In many of the articles, I tend to reference the ICO in a negative way. Unfortunately, this is my experience having submitted possibly hundreds of complaints to them over the years. The ICO is not fit for purpose in my view, because senior managers have failed to implement processes to ensure consistency. This failure has meant that the ICO’s front-line staff have likely been guessing at it for nearly two decades.
The failure of process continues to this very day. It was only a few months ago that a case officer was adamant that I was not entitled to be provided with the source of the data in response to a Subject Access Request. She copied and pasted the relevant section of the DPA to show me that she was right so I copied and pasted the Commissioner’s SAR code of practice to show her that she was wrong. A subsequent case review found in my favour but that’s rare.
There’s no process at all! This case officer literally interpreted the DPA – something that she is simply not qualified to do, when that interpretation had already been carried out and published as guidance. Most of the time there is no guidance but even when it exists, case officers simply ignore it.
The ICO is simply not fit for purpose. And here are some of the obvious reasons.
The ICO has ignored the view of the Secretary of State for Culture, Media and Sport.
The Secretary of State for Culture, Media and Sport is the Minister who oversees the ICO. My MP asked the following question in Parliament on my behalf (38213):
To ask the Secretary of State for Culture, Media and Sport, what mechanisms the Information Commissioner’s Office has in place to ensure decisions of staff of that Office are compliant with Section 42 of the Data Protection Act 1998.
The response from the Secretary of State for Culture, Media and Sport was:
The Information Commissioner’s Office (ICO) produces guidance for organisations on their obligations under the Data Protection Act 1998 (DPA). This guidance is used by the Information Commissioner’s staff when assessing concerns and complaints from the public under S42 of the DPA. In addition, staff receive formal training to ensure that consistent outcomes are achieved in decision making.
I reasonable person, having read this response, will conclude that the Minister expects the ICO to publish guidance (guidance for organisations) and that it’s this publish guidance that is used by case officers when they carry out assessments. However, the ICO’s Rob Cole told me that assessments are supported by guidance but that not all of the guidance is published. Yet Paul Arnold, the ICO’s Head of Customer and Business Services, has told my MP that he expects his case officers – who are not qualified to interpret the law, to subjectively interpret the DPA and make their own conclusions. So, they’re not relying on guidance at all. He said that he cannot create guidance for every aspect of the DPA but he’s had nearly 20 years to do so.
Had the ICO implemented a process in the early days, that required case officers to rely on published guidance or seek new guidance, then the published guidance would have been in place years ago.