At yesterday’s Update session in Manchester, Stephen McCartney, Head of Data Protection Promotion, at the Commissioner’s office outlined several changes to the structure of the ICO’s office and in the ICO’s modus operandi.
First the Office of the Information Commissioner is being reorganised and the division between Data Protection and Freedom of Information is being removed. Instead, staff at the ICO will be expected to deal with both subjects. The new focus will be on “information rights” rather than DP or FOI and in this context, the name of the Tribunal will change. From mid-January, the Information Tribunal will be known by the catchy title of "First Tier Tribunal (Information Rights)” (of the General Regulatory Chamber) as it will become a part of the First Tier Tribunal established by the Tribunals, Courts and Enforcement Act 2007.
In this context, appeals from the First Tier Tribunal can be heard by an Upper Tribunal. This Upper Tribunal will take over from the courts when arguments arise from the decisions of the First Tier Tribunal (e.g. when there are judicial review considerations). In the FOI context, this is likely to mean there will be more appeals from the decision of the lower First Tier Tribunal (the old Information Tribunal) as the costs of a further legal appeal are reduced significantly (e.g. it is likely that each side will carry its own costs).
Cases of significance (e.g. a FOI request that raises a matter of significant public interest) can be heard by the Upper Tribunal (thus avoiding the lower Tier).
The focus of the ICO’s office will be on operational aspects, using powers where this is necessary to enforce information rights laws. The ICO will make the reduction of operational backlogs (e.g. assessments, Decision Notices) a priority. Policy matters, for example, delving into the Surveillance Society will still continue where appropriate but with a lower priority.
The Commissioner is to be known as the Chief Executive of the ICO to reflect the Information Rights agenda. When asked about the overlap between data protection and other Commissioners (e.g. in the context of access to communications data), the response was that if personal data were processed, then the Commissioner would have a remit to use his powers where appropriate.
The Commissioner is pressing for his ability to audit data controllers in the public sector to be extended to the private sector.
The ICO mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. This statement says nothing about educating data controllers or public authorities in their obligations.
In anticipation of the power to fine (e.g. Monetary Penalty Notice) or imprison (e.g. custodial Section 55 offences) and the increasing use of signed undertakings when data protection matters go significantly awry, the ICO is expecting to become “less popular” with data controllers. As a result, I expect that more Information Notices to be served as data controllers (and public authorities) might be reluctant to confess all to a Commissioner that has significant powers and an information rights agenda to push.
In short, “no more Mr Nice Guy”. These new powers, when implemented, will result in a more normal relationship between the regulator and regulated.
Note: there are still places on our Edinburgh Update next Monday - details on www.amberhawk.com.
Do you think that this means that we will, finally, get the Rottweiler we need in the role?
For far too long we have had to put up with a regulator on a leash. Cry Havoc and let slip the dogs of war!
Posted by: Tim Trent | 27/10/2009 at 05:32 PM
Please note: Because the mission statement is focused on data subject rights (and says nothing about data controller education) I did not want to imply that the ICO was abandoning its education/advice role. Some people have read it that way.
Posted by: cp | 28/10/2009 at 03:53 PM