Category Archives: Information Commissioner

ICO fails at FOI

I won’t rehearse the points I made in previous posts. Enough to say this – the Information Commissioner’s Office (ICO), in addition to being tasked with regulating Freedom of Information (FOI) law, must also comply with it, and anecdotal evidence suggested a long-standing failure to do so adequately (prior to, as well as during the COVID pandemic). That being the case – to whom should other public authorities look for exemplary guidance? Or put even more shortly – why should public authorities bother with compliance?

I now have some statistics.

I asked the ICO, under FOI, how many FOI cases it had failed to respond to within three months of their receipt (bear in mind that one month is the statutory limit). They have now told me that in 92 cases in the past year they have failed to respond to an FOI request within three months. Some cases are still open – in one, they have failed to reply to a request for 951 days and counting (I don’t know, and am almost beyond caring, whether these are calendar days or working days – it barely matters any more), and five cases are over a year old and still unanswered.

As I said previously, the ICO says that FOI enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as “the severity and/or repetition of the breach; whether there is evidence that obligations are being…persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set”.

A clearer case for (self-)enforcement action could scarcely be imagined.

Outgoing Commissioner Elizabeth Denham is handing her successor John Edwards a severe problem, both in terms of compliance but also – crucially – in terms of reputation of the office.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, rule of law

“Access delayed is access denied” – ICO’s terrible FOI compliance

Statistics show that the ICO is regularly delayed – sometimes very severely so – when responding to FOIA requests made to it. Is there a need for a review of the ICO’s own compliance?

The Information Commissioner’s Office (ICO) is tasked with regulating and enforcing the Freedom of Information Act 2000 (FOIA). The ICO is also – perhaps unusually for a regulator – subject to the law it regulates (it is a public authority, listed in Schedule One to FOIA). This means that – sometimes – the ICO must investigate its own compliance with FOIA. It also means that its own compliance with FOIA, and the seriousness with which it treats its own compliance, is bound to be viewed by other public authorities as an example.

FOIA is, let us not forget, of profound democratic importance. The right to receive information is one of the components of Article 10 of the European Convention on Human Rights. Information Commissioner Elizabeth Denham has previously said

openness of information, through FOI laws and other instruments, is vitally-important not only for government accountability in the moment, but also for the long-term health of our democracy… since information is power, the right to information goes to the heart of a democracy’s healthy functioning.

FOIA lays down timescales for complying with a request for information. The core one says that information must in general be provided within twenty working days. In that same speech Ms Denham referred to timeliness (“It is rightly said that access delayed is access denied”) and the benefits of publicising delays by authorities:

Reporting publicly on timeliness has proved to be a powerful tool for improving timely disclosure of information. And public authorities have used their poor grades to push successfully for more resources where the demand has outstripped supply.

Indeed, she has previously taken government departments to task for their FOIA delays

I think that central government though has got away with – I’m not going to say murder – I think they’ve got away with behaviour that needs to be adjusted…I know which organisations we need to focus on…

The ICO certainly has enforcement powers, and a policy which informs it when action is appropriate. The Freedom of information regulatory action policy (which doesn’t appear to have been updated since 2012) says that enforcement may be appropriate where there are “repeated or significant failures to meet the time for compliance” and that, when deciding to take enforcement action, the ICO will take into account such factors as

the severity and / or repetition of the breach; whether there is evidence that obligations are being deliberately or persistently ignored; whether there would be an educative or deterrent affect; whether it would help clarify or test an issue; and whether an example needs to be created or a precedent set.

With all of this in mind, one organisation the ICO apparently needs to focus on is itself.

Regrettably, and rather oddly, the ICO doesn’t publish figures on its own FOI compliance, except at a very high level, and combined with other types of access requests, in its annual report). This is despite the fact that the Code of Practice issued under section 45 of FOIA, observance of which the ICO is specifically tasked with promoting, says that public authorities with more than 100 members of staff should published detailed statistics on compliance.

However, what evidence there is indicates a repeated, and serious, failure by the ICO to comply with the timescales it is supposed to enforce on others. Of the formal decision notices issued by the ICO against itself, in 2020 and 2021, 50% (10 out of 20) found a failure to comply with the statutory timescale (and two further ones appear – from an analysis of the notices – to have involved delay, without resulting in a specific finding of such). And it is worth noting that these are formal decisions where requesters have asked for formal notices to be issued – it is almost inevitable that there will be similar delays in a significant proportion of those requests which don’t make it to a formal decision.

