In this tech-insight, we look at the role of the Information Commissioner’s Office, and how it can be a source of valuable compliance information and help to businesses.
What Is It?
The Information Commissioner’s Office is the UK’s independent, non-departmental public body set up to uphold information rights in the public interest. The ICO also promotes openness by public bodies and data privacy for individuals and is the regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA), as well as UK GDPR, and other acts. The ICO gives help and advice to individuals and businesses.
Who It Reports To
The ICO reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport. It has physical offices in Wilmslow (Cheshire), Cardiff, Edinburgh, and Belfast.
The current (although outgoing) Information Commissioner is Elizabeth Denham CBE, who was appointed UK Information Commissioner in July 2016. Her previous roles included Information and Privacy Commissioner for British Columbia, Canada, and Assistant Privacy Commissioner of Canada. In March 2018, she was named as the most influential person in data-driven business in the updated DataIQ 100 list and, in March 2019, Elizabeth was appointed chair of the Governance Working Group of the International Conference of Information Commissioners (ICIC), a global forum for information commissioners and ombudspersons with 45 members across all continents.
In August this year, it was announced that the preferred new UK Information Commissioner is John Edwards, who has been New Zealand’s Privacy Commissioner since February 2014, and who has practised law in Wellington, New Zealand, for more than 20 years (specialising in information law).
The ICO is the body/regulator responsible for data protection law advice and information, enforcement, monitoring/audits/studies, recommendations, and decisions, and is the place to complain to about matters like:
– Political campaigning practices (data analytics) e.g., transparency, ethics.
– Charity fundraising practices e.g., compliance laws that protect privacy and prevent nuisance phone calls.
– CCTV systems and facial recognition systems, matters of privacy and compliance with data protection laws.
– Credit and the uses of personal information e.g., by credit reference agencies (CRAs).
– Electoral registration.
– Nuisance marketing calls (enforcing the Privacy and Electronic Communications Regulations 2003). Nuisance calls can be reported to the ICO.
– Spam emails and texts (which can be reported to the ICO).
– Data protection and journalism.
– Data held by the Police.
– Data protection matters for schools, universities, and colleges.
– Public data access rights.
Advice and Help For Businesses
The ICO provides guides to the legislation, resources, and support for businesses about obligations and how to comply under the Acts. Much of it can be found on the ICO website here: https://ico.org.uk/for-organisations/.
Examples of Action Taken
Part of the role of the ICO is to take action to ensure organisations meet their information rights obligations. Examples of action taken by the ICO can be found on their website here: https://ico.org.uk/action-weve-taken/.
Staying Independent Is Important
The outgoing Information Commissioner, Elizabeth Denham CBE, has warned (in a recent statement) that in order for the ICO to be able to hold the government to account, it is important that it preserves its independence in a way that is workable, within the context of the framework set by Parliament.
What Does This Mean For Your Business?
Businesses and organisations must comply with often complicated and changing data protection laws. Although the ICO is responsible for enforcing those laws, its primary role is really to help by giving advice and information, and the website is a useful resource and signposting place for businesses to use and to stay up to date with the latest developments and news. The ICO is also a place for individuals and businesses to complain (perhaps resulting in action with enough complaints) about practices such as spamming (calls, emails, and texts) or not responding to data requests.