does a lot of fine work and deals with an ever increasing amount of complaints and disputes - but the body is ultimately failing the public because it does not have sufficient powers or resources to tackle the big abusers of data protection laws.
Comments
There is 1 comment. Join the discussion
1. James Button
Is the ICO realy supposed to protect the public from organisations passing out personal information?
Or is it there to stop the public taking effective action against organisations sharing, or publishing personal information they are holding, having 'persuaded' or or even demanded and legally required the the members of the public to supply that personal information.
I thought that those holding such information were to be required under thread of prosecution by the ICO to:
Ensure that any personal information held, and any information linked to such personal information was limited to that required to undertake the process for which the personal information was obtained.
Was accurate
Was held and maintained in a secure manner
Was not disclosed to any person, or organisation not enforceably agreeing to maintain that date within, and under the same constraints and requirements.
So - why only prosecute the Private detective, and not the organisation, individuals and their management that passed that information to him.
It was their acts that allowed that information to enter the public domain,
because - if they hadn't told the 'PI' then he couldn't have passed the data to anyone else - including a Solicitor.
And.. that leads on to
Why was the Solicitor not prosecuted, or even disciplined by the ICO, or their professional standards organisation?