Indeed, analysis of recent requests to the ICO made on the request website WhatDoTheyKnowsimilarly shows delays in approximately half the requests. But even worse, many of those delays are of an extraordinary length. In two cases, requests made in February 2021 have only been responded to in November – delays of ninemonths, and in other cases there are delays of six, four and two months.

COVID has – no doubt – affected the ICO, as it has affected all organisations. But if the ICO needs extra resource to comply with FOIA, it has certainly not indicated that. Its published approach to regulatory compliance during the pandemic (not updated since June this year) says that where public authorities have backlogs, the ICO expects them to “establish recovery plans focused on bringing the organisation back within compliance with the Freedom of Information Act within a reasonable timeframe”. In the accompanying blogpost the Deputy Commissioner said that

we have seen more and more organisations adjusting to the circumstances, and returning to offering the transparency…our [own] recovery plan has had a positive impact in removing and reducing backlogs

If that is the case it is hard to know why the WhatDoTheyKnow examples (and one’s own experiences) show precisely the opposite picture.

What is also of concern – though this is an issue for policy-makers and Parliament – is that there is nothing that an individual can do when faced with delays like this, except complain – once more to the ICO. FOIA expressly does not permit individuals to take civil action against public authorities for failure to comply – the only recourse is through the ICO as regulator. Short of bringing judicial review proceedings, citizens must just suck it up.

In 2016 the Independent Commission on Freedom of Information said that FOIA was “generally working well”, but that it “would like to see a significant reduction in the delays in the process”. In 2016, that was not addressed at the ICO, but now it most certainly could be. That Independent Commission has long been dissolved. Meanwhile, the Public Administration and Constitutional Affairs Committee is conducting an inquiry into the Cabinet Office’s FOI handling. 

But, maybe, there actually needs to be some Parliamentary oversight of the ICO’s own FOI compliance.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, human rights, Information Commissioner, rule of law, transparency

What John Edwards will inherit

The new Information Commissioner will have a lot on his plate. I’m going to focus very briefly on what is, objectively, a very small matter but which, to me, illustrates much about priorities within the ICO.

On 29 July I happened to notice an Information Tribunal decision which I thought was slightly odd, in that apparently both the Tribunal, and the Commissioner beforehand, had dealt with it under the Freedom of Information Act 2000 rather than the Environmental Information Regulations 2004, despite the subject matter (a tree inspection report) appearing to fall squarely under the latter’s ambit.

However, the decision notice appealed (referred to as FS5081345 in the Tribunal judgment), does not appear on the ICO’s searchable online database (in fact, no decisions relating to the public authority – the mighty Great Wyrley Parish Council – are listed). It’s unusual but certainly not unheard of for decision notices not to get uploaded (either by overlook, or – occasionally – for other, legal reasons) but in the past when I’ve asked for one of these, informally, it’s been provided by return.

So I used the ICO’s online Chat function to ask for a copy of the decision notice. However, I was told I had to submit a request in writing (of course I’d already done so – the Chat function is in writing, after all, but let’s not quibble). I said I was concerned that what was a simple request would get sucked up into the ICO’s own FOI processes, but the person on the Chat thought I would get a response within a couple of days.

Those who’ve stayed this far into the blogpost will be unsurprised to hear what happened next – my simple request got sucked into the ICO’s own FOI processes, and more than seven weeks on (more than three weeks beyond the statutory timescale for responding) I have still had no response, and no indication of why not, other than the pressure the FOI team is under.

And that last point is key: if the ICO’s own FOI caseworkers are under such pressure that they cannot deal with a very simple request within the legal timescale, nor update me in any meaningful way as to why, something has surely gone wrong.

At a recent NADPO webinar Dr Neil Bhatia spoke about his own difficulties with getting information out of the ICO through FOI. He (and I) were challenged by one of the other speakers on why we didn’t more regularly take formal action to force the issue. It was a fair point, and prompted me yesterday to ask the ICO for a formal decision under section 50 of the FOI Act (which means the ICO will have to issue an FOI decision notice on whether the ICO handled an FOI request for an FOI request in accordance with the law – and that sentence itself illustrates the ridiculousness of the situation).

This isn’t the only FOI request I have that the ICO is late responding to. I have one going back to May this year and another to June (albeit on rather more complex subjects). And I know that I and Dr Bhatia are not alone.

