Leader: Data protection watchdog needs more bite

Several cases this week have once again put the role of the Information Commissioner's Office (ICO) into the spotlight, and raised the question of whether the UK's data protection watchdog is more toothless pussycat than dangerous Dobermann.

It's fair to say that the ICO has had its 'successes', such as the £1,200 fine and one-year conditional discharge given this week to a private detective in Croydon for unlawfully disclosing someone's bank account details.

If we want a body with real power to enforce data privacy laws against both small and large public and private institutions then maybe it's time for a rethink.

Let's not belittle these small local prosecutions but all too often it seems the ICO is unwilling - or perhaps unable - to take on the bigger, private sector institutions and the government itself.

After a reporter from a national tabloid newspaper exposed poor data security in an Indian call centre by obtaining the bank and credit card details of 1,000 UK bank customers, the ICO boldly warned that the banks using the centre could face action over a criminal breach of the Data Protection Act.

But more than six months later, the ICO has quietly revealed it is to take no action after its investigation found no evidence to support the claim that customers' personal details had been compromised. The Indian call centre's security procedures, the ICO concluded, are "robust".

Then we learn that the ICO has resolved less than half of the complaints made about public bodies failing to answer requests for information made under the Freedom of Information (FoI) Act. The FoI Act is already heavily weighted in favour of the government without having the ICO sit on a backlog of appeals over refused data requests.

Meanwhile, the ICO has gone silent on the government's controversial and highly contentious plans to introduce biometric national ID cards and a central national database of citizens' data - not that the watchdog would scare the Home Office, which has constructed the ID cards legislation so that it limits the ICO's powers of scrutiny and enforcement right from the start.

All of this raises the question: what is the real purpose of the ICO? If we want what is effectively nothing more than a small claims court for data protection disputes that's fine. But if we want a body with real power to enforce data privacy laws against both small and large public and private institutions then maybe it's time for a rethink.

The ICO does a lot of fine work and deals with an ever increasing amount of complaints and disputes - but the body is ultimately failing the public because it does not have sufficient powers or resources to tackle the big abusers of data protection laws.