Something is rotten in the Information Commissioner’s Office

The COVID-19 test and trace system immediately hit the news for its dubious privacy policy, as well as the lack of a Data Protection Impact Assessment (DPIA). Not so long before, the NHSX published the DPIA of its Contact Tracing App, leaving us with many concerns and a lot to be desired. Finally, the world is starting to notice how “the users experience of browsing the web is worse than ever”, thanks to the online advertising industry (adtech).

What’s the common thread among these news? The Information Commissioner’s Office (ICO) is supposed to take action against these infringements, but it looks like they have other plans: after pausing their investigation into the adtech sector, they finally seem to have pulled the brake entirely, blaming the Coronavirus crisis.

Open Rights Group (ORG) is deeply worried by the ICO’s recent developments: the unprecedented use of sensitive data and intrusive technologies we are facing demands closer scrutiny by our privacy watchdog, and we see no reason to give up on old issues either. This is why we have written to the Digital, Culture, Media and Sports Committee (DCMS), outlining how Covid-19 is impacting an already feeble regulator, and asking the Committee to take action.

Alongside our submission to the DCMS consultation, we are now publishing our views on the matter.

ICO seems to have frozen their investigatory powers

The ICO response to Covid-19 reads in plain English that they have stood down their audit work. This deprives the ICO of one of their two investigative means (compulsory audits), and significantly weakens the other (written inquiries). Indeed, by shouting to the world that they will not conduct on-site investigations, it is likely that non compliant organisations may very well lie or omit facts to the ICO, as nobody will check.

On top of that, the ICO has repeatedly tweeted about how they won’t take action against certain infringements (for instance, see here and here), and has stated to some complainants that they won’t take forward any complaints at all.

ICO shut down has no parallel at other government agencies

Although we understand the need for a regulatory agency to reassess its priorities in times of crisis, we find no excuse for ICO’s anomalous policy, even in a comparison with other Governmental agencies.

We looked at 14 UK public authorities, agencies or bodies, and 12 European Data Protection Authorities (DPAs). In stark contrast with the ICO, everyone is pretty much keeping up with their job, while European DPAs seems to be increasing rather than halting their activities.

One example? In France, their DPA has not only supervised the development of their contact tracing app all long the way, but they also have compelled their government to enshrine certain safeguards in primary legislation.

ICO is failing to ensure that our data is treated with respect

Unfortunately, we find the ICO’s behaviour is having tangible consequences in the unfolding of the COVID-19 crisis. For instance:

Despite the privacy-themed Rocky Horror Show which is unfolding before them, the ICO seems to be sleeping on their feet. Indeed, we have no news concerning Serco being under investigation for their blatant infringement of the law, and the ICO has openly refused to keep the NHSX accountable for their failure to submit their (contact tracing app) DPIA for review, despite the residual risks which have not been mitigated.

What’s next

We have asked the DCMS to invite the ICO to a hearing, and have them explain how they are planning to catch up with a situation which is obviously out of control. On top of that, ORG won’t give up challenging Government responses which do not meet legal and privacy standards.

Want to know more? Take a look at the campaign pages about Covid-19 App privacy risks and adtech abuses, or join us and help us upheld our digital rights during these turbulent times.