All the fine talk from the current Commissioner about forging international data protection accords, and encouraging “data driven innovation” can’t prevent a perception that her office seems increasingly to have left FOI regulation (and in some cases its own FOI compliance) behind. The right to access information is (part of) a fundamental right (just as is the right to data protection). If the ICO doesn’t want the role, is it time for a separate FOI Commissioner?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, rule of law

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

ICO ignores its own FOI investigators

In the past I recall a few cases where the Information Commissioner’s Office (ICO) had to adjudicate on its own compliance with the Freedom of Information Act 2000 (FOIA). As a public authority, the ICO must comply with FOIA in the same way that all other public authorities must (fundamentally, by responding to a request within twenty working days). In a few cases, the ICO’s investigation of itself would even be slightly critical (along the lines of “you could have handled this a bit better”). But I have never, until now, seen a case like this one.

Extraordinarily, here we have a decision in which we see the ICO (as “the Commissioner”) berating itself (as “the ICO”) for…failing to reply to its own investigators. The notice gives the details:

On 18 May 2021, the complainant wrote to the ICO…and requested information…

The ICO acknowledged the request for information on 19 May 2021…

To date, a substantive response has not been issued…

The complainant contacted the Commissioner on 19 June 2021 to complain about the failure by the ICO to respond to his request…

On 5 July 2021, the Commissioner wrote to the ICO, reminding it of its responsibilities and asking it to provide a substantive response to the complainant within 10 working days…

Despite this intervention the ICO has failed to respond to the complainant.

As the notice says (indeed, as all such notices say), failure to comply may now result in the ICO making written certification of this fact to the High Court pursuant to section 54 of the Act and may be dealt with as a contempt of court. How on earth would this work though? As a matter of law, could a regulator certify its own non-compliance to the High Court in this way?

What a bizarre situation.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner

Journalist has to seek pro bono support to enforce subject access request

My firm Mishcon de Reya is acting for John Pring, stalwart editor of Disability News Service, who has been seeking access to his personal data from DWP for more than a year. The ICO upheld his complaint but (see this blog, passim) said it wouldn’t take steps to require DWP to comply.

More here, and here.

As a result of the latest letter, and media coverage, ICO has said it is reopening the case.

Leave a comment

Filed under access to information, DWP, GDPR, human rights, Information Commissioner, subject access, UK GDPR

ICO not compliant with post-Schrems II data protection law?

In which I finally receive a reply to my complaint about ICO’s Facebook page.

The issue of the transfer of personal data to the US has been the subject of much debate and much litigation. In 2015 the Court of Justice of the European Union (CJEU) struck down one of the then key legal mechanisms (“Safe Harbor”) for doing so. And in 2020 the CJEU did so with its successor, “Privacy Shield”. Both cases were initiated by complaints by lawyer and activist Max Schrems, and focused on the transfer of data from the EU to the US by Facebook.

Put simply, European data protection law, in the form of the GDPR and (as we must now talk about the UK in separate terms) UK data protection law, in the form of UKGDPR, outlaw the transfer of personal data to the US (or any other third country), unless the level of protection the data would receive in the EU, or the UK, is “not undermined” (see Chapter V of and recital 101 of GDPR/UKGDPR).

In “Schrems II” – the 2020 case – the CJEU not only struck down Privacy Shield – it effectively also laid down rules which needed to be followed if the alternative mechanisms, for instance using “standard contractual clauses” were to be used for transfers of personal data. Following the judgment, the European Data Protection Board (EDPB) issued guidance in the form of FAQs, which recommended an “assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place”. The EDPB guidance was subsequently endorsed by the UK’s own Information Commissioner’s Office (ICO)

The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere

What struck me as odd in all this is that the ICO themselves have a Facebook page. Given that Facebook’s own data governance arrangements involve the transfer of EU and UK users’ data to the US, and given that ICO don’t just operate their page as a newsletter, but actively encourage users to comment and interact on their page, it seemed to me that ICO were enabling the transfer of personal data by Facebook to the US. But even further than that, another CJEU judgment has previously made clear that operators of corporate Facebook pages may well function as a controller under the GDPR/UKGDPR, where they set parameters on the page. The Wirtschaftsakademie case held that – in the case of someone operating a “fan page”

While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.

By extension, it seemed to me, the ICO were in this position with their page.

So I put the point to them. After four months, and some chasing, I received a reply which not only confirmed my understanding that they are, and accept that they are, a controller, but that, nearly a year on from the Schrems II decision, they have not finished reviewing their position and have not updated their privacy notice to reflect their controller status in respect of their Facebook processing. (They also say that their legal basis for processing is “Article 6 (1) (e) of UK GDPR, public task” because “as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms”, but I’d observe that they fail to give any attention to the proportionality test that reliance on this condition requires, and fail to point to the justification in domestic law, as required by Article 6.)

What the ICO response doesn’t do is actually respond to me as a data subject in respect of my complaint nor explain how they are complying with the international data transfer provisions of Chapter V of the GDPR/UKGDPR, and whether they have conducted any sort of transfer impact assessment (one presumes not).

As I said in my original complaint to ICO, I am aware that I might be seen as being mischievous, and I’m also aware I might be seen as having walked ICO into a trap. Maybe I am, and maybe I have, but there’s also a very serious point to be made. The cost to UK business of the Schrems II decision has been enormous, in terms of the legal advice sought, the internal governance reviews and risk assessments undertaken, and the negotiating or novation of contracts. At the same time the business and legal uncertainty is significant, with many wondering about their exposure to legal claims but also (and especially) to regulatory enforcement. If, though, the regulator is not complying with the relevant law, ten months on from the judgment (and five months on from my raising it with them as a concern) then what are controllers meant to do? And where do they turn to for guidance on the regulatory approach?

THE ICO RESPONSE

Firstly, it may be helpful to explain that following the findings of the CJEU in Wirtschaftsakademie, we started a review of the transparency information we provide to visitors of the page. The review was delayed when Schrems11 decision was issued as we needed to consider the impact of the judgement on any transfer element to the US.

We agree that as the Facebook page administrator, we are processing personal data of the visitors of our page and therefore we are controllers for this information. We process the names of the users as they appear on their Facebook profiles and any personal data they may share through their comments on our posts or via messages to us. We process this information in reliance on Article 6 (1) (e) of UK GDPR, public task. We consider that, as a regulator we have a responsibility to promote good practice and engage with the public at large about data protection issues via commonly used platforms.

For the cookies and similar technologies, Facebook is responsible for setting the cookies, when you visit our Facebook page.

We also receive anonymous information from Facebook in the form of aggregate statistics of all those who visit our page, regardless of whether they have a Facebook account or not. In line with the findings of the CJEU in Wirtschaftsakademie we are joint controllers with Facebook for this information. We process this information under Article 6 (1) (e) as well. The Insights include information on page viewings, likes, sharing of posts, age range, the device used and how it was accessed and breakdown of demographics. All Insights are received from Facebook by the ICO in aggregate format. Our PN will updated shortly to reflect the above information.

Like other regulators, the ICO is currently reviewing its position on international transfers following the judgment in Schrems II. As part of that review, it will, amongst other things, consider the questions that you have raised about the ICO’s use of Facebook. The ICO intends to publish its guidance on how UK organisations should address the question of international transfers, in due course, and will act in accordance with its guidance. That work is still in progress, and it will be published in due course.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, data sharing, EDPB, facebook, GDPR, Information Commissioner, international transfers, privacy notice, privacy shield, safe harbor, Schrems II, UK GDPR

You what?

Twice in recent months the outgoing Information Commissioner, Elizabeth Denham, has given speeches including these words

Data protection law was born in the 1970s out of a concern that the potential from emerging technology would be lost if we didn’t embrace innovation.

I don’t know what she means. Does anyone else?

Studies I’m aware of more generally see data protection law arising, from the 1960s through to the early 1980s, out of a combination of: increasing awareness of and focus on fundamental human rights; an understanding that use of computers would cause an exponential increase in the ability to process information; a desire that concerns about the preceding two should not lead to unnecessary barriers to international trade.

(See, for example, the UK 1972 Report of the Committee on Privacy, chaired by Kenneth Younger, and the UK 1978 Report of the Committee on Data Protection chaired by Sir Norman Lindop. See, especially, the 1980 OECD Guidelines and the 1981 Council of Europe Convention 108.)

Whatever Ms Denham’s words mean, they miss the foundational status of human rights in modern data protection law. And that is a glaring omission. Article 1 of the UKGDPR is clear – data protection law now, as it always has

protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data

There’s nothing wrong with embracing innovation (I do it myself). But let’s not misstate history.

Leave a comment

Filed under Data Protection, GDPR, human rights, Information Commissioner, UK GDPR

Search and (don’t) destroy

Martin Lewis’s Money Saving Expert (MSE) site reports that over £1m is apparently held by Highways England (HE) in respect of Dartford Crossing pre-paid online accounts (Freedom of Information requests were apparently used to establish the amount). It is of course by no means uncommon for money to lie dormant in money accounts – for instance, banks across the world hold fantastic sums which never get claimed. MSE itself suggests elsewhere that the total amount in the UK alone might be around £15bn – but what these FOI requests to HE also revealed is an approach to retention of personal data which may not comply with HE’s legal obligations.

People appear to have received penalty charges after assuming that their pre-paid accounts – in credit when they were last used – would still cover the crossing charge (even where the drivers had been informed that their accounts had been closed for lack of use). MSE reports the case of Richard Riley, who

had been notified by email that his account would be closed, but he’d wrongly assumed it would be reactivated when he next made the crossing (this is only the case if you cross again within 90 days of being notified). On looking into it further, Richard also realised he had £16 in his closed account

However, HE apparently explained to MSE that

…it’s unable to reopen automatically closed accounts or automatically refund account-holders because it has to delete personal data to comply with data protection rules.

This cannot be right. Firstly, as the MSE article goes on to explain, if someone suspects or discovers that they have credit in a closed Dartford Crossing account, they can telephone HE and “any money will be paid back to the debit or credit card which was linked to the account. If this isn’t possible, a refund will be issued by cheque.”

So HE must retain some personal data which enables them to confirm whose money it is that they hold. But if it is true that HE feels that data protection law requires them to delete personal data which would otherwise enable them to refund account-holders when accounts are closed, then I fear that they are misreading two of the key principles of that law.

Article 5(1)(e) of the UK GDPR (the “storage limitation principle”) requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (emphasis added), and Article 5(1)(c) ( the “data minimisation principle”) requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (emphasis added). Both of these make clear that where personal data is still needed for the purposes for which it is processed, then it can (and should) be retained. And when one adds the point, under Article 5(1)(c), that personal data should also be “adequate” for the purposes for which it is processed, it becomes evident that unnecessary deletion of personal data which causes a detriment or damage to the data subject can in itself be an infringement.

This matter is, of course, on a much lower level of seriousness than, for instance, the unnecessary destruction of landing cards of members of the Windrush Generation, or recordings of witnesses in the Ireland Mother and Baby Homes enquiry, but it strikes me that it is – in general – a subject that is crying out for guidance (and where necessary enforcement) by the Information Commissioner. Too many people feel, it seems, that “data protection” means they have to delete, or erase or destroy personal data.

Sometimes, that is the worst thing to do.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, adequacy, Data Protection, Information Commissioner, Let's Blame Data Protection, UK GDPR

You don’t “register” with the ICO

“Data protection public register…find organisations and people registered with the ICO under the Data Protection Act”, says the Information Commissioner’s Office (ICO) website. Which is funny, because you can’t register with the ICO under the Data Protection Act.

Under the now-repealed 1995 European Data Protection Directive, given domestic effect in the UK by the now-repealed Data Protection Act 1998 (DPA98), all data controllers had to notify with their version of the ICO (unless they were exempt from doing so). And under section 19 of the now-repealed DPA98, the ICO had to keep a register and make it publicly available. The obvious way of doing that was to put it online.

It was a criminal offence to process personal data and not be notified (registered) with the ICO.

But, the General Data Protection Regulation (aka GDPR, and now to be known as the “EU GDPR”), did away with statutory notification as a matter of European law (on the grounds that it achieved nothing, and was an administrative headache). In the UK, where (as part of the notification scheme) controllers had to pay a fee to the ICO, this risked a major budget shortfall for the ICO. So, cleverly, we passed law that requires controllers to pay a fee purely to fund the ICO’s data protection work (the explanatory memo to that law even says it is “to make provision to ensure that the [Information Commissioner] has the financial resources necessary for the performance of her tasks and exercise of her powers”. Failure to pay this fee is a civil wrong, punishable by the imposition of a civil monetary penalty (of up to £4350). There is no requirement for the ICO to maintain a register, no requirement for it to be made public, and it is certainly not the case that what they do publish is a register of people “registered with the ICO under the Data Protection Act”.

What they publish is a non-statutory register of controllers who’ve paid their fee. Presence on that register says nothing other than that the controller has paid its fee.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner